Attacks/Breaches
2/28/2014
12:45 PM
50%
50%

Fresh Target Breach Cards Hitting Black Market

A Bitcoin-powered marketplace is selling stolen card data in small batches, offering card validity guarantees, an RSA presentation reveals.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Since Target discovered that its point-of-sale systems were breached and 40 million credit cards stolen, how usable has the stolen card data been for criminals?

In fact, nearly two-thirds of the stolen card data being sold by Target's attackers remains valid, Dan Ingevaldson, CTO of Easy Solutions, said Thursday in a presentation at this week's RSA Conference in San Francisco. "When the first batch of Target cards hit, it was about 90% valid," Ingevaldson said in an interview at the conference. "Now they're about 60% valid, so it's just tapering off."

So far, only a fraction of the 40 million cards stolen from Target's point-of-sale systems have hit the black market. Furthermore, at the current rate of distribution, attackers will be continuing to drip feed the data on to carder forums for many more months. "The Target breach is going to be happening for at least the next year, until the cards age out," Ingevaldson said.

The implications for consumers are clear. Anyone whose card data was stolen by Target's attackers may not see related fraud hit their card until later this year -- or even next year -- when their card data finally gets offered for sale. The reason for that delay, Ingevaldson said, comes down to supply and demand: Attackers want to maximize their haul from the Target breach. "The market isn't big enough to absorb 40 million cards" all at once.

[The Target data breach started with an email attack on retailer's HVAC subcontractor. Read Target Breach: Phishing Attack Implicated.]

That release strategy is also tailored to selling card data repeatedly to a relatively small audience, which wouldn't have enough cash to hand to buy -- or put to use -- all the stolen card data outright, Aviv Raff, CTO of Seculert, said in an interview at the conference. "They want to monetize their stolen data. They could have just dumped it and gotten some money, but they want to get more."

Why are the stolen credit card numbers still valid at all? Because many issuers have chosen not to invalidate stolen numbers and issue new cards -- which costs either them or Target money. They are taking a wait-and-see approach and hope that their internal fraud controls spot related abuse.

How effective is that approach? "Good luck with that," said Raff, who formed the fraud action research lab at RSA before cofounding Seculert. In other words, those who shopped at Target during the period when attackers hacked into the company's network -- from Nov. 27 until Dec. 18 of last year -- may want to call their credit or debit card issuer and demand a new card, if they haven't already received one.

In his RSA presentation, Ingevaldson also demonstrated how Target's attackers -- or anyone else selling stolen card data -- maintain buyer interest, even as the data grows less valid and thus usable over time. Interestingly, some sites selling card data offer money-back guarantees for any numbers that don't work. Ingevaldson browsed a carder site called Valid Shop, which functions like an Amazon.com for black market data buyers, allowing them to purchase card data using bitcoins.

Valid Shop, which is offering Target card data, offers a number of otherwise de rigueur e-commerce features: one-click buying, easy checkout, robust customer service, and the aforementioned money-back guarantee. The site also allows users to buy either individual card numbers or bigger batches, and it calculates their validity rate, typically by using a valid merchant card that's been stolen by hackers. "That validity level is really the core metric for the price of the card -- in addition to limits and gold cards and platinum cards and stuff like that," Ingevaldson said.

Upon checkout and payment, the site adds a further twist: It tests all the numbers to see if they're valid. Some boards will immediately replace bad numbers with good ones or issue the buyer a refund -- in bitcoins, in the case of Valid Shop. "So it's a good customer service angle."

What will likely happen now that Easy Solutions has publicized Valid Shop? The forum may continue unchanged, since it does restrict access to vetted members. "We had to talk with these guys on ICQ, build up a persona, and do a few transactions with them to get known and vetted," Ingevaldson said. The site is hidden behind registration walls.

Or Valid Shop's administrators may just set up a new shop under a different name, as recently happened when the journalist Brian Krebs publicized a similar outfit. "When Krebs exposed a forum, it was shut down the next day and came up [under a new name] the day after that," Ingevaldson said.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
anon2815515591
50%
50%
anon2815515591,
User Rank: Apprentice
1/14/2015 | 12:36:06 PM
Re: Target Breach: the gift that keeps giving
Remember if you log on to a site that sells stolen data a) the FBI may be watching and you may get wrapped up in the hoopla, and B) If they are the unscrupulous type and sell peoples cards do you think it would be easy for them to also monitor who connects and inject malware into the systems that are connecting??

Just a thought, I would make sure you use a public wifi connection not your house and also use a computer that is ready for the scrap heap then pull the hard disk out and junk it...DONT use the computer you surf the web for on a day to day or you may get something you didnt ask for.
catvalencia
50%
50%
catvalencia,
User Rank: Apprentice
7/5/2014 | 4:01:32 AM
Re: Target Breach: the gift that keeps giving
That's absolutely right. Such scenarios of financial pain and horror might cause you to wonder how you can keep yourself from becoming a credit card theft victim. One answer is to use payday loans rather than credit cards in emergency situations where you need quick cash, as the process does not generally expose you to potential identity theft. However, having a small number of credit cards can be beneficial to your FICO score (indicating diversity in your credit portfolio, which creditors like to see), so perhaps a better long-term answer would be how to make credit card usage less dangerous.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/4/2014 | 7:13:21 PM
Re: Target Breach: the gift that keeps giving
That's an excellent question: upgrade to what? Some of the most secure forms of transfer payments that I have heard about concerns NFC and mobile wallets -- card security has a lot of limitations. I think cards can be utilized by the average consumers for another good decade or so, if somehow payments required the users to enter a pin, so in the event that 40 million card information has been stolen then all a user would have to do to make their card secure again is to assign a new pin.

Upgrade is a process that we should not be overlooked, I have heard that some small retailers have been issued to upgrade their OS from XP (not because of the Target Breach, but because XP won't we officially supported) by their payment solution providers.  
WKash
50%
50%
WKash,
User Rank: Apprentice
3/3/2014 | 9:19:05 PM
Protected
Interesting how credit card groups are saying you're protected if your card gets stolen. I just went through a fresh example of that -- and at least got what was promised:  Someone made off with my AMEX card.  I didn't discovere it for four days, by which time, the person ran up $2457 in credit cards purchases, mostly small stuff, where a credit card scan is all that's required.  Fortunately, AMEX credited all 30 charges.  But I would probably have not been as fortunate if I hadn't reported it.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
3/3/2014 | 5:14:10 PM
Re: Target Breach: the gift that keeps giving
I agree. Financial institutions keep saying it's too expensive to change -- but surely all the costs associated with a breach like this approach the cost of changing over. Viewed as an upgrade, then it might be more palatable. And if banks do it voluntarily, then the government won't force it on them at some point.
Michael Endler
100%
0%
Michael Endler,
User Rank: Apprentice
3/3/2014 | 3:50:50 PM
Re: Not Only Credit Cards
I wonder if it's the same "Microsoft Windows software" guy who called me twice last month.

"Hackers are trying to hack into your PC, really bad," he said. I proceeded to ask him which PC, which seemed to really confuse him. "What do you mean?" he asked. "I have more than one," I replied, at which point he hung up.

The next time, I decided to tell him he was full of BS, at which point he told me that if I wanted to let hackers take over my computer, it was on me. He hung up again.

If I weren't certain some people have fallen for it, the calls would have been pretty funny.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/2/2014 | 8:55:59 PM
Re: Target Breach: the gift that keeps giving
Upgrade to what?  You cannot just change the card without changing the pin pads too.  You can add a chip in the card but as long as the local "Roach Coach" uses a Square plugged into an iPhone, old payment methods have to be allowed.  How are on-line sites more secure with new cards?  3-D Secure?  That doesn't require new cards.
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
3/2/2014 | 8:29:35 PM
Re: Target Breach: the gift that keeps giving
I completely agree. The major issue is not about card itself but mainly the security process. Nowadays the card with magnetic strip is in use not upgraded to IC chip yet. Keeping your card with the reach of your eyesight help nothing to prevent security breach. Instead some solid process must be in place.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:56:42 AM
Re: Target Breach: the gift that keeps giving
I think the cost of a card itself is not a big deal (even when multiplied by 40 million). The logistics of sending all those cards out and getting them activated is what's causing the apprehension. Since the breach has taken place and eventually new cards have to be issued, now would be a nice time to upgrade card security in the processes. By viewing this whole process as an upgrade to security rather than a containment exercise, better results can be gained.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:41:12 AM
Re: Bottom line advice?
Great advice and anyone who has been exposed to the breach window should call up the bank and say "that there is a 60% chance their card will be misused".
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7266
Published: 2015-02-01
Algorithmic complexity vulnerability in Cybozu Remote Service Manager through 2.3.0 and 3.x through 3.1.2 allows remote attackers to cause a denial of service (CPU consumption) via vectors that trigger colliding hash-table keys. NOTE: this vulnerability exists because of an incomplete fix for CVE-2...

CVE-2014-7269
Published: 2015-02-01
ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376....

CVE-2014-7270
Published: 2015-02-01
Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earl...

CVE-2014-8630
Published: 2015-02-01
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shel...

CVE-2014-9200
Published: 2015-02-01
Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X8...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.