Attacks/Breaches
2/28/2014
12:45 PM
Connect Directly
RSS
E-Mail
50%
50%

Fresh Target Breach Cards Hitting Black Market

A Bitcoin-powered marketplace is selling stolen card data in small batches, offering card validity guarantees, an RSA presentation reveals.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and for slideshow.)

Since Target discovered that its point-of-sale systems were breached and 40 million credit cards stolen, how usable has the stolen card data been for criminals?

In fact, nearly two-thirds of the stolen card data being sold by Target's attackers remains valid, Dan Ingevaldson, CTO of Easy Solutions, said Thursday in a presentation at this week's RSA Conference in San Francisco. "When the first batch of Target cards hit, it was about 90% valid," Ingevaldson said in an interview at the conference. "Now they're about 60% valid, so it's just tapering off."

So far, only a fraction of the 40 million cards stolen from Target's point-of-sale systems have hit the black market. Furthermore, at the current rate of distribution, attackers will be continuing to drip feed the data on to carder forums for many more months. "The Target breach is going to be happening for at least the next year, until the cards age out," Ingevaldson said.

The implications for consumers are clear. Anyone whose card data was stolen by Target's attackers may not see related fraud hit their card until later this year -- or even next year -- when their card data finally gets offered for sale. The reason for that delay, Ingevaldson said, comes down to supply and demand: Attackers want to maximize their haul from the Target breach. "The market isn't big enough to absorb 40 million cards" all at once.

[The Target data breach started with an email attack on retailer's HVAC subcontractor. Read Target Breach: Phishing Attack Implicated.]

That release strategy is also tailored to selling card data repeatedly to a relatively small audience, which wouldn't have enough cash to hand to buy -- or put to use -- all the stolen card data outright, Aviv Raff, CTO of Seculert, said in an interview at the conference. "They want to monetize their stolen data. They could have just dumped it and gotten some money, but they want to get more."

Why are the stolen credit card numbers still valid at all? Because many issuers have chosen not to invalidate stolen numbers and issue new cards -- which costs either them or Target money. They are taking a wait-and-see approach and hope that their internal fraud controls spot related abuse.

How effective is that approach? "Good luck with that," said Raff, who formed the fraud action research lab at RSA before cofounding Seculert. In other words, those who shopped at Target during the period when attackers hacked into the company's network -- from Nov. 27 until Dec. 18 of last year -- may want to call their credit or debit card issuer and demand a new card, if they haven't already received one.

In his RSA presentation, Ingevaldson also demonstrated how Target's attackers -- or anyone else selling stolen card data -- maintain buyer interest, even as the data grows less valid and thus usable over time. Interestingly, some sites selling card data offer money-back guarantees for any numbers that don't work. Ingevaldson browsed a carder site called Valid Shop, which functions like an Amazon.com for black market data buyers, allowing them to purchase card data using bitcoins.

Valid Shop, which is offering Target card data, offers a number of otherwise de rigueur e-commerce features: one-click buying, easy checkout, robust customer service, and the aforementioned money-back guarantee. The site also allows users to buy either individual card numbers or bigger batches, and it calculates their validity rate, typically by using a valid merchant card that's been stolen by hackers. "That validity level is really the core metric for the price of the card -- in addition to limits and gold cards and platinum cards and stuff like that," Ingevaldson said.

Upon checkout and payment, the site adds a further twist: It tests all the numbers to see if they're valid. Some boards will immediately replace bad numbers with good ones or issue the buyer a refund -- in bitcoins, in the case of Valid Shop. "So it's a good customer service angle."

What will likely happen now that Easy Solutions has publicized Valid Shop? The forum may continue unchanged, since it does restrict access to vetted members. "We had to talk with these guys on ICQ, build up a persona, and do a few transactions with them to get known and vetted," Ingevaldson said. The site is hidden behind registration walls.

Or Valid Shop's administrators may just set up a new shop under a different name, as recently happened when the journalist Brian Krebs publicized a similar outfit. "When Krebs exposed a forum, it was shut down the next day and came up [under a new name] the day after that," Ingevaldson said.

Engage with Oracle president Mark Hurd, NFL CIO Michelle McKenna-Doyle, General Motors CIO Randy Mott, Box founder Aaron Levie, UPMC CIO Dan Drawbaugh, GE Power CIO Jim Fowler, and other leaders of the Digital Business movement at the InformationWeek Conference and Elite 100 Awards Ceremony, to be held in conjunction with Interop in Las Vegas, March 31 to April 1, 2014. See the full agenda here.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
catvalencia
50%
50%
catvalencia,
User Rank: Apprentice
7/5/2014 | 4:01:32 AM
Re: Target Breach: the gift that keeps giving
That's absolutely right. Such scenarios of financial pain and horror might cause you to wonder how you can keep yourself from becoming a credit card theft victim. One answer is to use payday loans rather than credit cards in emergency situations where you need quick cash, as the process does not generally expose you to potential identity theft. However, having a small number of credit cards can be beneficial to your FICO score (indicating diversity in your credit portfolio, which creditors like to see), so perhaps a better long-term answer would be how to make credit card usage less dangerous.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/4/2014 | 7:13:21 PM
Re: Target Breach: the gift that keeps giving
That's an excellent question: upgrade to what? Some of the most secure forms of transfer payments that I have heard about concerns NFC and mobile wallets -- card security has a lot of limitations. I think cards can be utilized by the average consumers for another good decade or so, if somehow payments required the users to enter a pin, so in the event that 40 million card information has been stolen then all a user would have to do to make their card secure again is to assign a new pin.

Upgrade is a process that we should not be overlooked, I have heard that some small retailers have been issued to upgrade their OS from XP (not because of the Target Breach, but because XP won't we officially supported) by their payment solution providers.  
WKash
50%
50%
WKash,
User Rank: Apprentice
3/3/2014 | 9:19:05 PM
Protected
Interesting how credit card groups are saying you're protected if your card gets stolen. I just went through a fresh example of that -- and at least got what was promised:  Someone made off with my AMEX card.  I didn't discovere it for four days, by which time, the person ran up $2457 in credit cards purchases, mostly small stuff, where a credit card scan is all that's required.  Fortunately, AMEX credited all 30 charges.  But I would probably have not been as fortunate if I hadn't reported it.
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
3/3/2014 | 5:14:10 PM
Re: Target Breach: the gift that keeps giving
I agree. Financial institutions keep saying it's too expensive to change -- but surely all the costs associated with a breach like this approach the cost of changing over. Viewed as an upgrade, then it might be more palatable. And if banks do it voluntarily, then the government won't force it on them at some point.
Michael Endler
100%
0%
Michael Endler,
User Rank: Apprentice
3/3/2014 | 3:50:50 PM
Re: Not Only Credit Cards
I wonder if it's the same "Microsoft Windows software" guy who called me twice last month.

"Hackers are trying to hack into your PC, really bad," he said. I proceeded to ask him which PC, which seemed to really confuse him. "What do you mean?" he asked. "I have more than one," I replied, at which point he hung up.

The next time, I decided to tell him he was full of BS, at which point he told me that if I wanted to let hackers take over my computer, it was on me. He hung up again.

If I weren't certain some people have fallen for it, the calls would have been pretty funny.
rradina
50%
50%
rradina,
User Rank: Apprentice
3/2/2014 | 8:55:59 PM
Re: Target Breach: the gift that keeps giving
Upgrade to what?  You cannot just change the card without changing the pin pads too.  You can add a chip in the card but as long as the local "Roach Coach" uses a Square plugged into an iPhone, old payment methods have to be allowed.  How are on-line sites more secure with new cards?  3-D Secure?  That doesn't require new cards.
Li Tan
50%
50%
Li Tan,
User Rank: Apprentice
3/2/2014 | 8:29:35 PM
Re: Target Breach: the gift that keeps giving
I completely agree. The major issue is not about card itself but mainly the security process. Nowadays the card with magnetic strip is in use not upgraded to IC chip yet. Keeping your card with the reach of your eyesight help nothing to prevent security breach. Instead some solid process must be in place.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:56:42 AM
Re: Target Breach: the gift that keeps giving
I think the cost of a card itself is not a big deal (even when multiplied by 40 million). The logistics of sending all those cards out and getting them activated is what's causing the apprehension. Since the breach has taken place and eventually new cards have to be issued, now would be a nice time to upgrade card security in the processes. By viewing this whole process as an upgrade to security rather than a containment exercise, better results can be gained.
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:41:12 AM
Re: Bottom line advice?
Great advice and anyone who has been exposed to the breach window should call up the bank and say "that there is a 60% chance their card will be misused".
Brian.Dean
50%
50%
Brian.Dean,
User Rank: Apprentice
3/2/2014 | 9:32:37 AM
Re: Not Only Credit Cards
The Microsoft scam support call is amusing to think about, someone actually thinks that by making such calls and investing time and money consumers are going to fall prey to the scam. The scary bit is that they are still operational, which means that they are people falling for the scam -- generating revenue. Otherwise they would not be attempting such a scam. The idea that a company will provide a high level of customer support is appealing to customers, but from the article we can see that when support and protection requires investment then firms choose the wait-and-see approach (risk management).
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.