The criminals who cracked Target's defenses, stealing debit and credit card information of as many as 40 million shoppers who swiped at the retailer's stores, exposed a major vulnerability in the way Americans pay.
"The credit card system is inherently broken," said Jeremiah Grossman, the chief technology officer of Web-application security firm WhiteHat Security. "It's a shared-secret system, in which everyone has the secret every time you swipe your card in the U.S."
That secret is the data encoded on the magnetic stripe on the back of the card: the cardholder's name, the account number, the expiration date and a card-verification code, among other fields. Anyone who reads the stripe, whether with a skimmer or with malware inside a store's payment system, holds everything needed to write a working copy onto a blank card.
Los Angeles Times
More bad news for shoppers who used their credit cards at Target in recent weeks: many of the 40 million cards that the company says were part of the massive data breach are reported to be for sale on black markets around the world.
That report comes from KrebsOnSecurity, the website run by cyber-security reporter Brian Krebs, who initially broke the story about the Target breach.
On Friday, Krebs posted another story detailing how he had tracked down counterfeit cards made with information stolen in the Target breach:
"Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned."
As expected, the thieves are using the information stolen from those cards to make counterfeit copies, which are being sold through black-market stores around the world, Krebs found.
At just one site that sells such counterfeit cards, Krebs said, he helped one bank find 100 cards for sale that had been made with data taken from customers affected by the Target breach.
Banks and other card issuers — not individual consumers — will absorb whatever direct losses result from the Target security breach. That's a fundamental part of how plastic works: consumer protections shield individual cardholders from liability.
But there's still the hassle of watching for bogus charges or requesting a new card and updating any automatic payments associated with the old one.
For card issuers, data thefts on the scale of the Target breach, which occurred between Nov. 27 and the middle of this month, represent a major headache and possibly substantial expenses. To combat would-be thieves, payment networks, banks and retailers already are shifting to new technologies, but the transition will take years.
Target admitted Thursday that hackers had infiltrated the payment system used in all its brick-and-mortar stores. The admission came a day after digital security reporter Brian Krebs broke the story.
The nationwide retailer stressed that its estimate of the number of people affected, 40 million, is just an approximation. Many of those shoppers will probably never experience any fraud on their accounts.
For now, exactly how this particular breach happened is unclear. Target had little to say on that subject.
"Clearly this was a sophisticated crime," Target spokeswoman Molly Snyder said in an email. "However, it is an active and ongoing investigation so I cannot comment further."
Still, experts are fairly sure how these schemes take shape.
Hackers do business on forums in the deep recesses of the Internet. These meeting places act as eBays for criminal activity. There, malicious actors buy and sell stolen information.
After that, crooks can work with separate groups that encode the stolen card data onto blank plastic. Eventually, mules on the street get hold of the finished cards and cash them out at registers and ATMs. Criminals also can use the card numbers to buy goods online.
Sometimes criminals bolster the price of their wares by validating that the card is still active — a telltale sign that your account has been compromised. They do that by initiating a micro-charge of $2 or less, "something that you're not going to call your issuer about," said Yaron Samid, chief executive of startup BillGuard, which monitors its users' card accounts for fraud.
That means cardholders should be vigilant for months, he said, or at least change their PIN codes if they think they've been affected.
Criminals, he explained, can hold on to cardholder data for a long time before selling it on the black market. And even more time may elapse before the transactions that bilk cardholders at the ATM or the virtual or physical point of sale.
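The probe pattern Samid describes, a charge of a dollar or two from a merchant the cardholder has never used, is easy to pick out of a statement once it is written down. The following is an added example for this page, not code from the article, BillGuard or any bank: it runs a simple heuristic over a constructed set of statement lines, flagging small charges from merchants not previously seen on the account and noting whether a larger charge followed. The dollar threshold and look-back windows are assumptions, not figures from the article.

```python
from datetime import date, timedelta

# Constructed statement lines for one account: (posting date, merchant, amount in dollars).
HISTORY = [
    (date(2013, 11, 2), "GROCERY MART", 84.12),
    (date(2013, 11, 9), "GROCERY MART", 61.30),
    (date(2013, 11, 20), "FUEL STOP", 45.00),
    (date(2013, 11, 25), "FUEL STOP", 1.50),            # small, but a merchant already on the account
    (date(2013, 11, 30), "TARGET T-1234", 122.57),
    (date(2013, 12, 14), "DIGITAL SVC 8812", 1.00),     # the kind of validation probe described above
    (date(2013, 12, 18), "ELECTRONICS OUTLET", 499.99), # the cash-out that often follows
]


def flag_probe_charges(txns, max_probe=2.00, baseline_days=60, follow_days=30):
    """Flag charges of max_probe dollars or less from a merchant not seen on
    the account in the preceding baseline_days, and record whether a larger
    charge followed within follow_days.  Thresholds are assumed values."""
    txns = sorted(txns)
    flags = []
    for i, (d, merchant, amt) in enumerate(txns):
        if amt > max_probe:
            continue
        # Merchants the cardholder has used within the look-back window.
        known = {m for pd, m, _ in txns[:i] if (d - pd).days <= baseline_days}
        if merchant in known:
            continue
        followed = any(0 <= (fd - d).days <= follow_days and famt > max_probe
                       for fd, _, famt in txns[i + 1:])
        flags.append({"date": d.isoformat(), "merchant": merchant,
                      "amount": amt, "larger_charge_followed": followed})
    return flags


if __name__ == "__main__":
    for f in flag_probe_charges(HISTORY):
        print(f)
```

The $1.50 fuel charge is ignored because the merchant already appears in the account's history; the $1.00 charge from an unfamiliar merchant is flagged, and the $499.99 purchase four days later is exactly the escalation a cardholder watching for months should expect.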
This all puts the affected banks, payment networks (American Express, Visa, MasterCard and Discover) and merchants in a tight spot.
Banks have to decide whether to issue new cards to customers who might have been affected or simply to put tighter fraud controls on those accounts.
As they scramble to deal with the Target breach, financial services companies are already working to replace the system.
The most prominent effort is the chip-card standard already used by card issuers in nearly every country outside the U.S.
Those cards, known as EMV for "Europay, MasterCard and Visa," carry a microprocessor chip that holds a secret key and computes a unique cryptogram for each transaction. The key never leaves the chip and each cryptogram is good for one transaction only, so data captured at the register cannot be replayed or written onto a counterfeit card the way stripe data can. EMV technology, experts explain, is simply more secure than the magnetic stripes on American cards. It does not, however, protect online purchases, where only the card number and expiration date are entered, and during the transition cards will continue to carry a magnetic stripe as well.
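The difference between the "shared secret" on a stripe and a chip that keeps its key to itself is easiest to see in code. The following is an added example for this page, not code from the article or from any payment network. The Track 1 and Track 2 layouts are the standard magnetic-stripe formats, parsed from constructed sample data (a test-range card number and a fictitious cardholder). The chip side is a deliberately simplified model of an online chip authorisation, an HMAC over the transaction data keyed with a per-card secret plus a transaction counter and a terminal challenge; it is not the real EMV cryptogram algorithm, key derivation or message format, and the class and function names are this example's own.

```python
"""Magnetic stripe vs. an EMV-style chip: why a stripe dump is a reusable
'shared secret' and a chip transaction is not.  Added example; the chip side
is a simplified model (HMAC over transaction data with a per-card key plus a
transaction counter), not the real EMV cryptogram algorithms or formats."""
import hashlib
import hmac
import re
import secrets

# Constructed sample stripe contents (test-range PAN, fictitious cardholder).
TRACK1 = "%B4111111111111111^DOE/JANE^25121011234567890123?"
TRACK2 = ";4111111111111111=251210112345678?"
_T1 = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})(.*)\?$")
_T2 = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})(.*)\?$")

def parse_track1(t1):
    """Track 1: PAN, name, expiry (YYMM), service code, discretionary data."""
    pan, name, yy, mm, svc, disc = _T1.match(t1).groups()
    return {"pan": pan, "name": name, "expiry": yy + mm,
            "service_code": svc, "discretionary": disc}

def parse_track2(t2):
    """Track 2: same minus the name; the discretionary data carries the CVV1."""
    pan, yy, mm, svc, disc = _T2.match(t2).groups()
    return {"pan": pan, "expiry": yy + mm, "service_code": svc, "discretionary": disc}

def encode_track2(f):
    """Re-encode parsed fields onto blank plastic: the dump alone is sufficient."""
    return f";{f['pan']}={f['expiry']}{f['service_code']}{f['discretionary']}?"

def stripe_authorise(t2, issuer_file):
    """A stripe authorisation can only compare static data with the issuer's
    card file, so a clone of the dump is indistinguishable from the card."""
    f = parse_track2(t2)
    return issuer_file.get(f["pan"]) == (f["expiry"], f["discretionary"])

def _mac(key, pan, amount, atc, un):
    msg = f"{pan}|{amount}|{atc}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    """Holds a per-card key that never leaves the chip (assumed model)."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1                              # application transaction counter
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number,
                "mac": _mac(self._key, self.pan, amount_cents, self.atc,
                            unpredictable_number)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def issue_chip_card(self, pan):
        key = secrets.token_bytes(16)
        self.keys[pan], self.last_atc[pan] = key, 0
        return ChipCard(pan, key)

    def chip_authorise(self, req, terminal_un):
        key = self.keys.get(req["pan"])
        if key is None or req["un"] != terminal_un:
            return False                           # unknown card or wrong challenge
        if req["atc"] <= self.last_atc[req["pan"]]:
            return False                           # counter did not advance: replay
        expected = _mac(key, req["pan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False                           # without the key there is no valid MAC
        self.last_atc[req["pan"]] = req["atc"]
        return True

def demo():
    """Stripe: a skimmed dump written to blank plastic authorises.
    Chip: the genuine transaction authorises; captured data does not."""
    f = parse_track2(TRACK2)
    issuer_file = {f["pan"]: (f["expiry"], f["discretionary"])}
    clone = encode_track2(f)                       # skimmer output -> blank card
    issuer = Issuer()
    card = issuer.issue_chip_card(f["pan"])
    un1 = secrets.randbits(32)                     # first terminal's challenge
    genuine = card.generate_cryptogram(1999, un1)
    captured = dict(genuine)                       # what malware at the register would see
    un2 = secrets.randbits(32)                     # a second terminal's challenge
    forged = dict(captured, un=un2, atc=captured["atc"] + 1)  # no key to recompute the MAC
    return {
        "stripe_clone_accepted": stripe_authorise(clone, issuer_file),
        "chip_genuine_accepted": issuer.chip_authorise(genuine, un1),
        "chip_replay_accepted": issuer.chip_authorise(captured, un2),
        "chip_forged_accepted": issuer.chip_authorise(forged, un2),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stripe clone passes because the issuer has nothing to check beyond the fields the attacker already copied. The captured chip transaction fails twice over: the terminal challenge no longer matches, and the transaction counter has not advanced past the value the issuer already saw; re-stamping the counter does not help without the key that computes the cryptogram. The same captured data would still work for an online purchase, which is why the chip alone does not end card fraud.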
Until EMV takes hold, or something more resilient takes the place of the current payment system, consumers will just have to live with the headaches caused by breaches.
"It's ultimately not the consumers who face the liability here. That's the one beautiful thing about the credit card system," said Robert E. Lee, a security business partner at Intuit. "If my card is stolen and used like this, I'm not out of pocket.
"There are all these consumer protections in place, even though the entire system is stupid."