recommended reading

Inside the Black Market That Buys and Sells Target’s Stolen Credit Cards

Yongcharoen_kittiyaporn/Shutterstock.com

The mass theft of credit-card data has spawned an underground black market where huge stacks of those cards are being purchased by identity thieves.

This black market is in the spotlight thanks to an expose from Brian Krebs, the same blogger who broke the story last week that Target was investigating a data breach of millions of credit- and debit-card accounts.

Krebs explains that a large bank knew Target had been breached after it went and bought "a huge chunk of the bank's card accounts from a well-known 'card shop' — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards." He continues:

There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality "dumps," data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim's bank account.

Target confirmed on Thursday that 40 million cards had been stolen in a nationwide data breach spanning from Nov. 27 to Dec. 15. Following the announcement, Krebs reached out to a small community bank in New England to see if it knew which of its cards had been stolen.

Krebs teamed up with the bank's fraud team to figure out which of its cards might be at risk for fraud given that "the tiny bank had not yet heard anything from the card as specific cards that might have been compromised as a result of the Target breach," despite the fact that almost 6,000 of the cards issued had been used in Target stores around the country. He began searching through a black-market card site and went shopping. What he found is nothing short of terrifying.

Some highlights:

Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et. al.); expiration date; track type; country; and the name of the financial institution that issued the card....

Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.

Krebs also notes that the store doesn't let its customers buy up cards with their own credit cards. Instead, thieves must use virtual currencies like Bitcoin or wire transfers like Western Union to complete a transaction.

(Image via Yongcharoen_kittiyaporn/Shutterstock.com)

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.