Target Card Breach Goes From Bad to Worse

It seems like every day we hear about more after-effects of Target’s (NYSE:TGT) 19-day credit and debit card breach that resulted in the theft of an estimated 40 million credit and debit cards. From before Thanksgiving through December 15, shoppers in Target’s U.S. stores were subject to card theft (Target and investigators are not saying how the massive, nationwide theft occurred). The data could have been used by the hackers to create counterfeit cards that could be used to withdraw money at ATMs or pay for purchases, according to reports.

Now, security experts have discovered that the stolen debit and credit card numbers are being sold on the black market. In addition, Target revealed late last week that consumers’ PIN data was stolen during the massive breach. At least the PIN number theft appears to be under control, since Target has an extensive PIN encryption system and, in fact, consumers’ PIN numbers are not stored in the retailer’s system.

“The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement. When consumers make debit card purchases at Target, their card information is “encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” according to the statement. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident,” Target stated.

However, the sale of potentially 40 million debit and credit cards on the black market remains a major concern for Target and, of course, all of its impacted customers. Credit card store is selling some of the stolen credit cards in large lots, KrebsOnSecurity reported.
“The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items that can easily be fenced or resold,” the site reported.

Hearing about large lots of cards that recently became available on, executives from a large U.S. bank and a small, community bank wondered if the lots included some of their stolen cards from the Target breach. They essentially bought back their customers’ stolen cards from and discovered that all of the purchased cards had been used at Target during the breach timeframe, according to KrebsOnSecurity.

To make matters worse, thieves will love the great zip code feature of the Target cards being sold on “This feature is included because it allows customers of the shop to buy cards issued to cardholders that live nearby. This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder’s immediate geographic region,” KrebsOnSecurity reported.

Where will this nightmare end for Target and its shoppers? We certainly hope the U.S. Secret Service and fraud experts can quickly quell the black market sale of all 40 million cards.