Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Target Hackers Have More Data Than They Can Sell

Soulskill posted about 8 months ago | from the embarrassment-of-riches dept.

Security 118

itwbennett writes "The hackers who stole millions of credit card numbers from Target customers are probably 'laying low knowing that everyone is looking for them,' says Alex Holden, who runs cybercrime consultancy Hold Security. But it's also likely that they can't sell them: 'You can imagine that having a lot of stolen credit cards will not net the hackers, say $35 per card for all 40 million,' said Holden. 'Even if the hackers are willing to sell cards for $1 a card, no one will buy the stolen goods in these amounts.'"

cancel ×

118 comments

Sorry! There are no comments related to the filter you selected.

Proposal for new *coin (2, Funny)

relisher (2955441) | about 8 months ago | (#45960619)

The TargetCardCoin

Re:Proposal for new *coin (1)

TheloniousToady (3343045) | about 8 months ago | (#45960981)

Don't they already offer The Red Coin?

It's not the *coin dealers that are profiting (0)

Taco Cowboy (5327) | about 8 months ago | (#45961845)

It's the banks that issuing the cards that are profiting from the hack.

Shoppers (more than 40 millions of them) who used their credit cards in Target are all running scared, and many will go to their banks to exchange their existing credit cards for a new one.

And the banks gonna change those poor credit cards owner a "service charge".

Even if the "service charge" is only $50 per card, for 40 million cards we are looking at a $2 billion dollar extra revenue for the banks !

Paranoid much? (2, Insightful)

Anonymous Coward | about 8 months ago | (#45961897)

What kind of awful bank / credit card company do you have that charges you a replacement fee? I literally replaced my debit card and credit card without any fee, and my debit card was even replaced with a temporary one free of charge.

Furthermore, most of them would likely prefer to send out a card rather than have to deal with claims of account fraud, which costs them money to investigate as well as to eventually replace.

I'm no fan of the banks, but this is ridiculous.

Re:Paranoid much? (2)

ubergeek2009 (1475007) | about 8 months ago | (#45961937)

My bank sent me a replacement debit card in the mail without charge and without even asking. I just got a letter apologizing saying that my card may have been compromised, so they sent me a replacement the same way they would have if my card had expired, so no charge and a new card with a new number.

Re:It's not the *coin dealers that are profiting (1)

ArbitraryName (3391191) | about 8 months ago | (#45962125)

Where the hell do you bank? I once had a bank that charged me a very nominal fee (like $5) if I wanted to replace a card out of cycle because it was worn or damaged, but never for routine or fraud related replacements. A $50 charge would be outrageous and unheard of. My current bank just out of the blue sent my wife and I new cards with a letter about the compromise. Only one of our two cards had even been used at Target so I guess they just reissued en masse. We were certainly not charged,

Re:It's not the *coin dealers that are profiting (1)

Arancaytar (966377) | about 8 months ago | (#45963005)

Even if the "service charge" is only $50 per card,

Hmmmm...

(a) Limits on liability
(1) A cardholder shall be liable for the unauthorized use of a credit card only if—
(A) the card is an accepted credit card;
(B) the liability is not in excess of $50;

So, do I pay $50 to the bank right now, or do I risk possibly, maybe being liable for up to $50 later on? I can't decide.

Re:It's not the *coin dealers that are profiting (0)

Anonymous Coward | about 8 months ago | (#45963799)

What does this have to do with its (well-placed) parent?...

Stupid People (4, Insightful)

Anonymous Coward | about 8 months ago | (#45960627)

You can always reduce things. They can sell a smaller subsets.

Re:Stupid People (3, Insightful)

PPH (736903) | about 8 months ago | (#45960885)

But the buyers know (roughly) how many cards are available. The media has seen to that. So they know its a buyers' market.

Re: Stupid People (0, Flamebait)

Anonymous Coward | about 8 months ago | (#45960933)

No you don't reveal where you got them from jackass.

Re: Stupid People (3, Interesting)

Redmancometh (2676319) | about 8 months ago | (#45962201)

I'm surprised I haven't seen anyone mention this, but I think they single-handedly killed the market. Think about it...no one knows all of the CC numbers yet. Not only should no one buy off of those guys, but no one knows who those guys are. So if say 80% of the cards are cancelled there are now 32 million legitimate useless credit card numbers out there.

No one is going to trust anyone. I have a feeling this is going to do the blackhat community quite a blow.

Re:Stupid People (1)

Anonymous Coward | about 8 months ago | (#45960899)

This is so fucking obvious that it is really really sad somebody had to point it out.

Re:Stupid People (1)

Anonymous Coward | about 8 months ago | (#45961311)

It's also fucking obvious that the second set they sell will be worth about 10 cents since everyone will have canceled their cards by then.

Re:Stupid People (0)

Anonymous Coward | about 8 months ago | (#45962983)

I doubt it, people tend to fuck off until it's too late and then they'll fix it but it won't matter after they've been bled dry.

Re:Stupid People (0)

Anonymous Coward | about 8 months ago | (#45961011)

Agreed. And I thought the information was taken with malware in POS registers. Were the 100+ million credit cards really accumulated and then transmitted? While I don't expect it to transmit non-stop, it seems it would've transmitted more often.

Re:Stupid People (4, Informative)

jeffmeden (135043) | about 8 months ago | (#45961105)

You can always reduce things. They can sell a smaller subsets.

This. Thefuck is this article? The guy who broke the breach [krebsonsecurity.com] also pointed out where the cards were getting sold at [krebsonsecurity.com] too. This article is a muse on a blog by a supposed "pundit" (pundit, n.: one whose insistence of credibility is the only thing greater than their ignorance).

Re:Stupid People (1)

Fnord666 (889225) | about 8 months ago | (#45961277)

What do you expect from a guy who says the following:

Cybercriminals often advertise the kind of data they've captured from the card's magnetic stripe, which has three so-called "tracks," each containing data.

News flash. They are called tracks because they are tracks on a magnetic recording tape. Nothing "so called" about it.

Re:Stupid People (1)

hawkinspeter (831501) | about 8 months ago | (#45963023)

News flash. They are called tracks because they are tracks on a so called "magnetic recording tape". Nothing "so called" about

FTFY

So what? (2)

o_ferguson (836655) | about 8 months ago | (#45960677)

Maybe they did it for the lulz.

Seeing that (4, Insightful)

Kardos (1348077) | about 8 months ago | (#45960693)

next to everybody's card has been stolen, is it time for everybody to get a new card? It'll make the stolen database worthless, as well as all other databases of stolen credit cards...

Re:Seeing that (0)

Anonymous Coward | about 8 months ago | (#45960747)

Ah yes, the Great Reset.

It's a potentially valid strategy just like fault-tolerance is today -- instead of spending loads of money running chillers, RAID, and battery backup systems to keep the software running, just design your systems to allow for failover more often and reduce the need for all the exotic hardware.

One day credit cards will reach the point where it'll be easier to just throw them away more often and recover faster. Imagine if Target were hacked again and Visa just reset _everyone_ regardless if they ever shopped at Target.

Re:Seeing that (0)

Anonymous Coward | about 8 months ago | (#45960821)

but now everyone needs to be issued a new card which requires some work (not to mention the cost of the cards) and can be an inconvenience to everyone who needs to replace their credit card and update the status of their card to those who regularly charge it (ie: cable bill).

It may also help for people to have two sets of cards, one set for one time payments and one set for regularly repeated payments but having two sets of credit cards is also an inconvenience and costs more.

People get new cards periodically anyways.

Perhaps linking your credit card to your cell phone. When you purchase something you receive a text message that you must reply to with your pin so in order for someone with your credit card to make a purchase on your behalf they may need your cell phone, your cell phone password, and your credit card pin. This could potentially make man in the middle attacks more difficult. This could be problematic if your cell phone dies and you are stuck in a difficult situation where you need money ... perhaps there could be a daily allowance like with ATM's. None of these ideas are novel ideas we just need the credit card companies to implement them.

Re: Seeing that (0)

Anonymous Coward | about 8 months ago | (#45962849)

Bank of America did that. I got a new card without shopping at target.

Spoiler alert (4, Funny)

symbolset (646467) | about 8 months ago | (#45960921)

The data was stolen by the company that prints the replacement cards.

How Do You Steal A Number? (-1, Troll)

zenlessyank (748553) | about 8 months ago | (#45960715)

I can write out any old number corresponding to a CC. Then write it again. Now I am a thief. Straw man. No one cares about HAVING to have the number to begin with, eh? Hehe, fools....

Re:How Do You Steal A Number? (0)

Anonymous Coward | about 8 months ago | (#45964029)

I know your a troll but I'll bite anyways...You know its not just the card number that was stolen, but the other information that makes a number matching Luhn's Algorithm valuable. You know information like the card holders name, card expiration date, the CVV, perhaps even the PIN.

But of course, you were just being obtuse.

Probably not worth a dollar... (4, Interesting)

jddeluxe (965655) | about 8 months ago | (#45960721)

My bank (Chase) has sent out new cards to anyone that had a transaction at Target during the time period they indicated of the breach, and many other banks/financial institutions have done likewise. The value of the purloined data is heading towards nil quickly.

Re:Probably not worth a dollar... (1)

Anonymous Coward | about 8 months ago | (#45960905)

This is not true. Chase has not sent everyone a card. My wife had two transactions at target on two different debit cards and has not received a new card from either bank.

Re:Probably not worth a dollar... (3, Insightful)

Anonymous Coward | about 8 months ago | (#45960969)

Ah but those are debit cards not credit cards. If stuff happens with your wife's debit cards it's her money that's gone and she has to try to get it back from the bank/merchant.

Whereas if they were credit cards, if stuff happens it's the bank/merchant's money that's gone and they'd have to try to get the money from her or their insurer or eat the loss.

See the difference in urgency? ;)

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45961511)

If it has the visa/master card logo (and no pin is used) it has to comply with the rules. Ultimately your still NOT liable (beyond $50 USD). They may be able to keep your money until they've resolved the issue. That's about the extent of it. They might also require you to file a police report.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45964293)

Ultimately your still NOT liable (beyond $50 USD). They may be able to keep your money until they've resolved the issue. That's about the extent of it.

They still make more money that way. Multiply by X affected people and it adds up.

Sociopathic companies will behave like that. There are companies that will do the right thing, but the right thing is often less profitable - and most customers seem to prefer lowest price no matter what.

Re:Probably not worth a dollar... (1)

grim4593 (947789) | about 8 months ago | (#45961631)

I have a debit card from TCF bank and they sent out notices that their VISA debit cards were covered by the same VISA zero-liability-policy as their credit cards. Regardless, I didn't purchase anything at Target.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45964507)

Ah but those are debit cards not credit cards. If stuff happens with your wife's debit cards it's her money that's gone and she has to try to get it back from the bank/merchant.

That depends on your bank. A lot of reasonable institutions don't have different policies regarding credit/debit regarding fraud. If your bank sucks like this, time for a new bank.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45961033)

debit card is your money why would they care, credit cards are replaced because its the banks money that will be stolen.

Re:Probably not worth a dollar... (1)

ahabswhale (1189519) | about 8 months ago | (#45961125)

Because the bank still has to cover it if it's stolen. The only thing that makes debit cards more painful is that you can bounce checks not realizing someone has made charges against it.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45964703)

Because the bank still has to cover it if it's stolen. The only thing that makes debit cards more painful is that you can bounce checks not realizing someone has made charges against it.

Your money gone till you get it back is not more painful to you than 100% of your money still with you while it's someone else's money gone?

If it's not your money that's gone you still have your money to use whether it is to pay bills, buy stuff, or even hire a lawyer to fight the Bank or Merchant if they try something stupid.

Yes with debit card fraud in most cases Banks will give you back your money eventually. The keywords are "in most cases" and "eventually". Where eventually is infinite times longer compared to credit card fraud where you'd still have your money with you.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45962111)

anyone, but myself, my wife, my mother and my father

Re:Probably not worth a dollar... (2)

jddeluxe (965655) | about 8 months ago | (#45961545)

Mine was a Chase debit card, everyone else I know that is with Chase got an unsolicited new card if they shopped at Target during the breach period. If you fall into the same category and haven't received one I'd recommend contacting them.

Re:Probably not worth a dollar... (1)

TubeSteak (669689) | about 8 months ago | (#45961841)

The value of the purloined data is heading towards nil quickly.

I just got a robo call today that I'll be getting a new credit card (number) soon.
My current number will still be good till the end of the month.

So at least for my issuer, that's how long the criminals have to commit some fraud.

Re:Probably not worth a dollar... (1)

bobjr94 (1120555) | about 8 months ago | (#45961995)

Thats what I was thinking. Many people I know had received new cards and the old ones deactivated. I guess even if 20% of these old cards are still valid, thats still a huge number. Some banks like Chase even have setup phones lines just to deal with target related calls. Myself, my card number was stolen from Harbor Freight Tools in October in a nation wide security breach.

Re:Probably not worth a dollar... (0)

Anonymous Coward | about 8 months ago | (#45964535)

My bank (Chase) has sent out new cards to anyone that had a transaction at Target during the time period they indicated of the breach...

False. Completely and utterly. Do you just make this shit up or are you just a moron? I also have a Chase credit card and they have specifically told me they are not replacing my card unless unauthorized transactions occur on it.

De Beers and OPEC (3, Insightful)

tepples (727027) | about 8 months ago | (#45960723)

And now you understand the dilemma of De Beers and OPEC, which have more diamonds and oil than they know what to do with and trickle them to the market to keep the price up.

What me worry? (1)

mrmeval (662166) | about 8 months ago | (#45960743)

So they dump a small portion of them for free all over the place. If some who use it get busted it's a smoke screen but they can claim they're freedom fighting Robyn Hoods or something. My bank can only dock me $50 except that I have a plan that is free which means I don't get docked squat the bank eats it.

Re:What me worry? (1)

Anonymous Coward | about 8 months ago | (#45960805)

So they dump a small portion of them for free all over the place. If some who use it get busted it's a smoke screen but they can claim they're freedom fighting Robyn Hoods or something.

You took that right out of the Ed Snowden game plan, didn't you? ;)

Re:What me worry? (5, Informative)

TheloniousToady (3343045) | about 8 months ago | (#45960973)

Actually, the merchant eats it - at least that's been my experience as a merchant. The ingestion process is called a chargeback [wikipedia.org] . It's one reason why credit card issuers are so glad to make refunds to consumers. Merchants live in fear of chargebacks because not only do they lose the revenue, they also have to pay a penalty.

As a merchant, you quickly figure out that it's best to accommodate any request for a refund, even if you think you're being treated unfairly. For example, I recently had a customer in another country who asked me to pay his local taxes on the sale I had just made to him. So I gave him a refund for the amount of the tax. Easy decision.

(I shouldn't be telling you folks this, it's supposed to be a dirty little secret. Don't tell anybody else.)

Re:What me worry? (1)

Anonymous Coward | about 8 months ago | (#45961387)

Chargebacks are definitely annoying for physical merchants, but are even worse if you're selling stuff online or have a presence in more than one state. I did some work for a company that sells specialized sports equipment and has stores in four or five states, as well as selling things at various events. The problem was that due to the way their payment system worked, they had to present their physical location - their main store in my state - on every transaction. So many people who bought things on the road would see that their card had been charged by a merchant in another state and immediately charge back thinking they'd been the victims of fraud, and most of the time their card companies would issue the chargeback even though there was no solid proof of fraud and all of the people who had purchased things had a receipt for the same amount that was charged to their card somewhere with the company's address on it.

As for parent, I recall my boss telling me something about retail: It would be better to pay roughly 20% of the people who buy from you to walk away rather than deal with them, because the problems they'll have will ultimately cost you more.

Re:What me worry? (3, Interesting)

black6host (469985) | about 8 months ago | (#45964543)

As for parent, I recall my boss telling me something about retail: It would be better to pay roughly 20% of the people who buy from you to walk away rather than deal with them, because the problems they'll have will ultimately cost you more.

Somehow, as a favor to someone, I ended up managing the operations of a service based company for a short period of time. We would have customers that constantly were saying: "Do you know who I am?" Usually the past, past, past president of some condo association. Or customers who thought we'd starve without their business and make all kinds of unreasonable demands that would result in a loss to us. We'd let that happen maybe two or three times and when it became apparent that the customer's behavior was chronic I would simply tell them that our goal was to satisfy our customers in every way and obviously we were unable to meet their needs. We valued their satisfaction and felt they would be better served by another company. I'd then suggest a competitor for them to call. The reactions were priceless! They couldn't believe they were being "fired". It helped us two ways. First, it freed up our resources to service the customers who appreciated being treated fairly (and we really were service oriented, money back guarantee on everything.) Second, by the time our competitor figured out what kind of customer they just took on they had suffered the loss.

This was a service industry where there was more work to do than we had people to do it so there really was no loss to us in culling the bad ones. Offtopic I know but maybe someone will benefit from our experience.

Re:What me worry? (0)

Anonymous Coward | about 8 months ago | (#45961425)

More dirty secrets from the inside...

If a company gets more than ~30% chargebacks they can have the merchant account canceled. This makes it impossible to charge any cards and effectively puts the company out of business. I have worked for companies doing customer support and actually had this happen. Some companies are even so scummy they have multiple merchant account and just tell us "No refund's no matter what the customer says." They just don't care.

Even worse at one time I worked for a company where we as customer service reps where not told what the customers where being charged for and the "customers" didn't know either... Could have been porn? But we gave refunds no questions asked. I also suspect it was a company buying these stolen card numbers and just randomly charging people... Even if only a small percentage slips though the cracks it can add up to a lot of money.

Thank God I no longer have to deal with that stuff anymore.

Re:What me worry? (1)

Anonymous Coward | about 8 months ago | (#45961791)

BITCOINS for the WIN! :P

Re:What me worry? (1)

TheloniousToady (3343045) | about 8 months ago | (#45963995)

From a merchant's point of view, a system like Bitcoin that puts the merchants back in control of refunds sure sounds appealing. However, I believe most customers appreciate the security of having a third party like a credit-card issuer to go to when there is a dispute. In starker terms, customers enjoy the power they currently hold. So, if the use of Bitcoin eliminates fraudulent chargebacks but reduces overall sales, it still may not be in the merchant's best interest.

Also, from the merchant's point of view, the idea of a totally anonymous transaction isn't very appealing. If your customers know that you know who they are, maybe they'll be a little kinder to you in terms of post-sale behavior like spreading word of mouth and demanding refunds. Just a theory.

Re:What me worry? (0)

Anonymous Coward | about 8 months ago | (#45961813)

Can't the merchant contest the charge, going back and forth before going to arbitration with the loser paying the fee?

Re:What me worry? (2)

Solandri (704621) | about 8 months ago | (#45962127)

The onus is upon the merchant to prove the charge was legit. For an in-store transaction, this usually means a copy of the signature on the credit card receipt. You send that to the credit card clearinghouse, they compare it to the signature the credit card company provides, and decide if the cardholder really made the purchase or not.

For online transactions, you're pretty much SOL. The credit card companies provide tools to let you try to confirm the cardholder is legit before completing the transaction. e.g. Compare billing address and phone number to that provided by the purchaser (this is why gas station pumps require you to type in a zip code - they're not trying to collect marketing data, it's cross-checking what you type with the zip code on file for the card). The better cards also keep a list of authorized shipping addresses on file, and the merchant can decline the sale if the shipping address for the order doesn't match that on file. But if the customer makes a chargeback, all you can do is show the clearinghouse that you used the tools they provided and hope they decline the chargeback. Usually the customer wins no questions asked, and the merchant just eats the loss as a cost of doing business (like shoplifting).

The banks and credit card companies have done a pretty good job making sure they don't pay anything for fraud (except the customer support rep's wages), all while charging exorbitant interest and fees purportedly to combat fraud. (In their defense, the interest and fees do pay for a different type of fraud - non-payment from customers, though I still think it's excessive.)

Re:What me worry? (2)

TheloniousToady (3343045) | about 8 months ago | (#45964253)

The onus is upon the merchant to prove the charge was legit. For an in-store transaction, this usually means a copy of the signature on the credit card receipt. You send that to the credit card clearinghouse, they compare it to the signature the credit card company provides, and decide if the cardholder really made the purchase or not.

In light of that, it fascinates me that those electronic signature gizmos at stores work so badly. Half the time, I can't even recognize my own signature because half of it's missing. I guess signature comparisons to dispute chargebacks must not happen very often - I assume that merchants just roll over and die most of the time. The fact that we're all faithfully made to sign on those things probably is just psychology to make us feel like we can't commit friendly fraud [wikipedia.org] by disputing our own purchases.

only in theory. call the customer (2)

raymorris (2726007) | about 8 months ago | (#45962159)

Theoretically, yes. Practically, it doesn't happen.
You sell something. 40 days later, the customer calls their bank. The bank mails a form, which the customer receives 10 days later. They fill it in and mail it back. 14 days later, the bank deducts the amount from the merchant's receipts. Ten days after that, the merchant receives a letter saying they've been charged back for a transaction that occurred over two months ago. They money has already been taken from them, subtracted from recent sales.

IF the merchant digs up a signed receipt, they can start the process to dispute the chargeback. 90 days later they'll just get another letter saying the customer now says the product wasn't as advertised.

What HAS worked for me, in a small business, is to call the customer and start some friendly small talk. "Hi George, it's Ray from bettercgi.com. How was your vacation? ...". After establishing that human contact so the customer sees me as an actual person, I mention the chargeback. "I wanted to see if there was a misunderstanding because the bank sent me a letter saying you filed a fraud report against me...". When they are reminded of what the charge is for, I used to ask them to call the bank and cancel the chargeback. That involves the bank mailing another form for them to fill out, so that never ended up working. Now, I just get them to repay the amount. I end up eating the chargeback fee of about $39, plus the double processing fees. I then CALL them 20 days later and REMIND them what the charge is for because people who forget and charge back once tend to forget and charge back again.

As a consumer, please keep in mind your credit card provides strong protection from FRAUD. When you call the bank and charge back, you are accusing someone of fraud.

Perhaps.... (0)

Anonymous Coward | about 8 months ago | (#45960751)

They should help the less fortunate. Like me.....
I would take a few cards for free.

It has arrived! (5, Funny)

Ol Olsoc (1175323) | about 8 months ago | (#45960847)

Security through Ubiquity!

Re:It has arrived! (3, Informative)

ebno-10db (1459097) | about 8 months ago | (#45960949)

That's the latter day corollary to hiding something in plain sight.

Uh, it's not 40 million... (3, Interesting)

Patent Lover (779809) | about 8 months ago | (#45960939)

It's 110 million. Yes about 1/3 of the U.S. population has used a credit card at Target. I pray they don't hit Wal Mart.

Re:Uh, it's not 40 million... (4, Interesting)

DigiShaman (671371) | about 8 months ago | (#45961025)

Well given how successful this was on a Windows based POS system, just imagine all the restaurants, and bars that might be compromised too. I'm in agreement with what others have said; we need to go to the Chip-and-PIN system. If we are going to be replacing CC for potentially hundreds of millions of people, now is the time to make the switch. If the bank wants to charge me a few extra bucks for a fancy new card, do it. I'd rather have the peace of mind after this fiasco.

Re:Uh, it's not 40 million... (4, Interesting)

baker_tony (621742) | about 8 months ago | (#45961231)

Wait, American's aren't using chip and pin yet?

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45961317)

Indeed.

But it's a pain in the neck when we have to visit EU with our trust-the-world credit cards.

Re:Uh, it's not 40 million... (0)

Xeno man (1614779) | about 8 months ago | (#45961355)

No they are not, that would require change and as we all know, Americans fear change.

Re:Uh, it's not 40 million... (1)

DigiShaman (671371) | about 8 months ago | (#45961569)

Fear of change is not applicable in this case. As with converting to the metric system, the holdback from Chip-and-PIN is pure momentum of an established system. That, and the up-front cost to make the change. Everyone I knows agrees that the metric system is better, but we're kinda stuck with it because a concerted effort to change is a vast undertaking. To do so would be the equivalent of an American Moonshot part II. The very idea is epic in its own right.

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45961795)

Every other country did it. It's no moonshot.

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45962067)

Such changes should start on the state level. Each state here is equivalent to a nation in the EU. The issue we have is that states don't want to push for anything not stupid. Well, that is wrong. They are slowly seeing same-sex couples are people now, and while I may not care for the stuff, legalizing weed is a way forward too.

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45962153)

Same-sex and weed have fuck all to do with establishing standards of measurement.

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45962079)

No they are not, that would require change and as we all know, Americans fear change.

Fear of change is why they use cards. Who wants to carry around all those fiddly little coins?

Re:Uh, it's not 40 million... (1)

mewsenews (251487) | about 8 months ago | (#45961923)

They'll get to it. Right after they switch to metric

Re:Uh, it's not 40 million... (5, Insightful)

cusco (717999) | about 8 months ago | (#45962157)

Our banks are run by people who play "executive musical chairs". If something will save the bank a million dollars over the next ten years, but nothing for the first three years, it won't get implemented because the executives will have rotated out to another company by the time the savings could affect their quarterly bonuses. Chip and pin would cost the banks money to implement, so it won't happen until you get a set of executives who can see further than the next board meeting.

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45961051)

Speaks highly to just how important security is for the consumer credit industry, since we're the ones who take the hit on our credit reports, and having to go through the reissue mess. I guess you could NOT have one, and then be 'un-American' .... Yes, CC companies still have to handle the sorting of all this, but it's hard for me to take them seriously when this shit happens, and they reap billions annually in profits.

300Million Americans are being bent over, and the financial sector is acting like it's business as usual. At this point, I want Wall Street and the banking industry to come to a screeching halt for an entire week! I don't care how, but it needs to happen to get these fuckers to wake up and have Congress fix their fucking house! A man can dream, can't he?

Re:Uh, it's not 40 million... (0)

Anonymous Coward | about 8 months ago | (#45961627)

At this point, I want Wall Street and the banking industry to come to a screeching halt for an entire week! I don't care how, but it needs to happen to get these fuckers to wake up and have Congress fix their fucking house!

Isn't there something in the constitution regarding this? The justification of the public's need for firearms to overthrow a government that has become ineffective? Of course its not going to happen, the concept of the american people actually having a "well-regulated militia" for this purpose is laughable, its just a bunch of rednecks that *want* guns.

You assume they haven't. (0)

Anonymous Coward | about 8 months ago | (#45961163)

How long did it take Target to realize this and then how long did it take them to come forth?

Re:Uh, it's not 40 million... (1)

cdrudge (68377) | about 8 months ago | (#45964089)

The 110m number is comprised of 40m credit and debit cards as well as personal data of 70m individuals. The latter includes names, addresses, phone, and email records but not credit/debit card.

The 40m cards is not 40m customers, as customers may have used multiple cards during the breach. The 70m customer with stolen personal data also likely has a huge overlap with the 40m cards.

I can guarantee that almost all of that personal data is very readily available on public lists already, diminishing the impact as well as value of that portion of the data.

lying low (2)

contrapunctus (907549) | about 8 months ago | (#45960959)

ugh! lying low not laying low.

I thought card data was already being sold (1)

Anonymous Coward | about 8 months ago | (#45960963)

Supposedly one bank had already figured out the Target hack happened before Target announced it by buying back some of their own card data and checking the common point of purchase:
http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

Plastic is the past (1)

aacool (700143) | about 8 months ago | (#45961045)

To borrow from the Graduate, plastic has no future - is it really necessary to possess physical plastic cards and scan them? Not at all, the future is biometric/electronic/e-wallets and in at least one large retailer's case, regular customers will be able to walk out of the door without ever approaching a cash register.

Re:Plastic is the past (1)

kesuki (321456) | about 8 months ago | (#45961279)

"in at least one large retailer's case, regular customers will be able to walk out of the door without ever approaching a cash register."

rfid tags and 'walk through' charging is dubious at best. imagine a small smartphone app that jams the rfid tag signal with its own, at close range quite a bit can be stolen.

Really? (1)

crioca (1394491) | about 8 months ago | (#45961057)

I find this difficult to believe; for one the data can simply be sold off in smaller chunks, and secondly because there exist fences for this type of product that would be willing to purchase the data at a low-ball price and sit on it until the right buyer is found.

Re:Really? (1)

DarkOx (621550) | about 8 months ago | (#45963389)

Moreover the data has to be sold in chunks anyway. The card info pretty much has to be used in the region in which it was purloined. They don't have the CCV codes, so mostly they will need to make counterfeit cards and use them at physical locations, online will be difficult. There is already evidence the cards are being used in the region they were stolen from, and that makes sense to do otherwise would trip everyone's fraud monitoring.

So they are not trying to sell the whole grab to anyone to begin with.

Nearly worthless (0)

Anonymous Coward | about 8 months ago | (#45961191)

All of my cards have been replaced (i didn't request either) due to the breach. It seems banks are getting more cautious and replacing cards after big breaches like this. I'd imagine in a month or two 90% of the stolen card numbers will be worthless.

They're doing it wrong (1)

Jeremi (14640) | about 8 months ago | (#45961227)

Since it sounds like we are near the point where everybody's credit card will need replacing anywayâ¦. how about this?

Under the current credit card system, when I want to purchase something from Target (or from anybody else), I send them my name, credit card number, billing address, and security code. Anyone who has this information is able to bill any number of charges to my account, in any amount, for as long as they want to (or until I catch on and cancel the card).

That seems like a bit too much power. What I'd like instead is the ability to send information that the holder of that information can only use once, to initiate a single transaction, for a specified amount, and (ideally) only to a specified destination account. That way if (okay, when) some miscreant gets ahold of the data I sent, the damage they can do is limited to the amount specified in that one transaction -- I won't have to replace my credit card, and I won't have to fight the credit company to get thousands of dollars in charges reversed.

Given that it's 2014 already (the future!), surely a system like this (or better) is possible? Build it around BitCoin if you have to, they seem to manage it just fine.

Re:They're doing it wrong (0)

Anonymous Coward | about 8 months ago | (#45961509)

Several banks and credit card companies do offer virtual credit cards. You generate a new number, and give it a specific use period, with set charge limits. So, I can make a card good for $15/mo for 12 months, and not worry about a company auto-renewing me, or charging me for more money. Unfortunately, it's only for online use, and not in-store use. Maybe someone will make a "smart" card with an app that lets you set it on the fly some day.

An embarrassment of riches (1)

TheloniousToady (3343045) | about 8 months ago | (#45961259)

Not a bad problem to have from a hacker's point of view. As Mae West said, "Too much of a good thing can be wonderful."

garbage (1)

csumpi (2258986) | about 8 months ago | (#45961367)

This is stupid. Starting with the title:

"Target Hackers Have More Data Than They Can Sell" - so what? And based on what? Any guarantees?

"But it's also likely that they can't sell them" - but that leaves the possibility that they can, right?

"no one will buy the stolen goods in these amount" - why not? And why would they need to sell ALL to the same buyer? Couldn't they sell them in batches?

.

Re:garbage (1)

azadrozny (576352) | about 8 months ago | (#45964501)

We need to think of this like spam, where the cost of sending the second and subsequent spam messages is negligible. Even if these guys can't sell 95% of the card numbers they collected, it did not cost them much to collect them. Even to sell 1% of their take at $35 ea. is a lot of money. The volume is key here.

Implying (1)

CheezburgerBrown . (3417019) | about 8 months ago | (#45961463)

Implying they haven't been selling them in smaller batches.

What is the point of this article? (1)

Ecuador (740021) | about 8 months ago | (#45961515)

I mean, if you are in business of stealing something to sell, you can never have "too much". You just have to sell in packets or whatever is the usual instead of advertizing "hey! Anybody wanna buy 110 million CCs wink, wink, nudge, nudge!".
But most importantly, they had been stealing at least since November. And CCs are a "commodity" with an expiration date. You think if they wanted to sell them they have sat on them for all these months (when there was supposedly no "problem" finding buyers), waiting for something?
Low article even for /.
Not that I read it of course ;) The summary was too much already!

LOL (1)

bloggerhater (2439270) | about 8 months ago | (#45961695)

Bull. They will be selling these numbers for months. Many of the people who were impacted by this will never follow up by changing credit cards and pins. A large percentage of these numbers will remain valid until used.

  What we are going to see is more large scale attacks because these gray and black hat hackers have access to vast resources. Stolen credit cards are a favorite for buying cloud hosting.

Chip and PIN instead of BitCoin (1)

MacTechnic (40042) | about 8 months ago | (#45961803)

I think that the current US magnetic strip EMV credit card days are numbered.

Some form of two factor authentication should follow, which limits the vulnerability of the card information. Most european EMV credit cards use a Chip and PIN method of authentication, but the expense of these cards have been a deal breaker so far.

The heist is so big, I sometimes wonder, if it was done to destabilize the current US credit card system.

Re:Chip and PIN instead of BitCoin (0)

Anonymous Coward | about 8 months ago | (#45962001)

What's sad is Target's excuse is everyone's excuse, before they get hacked. "Security is so expensive, we'll roll the dice and pay out damages later rather than implementing a secure infrastructure".

Re:Chip and PIN instead of BitCoin (1)

bussdriver (620565) | about 8 months ago | (#45962331)

The Credit "industry" is one of the few big industries the USA still has. Cheap bastards never had a legitimate excuse - they simply do not want to spend the money or be the 1st one and compete with that extra overhead.

If they really cared about the issue and their losses (which I'm sure they have clever uses for,) they would LOBBY the US Government and regulation mandating chips would have happened already. The losses have to be significant enough.

Given the CIA was involved a while ago already and it likely has at least international implications that politicians are going to want to do something about it.

Nothing's changed... (1)

jasno (124830) | about 8 months ago | (#45962047)

Let's face it - credit cards are insecure. They always have been, and they still are. I have long operated under the assumption that all of my cards are compromised, but that someone hasn't gotten around to making use of them yet. Even 20+ years ago when I was trading cards using stolen voicemail boxes, we had more cards than we knew what to do with. Sure, there are organized gangs now using smurfs to work the cards, but they're still few in number. When you have say, 1/2 of all credit cards at your disposal, it's going to take you quite a while to go through them all, gang or no gang.

Until the economics change, the financial companies have no incentive to change things. Adding another step to a credit card transaction which reduces convenience, leading to even a infinitesimal amount of spending reduction, could easily cost more than all of the fraud combined.

Serious question (0)

Anonymous Coward | about 8 months ago | (#45962847)

When you buy some cards on that website, are you supposed to already have a fraudulent credit card?

It just doesn't seem smart to use your real credit card to purchase stolen credit card numbers.

The Silver Lining (1)

Kevin Fishburne (1296859) | about 8 months ago | (#45962865)

At least they didn't shoot someone then leave the goods laying there on the floor like idiots. Good for them, and go to jail. There are laws against that kind of griefing in this MMO.

www.buyastolencreditcard.com (1)

GauteL (29207) | about 8 months ago | (#45962881)

Now you too can own stolen credit card to buy all your online pr0n! All for the limited cost of $1. Nothing could be easier! Simply pay by Credit Card! No hassle!

Vapid piece (0)

Anonymous Coward | about 8 months ago | (#45963121)

So the crooks might've slurped in more data than they can handle (where have we heard that one before?) and so these "analysts" do a bit of back-of-the-envelope calculating and find cause to write a bit of a piece full of sensationalist terms like the now entirely meaningless "hacker" (which colour hat, eh? did you check?) and gratuitous repeating the same over and over again again to try and cover up that they really have not more than a sentence or two of speculation to share.

Thank you so much for wasting my time like this.

Speculative and Wrong (0)

Anonymous Coward | about 8 months ago | (#45963797)

Cause my credit card was stolen in the hack and charged $1000; so basically, they're wrong. Unless they pulled my card randomly out of a hat and I'm the most unlucky person on this earth they are and have been selling them.

Check my card number (1)

mikehilly (653401) | about 8 months ago | (#45964663)

Does anyone have that website handy where you can enter your card number to see if it was stolen? That could be pretty helpful for people to figure out their risk level here...
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>