Target revealed that 40 million credit card numbers were stolen from its servers. Where did they go?
"Over the last few years, that data has been flowing primarily to Eastern Europe, to the former soviet bloc," says Kevin O’Brien with cloud security company CloudLock. That region, he says, has become an epicenter for data stealing malware. "These hackers post these programs or the output of these programs for sale."
Who buys them? In this case, people in the U.S.
Brian Krebs is a reporter/investigator with KrebsonSecurity.com, and he broke the Target data breach story. A credit card issuer asked him to go undercover to buy stolen credit card data, and to see if their cards were affected and whether they were related to the Target Breach.
Out of the approximately 125,000 cards issued by this institution, says Krebs, data from about 6,000 of them had been stolen.
"I expect that to grow, probably to about 12,000," Krebs says.
All of them, he says, were related to the Target breach.
"These cards are selling like hot cakes right now," adds Krebs. "Because the bad guys know we know."
The card numbers, says Krebs, are sold in bulk for up to $100 apiece. He usually sees prices ranging from $24 to $48 a card.
It may seem like a bargain for a card that could net a criminal hundreds if not thousands of dollars, but he says, “You never know if the card will end up working – only three to four out of every 10 typically end up being useable.”
He says "there is a finite number" of the "trustworthy" data sellers who offer high-quality stolen data and have a reputation of trustworthiness.
The transactions used to buy stolen data are extremely sophisticated, and yet somehow simple.
"You tell them what banks you’re interested in, and they’ll tell you how many cards from those banks that they have, then you put them in your shopping cart, you pay with bitcoin, and you’re off to the races," Krebs says.
There’s even a drop down bar, he says, where you can run credit checks on the stolen card data you’ve purchased to see if the cards have been canceled at the time of sale. You can even get a refund. It’s basically, like a criminal eBay.
"This level and pace of vulnerability will increase, partially because there is a recognized market for stolen data, and because the number of point of sale machines is increasing," says CloudLock’s Kevin O’Brien, referring to the explosion of apps that allow credit card payments to be processed from a computer, tablet or phone.
Brian Riley, Senior Research Director, CEB TowerGroup, says the past few years have also shown an increasing sophistication in fraud attacks.
"They’re much more organized plays, that’s the biggest take away from this," he says.
Consumers are not usually liable for fraudulent purchases, or at least not for much ($50-$75 typically). But they still need to be watching their balances like a hawk. Especially with debit cards, since it’s a bit more alarming to try to get missing deposits back than it is to dispute credit owed.
O’Brien advises that people look out not just for large purchases, but for miniscule ones. Accounts of cards whose data has been stolen will often show 'small micro-transactions of just say six or eight cents, something easily not noticed, just to validate that the card works."
When asked if he would cancel his card had it been used at Target, Brian Riley, with CEB Tower Group, had one word: