Target hackers try new ways to use stolen card data

For the first time, hackers market stolen data with info on the location of store where card was used; experts say new strategy will slow detection

The techniques used by hackers to access credit and debit card data from Target shoppers suggest that the cyber crooks have found a troubling new way to stay ahead of the latest fraud detection processes.

Security blogger Brian Krebs, who first reported the Target data breach news last week, said on Sunday that compromised cards are being marketed online with information on the state, city and ZIP code of the Target store where they were used.

Fraud experts say the location information will likely allow buyers of the stolen data to use spoofed versions of cards issued to people in their immediate vicinity, Krebs wrote. "This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder's immediate geographic region," he said.

This is believed to be the first time that security experts have observed hyper-localized selling of stolen credit and debit card information following a retail breach.

Target last week disclosed that hackers had accessed data stored on some 40 million credit and debit cards belonging to shoppers who bought merchandise in its stores between Nov. 27 and Dec. 15.

The information exposed in the incident includes the cardholder's name, the credit or debit card number, the card's expiration date and the CVV security code used to activate the card in a store, Target said.

The breach is believed to have exposed data from cards distributed by most major U.S. credit card issuing banks and credit unions. JP Morgan Chase on Saturday announced that it had put restrictions on the amount that customers affected by the Target breach could spend or withdraw daily.

James Huguelet, an independent consultant who specializes in retail security, said Krebs' report concurs with sporadic reports after the breach that stolen Target cards were used fraudulently in areas close to where the owners of the cards lived.

Local use of a card makes it more likely that the crooks can use it for a relatively long period of time before a block is put on it, he said. "That makes such cards much more valuable to a criminal. This is a very clever tactic to increase the monetary value of each stolen card. It's one I've not seen used before," Huguelet said.

Card thieves typically sell stolen data to buyers around the world, making it likely that fraud detection tools used by banks will detect the crimes.

Fraud detection tools used by banks and other card issuers look closely at the location where a card is used and the frequency of its use to determine potential criminal use. Banks often decline transactions or require additional authentication for card transactions that originate from new or unexpected locations.

Such detection is harder when a stolen card is used within the area where the card is typically used.
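The following added example (not from the article or from any issuer's system) sketches the location and frequency checks described above as simple rules, and shows a local transaction passing the location rule while a tighter daily cap on cards known to be exposed, like the restrictions JP Morgan Chase announced, still fires. The rule names, thresholds, the use of the first three ZIP digits as a region, and all sample transactions are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def region(zip_code):
    # Assumption: the first three ZIP digits approximate a geographic region.
    return zip_code[:3]

def assess(txn, home_zip, history, exposed=False,
           burst_window=timedelta(hours=1), burst_max=3, exposed_daily_cap=300.0):
    """Return the names of the rules that fire for txn; an empty list means approve."""
    fired = []
    # Rule 1: location checked against the home ZIP and the most recent transactions.
    known = {region(home_zip)} | {region(h["zip"]) for h in history[-5:]}
    if region(txn["zip"]) not in known:
        fired.append("geo")
    # Rule 2: frequency of use within a short window before this transaction.
    burst = [h for h in history
             if timedelta(0) <= txn["time"] - h["time"] <= burst_window]
    if len(burst) >= burst_max:
        fired.append("velocity")
    # Rule 3: tighter daily spend cap for cards known to be exposed in a breach.
    if exposed:
        spent = sum(h["amount"] for h in history
                    if h["time"].date() == txn["time"].date())
        if spent + txn["amount"] > exposed_daily_cap:
            fired.append("exposed_daily_cap")
    return fired

def t(day, hour, minute, zip_code, amount):
    # Helper for building constructed sample transactions (December dates).
    return {"time": datetime(2013, 12, day, hour, minute),
            "zip": zip_code, "amount": amount}

# Constructed sample data: a cardholder whose normal activity is in one region.
HOME_ZIP = "55403"
HISTORY = [t(18, 9, 0, "55403", 12.50), t(19, 18, 30, "55411", 48.00),
           t(20, 12, 0, "55403", 20.00)]
REMOTE = t(21, 10, 0, "90210", 250.0)   # use far from the cardholder's region
LOCAL = t(21, 10, 0, "55411", 450.0)    # use inside the cardholder's region

def demo():
    return {
        "remote": assess(REMOTE, HOME_ZIP, HISTORY),
        "local": assess(LOCAL, HOME_ZIP, HISTORY),
        "local_exposed": assess(LOCAL, HOME_ZIP, HISTORY, exposed=True),
    }

if __name__ == "__main__":
    for name, rules in demo().items():
        print(name, rules or "approve")
```
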

"Whoever is behind this breach appears to have a tremendous amount of not only technical, but also retail operations and payment industry knowledge. This could indicate someone who has previously worked in the retail payments industry," Huguelet said.

Gartner analyst Avivah Litan said that card issuers and others have to significantly ramp up fraud detection capabilities to deal with the new threat.

"It's very significant because it shows how sophisticated the criminals are," Litan said. "They are trying to avoid being spotted by fraud detection systems that check the location of a transaction against the individual's home zip code and the location of that individual's most recent transactions."

This level of sophistication, combined with the sheer volume of active cards that were compromised, makes fraud detection far more difficult, Litan said. "Companies will need to beef up their fraud detection capabilities and strategies to overcome the criminals' tactics, which is not a simple task and which does not happen overnight," she said.

Major data breaches often have provided a window into the systemic weaknesses exploited by cyber criminals to infiltrate networks and to profit from data theft.

The 2007 breach at TJX Companies, in which hackers accessed data on 45 million credit and debit cards, showed how easily a poorly protected wireless network can be exploited to gain access to a payment network. Massive data compromises at Heartland Payment Systems and Hannaford Brothers in 2009 hammered home the dangers of SQL injection flaws in Web application software.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed.
