Tuesday, December 24, 2013

Target customer alert, December 24, 2013: the Target hackers are believed by at least one major bank (JP Morgan Chase and Santander, perhaps) to have stolen encrypted bank PINs. CONTACT YOUR BANK: change your PIN at a minimum, and consider replacing your debit card. Note that both JP Morgan Chase and Santander Bank have lowered limits on debit card withdrawals and purchases. The Target story keeps getting bigger: two banks have now reduced withdrawal and spending limits on debit cards, and class action suits multiply, first from customers, but the banks are going to "target" Target as well. Was the hack internal, or did it come in through the point-of-sale technology? The Krebs on Security articles below discuss the Target hack, the black market for stolen cards and who is running the scam.

http://rt.com/usa/us-banks-magnetic-card-target-651/

(The use of outdated card technology in the US, compared with Europe and Canada, gives thieves an edge; banks and retailers share the blame for the US weaknesses.)



Magnetic swipe: Obsolete credit card tech makes US prime Target for fraudsters

Published time: December 22, 2013 21:57
AFP Photo/Anne-Christine Poujoulat
The attack on millions of customers’ credit cards at retailer Target has exposed the outdated security tools used in banking. And while the US is scheduled to switch to more modern card protection in 2015, not all parties are interested in modernization.
“We are using 20th century cards against 21st century hackers. The thieves have moved on but the cards have not,” Mallory Duncan, general counsel at the National Retail Federation told AP.
Target has refused to specify the means by which fraudsters managed to steal the data of up to 40 million customers between November 27 and December 15. But almost all experts, citing industry sources and existing fraud cases, say most likely the data was siphoned with special devices attached to payment terminals, which scanned the magnetic strips on the back of the card.
This type of theft would have yielded far less usable data had the cards and terminals been chip and PIN, officially known as EMV: the chip authenticates each transaction with a one-time cryptogram, so data captured at the point of use cannot be replayed or written onto a counterfeit card. In contrast the technology on magnetic stripes is similar to that of cassette tapes, which became obsolete more than a decade ago; the data on a stripe is static and can easily be copied onto a blank card. (Chip cards still carry a magnetic stripe for fallback, so their stripe data can be skimmed and used wherever stripe-only terminals remain.)
More than 90 percent of all cards in the EU and four out of five in Canada use EMV. In total there are 1.6 billion of them around the world. Contrastingly, about 1 percent of US cards have the technology, and even those are not secure, as only one in ten American payment terminals can actually process information from the chip.
“The US is one of the last markets to convert from the magnetic stripe. There are fewer places in the world where that stolen data could be used. So the US becomes more of a high-value target,” Randy Vanderhoof, director of the EMV Migration Forum told UPI.
Major credit card issuers have told the US to fall in line with the rest of the world by October 2015. From that date onwards, whoever is responsible for the weakest link in the security chain will be left to foot the bill for a fraudulent transaction, which should theoretically incentivize banks and retailers to provide better security measures.
Only it isn’t that simple.
US banks have calculated that the amount they lose from fraud – on average – is smaller than paying for a rollout of brand new terminals and cards across the country. They also enjoy better fees for processing the cumbersome and ineffectual signature verifications than they would if the system was converted to PIN as elsewhere.
“Compared to the tens of millions of transactions that are taking place every day, even the fraud that they have to pay for is small compared to the profit they are making from using less secure cards,” said Duncan.
Meanwhile retailers do not want to foot the bill either, and have engaged in legal battles with banks, which are only likely to intensify as the new payment infrastructure has to be built.
In the rest of the world the changeover was either mandated by the government, or brand new payment systems were put in where cards had not been used before at all, as in developing markets.
Experts estimate that by October 2015 only 60 percent of cards will be compliant with the new technology requirements.
In the meantime, it is likely the customers will have to pay for the increased susceptibility to fraud – in the form of higher banking charges needed to cover the theft. Though the situation simply can’t carry on as now, particularly as US citizens are now often struggling to have their old-fashioned credit cards accepted in parts of the world.
“Part of the cost in the system is for fraud protection. It costs money, and someone's going to pay for it eventually,” Jason Oxman, chief executive of the Electronic Transactions Association, told AP.

http://uk.reuters.com/article/2013/12/24/uk-target-databreach-exclusive-idUKBRE9BN0L420131224


Exclusive: Target hackers stole encrypted bank PINs - source

BOSTON/NEW YORK Tue Dec 24, 2013 8:43pm GMT
Photo: People shop at a Target store during Black Friday sales in the Brooklyn borough of New York, November 29, 2013. (Reuters/Eric Thayer)

(Reuters) - The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.
Target spokeswoman Molly Snyder said "no unencrypted PIN data was accessed" and there was no evidence that PIN data has been "compromised." She confirmed that some "encrypted data" was stolen, but declined to say if that included encrypted PINs.


"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."


The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.


Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.


The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.


While bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.


The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused from the late November Thanksgiving holiday into the run-up to Christmas. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.
JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.


Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.


"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. "They definitely found something in the data that showed there was something happening with cash withdrawals."


BREAKING THE CODE


While encryption may keep amateur hackers from turning stolen PIN data into the digital keys to customer bank deposits, the concern is that it cannot stop the kind of sophisticated cyber criminal who was able to sit inside Target's systems for three weeks.


Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.


As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.
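What the "key used to unscramble encrypted PINs" actually protects, as an added example that is not from the article or from any of the parties it quotes. A PIN pad does not encrypt the bare PIN: it builds an ISO 9564-1 format 0 PIN block, which combines the PIN with the card number, and encrypts that one 8-byte block with triple DES under a PIN encryption key (PEK). That key is the whole secret. A four-digit PIN has only 10,000 possible values, but a guess cannot be checked against a captured ciphertext without the key, while anyone holding the key reads every captured PIN in a single decryption, which is why the anecdote above is alarming. The keys below are constructed for the example (a real PEK is generated inside an HSM or the PIN pad and never appears on a host), as are the card numbers, which are the standard Visa and Mastercard test numbers. The program builds the block, encrypts it, recovers the PIN with the right key, and shows that the wrong key yields nothing that passes the block's format checks.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Demo PIN encryption key, constructed for this example. A real PEK lives
// inside tamper-responsive hardware and is never visible in the clear.
var demoPEK = doubleLengthKey([]byte("0123456789ABCDEF"))

// A second constructed key standing in for an attacker's wrong guess.
var wrongPEK = doubleLengthKey([]byte("FEDCBA9876543210"))

// doubleLengthKey expands a 16-byte (two-key) TDES key, the usual length in
// payments, into the K1|K2|K1 form that crypto/des expects.
func doubleLengthKey(k []byte) []byte {
	if len(k) != 16 {
		panic("double-length TDES key must be 16 bytes")
	}
	return append(append([]byte{}, k...), k[:8]...)
}

// pinField builds the ISO 9564-1 format 0 PIN field: nibble 0 is the format
// (0), nibble 1 the PIN length, then the PIN digits, F-padded to 16 nibbles.
func pinField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return nil, errors.New("PIN must be numeric")
		}
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	s += strings.Repeat("F", 16-len(s))
	return hex.DecodeString(s)
}

// panField builds the format 0 PAN field: four zero nibbles followed by the
// rightmost 12 digits of the PAN with the Luhn check digit dropped.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return nil, errors.New("PAN must be numeric")
		}
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// clearPINBlock is pinField XOR panField. Binding the PAN in means the same
// PIN produces a different block, and so a different ciphertext, per card.
func clearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	nf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	for i := range out {
		out[i] = pf[i] ^ nf[i]
	}
	return out, nil
}

// encryptPINBlock is what the PIN pad does: one TDES block under the PEK.
func encryptPINBlock(pek, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// recoverPIN is what anyone holding the PEK can do with a captured block:
// decrypt, strip the PAN field, read the digits. With the wrong key the
// result fails the format 0 sanity checks and no PIN comes out.
func recoverPIN(pek, enc []byte, pan string) (string, error) {
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return "", err
	}
	dec := make([]byte, des.BlockSize)
	c.Decrypt(dec, enc)
	nf, err := panField(pan)
	if err != nil {
		return "", err
	}
	for i := range dec {
		dec[i] ^= nf[i]
	}
	h := strings.ToUpper(hex.EncodeToString(dec))
	if h[0] != '0' {
		return "", errors.New("not a format 0 block: wrong key or wrong PAN")
	}
	v, _ := strconv.ParseInt(h[1:2], 16, 0)
	n := int(v)
	if n < 4 || n > 12 {
		return "", errors.New("implausible PIN length: wrong key or wrong PAN")
	}
	digits := h[2 : 2+n]
	for _, c := range digits {
		if c < '0' || c > '9' {
			return "", errors.New("non-numeric PIN: wrong key or wrong PAN")
		}
	}
	if strings.Trim(h[2+n:], "F") != "" {
		return "", errors.New("bad padding: wrong key or wrong PAN")
	}
	return digits, nil
}

func main() {
	pan := "4111111111111111" // well-known test PAN, not a real account
	blk, _ := clearPINBlock("1234", pan)
	enc, _ := encryptPINBlock(demoPEK, blk)
	fmt.Printf("clear block %x, encrypted %x\n", blk, enc)
	pin, err := recoverPIN(demoPEK, enc, pan)
	fmt.Println("with the PEK:", pin, err)
	pin, err = recoverPIN(wrongPEK, enc, pan)
	fmt.Println("with the wrong key:", pin, err)
}
```

Two design points follow from the block format. Because the PAN is mixed into the block, a stolen ciphertext is useless without the matching card number, and identical PINs do not produce identical ciphertexts across cards. And because the PEK is the only secret, deployments that derive a fresh key per transaction (DUKPT) limit what one scraped key unlocks; a single static PEK shared across terminals, as in the consultant's anecdote above, unlocks everything encrypted under it.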


In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.
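How a RAM scraper finds card data in a register's memory, and how a responder finds the same thing, as an added example that is not from the article, from Packet Ninjas, or from any scraper's actual source; it also illustrates the magnetic-stripe skimming passage in the RT article above. Between the card reader and the encryption step, a point-of-sale process holds the swiped track data in the clear, and a scraper simply walks process memory for the track 1 and track 2 layouts (start sentinel, PAN, separator, expiry, service code, end sentinel). The same search, with a Luhn check to discard number-shaped noise, is how an incident responder confirms that clear track data is sitting in a POS process. One caveat to the paragraph above: on a PCI-compliant PIN pad the PIN is encrypted inside the pad itself, so what a scraper on the register normally harvests is the card number and expiry from the stripe, not the PIN. The memory snapshot below is constructed; the card numbers are the standard Visa and Mastercard test numbers plus one digit string that fails Luhn.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed snapshot of a POS process's memory: three track records in
// the clear among unrelated bytes.
var sampleMemory = []byte(
	"...\x00\x00POS v2.1\x00" +
		";4111111111111111=25121010000012345678?" + // track 2, valid Luhn
		"\x00\x00garbage\xff\xfe" +
		"%B5555555555554444^DOE/JANE^2512101000000000?" + // track 1, valid Luhn
		"\x00;1234567890123456=2512101?" + // track 2 shaped, fails Luhn
		"\x00\x00")

// Track 2: ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
// 3-digit service code, discretionary data, '?' end sentinel.
var track2Re = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})\d*\?`)

// Track 1: '%B' start sentinel and format code, PAN, '^', cardholder name,
// '^', YYMM expiry, 3-digit service code, discretionary data, '?'.
var track1Re = regexp.MustCompile(`%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?`)

// TrackHit is one record found in memory, with the PAN masked for reporting.
type TrackHit struct {
	Track       int
	PAN         string // first six and last four digits only
	Expiry      string // YYMM
	ServiceCode string
	Offset      int
	LuhnOK      bool
}

// luhnValid reports whether pan passes the Luhn check-digit test; a random
// run of digits fails it nine times out of ten, which keeps false hits down.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps the BIN and the last four digits, all a report should carry.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// scanForTrackData walks a memory buffer the way a scraper does and returns
// every track 1 and track 2 record it finds, in memory order.
func scanForTrackData(buf []byte) []TrackHit {
	var hits []TrackHit
	for _, m := range track2Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		hits = append(hits, TrackHit{Track: 2, PAN: maskPAN(pan),
			Expiry: string(buf[m[4]:m[5]]), ServiceCode: string(buf[m[6]:m[7]]),
			Offset: m[0], LuhnOK: luhnValid(pan)})
	}
	for _, m := range track1Re.FindAllSubmatchIndex(buf, -1) {
		pan := string(buf[m[2]:m[3]])
		hits = append(hits, TrackHit{Track: 1, PAN: maskPAN(pan),
			Expiry: string(buf[m[6]:m[7]]), ServiceCode: string(buf[m[8]:m[9]]),
			Offset: m[0], LuhnOK: luhnValid(pan)})
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Offset < hits[j].Offset })
	return hits
}

// confirmedHits drops matches that fail Luhn; what remains is clear card data.
func confirmedHits(hits []TrackHit) []TrackHit {
	var out []TrackHit
	for _, h := range hits {
		if h.LuhnOK {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	hits := scanForTrackData(sampleMemory)
	for _, h := range hits {
		fmt.Printf("offset %4d track %d pan %s exp %s sc %s luhn=%v\n",
			h.Offset, h.Track, h.PAN, h.Expiry, h.ServiceCode, h.LuhnOK)
	}
	fmt.Printf("%d confirmed card records in memory\n", len(confirmedHits(hits)))
}
```

Run against a real process dump, the same two patterns are what memory-scanning rules look for; the point for a defender is that if this search finds anything on a register, the data was exposed to any code running there, and only encrypting at the read head (point-to-point encryption) or moving to chip transactions takes the clear stripe data out of the register's memory.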
The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.


On December 21, JPMorgan, the largest U.S. bank, alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.


On Monday, the bank partly eased the limits it had imposed on Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases. (The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokeswoman said last week.)


On Monday, Santander - a unit of Spain's Banco Santander - followed suit, lowering the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred. Santander did not disclose the new limits, but said it was monitoring the accounts and issuing new cards to customers who were affected.


The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.

and.....



http://www.zerohedge.com/news/2013-12-25/target-hack-included-pin-numbers

(Basically, bank accounts are now at risk if you used a debit card recently, Black Friday to mid-December. For now that means at Target, but if the problem lies at the point-of-sale technology level rather than with the merchant, it could be any debit card used anywhere during the timeframe presently at issue.)

Target Hack Included PIN Numbers

When the first response taken by major banks such as JPMorgan, in the aftermath of the massive 40 million credit and debit card hack of the third largest US retailer Target, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape. And indeed, as Reuters reports, the hackers who compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs) according to a senior payments executive familiar with the situation. And since from there to emptying bank accounts and saved deposits is only a keystroke away, with no credit card processor intermediate to offload liability to, banks had no choice but to immediately limit debit card access for as much as 10% of their clients, in JPM's case, in an unprecedented first, which just may have shown the way of how to limit a cash withdrawal panic if and when the need to do so arises.
Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

...

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.
And since in black hat hacker circles what is known by one is known by all, it is only a matter of time before America's other largest retailers are hit by the same PIN scraping technique, which in turn "forces" the banks to once again lower ATM withdrawal limits on a few million other debit card users. Ironically, perhaps instead of focusing on where the poor and middle classes shop, it may be time for the black hat hacker community to take a look at companies like Netjets and Ferrari, where the PIN "scraping" wouldn't drain the funds of the median income American but focus on those who have directly benefited from Bernanke's ongoing asset inflation monetary experiment.


and...




http://www.cnbc.com/id/101293579



Banks could sue over Target breach

Published: Monday, 23 Dec 2013 | 2:04 PM ET
By: | Enterprise Reporter

Target announced that about 40 million credit and debit card accounts of customers who made purchases by swiping their cards at terminals in its U.S. stores between November 27 and December 15 may have been stolen.
Banks like Chase and Citibank could hit Target to help pay for the cost of cleaning up the mess of the retailer's recent loss of card information to hackers.
"Given the magnitude of the breach and what we've seen in the past, banks are likely to bring action," said information security expert Randy Sabett, an attorney at ZwillGen.
Target said on Dec. 19 that approximately 40 million credit and debit card accounts "may have been impacted" after being used to pay for purchases at its U.S. stores between Nov. 27 and Dec. 15. Chase and Citi moved over the weekend to monitor or impose limits on cards that were affected; Chase even reopened a third of its branches Sunday to help issue new cards and allow for large withdrawals.
Banks have sued merchants following large security breaches in the past. A 2007 hack of accounts at T.J. Maxx cost parent TJX Companies a reported $256 million in settlements with banks, credit card companies and others. And a 2009 breach at Heartland Payment Systems eventually cost the company $140 million, with more litigation ongoing.
It's not clear who will pay for potential fraudulent charges on the card numbers obtained by hackers, which are currently for sale on the black market. Typically, the banks that issue credit cards like Chase and Citi are reimbursed by merchants—via credit card companies like Visa and MasterCard—where a fraudulent purchase is made online or over the phone. But banks themselves are often on the hook if the purchase is made in person at a store.
What's less clear is if banks will be reimbursed for other costs, like replacing cards or extra branch hours. That's where lawsuits likely come in.
"The banks are definitely going to want to get their customer service cost back," said Avivah Litan of research firm Gartner. She said banks may sue individually or, more likely, go through Visa and MasterCard to reach a settlement with Target.
The central issue will be Target's potential negligence. Deciding to what extent the company is responsible will involve teams of forensic investigators and lawyers. Target will likely say it had the best security system possible and was compliant with industry standards, but that the hackers were just too sophisticated. Banks and credit card companies will likely argue that Target's data security was insufficient.
While merchants often pay for security breaches where they are at fault, "the mere fact that you had a breach doesn't mean you are necessarily liable," said attorney Sabett.
Target could also be fined for violations of credit card association rules if the data breach could have been prevented, according to experts.
Chase declined to comment on any potential litigation or the costs associated with the Target breach. "We are working to protect the accounts of our customers–that's our focus right now," said bank spokeswoman Patricia Wexler.
Bank of America also wouldn't comment on Target litigation. It did reiterate that its customers don't have to pay for fraudulent charges.
A spokesperson for Citi declined to comment on suing. "We are focused on taking steps to protect our customers," said Emily Collins.
Besides banks, Target could face legal actions from consumers and state officials. But it's unclear if they will be successful.
Three class-action lawsuits have already been filed and government lawyers from Connecticut, Massachusetts, New York and South Dakota have asked Target for information about the breach, according to USA Today.
Target did not comment on potential liability. "I can assure you that our guests will not be held financially responsible for any credit or debit card fraud," said spokeswoman Katie Boylan.



http://www.dailymail.co.uk/news/article-2529035/Target-warns-customers-aware-phishing-scams-hackers-steal-details-45-million-credit-cards.html




The hackers who attacked Target Corp and compromised more than 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers, according to a senior payments executive familiar with the situation.

One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

Target spokeswoman Molly Snyder said 'no unencrypted PIN data was accessed' and there was no evidence that PIN data has been 'compromised'.


She confirmed that some 'encrypted data' was stolen, but declined to say if that included encrypted PINs.

'We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date,' Snyder said by email. 

'We are very early in an ongoing forensic and criminal investigation.'

The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.

Target has not said how its systems were compromised, though it described the operation as 'sophisticated'.

The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

The news comes as the retailer says it has learned of some incidents of scam emails related to its recent data breach.

The company says it is aware of 'limited instances' of scam emails, but does not have specific information. 

The Minneapolis retailer says it is creating a section of its website for Target's official communications so customers can verify the authenticity of notes from the retailer. 



The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

CBS News reports the company faces at least 15 lawsuits seeking class action status as a result of the cyber-attack.

The suits were filed by people who claim their information was stolen, and they allege Target either failed to properly secure the customer data, did not promptly notify customers of the breach or both.
But with so little information disclosed so far about the breach, it is unclear whether the plaintiffs will be able to prove their allegations.

Meanwhile, Democratic U.S. Senators, Richard Blumenthal of Connecticut and Chuck Schumer of New York, have asked the U.S. Federal Trade Commission to investigate the breach.

'If Target failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects their personal information,' Blumenthal said in a letter to FTC Chairwoman Edith Ramirez today.

'Its conduct would be unfair and deceptive.'

Tricky: Credit card information stolen from a Target customer was used to purchase a gift card that then was used to buy $20,000 worth of Apple products found in a Brooklyn car

http://article.wn.com/view/2013/12/23/Santander_Takes_Extra_Precautions_to_Protect_Debit_and_Credi/#/related_news


http://www.prnewswire.com/news-releases/santander-takes-extra-precautions-to-protect-debit-and-credit-card-customers-impacted-by-data-breach-at-target-237080601.html





Santander Takes Extra Precautions to Protect Debit and Credit Card Customers Impacted by Data Breach at Target

BOSTON, Dec. 23, 2013 /PRNewswire/ -- To protect customers who used their Santander and Sovereign branded debit and credit cards at Target between November 27 and December 15 when the retailer experienced a data breach, Santander Bank, N.A. today announced it is lowering the daily limits on cash withdrawals and purchases on these cards.

Santander is taking these precautions to protect its customers' accounts from fraud. The Bank is monitoring these accounts for suspicious activity and is issuing new cards to impacted customers.
Santander is encouraging customers to monitor their accounts and report transactions they do not recognize. Customers are reminded that there is zero liability for unauthorized purchases made without a PIN when Santander is promptly notified.
Customers can view their account online at Santander.com or via mobile banking. Customers who have questions can contact the telephone number on the back of their card. Due to the Christmas holiday, the Customer Contact Center will have limited service starting on the afternoon of December 24 through the morning of December 26.



Krebs on security articles....



http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/


Who’s Selling Credit Cards from Target?


The previous two posts on this blog have featured stories about banks buying back credit and debit card accounts stolen in the Target hack and that ended up for sale on rescator[dot]la, a popular underground store. Today’s post looks a bit closer at open-source information on a possible real-life identity for the proprietor of that online fraud shop.
Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of the Russian and English language crime forum Lampeduza[dot]la. He operates multiple online stores that sell stolen card data, including rescator[dot]la, kaddafi[dot]hk, octavian[dot]su and cheapdumps[dot]org. Rescator also maintains a presence on several other carding forums, most notably cpro[dot]su and vor[dot]cc.
A private message on cpro[dot]su between Rescator and a member interested in his card shop. Notice the ad for Rescator’s email flood service at the bottom; this will become important as you read on.
In an Aug. 2011 thread that has since been deleted, Rescator introduced himself to the existing members of vor[dot]cc, a fairly exclusive Russian carding forum. When new members join a carding community, it is customary for them to explain their expertise and list previous nicknames and forums on which they have established reputations.
Rescator, a.k.a. “Hel” a.k.a. “Helkern” the onetime administrator of the Darklife forum, introduces himself to vor[dot]cc crime forum members.
In this particular thread, pictured in the screenshot above, we can see Rescator listing his bona fides and telling others he was “Hel,” one of three founders of darklife[dot]ws, a now-defunct hacker forum.
Rescator says his former nickname was “Hel,” short for Helkern, the administrator of Darklife.
The only darklife member who matched that nickname was “Helkern,” one of darklife’s three founders. Darklife administrators were all young men who fancied themselves skilled hackers, and at one point the group hacked into the venerable and closely-guarded Russian hacking forum cih[dot]ms after guessing the password of an administrator there.
Darklife admin “Helkern” brags to other members about hacking into cih[dot]ms, a more elite Russian hacking forum.
In a counterattack documented in the entertaining thread that is still posted as a trophy of sorts at cih[dot]ms/old/epicfail, hackers from cih[dot]ms hack into the Darklife forum, and post personal photos of Helkern and fellow Darklife leaders, including these two of Helkern:
(Two photos of Helkern, and a self-portrait of Helkern, not reproduced here.)
So if Helkern is Rescator, who is Helkern? If we check at some of the other Russian forums that Helkern was active in at the time that Darklife was online in 2008, we can see he was a fairly frequent contributor to the now-defunct Grabberz[dot]com; in this cached post, Helkern can be seen pasting an exploit he developed for a remote SQL injection vulnerability. In it, he claims ownership of the ICQ instant messenger address 261333.
In this introductions page from a Russian language gaming forum, a user named Helkern also was active in 2008 and claimed that same ICQ address. Helkern said his email address was root@helkern.net.ua, his Skype address was helkern_skype, and that he lived in Odessa, the third-largest city in Ukraine. Helkern — going by his shortened username “Hel,” also was a VIP member of xaker[dot]name. In this cached post we can see him again claiming the 261333 ICQ address, and pointing out to other members that his real nickname is Helkern.
Andrew from Odessa’s LiveJournal profile pic from the account ikaikki
A historic WHOIS lookup ordered from domaintools.com shows that helkern.net.ua was first registered in 2008 to an Andrey Hodirevski from Illichivsk, a city in the Odessa province of southwestern Ukraine.
I located a relatively recent Livejournal profile (ikaikki.livejournal.com/profile) for an Andrew Hodirevski from Odessa, Ukraine that includes several profile pictures which are remarkably similar to the photos of Helkern leaked by the cih[dot]ms guys. That profile (“ikaikki”) says Hodirevski’s email address is ikaikki@livejournal.com, that his Jabber instant message address is ikaikki@neko.im, and that his Twitter account is “purplexcite” (that Twitter has since been deleted). In almost a dozen posts on LiveJournal, Hodirevski talks about his interest in Java programming, and even includes a few pictures of himself attending an instructional class on Java.
The same anime profile image for Andrew’s LiveJournal page is also on the LinkedIn profile for an Andrew Hodirevski from Ukraine, and the two pages share the aforementioned Twitter profile (purplexcite). Andrew’s LinkedIn page also says he is the administrator and Web developer at a hosting company in Ukraine called ghost.ua. 
That site is no longer online, but a cached copy of it at archive.org shows that the business is located in Odessa at this address, and the phone number +38 (048) 799-53-13. Ghost.ua lists several pricing plans for its servers, naming them after different despotic leaders, including Fidel Castro and Muammar Gaddafi (it is spelled “Kaddafi” on Ghost.ua). Recall as I mentioned at the top of this post that one of the clones of the card shop at Rescator[dot]la is kaddafi[dot]hk.
This page at it-portfolio.net lists an Andrey Hodirevski from Odessa with the same anime profile image, the “purplexcite” Twitter profile, and a Skype address by the same name. It says his professional skills include programming in Java, CakePHP and MySQL, among others. This Google groups discussion about CakePHP includes a message from an Andrey Hodirevski who uses the email address andrew@purpled.biz.
Purpled.biz is no longer online, but a cached copy of it from archive.org shows it was once Andrew’s personal site. Here we learned that Andrew’s current goals (as of 2010) were to get married to his girlfriend, buy the $20,000 Toyota Solara pictured below, move to Helsinki, and to achieve world domination. In order to accomplish the latter goal, Andrew jokes that he “will probably have to rob all the banks in the world.”
After searching my huge personal archive of hacked cybercrime forums for Andrew’s various email and Jabber addresses, I found several private messages sent by different users on the Spamdot[dot]biz forum who recommended to other members the “ikaikki@neko.im” Jabber address as someone to contact in order to hire a service that could be used to flood someone’s Gmail inbox with tens or hundreds of thousands of junk messages. Recall that this Jabber address is the same one listed at Andrew’s LiveJournal profile.
To bring this full circle, one of the many services that Rescator sells these days is a popular email flooding service at rescator[dot]me. Turns out, Yours Truly has already been the direct target of an attack launched through Rescator’s service; I wrote about it in this July 2012 story, Cyberheist Smokescreen: Email, Phone, SMS Floods.
The email flood service at rescator[dot]me
I have no idea if Rescator/Helkern/Andrew was involved in hacking Target, but it’s a good bet that he at least knows who was. I sought comment from various contact addresses listed above for this individual, and received a reply from someone at kaddafi[dot]me who said he knew Andrew and would relay my questions to him. Ultimately, he came back to me not with answers, but with a bribe not to run my story.
(1:48:35 PM) krebs//: hi
(1:48:44 PM) krebs//: brian krebs here
(1:49:05 PM) krebs//: trying to reach rescator
(1:49:11 PM) krebs//: aka andrey
(1:51:12 PM) krebs//: don’t believe it’s really krebs?
(1:51:15 PM) krebs//: http://krebsonsecurity.com/wp-content/uploads/2013/12/kaddaficon.png
(1:53:32 PM) krebs//: :)
(1:53:53 PM) krebs//: tyt?
(2:00:14 PM) kaddafi.me: Hello Brian :)
(2:00:24 PM) kaddafi.me has not been authenticated yet. You should authenticate this buddy.
(2:00:24 PM) Unverified conversation with kaddafi.me/Muammar started. Your client is not logging this conversation.
(2:00:30 PM) kaddafi.me: ooo you’ve got OTR
(2:00:37 PM) kaddafi.me: Afraid of NSA? )
(2:01:38 PM) kaddafi.me: Why do you want to talk to Andrew?
(2:03:46 PM) krebs//: i am more afraid of others
(2:03:56 PM) The privacy status of the current conversation is now: Private
(2:04:11 PM) kaddafi.me: Yeah well you should after someone sent you drugs from silkroad.
(2:04:24 PM) krebs//: :)
(2:04:59 PM) krebs//: you’re right of course, it’s andrew :)
(2:05:17 PM) kaddafi.me: What’s all the commotion about Rescator anyways?
(2:05:20 PM) krebs//: well i have a story about him going up tomorrow
(2:05:23 PM) kaddafi.me: Did you even notice other shops are selling same shit?
(2:05:32 PM) krebs//: sure
(2:05:46 PM) krebs//: but I’m not looking at other shops right now
(2:06:05 PM) kaddafi.me: Well you should )
(2:06:10 PM) krebs//: in time :)
Kaddafi promised a response by 10 p.m. ET yesterday. This morning, not seeing a response, I pinged this individual again, and received the following response:
(10:08:46 AM) kaddafi.me: Hi.
(10:09:19 AM) kaddafi.me: You better contact me from another jabber that’s not associated with your name, I’ve got an offer for you.
(10:11:12 AM) krebs//: why from a different jabber?
(10:11:33 AM) kaddafi.me: Because I’ve got an offer for you. So you don’t think I’m trying to play games and fool around with logs after you read my offer.
(10:11:52 AM) krebs//: what kind of offer?
(10:12:27 AM) $10.000 not to post your article
Obviously, I did not take him up on his offer, assuming he was not just messing with me. Here is a mind map I put together (using MindNode Pro for Mac) that outlines how much of this information was derived and connected.

http://krebsonsecurity.com/2013/12/non-us-cards-used-at-target-fetch-premium/



Non-US Cards Used At Target Fetch Premium


An underground service that is selling credit and debit card accounts stolen in a recent data breach at retail giant Target has stocked its virtual shelves with a new product: Hundreds of thousands of cards issued by non-U.S. banks that were used at Target across the United States during the retailer’s 19-day data breach. It’s not clear how quickly the non-U.S. cards are selling, but they seem to be fetching a much higher price than those issued by U.S. banks.
On Dec. 20, this blog published a story about the “card shop” rescator[dot]la. That piece explained how two different banks — a small, community bank and a large, top-10 bank — had bought back their customers’ stolen cards from the fraud service and discovered that all of the purchased cards had been used at Target during the breach timeframe. The shop was selling data stolen from the magnetic stripe of each card, which thieves can re-encode onto new, counterfeit cards and use to go shopping in bricks-and-mortar stores for items that can easily be fenced or resold.
As I wrote in that story, a key feature of this particular shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle” (also an island in the Caribbean long associated with pirates). The small bank similarly found that all of the cards it purchased from the card shop also bore the Tortuga base name, and all had been used at Target.
Cards stolen from non-US customers who shopped at Target are sold under the "Barbarossa" base.
On Friday, the proprietor of this card shop announced the availability of a new base — “Barbarossa” — which consists of more than 330,000 debit and credit cards issued by banks in Europe, Asia, Latin America and Canada [side note: one Russian expert I spoke with said Barbarossa was probably a reference to Operation Barbarossa, the code name for Germany's invasion of the Soviet Union during World War II].
According to one large bank in the U.S. that purchased a sampling of cards across several countries — all of the cards in the Barbarossa base also were used at Target during the breach timeframe.
As with cards sold under the Tortuga base, debit and credit cards for sale as part of the Barbarossa base list the country of origin for the issuing bank, and then directly underneath include the state, city and ZIP code of the Target store from which the card numbers were stolen.
When I first became aware that this card shop was selling only cards stolen from Target stores, I noticed a discussion on a related crime forum wherein customers of this shop seemed very enthusiastic about this ZIP code feature. I couldn’t figure out what the big deal was: I’d assumed the state, city and ZIP described the bank that issued the card.
Later, I learned from a fraud expert that this feature is included because it allows customers of the shop to buy cards issued to cardholders that live nearby. This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder’s immediate geographic region.
Non-U.S. cards used at Target generally fetch higher prices than U.S. cards, between $67 and $100 apiece.
The cards for sale in the Barbarossa base vary widely in price from $23.62 per card to as high as $135 per card. The prices seem to be influenced by a number of factors, including the issuing bank, the type of card (debit or credit), how soon the card expires, and whether the card bears a special notation that often indicates a higher credit limit, such as a Platinum card.
The prices also appear to be influenced partly by how rare it is to find cards for a specific bank available on the black market. The highest-priced cards I found for sale were issued by banks in Singapore, South Korea and the United Arab Emirates.
Barbarossa base cards issued by Canadian banks. Note that the city, state and ZIP code listed indicate the location of the Target store from which the card was stolen.

http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/

Cards Stolen in Target Breach Flood Underground Markets


Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.
Prior to breaking the story of the Target breach on Wednesday, Dec. 18, I spoke with a fraud analyst at a major bank who said his team had independently confirmed that Target had been breached after buying a huge chunk of the bank’s card accounts from a well-known “card shop” — an online store advertised in cybercrime forums as a place where thieves can reliably buy stolen credit and debit cards.
There are literally hundreds of these shady stores selling stolen credit and debit cards from virtually every bank and country. But this store has earned a special reputation for selling quality “dumps,” data stolen from the magnetic stripe on the backs of credit and debit cards. Armed with that information, thieves can effectively clone the cards and use them in stores. If the dumps are from debit cards and the thieves also have access to the PINs for those cards, they can use the cloned cards at ATMs to pull cash out of the victim’s bank account.
At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach. One of those institutions noticed that one card shop in particular had recently alerted its loyal customers about a huge new batch of more than a million quality dumps that had been added to the online store. Suspecting that the advertised cache of new dumps were actually stolen in the Target breach, fraud investigators with the bank browsed this card shop’s wares and effectively bought back hundreds of the bank’s own cards.
When the bank examined the common point of purchase among all the dumps it had bought from the shady card shop, it found that all of them had been used in Target stores nationwide between Nov. 27 and Dec. 15. Subsequent buys of new cards added to that same shop returned the same result.
On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15. Not long after that announcement, I pinged a source at a small community bank in New England to see whether his institution had been notified by Visa or MasterCard about specific cards that were potentially compromised in the Target breach.
This institution has issued a grand total of more than 120,000 debit and credit cards to its customers, but my source told me the tiny bank had not yet heard anything from the card associations about specific cards that might have been compromised as a result of the Target breach. My source was anxious to determine how many of the bank’s cards were most at risk of being used for fraud, and how many should be proactively canceled and re-issued to customers. The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.
On the other hand, this bank had identified nearly 6,000 customer cards — almost 5 percent of all cards issued to customers — that had been used at Target stores nationwide during the breach window described by the retailer.
“Nobody has notified us,” my source said. “Law enforcement hasn’t said anything, our statewide banking associations haven’t sent anything out…nothing. Our senior legal counsel today was asking me if we have positive confirmation from the card associations about affected cards, but so far we haven’t gotten anything.”
When I mentioned that a big bank I’d spoken with had found a 100 percent overlap with the Target breach window after purchasing its available cards off a particular black market card shop called rescator[dot]la, my source at the small bank asked whether I would be willing to advise his fraud team on how to do the same.
CARD SHOPPING
Ultimately, I agreed to help in exchange for permission to write about the bank’s experience without actually naming the institution. The first step in finding any of the bank’s cards for sale was to browse the card shop’s remarkably efficient and customer-friendly Web site and search for the bank’s “BINs”; the Bank Identification Number is merely the first six digits of a debit or credit card, and each bank has its own unique BIN or multiple BINs.
According to the “base” name for all stolen cards sold at this card shop, the proprietor sells only cards stolen in the Target breach.
A quick search on the card shop for the bank’s BINs revealed nearly 100 of its customers’ cards for sale, a mix of MasterCard dumps ranging in price from $26.60 to $44.80 apiece. As one can imagine, this store doesn’t let customers pay for purchases with credit cards; rather, customers can “add money” to their accounts using a variety of irreversible payment mechanisms, including virtual currencies like Bitcoin, Litecoin, WebMoney and PerfectMoney, as well as the more traditional wire transfers via Western Union and MoneyGram.
With my source’s newly registered account funded via wire transfer to the tune of USD $450, it was time to go shopping. My source wasn’t prepared to buy up all of the available cards that match his institution’s BINs, so he opted to start with a batch of 20 or so of the more recently-issued cards for sale.
Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.
A graphic advertisement for stolen cards sold under the "Tortuga" base.
A key feature of this particular dumps shop is that each card is assigned to a particular “base.” This term is underground slang that refers to an arbitrary code word chosen to describe all of the cards stolen from a specific merchant. In this case, my source at the big bank had said all of the cards his team purchased from this card shop that matched Target’s Nov. 27 – Dec. 15 breach window bore the base name Tortuga, which is Spanish for “tortoise” or “turtle.”
Indeed, shortly after the Target breach began, the proprietor of this card shop — a miscreant nicknamed “Rescator” and a key figure on a Russian-language cybercrime forum known as “Lampeduza” — was advertising a brand new base of one million cards, called Tortuga.
Rescator even created a graphical logo in the Lampeduza forum’s typeface and style, advertising “valid 100% rate,” and offering a money-back guarantee on any cards from this “fresh” base that were found to have been canceled by the card issuer immediately after purchase. In addition, sometime in December, this shop ceased selling cards from other bases aside from those from the Tortuga base. As the month wore on, new Tortuga bases would be added to the shop, with each base incrementing by one with almost every passing day (e.g., Tortuga1, Tortuga2, Tortuga3, etc.).
Another fascinating feature of this card shop is that it appears to include the ZIP code and city of the store from which the cards were stolen. One fraud expert I spoke with who asked to remain anonymous said this information is included to help fraudsters purchasing the dumps make same-state purchases, thus avoiding any knee-jerk fraud defenses in which a financial institution might block transactions out-of-state from a known compromised card.
The New England bank decided to purchase 20 of its own cards from this shop, cards from Tortuga bases 6-9, and Tortuga 14 and 15. The store’s “shopping cart” offers the ability to check the validity of each purchased card. Any cards that are checked and found to be invalid automatically get refunded. A check of the cards revealed that just one of the 20 had already been canceled.
The bank quickly ran fraud and common point-of-purchase analyses on each of the 19 remaining cards. Sure enough, the bank’s database showed that all had been used by customers to make purchases at Target stores around the country between Nov. 29 and Dec. 15.
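The common point-of-purchase analysis described here, and the earlier step where the small bank counted every card that had transacted at Target inside the breach window, is straightforward to reproduce over an issuer's own authorization ledger. The following is an added example written for this page, not code from the article or from either bank; the card identifiers, merchant names and dates are constructed sample data, and `Txn`, `merchant_coverage`, `common_points_of_purchase` and `exposed_cards` are names chosen for the example.

```python
"""
Common point-of-purchase (CPP) analysis, as an issuer's fraud team would run it.

Added example (not the article's or any bank's code). Input: a list of
transactions from the issuer's ledger and the set of cards already confirmed
compromised (for instance, cards bought back from a dumps shop). Output: the
merchant(s) every compromised card has in common, the exposure window observed
on those cards, and the full population of cards that transacted at that
merchant inside the window, i.e. the cards to monitor or re-issue.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Set, Tuple


class Txn(NamedTuple):
    card: str       # card identifier; an issuer would use a token, never a raw PAN
    merchant: str   # merchant as recorded in the issuer's authorization ledger
    when: date      # transaction date


def merchant_coverage(txns: List[Txn], compromised: Set[str]) -> List[Tuple[str, int]]:
    """Per merchant, the number of distinct compromised cards that transacted there,
    sorted so the strongest common-point candidate comes first."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for t in txns:
        if t.card in compromised:
            seen[t.merchant].add(t.card)
    return sorted(((m, len(cards)) for m, cards in seen.items()),
                  key=lambda mc: (-mc[1], mc[0]))


def common_points_of_purchase(txns: List[Txn],
                              compromised: Set[str]) -> List[Tuple[str, date, date]]:
    """Merchants used by *every* compromised card, each with the exposure window
    observed on those cards (earliest and latest compromised-card transaction).
    Returns an empty list when no single merchant explains all of the cards."""
    if not compromised:
        return []
    full = [m for m, n in merchant_coverage(txns, compromised) if n == len(compromised)]
    result = []
    for m in full:
        dates = [t.when for t in txns if t.merchant == m and t.card in compromised]
        result.append((m, min(dates), max(dates)))
    return result


def exposed_cards(txns: List[Txn], merchant: str, start: date, end: date) -> Set[str]:
    """Every card that transacted at `merchant` between start and end inclusive:
    the population to watch or re-issue, not only the cards already confirmed."""
    return {t.card for t in txns if t.merchant == merchant and start <= t.when <= end}


# Constructed sample ledger. Cards 01-05 are the "bought back" cards; card-05 was
# issued recently and has only ever been used at the one merchant.
D = date
SAMPLE_TXNS = [
    Txn("card-01", "TARGET T-0001", D(2013, 11, 29)),
    Txn("card-01", "GROCER A", D(2013, 11, 30)),
    Txn("card-02", "TARGET T-0001", D(2013, 12, 3)),
    Txn("card-02", "GAS B", D(2013, 12, 4)),
    Txn("card-03", "TARGET T-0001", D(2013, 12, 8)),
    Txn("card-03", "GROCER A", D(2013, 12, 9)),
    Txn("card-04", "TARGET T-0001", D(2013, 12, 15)),
    Txn("card-04", "GROCER A", D(2013, 12, 1)),
    Txn("card-04", "GAS B", D(2013, 12, 2)),
    Txn("card-05", "TARGET T-0001", D(2013, 12, 10)),
    # Cards not (yet) confirmed compromised:
    Txn("card-06", "TARGET T-0001", D(2013, 12, 1)),   # inside the window: exposed
    Txn("card-07", "TARGET T-0001", D(2013, 11, 20)),  # before the window: not exposed
    Txn("card-08", "GROCER A", D(2013, 12, 5)),        # never at the CPP merchant
]
COMPROMISED = {"card-01", "card-02", "card-03", "card-04", "card-05"}


if __name__ == "__main__":
    for m, n in merchant_coverage(SAMPLE_TXNS, COMPROMISED):
        print(f"{m:15} {n}/{len(COMPROMISED)} compromised cards")
    for m, start, end in common_points_of_purchase(SAMPLE_TXNS, COMPROMISED):
        exposed = exposed_cards(SAMPLE_TXNS, m, start, end)
        print(f"CPP: {m}, observed window {start}..{end}; "
              f"{len(exposed)} cards exposed, {len(exposed - COMPROMISED)} not yet confirmed")
```

The window returned by `common_points_of_purchase` is only what the confirmed cards reveal; it is a lower bound on the real exposure. Once the merchant publishes its own window (Nov. 27 – Dec. 15 in this case), pass those dates to `exposed_cards` instead, which is what the New England bank effectively did when it counted nearly 6,000 cards used at Target during the breach window. The coverage list also matters when no merchant reaches 100 percent: a card with no transactions on file, or a second breach mixed into the same batch, shows up as a merchant that explains most but not all of the cards.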
“Some of these already have confirmed fraud on them, and a few of them were actually just issued recently and have only been used at Target,” my source told me. Incredibly, a number of the cards were flagged for fraud after they were used to make unauthorized purchases at big box retailers, including — wait for it — Target. My source explained that crooks often use stolen dumps to purchase high-priced items such as Xbox consoles and high-dollar amount gift cards, goods that can be fenced, auctioned or otherwise offloaded quickly and easily for cash.
My source said his employer isn’t yet sure which course of action it will take, but that it’s likely the bank will re-issue some or all of the 5,300+ cards affected by the Target breach — most likely sometime after Dec. 25.
The bank is unconcerned that its cards compromised in the Target breach might be used for online shopping fraud because the stolen data does not include the CVV2 — the three digit security code printed on the backs of customer cards. Most online merchants require customers to supply the CVV2 as proof that they possess the legitimate, physical card for the corresponding account that is being used to fund the online purchase.
Update, 5:20 p.m. ET: In a message to consumers, Target CEO Gregg Steinhafel said Target would be offering free credit monitoring for affected customers. Not sure how credit monitoring helps with this specific breach, but at any rate here’s the rest of his statement:
“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.
We want our guests to understand that just because they shopped at Target during the impacted time frame, it doesn’t mean they are victims of fraud. In fact, in other similar situations, there are typically low levels of actual fraud. Most importantly, we want to reassure guests that they will not be held financially responsible for any credit and debit card fraud. And to provide guests with extra assurance, we will be offering free credit monitoring services. We will be in touch with those impacted by this issue soon on how and where to access the service.
We understand it’s been difficult for some guests to reach us via our website and call center. We apologize and want you to understand that we are experiencing unprecedented call volume. Our Target teams are working continuously to build capacity and meet our guests’ needs.
We take this crime seriously. It was a crime against Target, our team members, and most importantly, our guests. We’re in this together, and in that spirit, we are extending a 10% discount – the same amount our team members receive – to guests who shop in U.S. stores on Dec. 21 and 22. Again, we recognize this issue has been confusing and disruptive during an already busy holiday season. We want to emphasize that the issue has been addressed and let guests know they can shop with confidence at their local Target stores.”