Two men arrested by authorities in Texas may have used credit card numbers that were recently stolen from some 40 million Target customers.
McAllen, Texas, Police Chief Victor Rodriguez said Monday that two Mexican citizens arrested Sunday at the U.S.-Mexico border used account information stolen during the Target security breach. The chief said the alleged fraudsters bought tens of thousands of dollars' worth of merchandise.
A spokesman for the department said federal investigators have indicated the card numbers used were connected to the Target data theft.
"The accounts used last week, it's our understanding that they're related to that breach," Lt. Joel Morales said. "The department has teamed up with [U.S. Immigration and Customs Enforcement] and the Secret Service and financial and banking institutions, and we learned that these accounts are part of that breach."
However, the Secret Service has not confirmed that the cards are connected to the data breach. Secret Service officials say they are working with other agencies to determine if there is any connection, but so far have not made that determination.
If the account numbers in question in Texas were among the numbers stolen from Target customers, it's also possible they were not actually part of the data breach. The numbers could have been obtained by other criminals through other means, including unscrupulous merchants and retail and restaurant employees who steal numbers. They also may be from a data breach at another retailer.
"Only time will tell," said Mark Lanterman, chief technology officer for Computer Forensics Services of Minnetonka. "But they certainly could have been obtained some other way. Some other retailer may have been breached. I believe it's premature to state this information is directly linked to the Target data breach."
Lanterman, a former member of the U.S. Secret Service Electronic Crimes Task Force, said cards stolen from Target customers are for sale on a website operated by the same Russian teenager suspected of writing malicious software that infected Target's point-of-sale terminals. The malware grabbed payment card numbers and passed it along to waiting hackers.
The breach lasted from late November to mid-December.
Lanterman said stolen card numbers are selling for 50 cents to $200 each, depending on how many someone is willing to buy and the possible value of the cards to crooks.
Some with payment card numbers can easily make cards that can be used in stores, at gas pumps and other locations by taking readily available equipment and putting it to criminal use.
"They have [card] printers out today that have integrated mag-stripe readers and writers," said Chris O'Ferrell, Chief Technical Officer at Virginia-based Cyveillance. "A lot of people use them for security access. Hospitals use them. Hotels use them."
So do criminals.
O'Ferrell said the machines can produce very good looking clones of payment cards.
"You can literally print the cards out double-sided, encode the magnetic strip on the back of the card and then stick it into one of these embossing systems and put the actual number on the card so it has raised letters, which gives it a more realistic feel," he said.
Blank cards can be purchased for 15 cents or less when bought in bulk. Some work with ink jet printers.
O'Ferrell said thieves could buy everything needed to create fake credit cards -- a card reader, writer, printer and embosser -- for about $1,500. They could buy the devices on Amazon.com and elsewhere online, or directlty from manufacturers.