Target's data breach link to 'the Amazon of stolen credit card information'

Target shopper
A customer signs a credit card statement next to a scanner in a Target store on Dec. 19, 2013 in Miami, Florida.
Joe Raedle/Getty Images

If you're looking for stolen credit or debit card numbers, they're just a few clicks and keystrokes away.

One place to find them is the Internet store front of the Russian teenager suspected of writing malware that infected Target's point-of-sale terminals, allowing thieves to steal credit and debit card information on 40 million consumers.

Target urged to continue response to security breach

"This is like the Amazon of stolen credit card information," said security expert Mark Lanterman, who has been browsing the wares for sale, after carefully cloaking his identity to remain anonymous.

But there is one serious drawback: the site is run by a very sophisticated criminal who could do serious harm to naive visitor.

Far from looking like a dodgy underworld operation, the website is clean and user friendly with lots of white space.

Credit card information

Drop-down menus and check boxes are reminiscent of shopping sites that sell cars and homes. But this one is selling stolen credit and debit card numbers. Shoppers can filter their search by expiration date, city, state, issuer and other factors. Plenty of the numbers are from Minnesota.

Single account numbers have been selling lately for $7 to $200 each. But big discounts are offered for bulk purchases.

"This is like the Amazon of stolen credit card information."

How do the site's customers pay? The Target hacker accepts Western Union, MoneyGram and Bitcoin - but no credit cards.

"And if for whatever reason you're dissatisfied with the stolen credit card information you've just purchased, they'll actually give you a replacement," Lanterman said.

That's good customer service, since some card numbers can turn out to be canceled and worthless. In the case of the Target data breach, the nation's big banks and credit unions have already replaced some 20 million cards whose numbers were stolen. But that still leaves millions of cards for fraudsters to exploit.

Hosted in Russia and elsewhere, the website is well beyond the reach of U.S. law enforcement, said Lanterman, a former member of the U.S. Secret Service Electronic Crimes Task Force.

He said there are plenty of other places to purchase stolen card numbers.

"There are tens of millions of numbers for sale," Lanterman said. "You can buy them so easily online, little risk of detection. And they're so cheap."

Banks and law enforcement authorities often monitor the sites to determine what cards are for sale, seeking signs of as-yet-undetected big data heists.

Lanterman said the markets for stolen numbers tend to be regional as it's easier for the buyers to avoid detection when they stay close to home.

"It's not unusual for a Minneapolis credit card to be used in Minneapolis," he said.

The equipment to create fake credit cards with a stolen number is relatively cheap and available online. But Lanterman said it's more convenient to alter a legitimate card.

"Normally, they just rewrite the data on the back of the magnetic strip card. It's a lot easier," he said. "Mag writers are available on eBay for $100. It's just easier to do than trying to counterfeit your own physical card."

Like many experts, Lanterman said the current payment card technology is much too easy for crooks to beat. He said retailers, banks and consumers have to make payment card fraud harder to pull off by pushing for the adoption of more sophisticated technology to fight thieves.

Historically, card fraud losses haven't been damaging enough to inspire all the parties to move to new, more security technologies, said Douglas King, a payment systems risk expert at the Federal Reserve Bank in Atlanta.

"That tune appears to be changing based on how great this breach was and how many cards are needing to be reissued, and what the potential for fraud on those cards could be," he said.

Target hack sparks move away from magnetic stripes

King said the United States also is seen as an easy mark for card fraud, as much of the rest of the world adopts higher security standards, including so-called smart cards that are harder to counterfeit.

That has caught the attention of officials in Washington. On Tuesday, a senior Target official will be at the witness table when the U.S. Senate Judiciary Committee takes up the massive Target data breach.

The hearing likely will receive a lot of attention and could put some political pressure on the banking and retail industries as they weigh the economics of boosting card security.

Your support matters.

You make MPR News possible. Individual donations are behind the clarity in coverage from our reporters across the state, stories that connect us, and conversations that provide perspectives. Help ensure MPR remains a resource that brings Minnesotans together.