Millions of the stolen credit cards snatched from Target shoppers in recent weeks are being sold on the black market, it’s reported, amid some banks holding off freezing potentially compromised accounts out of uncertainty around the extent of the issue. Target admitted earlier this week that around 40m customers had potentially been affected by credit and debit card thefts in stores between November 27th and December 15th; now, new research indicates many of those cards have ended up being sold online, with the banks that issued them either unaware or reluctant to cancel them so close to the holidays.
Brian Krebs, of Krebson Security, reports that some banks have been buying up black market credit card details offered at well-known “card shops” online, to check them against their customers. At least one bank confirmed that its fraud team had independently confirmed the Target hack as a result of the stolen card matching.
In fact, the bank had been alerted to the possibility when it spotted a well-known “card shop” notifying its cybercrime customers that more than a million new cards had been added to its catalog.
However, that’s said to be more warning than many banks have been getting from card companies and legal teams. One regional bank claims to have heard nothing from either law enforcement or state banking associations, leaving it effectively in the dark as to whether its customers were impacted by the Target breach.
Instead, it had to turn to the online card store to buy a selection of stolen credit card details and match those with its own records itself, confirming in the process that its customers were affected.
The problem now – or at least one of them – is that the bank faces the decision of whether to cancel a broad range of cards it suspects might have been compromised, at a shopping period where customers are highly likely to be using them. Since debit cards – also used for ATM transactions – were also among the stolen haul, if cancelled customers might be left unable to withdraw cash over the Christmas holiday.
The bank tells Krebs that it expects it will most likely wait until after December 25th to reissue the more than 5,000 cards it now believes to be affected.
However, in one glimmer of good news, the card sales did not apparently include the related card security codes printed on the signature strip, which would be required for online purchases. That was, however, said to be among the stolen details according to Target.