Cards Stolen in Target Breach Flood Underground Markets (krebsonsecurity.com)
95 points by clarkm on Dec 20, 2013 | 83 comments



I was just thinking whether I had ever bought anything at Target, and then remembered, yes, but that was 7 years ago, and I've gotten new credit cards since. But then I wondered which other online services I had used my credit card with, and it occurred to me how awesome it would be if I had one-time throw-away credit cards that I could use for only one purchase at one retailer and then throw away. Now, I know that gift cards work this way and could theoretically be used in such a way, but they're usually locked to a specific retailer, or one can't use them for online purchasing.

Then I realised that, really, with all the flak it is getting, Bitcoin is such a solution. Once the conversion from $ to BTC is done, there's no way to get your credit card data or anything. You're practically immune to any data theft at the place where you're purchasing. Now, of course, the problem has only shifted, as you have to guard your private keys now, but that's more or less a question of tooling and usability of proper BTC clients (which will hopefully come along in the future). I'd rather have the valuable information stored in an open source application used by millions with strong code review than in a closed source web app where an intern wrote the code in PHP and forgot the salt or stored everything in plaintext.

This alone sounds to me like a pretty strong incentive.


BofA has a feature called ShopSafe that lets you generate virtual credit card numbers tied to your main card. They got it when they acquired MBNA/FIA Card Services. According to the Wikipedia article[1], a couple of other banks have offered similar services over the years as well (though it looks like a couple have been canceled).

With ShopSafe, each virtual card has a custom expiration of 2-12 months, a max spending limit (ex: $100), and only a single merchant can bill to it. That last feature is important, as it means that even if it's leaked before the shorter expiration period, nothing should be able to be charged to it. Recurring charges are possible though (i.e. the same initial merchant can charge you again), so you can use it for situations that require recurring billing. Either way, the spending limit still applies.

Anonymity aside, I'd argue that virtual credit cards are even better than BTC from a consumer's perspective, as you still have the power of chargebacks. Each one has the same rights as your original card, including the right to declare a purchase as fraudulent (ex: the merchant didn't ship the goods).

It would be cool if someone created a physical version of these virtual cards that gets generated on the fly for each transaction. I was hoping that Coin or one of the other "virtual physical cards" would do that, but I guess that'll come later.

[1]: http://en.wikipedia.org/wiki/ShopSafe
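The three controls described in this comment (merchant lock on first use, cumulative spending cap, custom expiry) are easy to misorder when implemented, so here is an added example, written for this page rather than taken from any bank, modelling how an authorization decision for such a virtual number can be made. The card number, merchant IDs, amounts and dates are made up.

```python
"""Authorization rules for a single-merchant virtual card number.

Added example modelling the ShopSafe-style controls described above
(merchant lock on first use, cumulative spending cap, custom expiry).
Not any issuer's code: card number, merchant IDs and amounts are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VirtualCard:
    pan: str                      # hypothetical virtual card number
    spending_limit_cents: int     # cap on the total ever charged to this number
    expires: date                 # custom expiry (2-12 months) chosen at issue
    bound_merchant: Optional[str] = None   # set by the first approved charge
    spent_cents: int = 0

    def authorize(self, merchant_id: str, amount_cents: int, today: date) -> tuple[bool, str]:
        """Decide one authorization request; returns (approved, reason).

        Order matters: a leaked number is refused for a foreign merchant
        before it can consume any of the spending limit.
        """
        if amount_cents <= 0:
            return False, "invalid amount"
        if today > self.expires:
            return False, "expired"
        # Merchant lock: whoever charges first owns the number, so a number
        # lifted from that merchant's systems is useless anywhere else.
        if self.bound_merchant is not None and merchant_id != self.bound_merchant:
            return False, f"merchant mismatch (bound to {self.bound_merchant})"
        # The cap is cumulative, so recurring charges by the bound merchant
        # still cannot exceed it in total.
        if self.spent_cents + amount_cents > self.spending_limit_cents:
            return False, "over spending limit"
        if self.bound_merchant is None:
            self.bound_merchant = merchant_id
        self.spent_cents += amount_cents
        return True, "approved"


def demo() -> list[tuple[bool, str]]:
    """Walk a $100, three-month virtual card through the cases in the comment."""
    card = VirtualCard(pan="4000-VIRTUAL-0001",  # placeholder, not a real PAN
                       spending_limit_cents=10_000,
                       expires=date(2014, 3, 1))
    return [
        card.authorize("shop-a", 4_500, date(2013, 12, 20)),  # first use binds the number to shop-a
        card.authorize("shop-a", 4_500, date(2014, 1, 20)),   # recurring charge by the same merchant
        card.authorize("shop-b", 1, date(2014, 1, 21)),       # leaked number tried elsewhere
        card.authorize("shop-a", 2_000, date(2014, 2, 1)),    # bound merchant, but over the cap
        card.authorize("shop-a", 500, date(2014, 3, 2)),      # past the custom expiry
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("APPROVED" if ok else "DECLINED", why)
```

Note that the merchant check runs before the limit check: if it ran after, an attacker holding a leaked number could still probe whether the card has remaining balance by watching which decline reason comes back.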


Central Europe has good security tools for this. For example, a whitelist for transactions, approval of each transaction via SMS, or temporarily unlocking the card while shopping.


The killer feature to me would be the ability to load up one time card numbers on a device like coin (or something similar). Virtual card numbers work great online, but don't seem to fill a similar purpose offline.


Meh.. My Citi Card has one-time use codes with the benefit of the normal protections of having a credit card (insurance, fraud prevention, customer service, etc). This problem is solved for people that care to solve it.

I'm not trying to shill for Citi, I'm actually dropping them for other BS, but I assume other cards have it as well.

[1] - https://www.citibank.com/us/cards/gen-content/messages/van/i...


Thanks, I didn't know that. Maybe it's something which hasn't turned up in Germany yet, or my quaint old bank has never come around to implementing this. I'll go and see if there's a way to get that for my credit card.

Thanks for the info.


It's a common feature of Swedish banks as well, so at least it's available elsewhere in Europe. My bank calls it "e-cards"


Yes, other banks have this feature as well.


Except you're already immune to fraud/theft because your bank has a Zero Fraud Liability policy.

The security of your credit card number is quite simply not your problem. It's up to the people who actually are on the hook to fix the infrastructure, and so far they still find it cheaper to eat the losses than to upgrade security.


Those already exist. They're Visa cards or Mastercards and you can purchase them at most major retailers. You load them with money at the retailer, then you can use them anywhere, like you would a debit or credit card. They've existed for the better part of 10 years in the general public. I honestly thought that was common knowledge.

Or was that just a sales pitch for BTC?


Prepaid cards cost a shitload of money (15€ p.a. fee, plus 1-5€ per top-up). While this may be something for you if your credit report is too smashed for banks to give you a "real" one, I consider prepaid CCs a last resort.


The prepaid cards I've seen only cost about $0-2.50 USD. I've never seen one as high as $20 USD (which is what 15€ currently exchanges to).

Arguably, prepaid cards from shopping malls aren't a good solution anyway. If you're paying for them in cash, then you'll never build up a credit history. And if you pay for them with your credit card... well then that's pointless since you may be buying them from the next Target.


> If you're paying for them in cash, then you'll never build up a credit history.

Unless you rent or buy a home, have utility bills, rent or buy a car, etc. You don't have to use credit cards for retail transactions to build up a credit history.


No, not a sales pitch, I really didn't know that this was possible. See: https://news.ycombinator.com/item?id=6943694


Yes, except the volatility of Bitcoin makes it too risky for the average consumer to try and use it as any kind of currency. Plus, couldn't the bitcoin exchange that you input your credit card to get similarly hacked? There wouldn't be just one; basic rules of competition would mean there would be multiple outlets offering this service. And in the course of rushing to market, most of them would implement broken security.


There's a big difference, however: if your credit card is stolen, the maximum loss you have to worry about is $50 and it's usually $0. With Bitcoin there's no way to reverse theft unless you can get the entire world to rollback to a known state making it impossible to recover losses other than by suing and getting alternative payments.


See this announcement earlier this year from the major card networks: http://cardnotpresent.com/news/cnp-news-oct13/Amex,__MasterC...


I used to have a credit card from a company (FIA, I believe) that offered this exact feature. You'd go to their website and request a one-time-use (or perhaps it was a very short time limit) credit card number and specify a purchase limit for it. It was a great feature. A bit cumbersome to use a lot, but it worked.


People tend to use these for purchases they deem high-risk, such as from an unknown or shady-looking merchant.

The problem we are seeing is that it's often the big, legitimate merchants that are targets (ha) of high-tech theft. The kind of merchant for which you'd never think to use a one time use card.


Pay with Paypal and you don't have this problem, only they have your card number.

(yadda yadda, we're not a bank, etc.)


Now you have a different problem, fearing breaches at Paypal (and their record isn't clean on this front either)


And now paypal bans you and freezes your account for 8 months because they feel like it.


I thought this breach only affected cards that were used at Target right after Thanksgiving up until the breach was discovered last week?


Can you buy BTC without giving your card details to an exchange?


Recent stolen credit card number story:

Last week I got an email saying I made a $1,000 payment on my credit card. Except, I didn't. It wasn't bill pay time of the month. I brushed it off as a well formatted spam.

An hour later, it still bothered me. I logged in to check. Yup, there was a $1,000 payment recorded as of 4am my local time the same day. WTF? Oh, look, there's also fraudulent charges showing up now. How odd.

It turns out: my card didn't have enough free on the credit line for the losers to buy their xbox, so they called in and requested a $1,000 payment from my bank account on file. The credit card company happily issued it, my credit limit increased by $1,000, then the guy went out and bought his xbox.

While I was on the phone explaining this to the credit card company, three more fraudulent charges showed up in pre-auth.

Incompetents all around (except for whoever stole my credit card number).

The whole "stolen credit card number" thing doesn't hurt very much (since all bad charges are covered), but what really is annoying is someone getting away with purchasing things fraudulently.


I am ideologically opposed to ever letting money leave my bank account, except under my close supervision with direct instructions on time and amount and to whom.

That means nobody has a right to ask for money from my bank. I tell my bank whom to give money and how much. Not my credit card. Not my mortgage company. Definitely not my gym.* Nobody. Never.

Therefore I never used debit cards. Wells Fargo kept sending me debit cards when my ATM card expired. I changed banks. I do not want any ambiguity about the balance in my bank.

"But they promise me all kinds of protections!" That sounds nice, but there are two problems:

First, you are giving up a wonderful kind of protection: the ability to walk away. If I disagree with my credit card company, I can pay what I deem correct and cancel my card. They can see me in court about the remaining balance, if they think they can win. I am whole. I still have my money in the bank account. It is approximately never going to be a problem, because the credit card companies understand the score. They have a strong incentive to play fair with an honest credit card holder.

Second of all, the moment the bank/credit card company thinks something really fishy is going on, you are screwed. You know how you said you were wondering about those security questions and whether you would recognize the voice? Think carefully. If the bank suspects your nephew who stayed the weekend last month or a roommate or an ex-SO are directly involved, it all becomes your problem. The bank will not restore any funds to your account. The local police will laugh at you. And now you see the problem. The fact of your emptied bank account will not be changed, and those promises you were banking on are worthless. (Have money to hire a lawyer? That one is lose-lose.)

* Private gyms love to bill your bank account and be authorized for automatic payment. The thing most people do not realize is that most banks consider this to be completely and totally your problem now. If you cancel your gym membership, and the gym makes a "mistake" and keeps billing you, the bank will not help you. In fact, some banks will tell you that your only recourse (from their POV) is to get a new bank account to protect yourself in the future. Those "mistakes"? Your problem.


Most gyms will also happily give you a discount (often substantial) if you pay cash (or check) in advance. Typically a year, you might be able to talk them into 6 months.

I frankly prefer not having to either deal with the automatic deduction or remembering to cut a check every month.


A good reason to NEVER link your bank account for payments on any other credit account.

Also points out a security hole; normally credit card companies are a lot less concerned about verifying identity when someone wants to make a payment on an account. Here's an example of why they should.


This is actually a great point, even when it comes to paying non-credit card related bills. When you authorize a business to remove cash from your bank account using ACH, it's a "withdrawal first, ask questions later" arrangement.

I remember seeing a news story about a gas company who had thought a customer damaged their gas meter. They replaced it, then deducted the $1000+ cost of replacement from the customer's bank account. Since the customer authorized the ACH access, they were out of luck in getting the money back right away. If they hadn't linked their bank account, they would have gotten a bill and could have figured out an arrangement before handing over any cash!


Exactly. When you pre-authorize money to be removed from your account, the bank will happily believe every future charge from that party. From their point of view, your emptied bank account is your problem.

In fact, some banks will not even give you an effective means of removing such authorization. You may literally need a new bank account to keep your account from being emptied in the future.


There really is no such thing as "pre-authorized" from the bank's point of view. You never tell your bank "it's OK for Utility Company Foo to debit my checking account"

You give the bank's routing number and your account number to the utility or whomever. That's all they need. That information, by the way, is present in clear text on every paper check you write. The bank doesn't pre-authorize anything, nor can they block anything short of closing your account and giving you a new account number. Your protection is that presenting a fraudulent check (electronic or physical) is a crime.


Actually, there is. If you're doing ACH, you need an authorization, in one of several forms depending on the circumstances. The bank doesn't check the authorization unless there's a significant issue, but they have a right to demand it. I've only seen it happen when there's been a bunch of fraud going on.

You can reverse ACH transactions by going to your bank, filling out a form and making a declaration under penalty of perjury. It goes back to the merchant as an R10, and the merchant usually deals with it in some other form, though if they've got a good relationship with their bank, they can dishonor the return.


Then pile on the fact that I've tried to use my AX legitimately to buy hardware over the last month and was denied 2 separate times because it 'seemed suspicious'. Really makes you wish for a more secure payment system which can be used for such transactions.


I'm curious, my purchase history with my CC was generally local stores, groceries, gas, restaurants. Large purchases were rare, and then I finally bought some computer hardware (~1k purchase for the whole kit, all at once). BoA called me and confirmed it wasn't fraudulent, things went on. Then I moved and hadn't spent much in the new area (I use cash most of the time), when I finally decided to upgrade from my 13" CRT. Go into Best Buy, pay with the CC, again BoA called me and once the call was through the transaction cleared and I had my new TV.

Does your CC company not call to confirm things? Were the purchases clearly out of line with your previous purchase history (by location, type or amount)?


Someone should come up with a two factor authentication system for CC purchases. I swipe my card, then the processor pings my phone for approval. It would be great for validating tip amounts as well.


This makes me curious. Will your $1000 limit increase stick, or be taken back?


Well, I had something like $240 free on the credit card, which wasn't enough for their xbox.

They called in to issue a $1,000 payment from my bank account (on file for recurring monthly payments) to the card. The phone rep allowed it apparently. (They later said the person who called in knew my family info and passed all "security questions." I wish I could have gotten a recording of that call to see if I knew who it was.)

Now, with $1,240 available on the card, they bought their xbox and other crap.

As a matter of principle, I had them refund me the $1,000 I didn't authorize. They sent me a check a week later and re-adjusted all balances appropriately.


I call BS. I bet they didn't ask any security questions. I find that if you're calling to make a payment, they generally don't care who you are.


Personal anecdote and tips:

I had my debit card skimmed at a local gas station in October. Within a couple hours, it was being used at stores in Los Angeles. I live a 3+ hour drive from LA so there's no way the skimmer/data was physically taken down there–the data had to have been transferred (cell?) to someone down there pretty quickly.

My card was used at a restaurant and a few different stores, but several times per store. Total amount charged was about $2K. All purchases were < $100 and most purchases were for very even amounts at drug stores. Based on research, this is because buying gift cards is a favorite use of stolen cards. Gift cards can be turned into cash online for about 75-85 cents on the dollar.

Chase was very good about freezing the card and crediting back all the fraudulent charges.

TIPS:

- Use cash or a gas card for gas OR at the very least, use a pump close to the cashier

- Debit cards have a reputation for having less protection than credit cards. At least at Chase, this is no longer true. Chase has zero-liability for unauthorized debit card purchases [1]

- Check your online banking often

- Don't rely on your bank's automated fraud detection. Most alerts I've received from Chase have been false positives (legitimate purchases while traveling).

[1] https://www.chase.com/checking/debit-cards


I don't know why people swipe debit cards. If that account gets stolen, that's your hard cash that's going to be taken.

Imagine if someone steals your debit card number and you did not find out about it for a week. By then you could miss your next rent payment because you don't have available funds in your account.

At least with a credit card, you have a full statement period to clean things up.


>> I don't know why people swipe debit cards

My guess is there's a significant chunk of the population who, like me, simply don't own any credit cards. A quick search puts it around 25-30% of the US population. People do it for various reasons (don't qualify, don't believe in using them, etc.).

Debit cards are a convenient tool for these people.


If you use your debit card as credit, you get the same protection as a Visa/Mastercard credit card. Merchants and POS systems will generally steer you toward using it as debit (i.e. with PIN) because it's cheaper for them. If you feel bad about increased costs for merchants, use cash.

[I realize the parent didn't indicate that they themselves were in the "no credit card" camp, just thought it might be helpful information for someone].


You may get the same protection, but the debit card protection comes after you've lost the money from your checking/savings account. After checks may have bounced.


In general, I try and make all of my purchases on one credit card, and only use my debit card for withdrawing cash at ATMs. That way I only have to monitor one account for fraudulent activity. Where this breaks down is that a lot of the discount/cheaper gas stations will only accept cash or debit. Also, the magnetic stripe seems to wear down pretty fast on my cards, which means I often have to use my debit card when the credit card isn't swiping. I agree though: get a credit card (preferably with rewards, mine does 1% cash back) and use that for all of your purchases.


I've also had plenty of false positives, but my bank (Bank Of America) has caught multiple actual fraudulent charges. It's easy to hate on big banks and big data and the loss of privacy, but it's pretty cool when your bank calls you up and says "We don't think that was you buying skateboards and polo shirts in Eastern Europe."


I have had this happen a couple of times. I got a call one Saturday morning asking about 3 recent charges, including a Men's Warehouse in Waikiki.

My response: "You are calling me at my California home number. I WISH I were in Waikiki right now. How about you reverse everything today and send me a new card in the mail?"


That reminded me of one false positive that may be of interest to the HN community:

I was buying a custom-made suit at Indochino's "traveling tailor" event. It was at a pop-up storefront in Seattle (where I live) but my bank thought their mobile point-of-sale card processing system was in Vancouver, BC and declined the transaction until I explained to them what happened.

And the suit? It's wonderful.


I live in a sort of love/hate relationship with BoA's fraud-detection system.

On the one hand, I had a number genuinely stolen a while back in the PSN hack, and a case where someone tried to use my debit card in a hotel in Tennessee. In both cases, I got a phone call almost immediately, was out zero dollars and had a new debit card number within 24 hours.

On the other hand, I travel a lot. Emphasis on a lot. And I have begun simply planning trips around the expectation that at least one of my BoA cards will be frozen every time I do so, because their systems don't seem to actually work off usage patterns. Instead, use of the card beyond a certain mileage radius from home address triggers a fraud alert. So even though quite a bit of my travel is to a small number of cities, I still have to deal with occasional random fraud alerts freezing my cards (example: I've been to Washington, DC around six times in the past year. Despite that -- and despite making the booking in advance, including the card number -- I still had one of my cards frozen when trying to check into a hotel there a while back).

Their customer service people have confirmed that it's just mileage radius, and anecdotally it seems that the radius is around 600 miles (I am based near Kansas City, and can safely use BoA cards in Denver and Chicago, but had a problem once in Austin, IIRC). Which probably makes sense for most people, but I am more than 600 miles from home at least a couple of times every month. And there seems to be nothing for it aside from calling their fraud-prevention department every time I'm about to go somewhere, which is equally impractical.
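Two comments in this thread describe the two failure modes of card fraud detection from the cardholder's side: the skimmed debit card that was used within a couple of hours in a city a 3+ hour drive away (a true positive a naive rule can miss), and the frequent traveller whose cards are frozen on a fixed mileage radius from home (a false positive that a usage-aware rule avoids). The added example below, written for this page and not any issuer's code, runs both constructed scenarios through a naive radius rule and a pattern-based rule (implied travel speed against the holder's known cities, plus the burst of round-dollar sub-$100 purchases the skimming victim describes). City coordinates are approximate centres; transactions, amounts and thresholds are made up.

```python
"""Radius-based vs usage-aware out-of-pattern detection for card transactions.

Added example (not any issuer's code). City coordinates are approximate;
the transactions, amounts and thresholds are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

CITIES = {  # approximate (lat, lon) of city centres
    "Kansas City": (39.10, -94.58),
    "Washington DC": (38.91, -77.04),
    "Fresno": (36.74, -119.78),
    "Los Angeles": (34.05, -118.24),
}
RADIUS_MILES = 600.0       # the fixed-radius rule described in the thread
DRIVING_MAX_KMH = 120.0    # implied speed above this means the holder flew
AIRLINER_MAX_KMH = 900.0   # implied speed above this is physically implausible
FAMILIAR_VISITS = 2        # prior visits before a city counts as usual for this holder
BURST_WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Txn:
    when: datetime
    city: str
    merchant: str
    amount_cents: int


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def radius_rule(home: str, txns: list[Txn]) -> list[str]:
    """Naive rule: anything farther than RADIUS_MILES from home is suspicious."""
    limit_km = RADIUS_MILES * 1.609344
    return [f"{t.when:%H:%M} {t.city}: more than {RADIUS_MILES:.0f} mi from home"
            for t in txns if haversine_km(CITIES[home], CITIES[t.city]) > limit_km]


def pattern_rule(history: list[Txn], txns: list[Txn]) -> list[str]:
    """Usage-aware rules: travel faster than driving into an unfamiliar city (or faster
    than flying anywhere), and 3+ round-dollar purchases under $100 within an hour."""
    visits = Counter(t.city for t in history)
    alerts: list[str] = []
    prev = max(history, key=lambda t: t.when) if history else None
    for t in sorted(txns, key=lambda t: t.when):
        if prev is not None:
            km = haversine_km(CITIES[prev.city], CITIES[t.city])
            hours = (t.when - prev.when).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > AIRLINER_MAX_KMH:
                alerts.append(f"{t.when:%H:%M} {t.city}: {km:.0f} km from {prev.city} in {hours:.1f} h is impossible")
            elif speed > DRIVING_MAX_KMH and visits[t.city] < FAMILIAR_VISITS:
                alerts.append(f"{t.when:%H:%M} {t.city}: {km:.0f} km from {prev.city} in {hours:.1f} h, unfamiliar city")
        prev = t
    # Gift-card cash-out pattern: several even-dollar amounts under $100 in quick succession.
    round_small = sorted((t for t in txns if t.amount_cents < 10_000 and t.amount_cents % 100 == 0),
                         key=lambda t: t.when)
    for i, first in enumerate(round_small):
        burst = [t for t in round_small[i:] if t.when - first.when <= BURST_WINDOW]
        if len(burst) >= 3:
            alerts.append(f"{first.when:%H:%M} {first.city}: {len(burst)} round-dollar purchases under $100 within an hour")
            break
    return alerts


def traveller_scenario() -> tuple[str, list[Txn], list[Txn]]:
    """Kansas City cardholder who has flown to DC several times before (constructed)."""
    day = datetime(2013, 12, 20)
    history = [Txn(day - timedelta(days=d), "Washington DC", "hotel", 18_900) for d in (40, 75, 110)]
    history.append(Txn(day - timedelta(days=1, hours=6), "Kansas City", "grocery", 6_412))
    txns = [Txn(day.replace(hour=8), "Kansas City", "coffee", 425),
            Txn(day.replace(hour=14), "Washington DC", "hotel check-in", 18_900)]  # after a morning flight
    return "Kansas City", history, txns


def skimmed_scenario() -> tuple[str, list[Txn], list[Txn]]:
    """Fresno cardholder skimmed at a gas station; card used in LA two hours later (constructed)."""
    day = datetime(2013, 10, 15)
    history = [Txn(day - timedelta(days=d), "Fresno", "grocery", 3_217) for d in (2, 9, 16)]
    txns = [Txn(day.replace(hour=10), "Fresno", "gas station", 4_387),                # the skim happens here
            Txn(day.replace(hour=12), "Los Angeles", "drugstore", 5_000),             # $50.00 gift card
            Txn(day.replace(hour=12, minute=25), "Los Angeles", "drugstore", 7_500),
            Txn(day.replace(hour=12, minute=40), "Los Angeles", "restaurant", 6_318),
            Txn(day.replace(hour=12, minute=55), "Los Angeles", "drugstore", 5_000)]
    return "Fresno", history, txns


def evaluate(scenario: tuple[str, list[Txn], list[Txn]]) -> dict[str, list[str]]:
    home, history, txns = scenario
    return {"radius": radius_rule(home, txns), "pattern": pattern_rule(history, txns)}


if __name__ == "__main__":
    for name, sc in (("traveller", traveller_scenario()), ("skimmed", skimmed_scenario())):
        print(name, evaluate(sc))
```

The radius rule flags the DC hotel check-in (about 1,500 km from Kansas City) and says nothing about the LA drugstore run (about 330 km from Fresno); the pattern rule does the reverse, because it asks whether the holder could have got there and whether they have been there before, not how far away it is.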


For what it's worth, I found out that you can inform BofA about your travel plans via online banking. A lot faster than calling the fraud prevention line.


I'm happy to hate on Bank of America, but they've caught multiple fraudulent charges for me too. Good for them!


RE: 0 Liability at Chase

I don't know of any bank that doesn't offer this now. As part of FDIC Regulation E, the cap on consumer liability for credit card fraud is a max of $50 [1]. For most banks, it costs them more than that to try to get that from the consumers.

The reason why people say that debit cards are safer than credit is because a credit card provides a buffer to your bank account. If there is fraud, you still have the cash while the fraud is investigated. With debit, you are out the cash until the fraud is reported.

[1] http://www.fdic.gov/regulations/laws/rules/6500-1350.html ____________________________ (a) UNAUTHORIZED ELECTRONIC FUND TRANSFERS; LIMIT.--A consumer shall be liable for any unauthorized electronic fund transfer involving the account of such consumer only if the card or other means of access utilized for such transfer was an accepted card or other means of access and if the issuer of such card, code, or other means of access has provided a means whereby the user of such card, code, or other means of access can be identified as the person authorized to use it, such as by signature, photograph, or fingerprint or by electronic or mechanical confirmation. In no event, however, shall a consumer's liability for an unauthorized transfer exceed the lesser of--

(1) $50; or

(2) the amount of money or value of property or services obtained in such unauthorized electronic fund transfer prior to the time the financial institution is notified ____________________________


This is not true for debit cards. You skipped the next paragraph, which provides exemptions that mean you have unlimited liability if you don't report a problem within 60 days, or $500 liability if you don't report a lost card within two days.

Same link, one paragraph down: "Notwithstanding the foregoing, reimbursement need not be made to the consumer for losses the financial institution establishes would not have occurred but for the failure of the consumer to report within sixty days of transmittal of the statement (or in extenuating circumstances such as extended travel or hospitalization, within a reasonable time under the circumstances) any unauthorized electronic fund transfer or account error which appears on the periodic statement provided to the consumer under section 906. In addition, reimbursement need not be made to the consumer for losses which the financial institution establishes would not have occurred but for the failure of the consumer to report any loss or theft of a card or other means of access within two business days after the consumer learns of the loss or theft (or in extenuating circumstances such as extended travel or hospitalization, within a longer period which is reasonable under the circumstances), but the consumer's liability under this subsection in any such case may not exceed a total of $500, or the amount of unauthorized electronic fund transfers which occur following the close of two business days (or such longer period) after the consumer learns of the loss or theft but prior to notice to the financial institution under this subsection, whichever is less."


Read the fine print (it's not provided at that link, that link says "Certain limitations apply. See deposit account agreement.") They literally give themselves an out if you have given your card number "to someone else". It's mighty hard to use a card without giving your number to someone else, so the protection policy could be interpreted to be utterly meaningless and it will be up to an arbitrator what "or ... someone else" means if you have a disagreement about this with your bank.

Debit cards do not have "a reputation" for having less protection in America. Debit cards do have less protection in America. With a credit card, you can lose $50. With a debit card, you can lose all of the money in your account and in all accounts linked to that account.

Chase has a policy of advertising zero-liability for debit cards. The US government has a federal law requiring $0 to $50 liability for credit cards ($50 if you lost the physical card and didn't report it before it's used, $0 otherwise). The US government has a federal law requiring tiered liability for debit cards depending on how fast you report a theft and providing no protection after 60 days. [1]

Meanwhile, bank policies may appear to offer better than federal law requires for debit cards, but in practice the fine print can ruin you, and it's up to the bank whether you get protected under their policy since it's not federal law, and at best you get arbitration to settle a dispute not a court.

See, for example, the exceptions Chase gives themselves in their 'zero liability' [2] & [3]:

"If your Card is lost or stolen, or your Card number is used without your authorization, if you notify us promptly, you are not liable for any unauthorized transactions, including transactions made at merchants, over the telephone, at ATMs, or on the Internet. However, these special provisions do not apply where you were grossly negligent or fraudulent in the handling of your account or Card, where you have given someone else your Card, Card number, or PIN, or where you delay reporting unauthorized transactions for more than 60 days."

"You must provide us with all information we need to investigate the alleged error or item. You must also file any police reports and provide any supporting affidavits and testimony we reasonably request. If you do not comply with the requirements above, we are not required to reimburse you for any claimed loss, and you cannot bring any legal claim against us in any way related to the item or errors.

"You must notify us in writing within 30 days after we mail a statement or otherwise make a statement available (for example, paperless statements) if . . . An item that you did not authorize or that is altered is listed on the statement ... You must provide us with all information we need to investigate the alleged error or item. You must also file any police reports and provide any supporting affidavits and testimony we reasonably request. If you do not comply with the requirements above, we are not required to reimburse you for any claimed loss, and you cannot bring any legal claim against us in any way related to the item or errors."

[1] http://www.consumer.ftc.gov/articles/0213-lost-or-stolen-cre...

[2] https://www.chase.com/online/services/document/deposit_accou...

[3] https://www.chase.com/online/private_client/document/supplem...


> They literally give themselves an out if you have given your card number "to someone else". It's mighty hard to use a card without giving your number to someone else, so the protection policy could be interpreted to be utterly meaningless and it will be up to an arbitrator what "or ... someone else" means if you have a disagreement about this with your bank.

Do you have any record of any credit card company trying to take that perceived out, ever?

It would be a strange thing for them to do, since they don't eat the costs of fraud anyway (the merchants do).


>so the protection policy could be interpreted to be utterly meaningless and it will be up to an arbitrator what "or ... someone else" means if you have a disagreement about this with your bank.

What?

I have contested charges on a debit card before. You don't go anywhere near having an arbitrator. You call them and explain the situation, they mail you an affidavit, you mail it back, money reappears.

These aren't theoretical/untested waters. People file chargebacks on debit cards all the time. The only downside (compared to credit cards) is that the money has left your possession until the bank puts it back (rather than you refusing to pay the charge until it goes away).


> Debit cards have a reputation for having less protection than credit cards. At least at Chase, this is no longer true. Chase has zero-liability for unauthorized debit card purchases

Yes, but it may be a couple of very stress filled weeks until you get your money back. It'll be even worse if you don't have cash elsewhere, or credit cards you can use for everything in the meantime. If you're one of the people who only have a debit card, well, you're screwed.


The reason a credit card offers higher protection is that the money never actually leaves your possession. Once you have contested a charge, you can short the bill by the amount of the charge and you won't be responsible for interest unless you "lose" the chargeback.

Whereas with a debit card, the money has effectively disappeared from your checking account until the chargeback process completes.


I bought something from Target in this window with a credit card (Wells Fargo).

I called them up to proactively report it stolen - the problem is they will immediately deactivate your current card and it takes 7-10 business days for the new one to show up. It is not possible to get a 2nd card number without deactivating the first (to avoid a no-card for 2 weeks situation). Or you can have them overnight it to you for $16.

Kind of annoying to pay $16 for a merchant error, or to not have your primary card for 2 weeks during the holiday season (and also the card you use to pay all service bills like cable tv, internet, city/trash/water etc).

Ultimately I decided to do nothing and just keep a close eye on account activity until January when it is less inconvenient to wait for the new one.


Very inconvenient. I wish more banks had the feature of Simple[1][2] where from the mobile app, you can lock and unlock your card at will. They emailed customers proactively regarding the Target breach and suggested that if you are really worried, you can leave your card in a locked state and then unlock it only when you need to swipe it.

Since they by default send a push notification on every transaction, it'd be overkill as long as you respond quickly in the event of an unauthorized one.

[1] http://www.simple.com

[2] Simple is fantastic for a whole host of reasons. Check them out. I'm not affiliated in any way, but have been using them as my primary bank since early on in their beta.


I also have Wells Fargo. Whenever I have lost a card in the past (it used to actually happen a lot - I usually left them in ATMs), they would do what you said, only I could go in to any WF location and get a temp card until my new one arrived in the mail. If I was not near any WF location and I explained the situation, they would ALWAYS overnight it for free.


My wife shopped at Target twice, both times outside of the period given for the breach. I think we are still going to get the cards replaced just to err on the side of prudence.

I find myself wondering how this might affect Target. I almost never shop there myself. My wife, on the other hand, might have shopped there once a month or once every couple of months. Yesterday she told me she is not going back. Ever. There have to be other people in the same boat.

It'll be interesting if they ever release information on how exactly the breach was orchestrated. My biggest question is about all of that data moving about Target's distributed system without any encryption whatsoever. At least that's what it sounds like. The data capture had to be done at some central point in their infrastructure in order to affect some 1,800 stores.

Again, all of that data from 1,800 stores got to a central repository of some sort completely unprotected? Why isn't that information stored and limited to within the walls of each store? It'd sure limit the exposure by, well, a factor of 2,000. Anything leaving the walls of a store needs to be encrypted.

Perhaps someone with more experience in brick-and-mortar payment infrastructures of this kind can comment on this?


My guess is that they run all the stores through a centralized payment system. Encrypted in transit or not, the payment system needs the details in plain text to send to the payment processor. At or near the payment processing is where the information was likely copied.

The information can't only stay within the store, because purchases from one Target may be returned at any Target, and they may look up receipts by credit card used. At Target's scale, it makes more sense to do a centralized lookup (or local + centralized), rather than a query to every store.


At the very least, I believe they are responsible for paying the credit card companies to replace the stolen cards. I can't find my source on this, but I do remember a few times that a retailer was held fiscally responsible for new card distribution.


People will go back. They may make promises, but then find justifications to soften their resolve. It happens every day.

Target is just too large to really be impacted in the long run - however it's going to have a nice impact on their current holiday season.


It's likely (mandatory, even) that all of that information travelled encrypted while being processed.

The likely scenario in this case is that Target uses a central hub for credit card processing, so there is probably at least one server that briefly looks at all of that credit card info. And if an attacker is able to install malware on one or more of those servers, they'll be able to silently record all of the card data as it comes in; even if it's completely encrypted to and from the server, the server itself will need to at least briefly have an unencrypted version of it in memory.

Basically, scenarios like this generally only happen in a deeply intrusive breach.


I had an interesting thing happen a few months ago. I kept having my credit card used for fraudulent charges, but they weren't buying TVs or electronics, just small purchases at Dollar General and gas stations in Texas. I was really confused. So I had the card cancelled and another issued, and there again it was being used in another state. This happened three times within a couple months. I have no idea how or why as I'm very careful purchasing things online and in person. I finally changed my PIN and it stopped. I don't know why or how they were using my card with my pin, but either by coincidence or luck that fixed it.


From the screenshot in that article, it looks like Target stored not just the credit card number, but also expiration date and full magnetic track information, including CVV1.

Why in the world would they do that? I would lose a lot of sleep over if I had to store just name and card number, but at least I could see some use for that. For example, you could look up a customer’s past purchases for returns or warranty claims.

Why did Target want to store the expiration date, so the card could be used on online stores that don’t check CVV2, and the magnetic track info with CVV1 so the cards can be cloned?


That's a good question. If the thieves didn't have the CVV1, it should have been a lot harder for them to use the stolen cards. I would have thought the "no store" rules should apply to both CVV1 and CVV2 to help ensure the presence of a legitimate card.

--

Edit: if early reports are accurate, and the credit card data was stolen via malware on the POS machines as the cards were swiped, then it would make sense that they would capture every possible piece of data, including CVV1.


You don't need the CVV unless you're in the UK (or somewhere that requires it). I've made plenty of online cc forms for US based companies that did not include it (that doesn't sound very good now that I write it out).


CVV1 is the code that is embedded in the magnetic track and allows you to swipe the card. CVV2 is printed on the back and used in many, but as you correctly point out not all, online stores.
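The thread above asks why a retailer would retain full magnetic track data, CVV1 included, and what the "no store" rule looks like in practice. The following added example (not from the article, Target, or any commenter) parses the ISO/IEC 7813 Track 1/Track 2 layout, keeps only the fields that may be retained after authorization (masked PAN, expiry, service code, name), discards the discretionary field that carries CVV1, and scans stored text such as logs for full track data that should never have been written; the track strings, log lines and the public test PAN 4111111111111111 are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample data for this example; 4111111111111111 is a public test PAN.
SAMPLE_TRACK2 = ";4111111111111111=25121010000012345?"
SAMPLE_LOG = (
    "2013-12-01 12:00:01 pos-0042 swipe ok ;4111111111111111=25121010000012345? approved\n"
    "2013-12-01 12:00:09 pos-0042 settlement batch 17 closed\n"
)

# ISO/IEC 7813 layouts. After the YYMM expiry come the three-digit service code and the
# discretionary data, which carries the CVV1/CVC1 checked on swiped authorisations.
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")
TRACK1_RE = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; filters typos and random digit runs in scan hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass(frozen=True)
class StoredCardRef:
    masked_pan: str
    expiry_yymm: str
    service_code: str
    cardholder: str

def to_storable(track: str) -> StoredCardRef:
    """Reduce raw track data to what may be retained after authorisation.
    The discretionary group (with CVV1) is matched but deliberately never copied out."""
    m = TRACK1_RE.fullmatch(track) or TRACK2_RE.fullmatch(track)
    if m is None:
        raise ValueError("not a recognisable track")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return StoredCardRef(mask_pan(m["pan"]), m["exp"], m["svc"],
                         m.groupdict().get("name", "").strip())

def find_track_data(blob: str) -> list[str]:
    """Scan stored text (logs, dumps, DB exports) for full track data that should not
    be there; returns masked PANs so the finding itself does not re-leak card numbers."""
    hits = [m["pan"] for rx in (TRACK1_RE, TRACK2_RE) for m in rx.finditer(blob)]
    return [mask_pan(p) for p in hits if luhn_ok(p)]
```

Running `find_track_data` over log archives is a cheap check that a POS or payment hub is not persisting what it only needs transiently in memory.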


I got a notification from Simple last night that said they would be sending me a new card because I shopped at Target, but that my old one would still work until the new one was activated.

Great service and I didn't even have to do anything.

Cheers Simple!


So is it worth replacing my debit card and updating numerous automated payments that bill it, or just closely monitor my banking activity (like I already do)?


I just checked my CC account, and found a transaction at Target in that time period. I checked my other transactions, and everything was OK. However, I decided to cancel the card anyway and get it re-issued, just to be safe.

I have other cards I can use, so it is not inconvenience. I feel I dodged some trouble.


I bank with BoA and just before the breach was announced, I received an email saying that my card may have been involved in an unspecified data leak, and that a new card was in the mail. So, at least BoA is being proactive.


So... What's the best way to find out if your card was caught up in the breach?


Here: http://paulsparrows.files.wordpress.com/2011/06/ismycreditca...

Your question reminded me of this and I see someone already responded. In any case you should get a new card if there was a chance you were affected.


Yeah, I used two cards and one of them already got smurfed (I put a block on the other one as a prophylactic measure). At this point, if you used a card at any Target in the affected time period, just assume your card has been sold and is going to get used.

This is going to get macroeconomically expensive, I think.


If you used your card at Target between Nov. 27 and Dec. 15, you were caught up in the breach.


Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card, KrebsOnSecurity has learned.

No fucking way (pardon my French)!

I haven't seen anyone comment on this yet, but doesn't this seem incredible? I.e. I don't believe it.

Am I to accept that transfers of $20,000,000 to $100,000,000 ($20 to $100 times a batch of 1 million) are occurring in payment for these cards?

Bullshit. I just don't believe it. This theft is now widely known. So no way that someone is going to plunk down $100,000,000 just to get a small portion of this info.

Again, bullshit. IMO. It just doesn't make sense.


I think what they mean is that you can buy 100 stolen cards for $2000. And they guarantee that those 100 are still good numbers because they check them right after selling them.

No one is buying them in the millions. But plenty would buy 10, 20, 50 good stolen card numbers.


Ironically we only used Target's Red debit card. Can only be used at Target and has a pin. Of all our cards that was the 'best' one we could have used in this case. We just changed the pin, even though no pins were taken.


We use that exclusively there, too. 5% off is a no brainer for how much we shop there.


As I mentioned in a pair of comments in an earlier thread,[1][2] I live so close to the local Super Target (walking distance), that we end up shopping there even though we like other stores better. But from now on, we will pay only in cash, and if that limits our purchases at Target, well that's too bad for Target.

[1] https://news.ycombinator.com/item?id=6934787

[2] https://news.ycombinator.com/item?id=6936175

