In a deliciously detailed post, security writer Brian Krebs has explained the path taken by credit card numbers stolen in the Target breach on their way to the carder black market. Krebs has far more information in his post but he’s discovered that some card shops have created Target-only sections for the trove of numbers.
Krebs described visiting a particularly infamous card shop where he and an anonymous bank representative found sets of cards belonging to a “base” called Tortuga. In carder slang, a base is simply a source of cards. And Tortuga cards, according to Krebs, belonged to a set of numbers stolen from target stores. Amazingly, many of the cards included zip code or state data, thereby circumventing the fraud protections, as many banks automatically treat out-of-state card purchases as suspect.
How quickly did customer react on hearing about the breach? Clearly not fast enough:
Should you be worried? If you shopped in a physical Target store and swiped your credit or debit card there between November 27 and December 15, then the answer is “Yes.” However, thieves cannot fully recreate your card and, say, withdraw cash from your account or make an online purchase. Target media representative Molly Snyder wrote:
Target CEO Gregg Steinhafel said that customers can enjoy a brief discount on everything at the store as well as free credit monitoring for a year.
The small bank Krebs assisted in the exploration of the carder site will probably re-issue all 5,300 of its customer’s cards after Christmas. That just leaves thirty-nine million nine hundred ninety-four thousand seven hundred more cards to check for fraud.