Target Data Breach: Millions of In-Store Credit Cards Affected
Update 12/24 5:10 PM: Reuters is reporting that the Target hackers may have also stolen encrypted personal identification numbers (PINs). Banks fear the hackers will be able to crack the encryption code and make fraudulent withdrawals from consumer accounts. Target confirmed that “encrypted data” was stolen, but has not confirmed that this included encrypted PINs.
Update 12/20 9:00 AM: It is being reported that the credit card data from the Target data breach has been found on the black market.
Update 12/19 8:23 AM: Target has confirmed the data breach, stating that at least 40 million credit card numbers along with the three-digit security codes have been compromised.
Multiple news sources are reporting that the Secret Service is investigating a data breach at Target in relation to millions of credit card and debit card numbers used in their stores.
So far it appears the breach affects all Target locations across the country and involves the theft of data stored on the magnetic strips on the cards. Indications so far are that the breach ran from Black Friday to December 15th. However, the scope of the breach appears to be expanding as more information is discovered.
“The breach window is definitely expanding,” said an unidentified anti-fraud analyst at a top ten U.S. bank card issuer. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”
This is a case where even those who do not shop online are affected: the victims are those who shopped at the physical stores with their credit cards. The attack itself might remind some of the attack on TJX Companies Inc., where 46.5 million credit card numbers were compromised over 18 months during a cyber intrusion.
Magnetic Strip Cards Increase Risk
The U.S. is one of the last markets to move away from magnetic strip-based cards to EMV (Europay, Visa, Mastercard) cards, which provide greater security and safeguards against skimming and other forms of fraud that magnetic strips fall victim to.
The magnetic strip cards currently used in the U.S. are based on technology developed in the 1960s and are plagued with security and fraud issues. Using $25 hardware, it is easy to replicate magnetic strip data onto a new card; if this is done en masse and orchestrated properly, it can provide, and has provided, attackers with huge payouts.