An enthusiastic history buff can make the past come alive for new generations. Tim Grove's passion for the past has taken him from Colonial Williamsburg to the Cape of Disappointment,…
Guest Host: Christina Bellantoni
On Thursday, retail giant Target acknowledged a massive data breach that exposed as many as 40 million customers to credit card fraud. Target says it has heard “very few” reports of fraud, which is being described as the second largest credit card breach in U.S. history. But reporter Brian Krebs– who first broke the story– says that batches of credit card and banking accounts have been flooding underground black markets in recent weeks.
- Brian Krebs Investigative Reporter; author of KrebsOnSecurity.com
MS. CHRISTINA BELLANTONIWelcome back. I'm Christina Bellantoni, incoming editor-in-chief of "Roll Call," sitting in for Kojo Nnamdi. If you shopped at a Target store between Thanksgiving and mid-December, you should be checking your credit card and bank statements more closely than ever because if a fraudulent charge shows up on your statement and you don't catch it, you're the one who's out the money.
MS. CHRISTINA BELLANTONIThat's the advice from cyber crime experts following a huge security breach at one of the country's largest retailers during the busiest shopping season of the year. Target says thieves hacked into its computer system and stole the information coded onto the magnetic strip on the back of 40 million credit and debit cards. That data is showing up for sale in underground cyber stores.
MS. CHRISTINA BELLANTONIThieves buy the account information and program it into the strip on a fraudulent card. And then they can head out to shop, swiping the card at the cashier as the total rings up to your account. This latest data theft is raising new fears about who's ultimately going to pay and whether stores and individuals can't protect themselves. So joining us here in studio to talk through this is Brian Krebs, who's an investigative reporter covering cybersecurity and privacy.
MS. CHRISTINA BELLANTONIHe's the editor of KrebsOnSecurity.com. Thanks very much for being here, Brian.
MR. BRIAN KREBSHey, it's great to be back again, Christina. Thank you.
BELLANTONIThank you. So explain how thieves actually steal this information. What is encoded in the magnetic strip on the back of a card and how does a hacker find it and then use it?
KREBSSure. Well, there are lots of places in the underground that are selling these information on any given day. The information is basically a bunch of ones and zeroes. So once it has an information that you might see on the front of the card, the card number, the name, stuff like that and it's also got information about the bank that issued the card and some perhaps some proprietary information that relates to the way they encode this stuff on the card.
KREBSBut essentially if they have those ones and zeroes, they can take them and count them on a new card and they're off to the races.
BELLANTONIAnd of course sell those cards. And we're going to be getting to what's happening there.
BELLANTONITarget says the thieves didn't get the three-digit code or the four-digit code in the case of American Express that comes with each card. How does that limit the way the stolen account information can be used?
KREBSSure. That's a card security code is a three-digit code printed on the back of the card. And so you probably get asked to enter this code whenever you shop online. It's essentially a way for online retailers to make sure that you have the physical card in your hand and that's why it's, you know, Target is saying, hey, look, these were not -- this isn't going to cause a problem for online retailers because the bad guys don't have that.
KREBSNow, not all online stores ask for that information as they should, but a majority, the big ones, do.
BELLANTONIAnd it's starting to change. And that information is not coded into the strip, right? It's actually just printed onto the card?
BELLANTONISo you've been writing about how the stolen credit and debit card numbers are turning up for sales in this black market. So how does this work and how do people make money from stolen account numbers?
KREBSSure. Well, the way it works is it's very customer friendly. You create an account. You log on there. You fund your account with some virtual currencies like bit coin or something like that. And essentially you can search by any one of 20 different things. So you can search by the issuer, which bank issued the card. You can search by the expiration date, how quickly the card is supposed to expire naturally without being canceled for fraud by its issuer.
KREBSYou can search by country, some of them you can search by limit, stuff like this. And it's real interesting because the fraudsters who are no strangers to this type of commerce, they oftentimes will search for very specific banks. Cards issued by specific banks because typically they will have had an experience in the past where they were able to get away with a certain amount of fraud before that issuer got wise to what was going on.
KREBSOr maybe didn't have some of the fraud detection mechanisms that maybe some bigger issuers did. So they tend to like really like certain issuers and they'll go and they'll search for their favorite bank.
BELLANTONIAnd this could happen globally, right? These people could be searching on any device in the world.
KREBSFor sure. I would say a majority of the cards compromised in this breach were issued by U.S. banks. But I put up a post yesterday that looked at a new cards compromised in this breach that are specifically non-U.S. issued cards. And I think those are becoming more popular now, probably because domestic banks here are starting to put in a lot more security. You know, they're watching these domestic cards a lot closer.
BELLANTONIAnd that post of course is at KrebsOnSecurity.com. You can join our conversation, tell us if your credit or debit card information was stolen in the security breach at Target. You can give us a call at 1-800-433-8850. Send a tweet to @kojoshow or email firstname.lastname@example.org. I'm Christina Bellantoni sitting in for Kojo Nnamdi and we are talking with Brian Krebs of KrebsOnSecurity.com.
BELLANTONISo when we talk about this black market and the fact that anyone can be searching for information and then reselling that onto fraudulent cards, who are the types of people that are doing this and do they ever get caught?
KREBSSo there's a huge trickle down economy here. The guys who are hacking into retailers like Target, I guarantee you are not the same guys who are using these stolen cards. Typically what you'll find is organized crime groups are very involved in this type of activity. It's a real great thing to do if you've got a bunch of guys with a bunch of time on their hands and maybe don't mind taking a little bit of risk.
KREBSFrankly, there is not a whole lot of risk of getting caught for these guys and that's the sad part. So think of it this way. Let's say you have a bunch of stolen counterfeit cards in your pocket and you go to, surprise, surprise, a lot of these guys like to go Target to do this stuff and do…
BELLANTONIYou can buy anything there, right?
KREBSRight, right. And so, in fact, in talking to some of the issuers that have been -- excuse me -- some of the banks that have been affected are seeing fraud on the cards in monitoring breach as part of this intrusion are saying, you know, wow, well, we see fraud, we're really seeing a lot of fraud at Target. Well, it just happens that this is a favorite target for the bad guys. I hate to keep using that word, but that's essentially what's going on.
KREBSThey like to go in there because, like you said, they can get whatever they want. What they want tends to be stuff they can get rid of very quickly. Hot items you want for Christmas. You know, the Xbox, PS2 or PS4 or whatever it is up to now and gift cards. You can cash those out very quickly.
BELLANTONIAnd they sell gift cards to basically anywhere, could be a restaurant or an airline or another Target.
KREBSExactly. And the other thing I want to mention about the risk here is, you know, a retailer, you can just walk in and just pull the card and slide at the terminal because it's facing you. You don't have to give that to the cashier in most cases unless it's a really high priced item, then they'll ask for it. But if they do, the thieves just walk out.
BELLANTONIAnd especially if it's a busy holiday season, maybe they're not even checking whether the name matches what you might look like.
KREBSThey are running people through the registers as fast as they can.
BELLANTONIAnd then does the fact that so many people have self-checkout, that increase this as a risk.
KREBSI would say, yeah, if I were a fraudster, say, going to your local giant or grocery store, which by the way, all sell, you know, $100 gift cards or higher denomination gift cards, that's exactly what I would be doing is going through the self-checkout.
BELLANTONISo when law enforcement does eventually, you know, catch these people. Let's say they are caught in the act or somehow later through some sort of cybersecurity investigation, what are the penalties and do they actually get caught?
KREBSOccasionally they get caught. I couldn't tell you what the penalties are. I mean, you know, using someone else's credit card and stealing stuff with it probably carry some pretty heavy penalties, whether or not they see any jail time because of it would depend on a whole lot other things. But in the past, the guys they've caught have been pretty close to street urchins. I mean, you know, some of them are homeless. Some of them are drug-addicted folks that aren't going to ask too many questions. They're looking for a quick buck and they can make it with this type of crime.
BELLANTONIHow did people physically get the cards? Are they coming in the mail? Or is there a machine where you can encode this data into your magnetic strip?
KREBSAre you talking about the counterfeit cards?
KREBSYeah. So the tools that you need to create counterfeit cards are actually pretty ubiquitous and they're not that expensive. You can go on eBay and buy these card writers for a couple hundred bucks. And, you know, get some blank plastic and that's pretty much all you need in addition to the textbook...
BELLANTONIThis is not a how-to, of course. We should point that out. I was just curious. But that's, I mean, it's interesting because that's one way.
KREBSWell, it's part of the reason this fraud is so common because it's not that complicated.
BELLANTONIWe are talking with Brian Krebs, an investigative reporter and the editor of KrebsOnSecurity.com about what happened with Target. We're going to get into sort of what happens next if you found out that your data was compromised. But you can join our conversation and tell us if you've ever had your credit card or debit card stolen. What did you do? 1-800-433-8850. Send a tweet to @kojoshow or email email@example.com.
BELLANTONISo Sarah in Washington emailed to say, Target Red Cards, are they affected? I've not heard whether the thievery included those or just Visa and MasterCards. Are Red Card users safe?
KREBSSo Red Card, I think this is a card that you can only use at Target. Are they safe? I would figure that Target, of all people, knows exactly how many of those cards have been compromised. My guess is just the same percentage as all the other cards. For folks who aren't really sure what we're talking about here, Target debuted this interesting device called a Red Card and it is essentially a device that can be used as a debit card.
KREBSAnd you can tie it to your bank account. And so Target sort of manages this thing but the risk kind of lies in your bank, if you decided to tie it to your checking account. And that's a good example of how this is really kind of turned the banking industry upside down, this breach has, because anytime you have a breach of this size, there are so many different players that are impacted. There's so much cost, whether it's reissuing the cards or dealing with customer complaints, you know, for some things that really aren't your fault. It illustrates the complexity of this breach.
BELLANTONIAnd Target has said that they would pay for identity protection plans for people that call them, sort of a courtesy. I think for one year or something like that.
KREBSSo this is kind of the standard operating procedure when a company these days has a breach, but monitoring your credit file, maybe not the most effective thing in this case. I mean it's a nice token gesture, but kind of apples and oranges. Right? Where credit cards, it's an existing card, it's an existing account, it's not like the users are able to use this information and go open new lines of credit in your name or something.
BELLANTONIWe will be back with Brian Krebs, an investigative reporter and editor of KrebsOnSecurity.com after a short break. I'm Christina Bellantoni sitting in for Kojo Nnamdi.
BELLANTONIWelcome back. I'm Christina Bellantoni, incoming editor in chief of Roll Call, sitting for Kojo Nnamdi. I'm talking with Brian Krebs, investigative reporter and editor of KrebsOnSecurity.com about the security breach and the 40 million credit and debit cards and the information that was stolen from Target over the holidays. We are also taking your calls. You can join us 1-800-433-8850, send a tweet to @kojoshow or email firstname.lastname@example.org. Tell us how carefully you check your bank statement and credit card statements each month for fraudulent charges.
BELLANTONIAnd we have a caller from Washington. This is Patricia. Tell us what happened to you.
PATRICIAWell, thank you for taking my call. I got a telephone call from American Express on Saturday afternoon, which was the 15th. And they called me. They wanted to know was I in Target in Virginia attempting to spend $900 and had I been to Macy's and another Urban Outfitters. And I was like absolutely not. And they had processed the Macy's and the Urban Outfitters, but when the Target purchase of $900 came up it seemed suspicious because actually I'm somewhat of a skinflint. I don't necessarily go on shopping sprees.
PATRICIAAnd it was unusual purchases for me. So they had called to see if it was me. And anyway they cancelled my card, they issued me a new one, which I got last week. And they credited my account back. And then afterwards, a day or so later the story had came out.
BELLANTONIWow, well, thank you for sharing your story with us, Patricia. I appreciate it. Brian, if people are not as luck as Patricia, to get a call warning them immediately on this, what should they be doing if they think they might have shopped at Target at this time?
KREBSWell, this is a question I get a lot. People are saying, you know, should we call our bank and cancel the card? I think that might be a little overkill. That's for me personally. You know if it helps you sleep better at night, by all means go ahead and do that. It may not be the most convenient time for folks. And that's really what has a lot of the banks over a barrel right now. They would really like -- and I'm sure Target would really like this breach not to have come out until after Christmas. But it's real problematic for them to go and reissue tens of thousands or millions of cards right before Christmas. Right?
KREBSBecause people are traveling, they may not have access to their bank account if you do that and you might exacerbate the problem. So, yeah, people should be paying very close attention to their statements. If I were a bad guy and I had a whole bunch of credit cards, this is the time a year I would push stuff through. So whether or not you shopped at Target, it's real important that you keep a close eye on your statement.
BELLANTONIAnd that actually goes right to an email we got from Sarah in Alexandria, to email@example.com, asking if customers would abandon Target. "Is Target concerned that it may see a drop in sales because of this breach? Does it have any numbers yet indicating customers are going elsewhere?" Now, we know some of the fraudsters might be going to Target, as you pointed out before the break, what do you think, Brian?
KREBSYeah, and that's what Patricia told us, right? So I think we're starting to see that already. It was that Journal that was reporting today that they saw maybe it was a 2 to 4 percent or 3 to 4 percent reduction in the normal what they were expected to do this weekend in terms of sales. So it's clearly having an impact on them short term. The question is what will be the long-term impact, in terms of shoppers being willing to come back and buy stuff from the stores. The other question mark is how much is this going to cost Target?
KREBSBecause I guarantee you every single one of the banks that has to reissue the cards, these cards impacted, it's $3 to $5 a piece, not to mention the costs of dealing with the fraud, plus the opportunity costs that they can say, well, you know, our customers would have been spending a lot more if they didn't have this disruption, etcetera, etcetera. And then, of course, there's the cost that Target's going to have to put in place to sway investors and customers that they've done this and now that this isn't going to happen again.
BELLANTONISo -- and obviously this is just speculation. I'm no lawyer, but could this lead to some sort of big class action lawsuit against Target from all these banks?
KREBSIn fact there is already a class action lawsuit against Target. I think that's probably the least of their worries.
BELLANTONIIan, joins us from Bethesda, to share his experience on what happened to him when his data was taken. Thanks for joining us, Ian.
IANHi, there. Yeah, probably about 10 years ago I was on vacation visiting my grandparents in Florida. And I was just killing some time and I stopped in at Wal-Mart to buy a DVD and when I got to the checkout my Visa check card was declined as insufficient funds. And so that was kind of embarrassing and I paid for it on a different card. And then when I got back to my aunt's house where I was staying I got on my computer and I checked my online banking records and the first thing that I noticed was that there were a couple of very small charges in south central Pennsylvania, near where I used to go to college.
IANAnd I hadn't been there in years. And then right after that -- these were a couple of small charges at Giant. And after that they basically ran up as many large charges as they could until my check card had…
IAN…depleted my checking account. And I got all of the money back, so that wasn't too worrisome, but had I been paying closer attention, those two little pings certainly would have tripped alarm bells to my mind.
KREBSAnd this is something that you see a lot. Those two little pings are test transactions. Sometimes they do what they call preauthorization checks or if they have a the physical card they'll just go to a gas station and dip it in and see if it gets okay to do that. One of the things that I found personally fascinating about these shops that were selling people's stolen credit cards, was they had the zip code and states and country. And I looked at these listings of these cards for sale and in initially I thought, "Well, this is the state, zip and country of the cardholder or the bank or something." But no, it was the location of the store from which the data was stolen.
KREBSAnd I thought, wow, what's going there? And I talked to some fraud experts. They said, "Well, a lot of the banks put location blocks in place." So your card is -- you live in Washington, D.C., they'll say look, if this customer tries to make a purchase at a point of sale within say more than 90 miles from their home in D.C., we're going to block that and cancel that card. Well, this allows the fraudsters to go find out what are the cards that are available in the zip code that they live and then encode that data onto cards to go shopping right around the corner from the victim. If that doesn't creep you out I don't know what does.
BELLANTONIYou might even bump into the person at the register.
BELLANTONIWe have an email question to firstname.lastname@example.org, from Tina, who says, "I write a check for purchases these days. Is the info on my check, like my account number, at the same risk as compromised credit card numbers? I don't think checks were affected, but I was wondering."
KREBSThat's an excellent question. So, yeah, checks are one of these sort of anachronisms in today's economy, and they do include your account number on them, they do include your routing number. If somebody gets a hold of your checks, certainly there are some things they can do to cause you a lot of headache. But typically when people send checks they go directly to whoever you're paying for and hopefully they keep that information confidential.
BELLANTONIWe're talking with Brian Krebs, investigative reporter and editor of KrebsOnSecurity.com. And you can join our conversation. Give us a call and tell us your experience at 800-433-8850. Send a tweet to @kojoshow. Get in touch on our Facebook page, of course. Or send an email to email@example.com, like this one from Kimberly, who actually is defending Target, saying, "As much of a PR nightmare as this is for Target, this is not new to them. I had a fraudulent charge about six months ago. It was Target.com that actually found it. Target is coming clean. iTunes had a security breach for at least two years and no one mentions it. I will continue to give Target my business."
BELLANTONINow, this brings up a larger question about what lessons can be learned at a larger level? You know Target's willingness to discuss this, how does that affect what could happen in this sort of cyber-security industry going forward?
KREBSSure. Yeah, I think it's a fair point. I mean Target obviously is a victim here. But unfortunately, any type of large merchant breach there's going to be -- the affect is so dispersed to so many different parties, to consumers, to banks and everything. It's felt throughout the economy. But I do hope, I really hope that Target does come clean about this. My sense is they're still and the experts they're working with are still trying to figure out exactly what happened. But they may not decide to be that forthcoming about what they find. And I hope that they do because everybody has a chance to learn from their mistakes that way and hopefully improve the security of other retailers.
KREBSBecause I think there are a lot of other retailers out there kind of going, there by the grace of God go us. And in past breaches it's been fascinating to me to watch the different responses. Heartland Payment Systems, large credit card processor -- it's not a retailer. They process other people's transactions. In 2009 they came out on inauguration day and said they had a breach that they weren't sure how many it impacted. Later on, come to find out…
BELLANTONIWe call that a news dump.
KREBSYeah, right, burying the news. Right? Well, come to find out it was a 130 million credit and debit card transactions, the largest breach that anybody's ever known about involving credit cards. And they got accused of trying to bury it, but after that they came out and proselytized -- their CEO was out there talking about the need for end-to-end encryption, for retailers to really take this seriously, and they pushed the envelope on security. Last year, just in contrast, there was another major processor -- gosh, the name is escaping me at the moment -- but they had a breach and they didn't talk about actually what happened.
KREBSI mean it was it was a big deal. It impacted a lot of people and they decided -- they still haven't talked about what happened. So I hope Target does come clean once they know the real story.
BELLANTONIAnd when we talk about the type of system that people can search for to find a card, you know, whether that's data locations or the type of bank it's from, this could last for a long time, right? I mean, maybe your card's not compromised today and you're checking it while it's in the news, but a year from now that number might still be in that system.
KREBSThat's correct. I would anticipate that this breach is going to be a headache for banks and for consumers as long as those cards that are known to be compromised are still in circulation. So I would expect that after December 25th or at the very least after the New Year, we're going to see massive cancellations of these cards for that reason.
BELLANTONIWe are coming up on our last few minutes here so we're going to go Cathy, in Bethesda, Md. Tell us your story about trying to get a new credit card. Thanks for joining us, Cathy.
CATHYHi, thanks for having me. I went into my banking center on Friday to get a new ATM debit card. And I asked -- we're all assuming the bank says you're not liable for any of the charges, but I said if money went out of my account, what's the process for getting it back? And he said, "Well, you'd have to file a report, we'd have to review it, and then somewhere between three and five -- we're not really sure -- business days you get the money back into your account. So that's a long time to be without funds. And I just wondered if the guest could comment on the process of recovering actual money out of an account that was compromised?
KREBSThere's the rub between credit and debit transactions. Right? A lot of folk prefer debit because it keeps them honest, you know. They can't spend money they don't have. Unfortunately, there is a slightly larger risk when you're shopping, whether it's online or, as you've seen here, in main street stores, when there's a breach and that information is compromised. If they are able to pull money out of your account then, yes, you're not liable for that, but there may be a brief period and painful period where you don't have access to your cash. That's why I always encourage people to pay with a credit card, if they can, if they're shopping online. It's just a little bit less risk, a little bit less hassle when things do hit the fan.
BELLANTONIWell, we're getting a lot of callers and I'm sure we're not going to be able to get to, but of course you guys can keep up the conversation by emailing firstname.lastname@example.org, sending a tweet to @kojoshow or chatting about it on our Facebook page. We do have an email from Mike, saying, "I was once called by a credit card issuer who asked if I had made purchases in Brazil. When I said no, they cancelled the charges. The irony was that I had never used the card, it had remained in my dresser drawer. The lesson is that you are always susceptible to this. I always go through my statements the day they arrive, and call the card issuer if I have any questions."
BELLANTONIAnd then we had a tweet from Tom, that I think I'll use a little bit just for my quick last question about will this affect chip and PIN plans in the United States? Will it speed them up maybe?" So this is something that Europe has. They have these little chip identifiers. Is that something we could see here?
KREBSRight. Yeah, I hope we do. I doubt this will change the rollout there. The real sticking point with that is so this is a chip, it gets embedded in the card, but for backwards compatibility, even cards in Europe still have this magnetic strip on the back of the cards -- and it's a great source of frustration for them because when they get those cards stolen over there they get used over here. But the sticking point for the deployment of chip and PIN, which would make this type of counterfeit fraud much more expensive for the bad guys, it would probably would shift it onto other types of fraud like card-not-present fraud.
KREBSBut the sticking point here are the small retailers. They're the ones that have to pay. They're saying why should we have to pay so much more money to upgrade all of our software and hardware? And it's not an insubstantial amount of money that we're talking about here.
BELLANTONIWell, we'll keep an eye on it and so will Brian Krebs, investigative reporter and editor of KrebsOnSecurity.com. Thank you so much for informing our listeners today. Very good conversation.
KREBSThank you, Christina. Thanks for having me.
BELLANTONII'm Christina Bellantoni, incoming editor in chief of "Roll Call," sitting in for Kojo Nnamdi. After this break, we'll back to talk about an interesting case of diplomatic immunity. We'll be right back.
Most Recent Shows
We examine the ramifications for Democrats and for Maryland of U.S. Sen. Barbara Mikulski's announcement that she will not seek re-election in 2016.
With a deep background in law enforcement, author Marc Grossman shares both horror stories about hackers and a prescription for a national effort to protect the nation's digital networks.
D.C. Council Member Mary Cheh (D-Ward 3) and Arlington County Board Member Walter Tejada (D) join the Politics Hour crew in the studio.