How can they still be selling credit card numbers stolen from Target?
December 31, 2013 8:26 AM   Subscribe

My understanding is that a stolen card or card number has a shelf life of a couple of days at most, before someone gets wise to the theft and cancels the number. The stories I'm reading suggest that these stolen numbers are good for quite a long time. The online stores that sell them even guarantee they're still good! Are the owners of the cards failing to notify the bank after realizing that their cards were used at Target during the period when all the numbers were stolen? Are the banks not scanning their files to find out which cards were used at Target during the period, and taking the initiative in canceling them?
posted by markcmyers to Work & Money (19 answers total) 2 users marked this as a favorite
Are the banks not scanning their files to find out which cards were used at Target during the period, and taking the initiative in canceling them?

Many banks are definitely not doing that and they know if people have shopped at Target as they are contacting people first. They're also stating they're monitoring accounts for suspicious activity (moreso than usual, I guess?) But at least a good handful of large bank are not cancelling cards based on the cardholder having shopped at Target.

(FYI: This is why you should never, ever use your debit card to make purchases at stores.)
posted by griphus at 8:31 AM on December 31, 2013 [1 favorite]

My bank is not automatically canceling the cards that were used at Target. They stated that they are monitoring the accounts that were used at Target closely. They are giving their customers who used cards at Target during the compromised time period the option to get their card reissued, but they're not blanket-canceling every card used at Target. I think a lot of banks are doing this because of the sheer number of cards affected - straight-up canceling every card that was used by the 40+ million people affected all at once would probably overwhelm their card-issuing processes. (I realize that it's spread across lots of banks, but even if you have, say, 50,000 people canceling all at the same time it would be far more than the normal amount of cards they'd be issuing.)
posted by bedhead at 8:41 AM on December 31, 2013 [1 favorite]

My bank automatically reissued cards to everyone whose number was actually compromised--apparently they could distinguish this population from just "everyone who shopped at Target." They didn't automatically cancel anything; however, as soon as the new cards are activated, the old ones cancel.
posted by like_a_friend at 8:46 AM on December 31, 2013 [2 favorites]

My mother-in-law's bank talked her out of getting a new card when she asked for one (she shops at Target several times a week). I'm really annoyed because now she refuses to get a new one ("the bank said I was fine"). Gah.

My understanding about selling the credit card numbers is that the price fluctuates based on how old the numbers are. Old numbers = lower prices. But at the volumes we are talking about, even low prices per number could net a lot of money. My knowledge is just based on news reports though, so I don't know how reliable it is.
posted by OrangeDisk at 8:52 AM on December 31, 2013

It looks like it's about a 50/50 split between immediate reissue and wait-and-see, with some of the bigger banks and card issuers taking the wait-and-see approach. (Capital One are explicitly wait-and-see right now, perhaps because they already have a hair trigger for potential fraud.) That's probably on account of the sheer numbers and also because of it being the holiday period, when card use is at its highest. I wouldn't be surprised to see blanket reissues as soon as we get into January.
posted by holgate at 8:52 AM on December 31, 2013 [1 favorite]

It's as if this doesn't change things very much from the banks' point of view. The odds that a given credit card is already compromised must be pretty high in general.
posted by paper chromatographologist at 8:54 AM on December 31, 2013

Several banks imposed spending limits on ATM cards due to the Target compromise. Several friends were frustrated that they couldn't do their Christmas shopping without an alternate means of payment.
posted by Doohickie at 8:58 AM on December 31, 2013

If you want to learn more about the dynamics of stolen credit card numbers, I recommend the book, 'Kingpin'
posted by Multicellular Exothermic at 9:03 AM on December 31, 2013 [3 favorites]

Maybe they are selling the encrypted PIN information along with the card numbers? If so, there could be extra value.

Many people probably use the same PIN multiple places. If you get their debit card pin, you could get their credit-card PIN, their garage door PIN, their voicemail PIN, ...

Of course, the criminal would need to decrypt the PIN data first, but given enough time ...
posted by sarah_pdx at 9:29 AM on December 31, 2013

Are the banks not scanning their files to find out which cards were used at Target during the period, and taking the initiative in canceling them?

Forty million cards. Just before Christmas. That's a lot of unhappy customers and a lot of lost revenue for the banks if they just blanket cancel cards. They have surely determined that the costs of reissuing cards outweigh the benefits of forestalling fraud.
posted by payoto at 9:56 AM on December 31, 2013 [2 favorites]

My credit union's reissuing everyone's debit cards, has temporarily lowered daily limits on affected cards, and says it's doing heavier fraud monitoring on affected cards. They also noted that cardholders won't be liable for unauthorized transactions that are reported to them.

I'd only been keeping a daily eye on my account activity after I bought that mop, so I'm glad my CU's doing all this without my having to bother asking. I hope somebody pays well for my useless card info.
posted by asperity at 10:04 AM on December 31, 2013

The number I usually see for the cost of reissuing cards is around $5-$10. Smaller banks tend to just do that and eat the loss, but larger banks have more robust policies in place to handle fraud, as they deal with it on a more frequent basis (and on a larger scale). Brian Krebs, who broke the Target story, has some good articles on how underground card markets work. It's also fairly inexpensive for banks to "buy back" the compromised numbers from these underground sites.
posted by antonymous at 10:12 AM on December 31, 2013

I notified my card company. They told me they're monitoring purchases and will notify ME if they find suspicious activity. I was asked not to contact them.

I have to say, my card was compromised previously just before Thanksgiving. The card company caught it after 3 small purchases. They notified me, shut the card down (very unpleasant to have this happen during a holiday when I was out of town), and issued a new one. I'm still mopping up that mess and not looking forward to going through it again any time soon. This is the 3rd - 4th time this has happened in the 40 years I've had this card. I have no idea how they determine when there is fraudulent activity, since I tend to travel and spend money in odd places at odd times.
posted by clarkstonian at 10:39 AM on December 31, 2013

Chase is proactively cancelling cards, and then reissuing them. SunTrust sent a notice saying, "Notice you shopped at Target, keep an eye peeled."

So...that's were we are with it.
posted by Ruthless Bunny at 11:49 AM on December 31, 2013

I went to Bank of America, and they flat out told me that not only would it not do me any good to get a new debit card, that without me telling them that there was fraud on the account (and there wasn't, but I did use my card at Target) they would simply pass any of the charges on the old debit card (after it was canceled) through to my checking account.

They said that they'd be happy to issue me a new debit card for $5, if I wanted one, but that it would not stop fraud from happening on my account.
posted by needlegrrl at 12:33 PM on December 31, 2013

And on the other side, I got an unexpected replacement credit card in the mail from Bank of America in late November with a letter explaining that it was due to some unspecified compromise. Maybe that was Target (but I hadn't shopped there recently).
posted by hattifattener at 1:57 PM on December 31, 2013

Our debit card was compromised BEFORE the Target debacle (we were without our debit card during our apartment fire/sudden move which was insult to injury) and our bank notified US and made sure we were reimbursed. People need to realize it isn't just Target. Sometimes it's someone hacking into the banks!
posted by St. Alia of the Bunnies at 4:43 PM on December 31, 2013

I haven't shopped at Target for a while so this hadn't been much on my radar. On Friday I went into Chase to order a replacement for my damaged debit card, and the guy told me they didn't have to order one, that they can print them up right on the spot and, in fact, had been doing it non-stop since the breech. He also said customers were not happy about the temporary, lowered card limits right before the holiday. (There was no charge for this.)

It sounds like Chase is letting the banks handle replacements on branch level, but maybe if someone calls the 800 number they will get one mailed to them.
posted by Room 641-A at 4:57 PM on December 31, 2013

He also said customers were not happy about the temporary, lowered card limits right before the holiday. (There was no charge for this.)

Not happy is right! But primarily because they lowered the amount of $ one can withdraw from an ATM and put a low total daily limit on spending for the day, without telling customers ahead of time.

So, basically, suddenly, after waiting in a long line at a store, while doing Xmas shopping, or when you pulled into a gas station to fill the tank, your card was denied without explanation.

And then maybe you realized that you had also paid your mortgage and student loan payments from that account that day -- well exceeding the new, surprise spending limits.

And then maybe you waited for more than an hour on hold, at midnight, to find out if you were indeed going to be late paying those bills, and maybe customer service told you that some branches would be open on Sunday to help with the crisis, but couldn't tell you which branches.
posted by vitabellosi at 5:24 AM on January 1, 2014

« Older Cash and disclosure   |   Novels set in Westchester, NY? Newer »
This thread is closed to new comments.