The Black Market for Stolen Credit Cards

March 13 (Bloomberg) -- Computer Forensic Services CTO Mark Lanterman and Bloomberg Businessweek’s Michael Riley discuss stolen credit cards and resale on Bloomberg Television's “Bloomberg West.” (Source: Bloomberg)

Live from Pier 3 in San Francisco, welcome to "Bloomberg West." An explosive story about the massive Target data breach: Bloomberg Businessweek has learned the Target systems quickly detected that someone had broken in. The executives did nothing.

We will spend the next half hour diving deep into this story and looking at what went wrong plus the secret black market for credit card information and the underworld of who traded.

Amazon is raising the price of its Prime membership by $20 to $99 per year.

Current members are being sent reminders about their renewal dates when they have to pay the higher cost.

The move will generate additional revenue for Amazon.

Prime gives members access to free two-day shipping and Amazon video service streaming.

John Donahoe is stepping up his game at eBay against Carl Icahn, who wants eBay to spin off PayPal.

He has consulted with other Icahn targets including Tim Cook and Reed Hastings for advice on how to handle the activist investor.

He has met with Goldman Sachs and institutional investors to make his pitch that PayPal belongs with eBay.

It is the era -- it is the end of an era for Google.

It has removed underlined links from its desktop search page. Links had shown up as underlined when it first launched back in 1996. It has increased the size of results and evened out the height of lines to make the desktop page easier to read and more consistent with the Google mobile site.

The inside story of that massive Target data breach -- we start with a look back at the timeline of events that led to the data breach that touched as many as one in three American consumers.

The first time the public heard that Target had been hacked was on December 18, 2013. A blogger revealed the company was investigating a massive breach.

The breach itself actually began some time before that.

What did Target know and when did they know it?

Hackers began capturing credit card data on November 27. Three days later, sophisticated security spotted the malware.

Target had paid $1.6 million for it because of its ability to detect hacking in real time.

Soon the security worker in India saw the FireEye alarm and sent it to the operation center, and the alarm was overlooked. On December 2, security tools detected another version and this red flag also went undetected.

Had Target acted on the alerts at this point, they would have been able to prevent one of the biggest data thefts in history.

Instead, for more than two weeks, the hackers collected credit card information and bounced around the globe to places like Moscow.

On December 12, federal law enforcement notified Target that there is suspicious activity involving card payments.

The retailer hires an independent team to run a forensic investigation and on December 15, Target confirms it has been hacked and removes the malware.

It issues the first public statement revealing that up to 40 million cards have been compromised.

20 days later, they notify customers that in addition to credit card theft, personal information for up to 70 million customers has also been stolen, affecting as many as 1/3 of American consumers.

Such a fascinating story.

It's like reading a thriller.

The amount of detail in the story and what happened and how and the fact that Target did nothing when they first found out about it.

We will go into great depth in the story but the impact is important not just for target and not just for the tons of people affected but for every business involved with customers and technology which would mean pretty much everyone.

Michael Riley, one of the authors of the story in this week's "Bloomberg Businessweek," joins us now.

The headline on the story is "Target blew it." How did they blow it and why?

This seems to be a story about how Target did all the right things to prepare for this kind of event and spent a lot of money and bought some very sophisticated tools. FireEye is the tool that catches the malware at an early stage and is used by the CIA and the Pentagon and intelligence agencies all over the world.

They created a security operations center which is a headquarters where specialists sit and analyze data that's coming in and look at alerts.

They had around-the-clock monitoring service including using a vendor in India and yet when the alerts actually -- when all of that technology and all that money spent actually found the malware as it was coming in, the malware that would have been used to take the data out, the alert was recognized in Bangalore and went to Minneapolis and nothing happened.

There is a human failure at the core of this.

It's unclear why the SOC did not react.

There were management issues going on there.

There was an issue of how security teams deal with all of his alerts -- all of these alerts in a timely manner.

We know that their tools worked and they spotted the malware in time and they did not do anything to stop it.

We have a response from target.

This is the full statement.

They came back to you with a statement after you asked them questions.

It says -- Target is facing some 90 different lawsuits.

It seemed like you guys saw past the mystery about how this happened and the role of FireEye that Target had been using that caught this before anything was even stolen.

I think that what they are trying to do is figure out what actually went wrong on the human level.

These findings were all known to Target as they went back.

They were notified by federal authorities that they have been hacked and then they went back to look and see what all of this expensive equipment and costly system they put together did not work.

What they found as they did that investigation is that it did work at least on the technology level and the question is where was the human fail?

Did they not react quick enough or was there a management issue that meant they did not react to the alerts?

The systems create a deluge of data. FireEye is a very specific and good system that does not create false positives.

Maybe they did not pay attention to the systems they should have.

I think that is what they are going through and the CEO says they are doing a complete top-to-bottom review of their security system.

The company is trying to figure out why this happened and how is it that they could have found the malware in time and not done anything.

There is a suggestion they were used to using crummy tools but they got their hands on a good one.

Were they used to the crummy response previously?

We have seen a security boom in tools.

Every company is selling something that says it can save your network and there are many really good tools out there.

This is the set of next-generation tools that analyze behavior and do not just look at digital signatures.

All of these big companies also have a lot of legacy tools and older tools.

They all have antivirus which can put up tens of thousands of alerts even in a day and there's a huge amount of information they have to go through.

We talked to customers who used FireEye and they say it is a good tool but you have to have a security team that can respond in time and get what you want.

One of the ironies is that FireEye has a function which, when it responds to a piece of malware like this, can eliminate it automatically.

Target had that function switched off, which sounds weird.

It's not that unusual because the IT and security teams like to have the last step themselves and be able to go and look and see what the problem is.

The problem is, when it came to the last step, they did not do it.

We will talk more about what information was taken and who took it and where it went and how it was used in the next block.

I have to admit that I am one of those people who is still scared to shop at Target.

How safe is it now?

I think when companies suffer breaches like this, they tend to drive hard to learn from them.

It is safe in the sense that on December 15, they were able to identify the malware and eliminate it.

It was not a hard thing to do because of the way the Target systems work.

They can just re-image all their POS machines all at once.

After December 15, the hackers have been cleaned out and those cards are not at risk.

The larger question is for Target and other companies, are they suffering -- is their system vulnerable in ways hackers will continue to do this?

One thing about this hack is that it was not very sophisticated.

They were not the best hackers in the world.

They did some very smart things but a report was released that said if Target had their act together, they should have found these guys out before they did.

Don't go anywhere, you will stay with us through the next block.

Up next, how easy is it to buy a stolen credit card number on the black market?

We will take a look at the secret websites that are the Amazon.com of credit card fraud and you can watch us on Bloomberg Television, streaming on your phone, your tablet, and Bloomberg.com.

We are talking about the massive data breach at Target.

Once the hackers stole the credit cards, what did they do with them?

They trafficked them through the credit card black market in Ukraine.

It is a person we believe sells stolen credit cards through several websites. Let's bring in the chief technology officer at forensic services.

He is a former member of the Secret Service Electronic Crimes Task Force.

Michael Riley is back with us as well.

Mark, who is Rescator and what is their role in this?

His name is inside the code of the malware that was installed on the Target POS system.

We know that he had something to do with the creation of this malware.

I think of him essentially as a farmer.

A farmer plants a crop and waits for it to grow and harvests it and takes that crop to market.

That is exactly what has happened here.

Paint the underworld you describe in your article of carders and this place in Ukraine where they apparently have conventions where a bunch of people get together and talk about how to use credit card information and they sell it and buy it.

Describe this place to me.

We know that the cyber underground is becoming increasingly well segmented machine that operates quite smoothly.

Secret Service describes a lot of these sites compared to the "Ocean's 11" movie.

It is different guys with different skills and will do various parts of the hack but you can hire out or find somebody good at any piece of this you need.

Once they collect the cards, they've got a really efficient way of selling them.

You can go onto some of the best sites and they work like Amazon.com.

You can go onto the site and sign in with a password which you have to get from the site's creator or because you are a client or known. Once you're in there, you can search cards by the card brand or the expiration date and by zip code so if you are buying these cards to commit fraud, you can do it in the same area where the cards are issued so that it does not trigger fraud engines.

They make it really easy to do.

Then you put your basket of stolen cards into an electronic check out basket and you pay for it using bitcoin or Western Union or whatever currency they want to take.

It is pretty automated.

Mark, one of the interesting things about the story was the notion that this was not just a bunch of guys in a dark room on computers in Eastern Europe but there were physical breaches of security.

This is a complex operation with real spy-like characteristics that involve fake ID badges.

Physical security is most important.

What troubles me most about this -- think of it like this -- Target paid 1.6 million dollars for a smoke alarm and when it went off, they took the battery out without seeing if there was any smoke.

Describe the way the black market works.

As I understand it, credit card numbers sell for anywhere from between $600-$2000. How quickly can they use these before they are detected?

The analogy I used earlier I think is pretty spot on.

The individuals in Russia are making their money by selling the stolen information.

They need to make it convenient so they have put together this Amazon.com for this data.

It is a no frills webpage but it does allow hackers to download very specific or to purchase very specific credit card information even coming back to a certain billing zip code.

They can even purchase specific cards with specific 4 digits, the final four digits on a card in order to circumvent human security at the checkout.

If you've ever purchased a tv at the checkout, the cashier will often ask you for the card and check the expiration date and they will check the last four digits to make sure it matches up with the information stored on the magnetic stripe.

These are very sophisticated customers of Rescator.

Your story is amazing and nice work.

I wonder about prosecution and what happens.

Can they actually get their hands on these guys?

Is there cooperation cross-border?

Has that changed with the situation of Russia and the Ukraine?

The short answer is no.

There are gangs that have been operating for years in Russia and elsewhere in Eastern Europe.

There was an indictment last year in New Jersey that focused on a gang like this one that had been responsible for stealing 160 million credit cards at least from everyone from JetBlue to Citibank and it goes back to the Heartland Payment Systems hack which was 2008. Those guys have been operating for years.

They have been untouched in Russia.

U.S. law enforcement, it's not like they have not tried but it depends.

I talked to a former FBI agent and he says it depends on the cooperation we get from the home country.

They say we can't do anything if they don't respond.

The one thing they have tried and have had some success with is they try to lure these guys out to a different country.

For example, they will lure people out to do a business deal or have a party in the Netherlands or Amsterdam on the pretext that they are another bad guy.

If those guys get on a plane and fly to one of these countries where they have better law enforcement cooperation, then they can lay hands on them.

Let's invite them on "Bloomberg West." I'm not sure that will work.

It's a nice try.

Michael Riley, fantastic piece. Mark, please read the piece in "Bloomberg Businessweek." Still ahead, how safe is your data and what are companies really doing to protect it now? You can also watch us on Bloomberg Television, streaming on your phone, your tablet, and Bloomberg.com.

Welcome back.

Turning back to the inside story of what went wrong with Target and how companies deal with credit cards and your information -- it is not just the bar -- back-and-forth of Target but how it may serve as an object lesson for how not to screw up for others.

We got the perfect person to discuss this, the CEO of a credit card company.

How do you deal with it?

Security on the internet is a difficult thing.

You have to focus on it everyday.

We have an entire team dedicated and committed to it.

It's all about trust and credibility.

The story that you guys produced is a powerful one about human mistakes.

What I like about what Target did afterwards is the CEO came clean and said this is a bad situation.

Eventually.

This really felt like a political thriller where you had an administration with an incompetent response to an evolving problem that could have been headed off.

I wonder how many credit card numbers do you guys receive?

We will do over 3 million transactions this year alone.

The business is growing very strong.

We started with textbook rental but we do digital subscriptions to learning material so it will just get bigger.

How big is your security team?

We will not give out information but it's pretty significant.

One of the smartest things that we did is our general counsel was with eBay before, for 10 years.

He has taken that responsibility since the first day he came.

Stick with us because we will talk more later in the show about the future of Chegg and we will have more of "Bloomberg West."

This text has been automatically generated. It may not be 100% accurate.
