Possible Ongoing Card Data Theft Issue at Target

[RJM62]

I rarely shop at Target, not because I have anything against the company, but simply because there are no Target stores close to me.

Yesterday, however, I had some business to take care of north of here, and I visited a Target store somewhere in Upstate New York on the way back to buy some new frying pans. I paid using my PayPal debit card.

About an hour ago, I received two emails from PayPal notifying me of two purchases on my card at a Target store downstate, each charge being for the identical amount, which was several hundred dollars. (I'm being vague about the details for obvious reasons.)

I immediately called PayPal, who immediately canceled my card (after offering me the opportunity to go make an ATM withdrawal first if I needed to), ordered a new one with a different number for me, and credited the money back to my account. So that part's taken care of -- other than the inconvenience of having to wait for the new card to arrive.

My concern is that, as I said earlier, I rarely shop at Target, so I'm pretty certain that I didn't use the card late last winter, when they were had their previous card data theft problems. If the card was compromised at a Target store, then it almost certainly happened yesterday, which would mean that the problem is ongoing.

Of course, it's also possible that the card was compromised elsewhere, and my having shopped at a Target store yesterday and the fraudulent charges occurring today and appearing as if they were transacted at another Target store was a coincidence.

Whatever the case, I wanted to put this out there as a warning: Target's card data theft problem MAY be ongoing.

I don't want to slander the company, because again, maybe my card was compromised elsewhere. But the fact that it showed up as a register purchase at a Target store suggests that someone had access to their system. There is no other physical card, and I'm 175 miles away and had the card in my possession.

Also, I suggest that in general, people activate the email or text feature that most issuers offer so they're notified when their cards are used. I was on the phone with the issuer (PayPal) within minutes because I have that feature enabled, so I was able to quickly get the funds restored to my account and the card canceled before even more attempts were made and my account tapped out.

-Rich

 

[kgruber]

Last week my wife went to Target for the first time in years. Two days later American Express was calling me about the $500 women's shoes ordered off the net with her AMEX card.

They have not solved their security problem.

 

[Non Compos Mentis]

I shop at Target occasionally, and have no worries whatsoever about security. I use cash.

 

[jesse]

I have a fair amount of insider knowledge regarding this breach and am not aware of a continued issue. That said, it's certainly possible.

 

[TStewart]

I purchased an item from Target online a couple weeks ago and was contacted by AMEX for a $4,500.00 charge they declined 6 hours after my online order. I think they may still have security issues.


Sent from my iPad using Tapatalk

 

[RJM62]

I have a fair amount of insider knowledge regarding this breach and am not aware of a continued issue. That said, it's certainly possible.

The thing that makes me suspect the problem might be ongoing is that the charges showed up as if they had been made at a Target store downstate, but there is only one physical card -- and it is in my possession. Unless Target processes online orders through the store downstate, I can't think of too many ways that could happen unless someone breached Target's POS system.

I guess someone could have created a counterfeit card and made the purchases at the actual store, but that also seems unlikely. There were two charges, minutes apart, in the exact same amount. So they would have had to buy two identical batches of stuff (or two of the same item that came out to that amount), a minute or two apart, at the downstate store.

Then again, I suppose that would be possible if it were something like two identical televisions, asked that the two be rung up separately, and used a counterfeit card to pay for both of them.

-Rich

 

[RJM62]

Well, the compromise did NOT happen at Target. I can say that conclusively.

Early this morning, my credit union intercepted an attempted fraudulent purchase against the rarely-used debit card associated with my business checking account. Because I don't use that card often, I was able to narrow down the place where it was compromised to one of three: two gas stations and a local store, all in the town where I live.

This is, needless to say, a pain because I also had to block any of my other cards that have been used at any of those locations, including the card associated with my personal account at the CU. The credit union already has new cards with new numbers waiting for me at the branch, though, so that's a plus. The rest I have to wait for because they have to be mailed.

The Sheriff's Department is investigating, with the help of the State Police Cybercrime Division, which unfortunately will likely result in inconvenience to all three stores and their customers until the matter is resolved. My credit union has extended me a courtesy loan if I want it, and Allstate told me I'm covered for any potential losses under my homeowner's policy. (I only found that out because I had to call them to cancel a scheduled payment that was to be made against one of the cards.)

So Jesse was right. This time around, it wasn't Target's system that was at fault. It was one of three systems in my sparrow-fart village.

-Rich

 

[PPC1052]

In my case, I after I used my card at Target, I had some mystery charges in Turkey. I have never been to Turkey. The credit card company said that they had actual credit card swipes, so they must have made fake credit cards using the account number and data. The credit card company was very good about taking the charges off.

 

[RJM62]

In my case, I after I used my card at Target, I had some mystery charges in Turkey. I have never been to Turkey. The credit card company said that they had actual credit card swipes, so they must have made fake credit cards using the account number and data. The credit card company was very good about taking the charges off.

The attempted purchase on my CU business debit card this morning was in Thailand, and the CU's fraud-detection system blocked it, so there was nothing to reimburse. I haven't been in Thailand in the past 30 some-odd years.

I didn't ask if the attempt this morning was a swiped transaction. I'll leave those details to the Sheriff and the State Police.

I also called the parent company of the gas station whose ATM was the most likely source of the compromise (because it was the most recent place where both cards were used). The lady I spoke to said that she would call all of their stores and have them shut down and physically unplug all the machines pending the State Police investigation (because the stores are in different counties).

All of their ATMs are run by the same provider, and they don't want to take any chances. Probably the nickle-and-dime revenue from ATMs in the middle of nowhere isn't worth the potential liability for not doing due diligence once a possible compromise has been reported. In any event, the lady I spoke to on the phone seems to have either been through this before, or to have been very well-trained. She asked all the right questions and took all the right actions.

-Rich

 

[wsuffa]

Sounds to me, Rich, like a skimmer may have been installed on the machine. Chances are, it's been removed already & there is nothing left to find.

 

[RJM62]

Sounds to me, Rich, like a skimmer may have been installed on the machine. Chances are, it's been removed already & there is nothing left to find.

That's what the Sheriff suspects, as well. But they're looking into it anyway.

-Rich

 

[F01LA]

Last week my wife went to Target for the first time in years. Two days later American Express was calling me about the $500 women's shoes ordered off the net with her AMEX card.

They have not solved their security problem.

$500 in women's shoes? Sounds like a wife problem, not a security problem!

 

[Becky]

Doesn't it seem like a reboot of the whole credit card system is in order? Stopping the fraud up front, with verification technology, rather than chasing it around after the fact, and everybody having to absorb the losses? Does anyone know if anything like a more robust system is in the pipeline?

 

[flyingron]

I use my RED CARD and only my red card at target (and no where else) and I watch the bill like a hawk (mine is a Target only card not a Target branded MasterCard). If there's a loss Target and TD Bank (who runs their credit operation) can duke it out between themselves.

 

[RJM62]

Doesn't it seem like a reboot of the whole credit card system is in order? Stopping the fraud up front, with verification technology, rather than chasing it around after the fact, and everybody having to absorb the losses? Does anyone know if anything like a more robust system is in the pipeline?

The rest of the world already have it. It's called "EMV," for Eurocard, Mastercard, Visa, the three companies that developed it. It has a microchip in the card that encrypts the card information, and requires a PIN to be used, as well.

The technology's been around for decades, but it hasn't been widely adopted in the U.S. because the dirtbags running the U.S. banking industry have been dragging their feet. They don't want to spend the extra money. An EMV card costs about a dollar more to make than a Mag-Stripe card. Can't be cutting into profits like that, you know.

The POS terminals also cost about $50.00 more than Mag Stripe terminals, but the merchant, not the bank, typically pays for the terminals.

-Rich

 

[timwinters]

Doesn't it seem like a reboot of the whole credit card system is in order? Stopping the fraud up front, with verification technology, rather than chasing it around after the fact, and everybody having to absorb the losses? Does anyone know if anything like a more robust system is in the pipeline?

Yeah, as Rich described, there's already a microchip system in use that's far superior to our magnetic strip system. But the banks and retailers are too cheap to convert so...let them eat the fraud that results...

Just deserves.

 

[asechrest]

I believe I'm very susceptible to this type of problem because I use a credit union with no brick and mortar location near me.oSo all of my cash withdrawals are done from crappy little ATMs.

 

[wsuffa]

The rest of the world already have it. It's called "EMV," for Eurocard, Mastercard, Visa, the three companies that developed it. It has a microchip in the card that encrypts the card information, and requires a PIN to be used, as well.

The technology's been around for decades, but it hasn't been widely adopted in the U.S. because the dirtbags running the U.S. banking industry have been dragging their feet. They don't want to spend the extra money. An EMV card costs about a dollar more to make than a Mag-Stripe card. Can't be cutting into profits like that, you know.

The POS terminals also cost about $50.00 more than Mag Stripe terminals, but the merchant, not the bank, typically pays for the terminals.

-Rich

A pin is not required with EMV, though it is more secure if one is used. Chip and Signature works fine.

 

[poadeleted21]

Yeah, as Rich described, there's already a microchip system in use that's far superior to our magnetic strip system. But the banks and retailers are too cheap to convert so...let them eat the fraud that results...

Just deserves.

I believe it's the retailers that eat it.

 

[N801BH]

I believe it's the retailers that eat it.

I believe it is the CONSUMERS that eat it....

 

[RJM62]

I believe it is the CONSUMERS that eat it....

Ultimately, of course we do. But PayPal told me that in the case of the purchases made against their debit card, the bank (or in this case, PayPal) ultimately will take it on the chin. The merchant sold something to someone who presented an apparently valid card, and the issuer (PayPal) approved the transaction; so ultimately, the issuer is responsible unless they can prove gross negligence on the merchant's part.

PayPal's been great about the whole thing. Possibly it's partly because I'm both a long-time member (~ 15 years) and a long-time merchant who's never had a single complaint or chargeback request made against me. Apparently that's a bit unusual for someone who processes the volume I do. I use them as my card processor, as well as for the more ordinary PayPal transactions.

My credit union's been great, as well. They stamped out new cards right at the branch and handed them to me, after checking my ID. I also canceled some other cards that were used at the suspect locations, but I'll have to wait for those to arrive in the mail.

All the suspect machines have also been checked, but nothing was found. Probably the skimmer's been removed already. They're also reviewing the security camera tapes from the machines and the stores involved just in case there's anything there of interest. So I must say, once again I have been impressed by my county's Sheriff's Department. They jumped right on this.

-Rich

 

[Everskyward]

I also think it's the card issuer who gets to pay. I made one small purchase at Target during that time last year. I wasn't going to do anything about it since I watch what is posted to my account, but Capital One decided to issue me a new card anyway. They probably figure that issuing everyone who made a purchase at Target new cards is cheaper than being on the hook for fraudulent charges.

 

[pilot_dude]

Glad to read that all impacted agencies/companies are treating you well.

 

[jesse]

I also think it's the card issuer who gets to pay. I made one small purchase at Target during that time last year. I wasn't going to do anything about it since I watch what is posted to my account, but Capital One decided to issue me a new card anyway. They probably figure that issuing everyone who made a purchase at Target new cards is cheaper than being on the hook for fraudulent charges.

The card issuer is the last one to pay. They hold accountable whomever underwrote the merchant account. That entity then holds the merchant accountable. Unless the merchant literally can't pay, they will be paying for it, and Target is definitely paying out the ass. They'll have the cover the cost of reissuing the cards, plus the fraud, plus all the forensic work..Etc

..and I'm going to have to do a bit of a plug for myself here. If anyone here has any credit card processing or merchant account needs let me know. I've been building a credit card processing platform for the last two years and we're live and onboarding accounts now.
https://www.paymentspring.com

 

[comanchepilot]

Rich - the problem is not Target, or Paypal - its using a debit card.

If you did not use a debit card you would not care as much since its not your money being stolen -

I simply do not understand why ANYONE would own or use a debit card of any kind . . . or even own one - you need a firewall between your money and the marketplace. . .

 

[Everskyward]

The card issuer is the last one to pay. They hold accountable whomever underwrote the merchant account. That entity then holds the merchant accountable. Unless the merchant literally can't pay, they will be paying for it, and Target is definitely paying out the ass. They'll have the cover the cost of reissuing the cards, plus the fraud, plus all the forensic work..Etc

I see. I guess Capital One reissued everyone's cards because they weren't going to be the ones paying for them anyway. They can get Target to pay for all these cards even though there have not been suspicious charges?

 

[jesse]

I see. I guess Capital One reissued everyone's cards because they weren't going to be the ones paying for them anyway. They can get Target to pay for all these cards even though there have not been suspicious charges?

In a mess this large I'm sure there's more lawyers being thrown at this then I can count trying to sort out who pays for what. I can say confidently that in general the merchant is responsible.

 

[RJM62]

Rich - the problem is not Target, or Paypal - its using a debit card.

If you did not use a debit card you would not care as much since its not your money being stolen -

I simply do not understand why ANYONE would own or use a debit card of any kind . . . or even own one - you need a firewall between your money and the marketplace. . .

I like paying in cash (as in, not credit) without having to carry a huge amount of it around. I suppose I could accomplish the same thing by using a credit card and paying it in full every month, but they don't let you get away with that forever anymore. I've had a few cards not renewed because I never financed anything. I guess they can't cancel you for paying the whole bill every month, but they don't have to renew you, either.

There's always American Express, but I find that fewer and fewer places around here are accepting it these days. Hell, I don't even accept it anymore. Their fees just got too blasted high.

I also fired my old merchant processor, U.S. Merchant Systems, years ago and switched to PayPal. Aside from USMS's fees being high (plus all the nickel-and-dime stuff they always managed to hit you with), they also started demanding crazy security deposits back when the recession hit, even though I'd never had a chargeback. So I fired them and started using PayPal to process my plastic.

Nowadays I pay 2.5% plus $0.30 per transaction plus $30.00 / month, which includes the API access and the virtual terminal. Not great, but not horrible, either. It's less than I was paying USMS. And with PayPal, the money's in my account instantly. USMS took anywhere from three to five days to transfer the money into my account. So I really have no complaints about PayPal as a processor.

Jesse's service looks interesting, though. I'm going to have to do some math based on my last three months, and see how it would compare. I've always been very happy with PayPal, but I'm not married to them. And Jesse's probably the smartest guy I've ever known, so I certainly trust anything he has a hand in.

-Rich

 

[Walsh029]

In a mess this large I'm sure there's more lawyers being thrown at this then I can count trying to sort out who pays for what. I can say confidently that in general the merchant is responsible.

long time active lurker but very infrequent poster. Unfortunately, I can't mention my credentials; however, I can tell you with absolute certainty that in your typical fraudulent credit card transaction, the merchant is NOT liable for any charges as long as all required data is captured at the POS. ( ie: card swiped and not hand keyed, signature captured, last 4 captured if required etc...). Very rarely will the merchant receive a chargeback which is essentially the bank challenging the charges. The only exception to this is when a proprietary card is used and then the merchant is liable because the merchant owns the credit line.

My expertise is limited to the larger chains and financial institutions and I can't speak as to who is liable at your smaller mom and pop operations.

 

[jesse]

long time active lurker but very infrequent poster. Unfortunately, I can't mention my credentials; however, I can tell you with absolute certainty that in your typical fraudulent credit card transaction, the merchant is NOT liable for any charges as long as all required data is captured at the POS. ( ie: card swiped and not hand keyed, signature captured, last 4 captured if required etc...). Very rarely will the merchant receive a chargeback which is essentially the bank challenging the charges. The only exception to this is when a proprietary card is used and then the merchant is liable because the merchant owns the credit line.

My expertise is limited to the larger chains and financial institutions and I can't speak as to who is liable at your smaller mom and pop operations.

My experience suggests otherwise. If they can find something you did that violated PCI (and they always will) they use that to hang you. There is no way Target will get through this without writing many large checks.

http://techcrunch.com/2013/12/23/ta...-to-3-6-billion-from-credit-card-data-breach/ touches on this.

At the end of the day though in a breach this large everyone will be suing everyone and nobody is going to get out of this without paying money.

 

[flyingron]

The credit card issuer has the responsibility to make the card holder right.
The issuer/servicer then will go after the merchant if they feel they breached some responsibility in their mutual agreement.

 

[wsuffa]

Rich - the problem is not Target, or Paypal - its using a debit card.

If you did not use a debit card you would not care as much since its not your money being stolen -

I simply do not understand why ANYONE would own or use a debit card of any kind . . . or even own one - you need a firewall between your money and the marketplace. . .

I don't (and won't) use a debit card for purchases, but I do and will use one as an ATM card. I keep a secondary checking account with very low balance as the account I use for ATM withdrawals. Add more from primary account when needed. Limits the damage if ATM/debit card is stolen or skimmed.

 

[flyingron]

I'd be happier if my ATM card didn't bear a Visa logo. I was able for years to request one that did not, but they got progressively harder to obtain.

 

[JOhnH]

In a mess this large I'm sure there's more lawyers being thrown at this then I can count trying to sort out who pays for what. I can say confidently that in general the merchant is responsible.

And I can say with confidence that any and all losses by the retailers or the banks or their insurance companies will eventually be passed on to the consumers, in total.

 

[John Baker]

I believe it is the CONSUMERS that eat it....

I believe this could put target out of business.

-JOhn

 

[jesse]

I believe this could put target out of business.

-JOhn

No way, consumers forget quickly and the credit card companies want Target to remain as they do process a lot of cards...

 

[airguy]

I like paying in cash (as in, not credit) without having to carry a huge amount of it around. I suppose I could accomplish the same thing by using a credit card and paying it in full every month, but they don't let you get away with that forever anymore. I've had a few cards not renewed because I never financed anything. I guess they can't cancel you for paying the whole bill every month, but they don't have to renew you, either.

I've been doing exactly that with a Southwest Airlines Visa since early 2006, haven't paid a dime of interest and they just sent me a renewal card last month.

 

[denverpilot]

I like paying in cash (as in, not credit) without having to carry a huge amount of it around. I suppose I could accomplish the same thing by using a credit card and paying it in full every month, but they don't let you get away with that forever anymore. I've had a few cards not renewed because I never financed anything. I guess they can't cancel you for paying the whole bill every month, but they don't have to renew you, either.

There's always American Express, but I find that fewer and fewer places around here are accepting it these days. Hell, I don't even accept it anymore. Their fees just got too blasted high.

I've been paying my cards off monthly since at least 2000. Maybe earlier. I forget when it was that Karen and I broke our debt addiction and vowed to never go back.

Never had one cancelled. Might look into a credit union card. No fees. Slightly higher interest rates sometimes but if you're paying it off, who cares? Better managed than any bank I've ever dealt with. Better customer service. Etc.

I use Amex for most stuff and a credit union issued non-Amex for a) places that won't take Amex, b) mom and pop shops that I like because I know Amex rapes them.

I also have a non-Amex card from an airline but a) I don't like the airline anymore, and b) I don't like airlines in general anymore. Ha. So it is mostly unused these days.

Not a dollar of interest in all that time.

Amex doubles as the Costco membership card and costs me $50/year.

I hate Costco and actually don't shop there regularly at all, but who can turn down $500/yr in free stuff AFTER the annual fee? I fuel the airplane with the Amex. Hitting the cash back limit every year is easy.

I'm sure Costco and the folks carrying balances are buying me stuff. Kinda nice of them. I should send a Thank You card.

So we do an annual Costco run and either buy one big ticket item or non-perishables and paper goods and stash them. I think I'm still using Ziplock baggies of all sizes from the check four years ago. Heh.

I have a $550 check sitting here waiting to go to Costco. This year we will probably use it to outfit the RV trailer with whatever stuff we need from Costco.

So hunt down a better card Rich and enjoy letting someone else buy you stuff for being responsible with it. Heh. There's cards that won't get cancelled for paying them off. Even no-fee cards!

 

[RJM62]

I've been paying my cards off monthly since at least 2000. Maybe earlier. I forget when it was that Karen and I broke our debt addiction and vowed to never go back.

Never had one cancelled. Might look into a credit union card. No fees. Slightly higher interest rates sometimes but if you're paying it off, who cares? Better managed than any bank I've ever dealt with. Better customer service. Etc.

I use Amex for most stuff and a credit union issued non-Amex for a) places that won't take Amex, b) mom and pop shops that I like because I know Amex rapes them.

I also have a non-Amex card from an airline but a) I don't like the airline anymore, and b) I don't like airlines in general anymore. Ha. So it is mostly unused these days.

Not a dollar of interest in all that time.

Amex doubles as the Costco membership card and costs me $50/year.

I hate Costco and actually don't shop there regularly at all, but who can turn down $500/yr in free stuff AFTER the annual fee? I fuel the airplane with the Amex. Hitting the cash back limit every year is easy.

I'm sure Costco and the folks carrying balances are buying me stuff. Kinda nice of them. I should send a Thank You card.

So we do an annual Costco run and either buy one big ticket item or non-perishables and paper goods and stash them. I think I'm still using Ziplock baggies of all sizes from the check four years ago. Heh.

I have a $550 check sitting here waiting to go to Costco. This year we will probably use it to outfit the RV trailer with whatever stuff we need from Costco.

So hunt down a better card Rich and enjoy letting someone else buy you stuff for being responsible with it. Heh. There's cards that won't get cancelled for paying them off. Even no-fee cards!

That's true, actually. The last card that non-renewed me was from a bank (Cap One, I think). I've sworn off banks and switched to credit unions since then, and I actually have a Visa through one of my credit unions (First Tech) that I use so rarely that I almost forgot I had it. It was locked in the safe.

Thanks.

-Rich

 

[Everskyward]

I don't understand the non-renewal for paying off cards either. I've never been non-renewed and I've always paid them off. All my cards are from banks, none from credit unions.