NEW YORK — It does not surprise specialists that debit and credit card numbers stolen from Target’s computer systems might have surfaced among nearly 100 fake credit cards seized in Texas this week.
Even so, they say the bust is unlikely to lead to the hackers behind the breach, given the vast, labyrinthine nature of the global market for stolen data.
According to police in McAllen, Texas, two Mexican citizens arrested at the border used information stolen during the pre-Christmas Target breach to buy tens of thousands of dollars’ worth of merchandise. But the Secret Service said Tuesday its investigation into the possibility of a link between the Target data theft and the arrests is ongoing.
Target says hackers stole about 40 million debit and credit card numbers from cards swiped at its stores between Nov. 27 and Dec. 15. Personal information — including e-mail addresses — was taken for another 70 million people.
Millions of Americans have been left to wonder what has become of their personal information. Chester Wisniewski, senior security adviser for the computer security firm Sophos, says in cases where such a massive amount of information is stolen, criminals generally divide the data and sell the parcels in online black markets.
In many ways, those markets behave much like any legitimate marketplace ruled by the forces of supply and demand. Higher-end cards are worth a lot more than those with lower credit limits and so are cards tied to other personal information, such as names, addresses, and ZIP codes.
After thieves purchase the numbers, they can encode the data onto new, blank cards with an inexpensive, easy-to-use gadget. Or they can skip the card-writing process and use the card numbers online.
The underground markets always have a steady supply of card numbers on sale and their locations are always moving, says Daniel Ingevaldson, chief technology officer at Easy Solutions Inc., a firm that sells antifraud products and tracks the activity of the online black markets. A big jump in inventory usually indicates there has been a breach of a major retailer.
While many of these online bazaars are based in Russia and Eastern Europe, much of the chatter is in English and appears to have been written by Americans, Ingevaldson says.
Wisniewski says the people who buy card numbers online and produce the fake cards are not the ones who try to use them. Using the cards is the riskiest part of the fraud scheme, so the task is usually farmed out to others who are often recruited through spam e-mails.
Card users, once caught, often only have a handler’s e-mail address, making it nearly impossible to find the recruiters, Wisniewski says.