Target Breach: Cards Hit Black Market, Chase Restricts Transactions

NEW YORK (MainStreet) — Your credit card info may now be posted for sale. Millions of hacked credit and debit cards involved in the Target breach are already listed on the black market, according to Brian Krebs, the security industry reporter who first broke the story. Cards issued by non-U.S. banks are fetching premium prices.

Two banks – a "small, community bank and a large top-10 bank" – have purchased their customers' stolen card data from an underground online service peddling the hacked card information, in an effort to confirm the validity of the breach.

Krebs reports the cards are being sold in batches sorted by ZIP code, enabling fraudsters to buy stolen card data in proximity to their location. "This lets crooks who want to use the cards for in-store fraud avoid any knee-jerk fraud defenses in which a financial institution might block transactions that occur outside the legitimate cardholder's immediate geographic region," he reports on his blog KrebsOnSecurity.com.

The stolen card data is being sold for prices ranging from $20 to more than $100 per card, he says.

Meanwhile, JPMorgan Chase has notified cardholders impacted by the Target breach that their cards will be restricted to $100 ATM cash withdrawals and $300 card purchases until replacement cards can be issued. The new limits impact nearly 2 million debit card accounts, but not credit card holders.

Multiple class-action lawsuits are underway, with reports of three such suits having already been filed, two in California and one in Oregon.

Although consumers are usually protected from losses regarding credit and debit card fraud, Javelin Strategy and Research says cardholders affected by a security breach such as the Target hack are nearly eight times more likely to become victims of identity theft. The firm says the number of notified card-breach victims who suffered fraud increased 340% from 2010 to 2012, resulting in $4.8 billion in losses.