On January 21st, another huge batch of over 2 million cards hit the black market forums. After inspection y the Easy Solutions team, it appears that this batch is from the Target breach as well, which took place with some degree of uncertainty between November 27th and December 15. Evidence of the Target breach was first detected by Easy Solutions on December 11th and the breach was confirmed on December.
So one full month after the breach, after hundreds of hours of television commentary, thousands of press articles and a month of being the center of the biggest datasecurity/infosec story, 2 million new cards are put up for sale. Just another day at the office.
The primary factor driving the price of a stolen card on the black market is validity. Cards are sold individually or in bulk, and the price is adjusted based on the validity percentage of the cards. Cards stolen and quickly resold are more likely to be valid and less likely to be monitored. But keep in mind, cards are only rendered invalid if the bank expressly decides to reissue the cards. There have been numerous reports of banks large and small re-issuing cards en masse, but not for the full 40 million. So what you end up with is a breach with an incredibly long tail. It is likely that the banks and credit card companies have cranked up their monitoring and controls for fraud detection across all credit cards in lieu of mass replacement. The costs are just too high. Estimates of the cost to reissue a card are as low as $1.00 for large banks and as high as over $6.00 per card for some of the smaller issuers. Additionally, while the black market is huge, it is unlikely that it can handle 40 million cards at once without causing the price the crash. The bad guys know this and maybe are mimicking OPEC by carefully controlling supply to maintain high prices. This activity suggests a high-degree of coordination between those stealing the cards and those selling them. The end result of all of this is that millions of Americans will continue to have their credit cards bought and sold for months after the news of the Target breach disappears from the headlines.