When a credit or debit card number is accessed by thieves, typical procedure for quite a few years has been to shut down the impacted cards and immediately re-issue the cards to those customers. This process means the customer will be without that card for anywhere from 2 days to sometimes a week. Thieves count on this, which is why they stage such massive attacks. They know that once it's discovered, they may have as little as an hour or two before the card data becomes worthless. That's why they try and monetize the stolen data—usually by making ATM withdrawals and retail purchases quickly, using lots of accomplices making simultaneous purchases/withdrawals.
In the Target breach, that's not happening—or at least not happening to the normal degree. JPMorgan Chase on Saturday (Dec. 21) announced that it would limit impacted Chase debit cardholders to $100 in cash withdrawals and $300 in total purchases per day. Why limit the cards instead of shutting them down? It's all about the calendar.
Bankers and retailers know that any day in December is generally worth far more than any day in March or June. Suffering a few days with no card would cost the banks a huge amount. Chase alone had more than 2 million debit customers impacted by the Target breach. When a card is shut down, it either means that the customer pays some other way, such as—heaven forbid—using a card issued by somebody else. Losing several days in December—especially mid-to-late December—is simply too expensive.
Starting Dec. 25, watch for these banks to indeed reissue the cards.
Another factor is the sheer volume of this attack, with Target having said some 40 million cardholders were impacted. (Historically, data breach numbers usually are higher than the initial numbers announced.) The act of reissuing so many millions of cards is another reason for the delay.
One Chase fraud customer service employee speculated on another—albeit much less likely—scenario: An after-the-fact honeypot. By publicly saying that they will keep these accounts open, this theory argues, the thieves may take a risk themselves and try and continue to try and monetize the stolen data.
This would be highly risky for the thieves and, given the sophistication and coordination of the attack, it seems unlikely they would fall for it. With stores on high alert for anyone using the stolen data, security personnel would be poised to immediately detain anyone using such data. ATMs would be only minutely safer.
If you think Chase is taking a big security risk, they may not be alone—nor even the most risk-taking. CNBC is reporting that Citibank "was also imposing limits on debit cards for affected customers if it sees suspicious activity, though the extent of those limits was not immediately clear." Wait a second. This is an order of magnitude riskier, if true.
When a major retail databreach happens, the list of impacted card data is everyone whose data was accessible—not necessarily accessed—to the thieves. It's akin to finding that a thief has broken into a fileroom filled with unlocked file cabinets. Initially, the only safe assumption is that the thief might have accessed each and every file there. That's the only safe assumption.
What Chase is doing is limiting the access of everyone whose data might have been touched. This report suggests that Citibank is finding customers whose has actually been used by the thieves or at least is data the thieves have likely used. To not immediately shut down those accounts is positively reckless. If this report is correct, Citibank is letting impacted cards have full payment/ATM authority and only limiting that exposure even if the card is actually used.
If there is any vertical that respects security policies and their rationale, it's banks. When the banks are willing to keep a security risk open deliberately to try and preserve revenue, you know that they have also internalized the holiday spirit. Maybe they're hoping the thieves don't want to work the holidays any more than they do.