Banks Report Credit Card Breach At Home Depot
criticalmass24 sends news that multiple banks are indicating Home Depot stores are the source of a new batch of stolen credit cards and debit cards that hit the black market today. "There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market." Home Depot is aware of the situation, and says they're investigating. The banks say this breach may have begun as early as April or May of this year and may extend to all 2,200 of Home Depot's U.S. stores.
Re: (Score:3)
Read al
Re: (Score:3)
Bitcoin would be a better solution
Re: (Score:2)
Re: (Score:2)
That's why you include a fee with your Bitcoin transaction. The larger the fee the more quickly you should get confirms back.
Bitcoin really wasn't designed to be used as a currency; payment just happened to be one of the first applications developed using the protocol. If you need confirmation speed, you should take a look at Litecoin.
Re: (Score:1)
Re: (Score:2)
Mutual authentication and off (merchant) device encryption.
Re: (Score:2)
Probably because none of the vulnerabilities listed at wikipedia [wikipedia.org] involve cloning the card, they all include forcing terminals into offline chip and pin mode which is not going to be supported by most US card issuers. I've been following EMV for many years now and outside of some very controlled lab experiments involving very cold temperatures and long side channel analysis nobody has managed to pull off a duplication attack for online transactions (at least nobody that's published information, and there have
Re: (Score:2)
One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.
Re: (Score:2)
One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.
Just don't support offline mode on the terminals then. Or maybe design the terminals so that offline mode only works if a manager enables it, and then it only works for 15 minutes. This would allow stores to not grind to a halt when there is a communications problem, but it would prevent stores from just systematically ignoring that 99% of their terminals are in offline mode 24x7.
ATM cards support offline PIN verification too, or at least the spec does. Nobody ever used it because it was known to be inse
Re: Chip and PIN (Score:2)
It's doubtful that offline mode could be enabled in firmware, certainly not without some serious work. But shimming the terminal 1. Intercepts the chip data stream, 2. Triggers an apparent non chip card insertion, 3. Captures the chip data and if the cracker is good, acts like a terminal and decodes data, 4. Sends stripe data as expected, 5. Terminal received the auth and is happy happy happy.
The shim stands in to intercept the chip data, fool the terminal into accepting the card as a mag stripe, and doo
Re: (Score:2)
It's already been done and demo'd at DEFCON.
Next.
Re: (Score:2)
Why do you think the chip or the information on it can't be duplicated or spoofed?
To duplicate an EMV card, you would need to take the card to a lab and do some serious meddling.
To duplicate a standard US credit card you need a cell phone and the card for 10 seconds.
The difference is significant.
Of course NFC will screw the pooch before the US catches up.
Re: (Score:2)
Why do you think that?
Re: (Score:2)
Because there are a string of documented attacks against NFC payment systems.
Re: (Score:3)
Yes it will, and then it will be compromised. Chip and Pin* has known defects.
NFC is also broken.
Digital money is a dead end.
*Sounds like a kids cartoon about encryption.
Re: (Score:2)
Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements.
Since some of the cards stolen were debit cards, which require something you have (card with magnetic strip) and something you know (PIN), I don't see how chip+PIN is the holy grail you think it is.
Although there may be more negotiation/handshake at PoS with chip+PIN, it still comes down to two-factor auth to make that sale. And, if somebody can install software/hardware that grabbed mag strip + PIN, they likely can do the same for chip+PIN.
Re: (Score:2)
A PIN is not required to use a debit card today. The vast majority of them support running the transaction either through the debit networks, where you use a PIN, or through the credit networks (Visa or MasterCard) where, today anyway, you sign. So the thieves can still steal the card number off a debit card and use it just like a credit card. The only difference is that your checking account is the money that gets tied up in limbo until it's sorted out, instead of the bank's money (in the form possibly
Re: Chip and PIN (Score:1)
Re: (Score:3)
Big deal. You're not on the hook for the fraudulent charges. You just have to check your bill and maybe your CC issuer will give you another card.
Re: (Score:2)
FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.
Re: (Score:3)
FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.
And what property of yours is missing? I'm thinking it's your sanity.
Re: (Score:2)
Well if it's a debit card, if i'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent. But mainly, while everything is pending, your money is gone. It may only be temporary, but you can't pay bills with IOU's.
Re: (Score:1)
Re: (Score:1)
You would be mistaken [ftc.gov].
Notice that the timer on reporting doesn't really start until you either 1) learn of the fraud or 2) have an opportunity to review a bank statement.
And if your credit doesn't suck (read: are a responsible adult), most card issuers won't charge you even that $50 limit because they'd rather have customers that don't badmouth them on the internet than people who are disi
Re: (Score:2)
Thanks for pointing that out in a completely non-condescending or stupidly myopic manner! Of course you can call the card issuer, or write a letter.
As stated though, the main problem with these fraud cases is: when a debit card is involved, your bank account is *temporarily* drained. Which can lead to a bit of a headache.
Re: Chip and PIN (Score:1)
Re: (Score:3)
Well, for one I have to spend my time to submit a fraud report to my bank. If using my debit card, the money is gone until the fraud is confirmed. Second, I have to wait for a new card to arrive in the mail, then try to remember who I have set up on automatic payments using my old card. Call each one of them or visit their website to enter in the new numbers. The ones that I forget will possibly result in account suspensions, etc, until after the new number is entered. Fees may be charged, which most o
Re: (Score:2)
So it's their fault you have a sloppy financial system?
Lock the info up with encryption if it's such a bother for you.
When it happened to me, I called the bank, 5 minutes later my money had been returned, the card was no longer attached to my account directly.
After that, when I got an email from various companies that my CC was no longer valid, I just changed it. Never had any interruption in any service.
On a weird note, after that call, 2 weeks later a recurring charge on that account went through. I cont
Re: (Score:2)
I'm refinancing my house at the moment. Having my card stolen will raise all sorts of flags, and either abort or delay the process.
My property won't be missing if I run up a massive credit card bill, but it would potentially cause me hours and hours of work, a bunch of money, and a shit-load of stress. I'd rather that the problem be fixed instead of ignoring it for another bunch of years.
Re: (Score:2)
FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.
And what property of yours is missing? I'm thinking it's your sanity.
No, it would be insane to invite all that hassle by advocating banks continue with ludicrous plaintext credentials on credit cards. Do you work for a bank?
Re: (Score:3)
That's not it - you're simply not clear on the concept. Those costs are paid by the consumer, through higher prices and/or fees.
Re: (Score:2)
Which is balanced against price point and competition. If the problem was magically fixed tomorrow, your fee would not go down.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Me. I have the patience for "card present only" transactions. What's the big hurry?
Re: (Score:2)
Sure, chip and PIN messages can be intercepted, but the data that can be intercepted cannot be reused for a second fraudulent transaction, and cannot be tampered with.
Chip and PIN moves the trust out of the merchants' terminals and out of the network. Only the chip and the bank's systems have the secret knowledge needed to participate in the conversation. You no longer have to wonder if Home Depot's readers are safe, because it won't matter.
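Added illustration of the point above (not code from any commenter, and not the EMV specification): a simplified online authorization where only the chip and the issuer hold the card key, so a captured message fails on replay and an edited amount fails the MAC check. HMAC-SHA256 stands in for the real block-cipher ARQC, and the key and transaction values are constructed.

```python
import hashlib
import hmac

# Constructed demo key: in EMV the chip and the issuer share a per-card key
# (session keys are derived from it); the terminal, merchant and network never
# hold it. The value below is made up for this example.
CARD_KEY = b"constructed-demo-card-key"


def chip_cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: int) -> bytes:
    """Simplified stand-in for an EMV ARQC: a MAC over the transaction data.

    Real cards MAC more fields with a block cipher; HMAC-SHA256 is used here
    only to show the property, not to match the specification.
    """
    data = (atc.to_bytes(2, "big")
            + amount_cents.to_bytes(6, "big")
            + unpredictable.to_bytes(4, "big"))
    return hmac.new(key, data, hashlib.sha256).digest()


class Issuer:
    """Issuer host: the only party besides the chip that can verify the cryptogram."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest Application Transaction Counter accepted so far

    def authorize(self, atc: int, amount_cents: int, unpredictable: int,
                  cryptogram: bytes) -> str:
        expected = chip_cryptogram(self.key, atc, amount_cents, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE:bad-cryptogram"   # edited fields or wrong key
        if atc <= self.last_atc:
            return "DECLINE:replay"           # this counter value was already used
        self.last_atc = atc
        return "APPROVE"


def run_scenarios() -> list:
    """Genuine purchase, then two attempts that reuse the captured message."""
    issuer = Issuer(CARD_KEY)
    atc, amount, un = 17, 4_599, 0x1A2B3C4D      # constructed transaction values
    msg = (atc, amount, un, chip_cryptogram(CARD_KEY, atc, amount, un))
    results = [issuer.authorize(*msg)]                          # genuine: APPROVE
    results.append(issuer.authorize(*msg))                      # same bytes again: replay
    results.append(issuer.authorize(atc + 1, 99_999, un, msg[3]))  # edited amount: MAC fails
    return results


if __name__ == "__main__":
    for result in run_scenarios():
        print(result)
```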
Re: (Score:2)
The deadline to switch is in 13 months. That kind of massive national transition is not easy or fast.
After next October, businesses will be able to use the old swipe and sign terminals, but they will be liable for any fraud instead of the credit card company. Obviously nobody wants that liability.
Re: (Score:2)
And in the UK, the stories of pensioners being shoulder-surfed at the ATM (or worse) while they peck away at the keypad end with them at the bank being informed that their money is gone, and they must have disclosed their PIN to someone. "Sorry, but the system is totally secure. It isn't our fault". Not as if the camera at the ATM wouldn't be showing some hoodie emptying their account, though the banks have no real incentive to investigate.
Yeah, Chip n PIN is a real winner, for the banks.
Re: (Score:2)
Re: (Score:2)
Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.
And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.
Re: (Score:1)
Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.
And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.
It *could* if the store at least used the Chip + Pin to validate the person picking up the loot.
Granted, I still don't see how it helps stop people buying stuff on Amazon but that one example you provided should be fairly simple to avoid.
Re: (Score:2)
The chip and pin readers at Home Depot are not enabled. I had to swipe a card that had a chip. Maybe they will install the right software.
Re: Chip and PIN (Score:2)
That's as easy as it gets.
Re: (Score:2)
What do you care? the CC company pays for it, and they send you a new card.
Re: (Score:3)
As has already been pointed out, no, it's you that pays for it in fees.
The current interest rate on savings is what about 1%? Banks can take that money and charge 18-24%. They've got a license to print money. Do you really think they're just going to eat the loss? They're passing it on to you in dribs and drabs.
Re: (Score:2)
My grocery store has new Verifone readers with chip and pin slots. The things are so badly made that they reject my card on the mag strip reader until the clerks showed me a trick where you stick a plastic grocery bag between the card and mag head to make it work.
Re: (Score:2)
Re: (Score:2)
Even better, use bitcoin instead.
Seriously, problem fixed.
Re: (Score:2)
Also, I hate having to keep up with receipts. Electronic payments make recordkeeping so much easier.
Instead of naming stores (Score:1)
Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!
Re: (Score:2)
Because your average consumer doesn't know and doesn't care that Home Depot or Target runs an IBM or NCR system. They know that Home Depot and Target screwed up forcing them to watch their statements even more closely than normal and maybe get a new card issued requiring an update of all the auto-payment stuff and made things a pain in the ass.
It's up to Home Depot and Target to then apply leverage to IBM and NCR or jump ship to another vendor. Each vendor responds to their direct customer.
Re: (Score:2)
Fine.
In the slashdot summary, how about naming the actual vendors?
Re: (Score:3)
It's not NCR, IBM, etc. It's Ingenico, Verifone, the other terminal makers, and the acquirers (Paymentech, First Data, etc) that handle the data, but Home Depot needs to secure the transmission of that. And I bet most of this was skimmed off of databases that needed to be another layer away from intruders.
There is no such thing as absolute security.
Awesome (Score:2)
This will be the second time my credit card gets replaced this year.
The third time in 3 years.
I've tried to order stuff online and been forced to call in because the retailer subscribes to a service that considers me a 10/10 fraud risk.
And not because of anything I've ever done or any charges that have shown up on my bill.
Re: (Score:2)
If they change mine, it will be the second this year, fourth in two years, sixth or seventh in 3 years. Credit unions don't all own their card systems, and these issuers are lazy.
Some card issuers know that 40-60% of their cards in force are 'compromised'. They consider that normal, and perform fraud/risk monitoring as a normal course of business.
chip and pin? (Score:2)
Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...
Re: (Score:2)
The US is finally going to Chip and PIN next year. It just takes a long time to get a million businesses to spend the money needed to convert their readers.
Re: (Score:2)
Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...
I doubt Chip and Pin will close the security hole they have here. It's insecure POS's rather than insecure cards. Europe and Canada (and Australia) still have breaches but not as big as this for two reasons.
1). You're not allowed to pass the card details onto the POS. The POS passes the sale info to the processor and the processor passes back a PCI (Payment Card Industry) standard censored card number (the last four digits).
2). You're not permitted to store any payment details on the POS.
Breaches happ
Stupid banks... US credit cards have no security (Score:2)
The banks are reaping the rewards of years of sticking their heads in the sand on security. Europe has chip and pin which is much more secure. US credit cards are ridiculously easy to counterfeit. I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.
Re: (Score:2)
I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.
One of my recently replaced cards is chip and signature, and I think that's what most US-issued smart cards are using. Security-wise, it's kind of a half measure, but at least it's a step forward from complete reliance on the magstripe.
Re: (Score:2)
Chip and signature may not help against physical theft of the card, but it will put a stop to these massive breaches by hackers.
Re: (Score:1)
More to the point, the merchant is prohibited from declining any payment via credit card that has been approved by the terminal regardless of whether the signature matches. Further, they cannot request ID as part of the checkout---per their payment processing agreement.
Re: (Score:2)
You know, I think it's true that Europe had a much higher rate of fraud, which convinced them to move to chip&pin sooner.
Yes, I've heard that they're working to move to chip&pin, my bank sent out a notice that they're working on it. When I get closer to the expiration of my card I might call them up and ask to be moved over as I actually travel internationally occasionally and it'd be nice to be able to use my card in European stores.
Re: (Score:2)
Not any time soon - as it happens, I have an Amazon card from Chase and just got the replacement for an expiring card - no chip and pin, I called and asked about it and they said they MAY have it when my next card comes in 3 years...so don't hold your breath.
I mention Amazon specifically because other commenters seem to think that anything Amazon is immune and safe...not so fast young grasshopper...
Re: (Score:2)
Nope, they will issue a new card with at least chip and signature by next fall, October 2015 is the deadline from Visa for the card providers to move over as well as the merchants. After that date if the card issuer has issued a chip card and the merchant uses the magstripe then the merchant is liable for the fraud, there is no way in hell any card issuer is going to give up that kind of liability offload for one moment, let alone 2 years. The idiot bots that answer the phone have no idea what's actually go
Hire those illegals out front to investigate (Score:2, Funny)
They work cheap.
Store branded credit cards (Score:2)
Still going to go through ye old checking account and verify there's no HD charges on there since April.
Re: (Score:2)
Stupid (Score:1)
If you don't want your credit card number stolen and displayed all over the Internet, you shouldn't use your credit card! What were these people thinking?!?!
And with that moral justification out of the way, let me go Google for those Jenni.... er credit card photos.
Are the POS providers total morons? (Score:2)
How hard is it to run an independent circuit that scrapes your OS and process executable memory and compute a verified hash? Do these systems run any kind of meaningful IDS at all?
Why do they keep doing it (Score:2)
Re: (Score:2)
Re: (Score:2)
Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?
No. But they are not required by law to be smart about security. Since they charge back everything to the retailers, they don't care.
Chip and Pin isn't worth it. (Score:2)
Give us real security - a Token based system that generates a new single use credit card number for each and every purchase made using the card - both on and off line.
That number should only be reusable if you want to make it a reoccurring, monthly charge.
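Added illustration (not any poster's code, and not a real processor API) of three things raised in this thread: the POS only ever receives a masked card number, a token is single-use unless it was issued as recurring, and a return is done against the authorization reference rather than the card number. The Processor class, its method names and the test card number are all constructed for the example.

```python
import secrets


def mask_pan(pan: str) -> str:
    """Display form a POS is allowed to keep: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class Processor:
    """Hypothetical processor-side vault: the only place the real PAN exists."""

    def __init__(self):
        self._vault = {}   # token -> {"pan", "recurring", "used"}
        self._auths = {}   # auth_ref -> {"token", "amount", "refunded"}

    def tokenize(self, pan: str, recurring: bool = False) -> str:
        token = secrets.token_hex(8)
        self._vault[token] = {"pan": pan, "recurring": recurring, "used": False}
        return token

    def authorize(self, token: str, amount_cents: int):
        entry = self._vault.get(token)
        if entry is None or (entry["used"] and not entry["recurring"]):
            return None                     # unknown, or a spent single-use token
        entry["used"] = True
        auth_ref = secrets.token_hex(6)
        self._auths[auth_ref] = {"token": token, "amount": amount_cents, "refunded": 0}
        # Everything the merchant gets back: a reference and a masked value, no PAN.
        return {"auth_ref": auth_ref, "masked_pan": mask_pan(entry["pan"]),
                "amount": amount_cents}

    def refund(self, auth_ref: str, amount_cents: int) -> bool:
        """A return needs only the auth reference; it is capped at the original amount."""
        auth = self._auths.get(auth_ref)
        if auth is None or auth["refunded"] + amount_cents > auth["amount"]:
            return False
        auth["refunded"] += amount_cents
        return True


def merchant_flow() -> dict:
    """POS side: never sees the PAN and keeps only the auth reference for returns."""
    pan = "4111111111111111"         # constructed test number, not a real account
    proc = Processor()
    single = proc.tokenize(pan)                  # one-off purchase
    monthly = proc.tokenize(pan, recurring=True)  # customer opted in to a monthly charge
    receipt = proc.authorize(single, 4_599)
    pos_record = dict(receipt)                   # all the POS database ever stores
    return {
        "record": pos_record,
        "pan_in_record": pan in str(pos_record),                  # False
        "reuse": proc.authorize(single, 4_599),                   # None: single-use
        "return_ok": proc.refund(receipt["auth_ref"], 4_599),     # True
        "over_refund": proc.refund(receipt["auth_ref"], 1),       # False: already refunded
        "recurring_twice": [proc.authorize(monthly, 999) is not None for _ in range(2)],
    }


if __name__ == "__main__":
    for key, value in merchant_flow().items():
        print(f"{key}: {value}")
```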
Re: (Score:2)
I live in Canada and now almost all debit / cc cards require chip + PIN (if it has a chip, and it's over $50, you must use it).
It didn't appear to cost them much, or even take much time to roll it out (about 2-3 years). What's the problem?
In the meantime.... (Score:2)
Multiple bank stolen credit cards .. (Score:1)
Re: (Score:2)
We need more talented H1B visa holders. (Score:1)
We desperately need more talented people in IT. This would never happen if local workers were replaced with overseas talent.
Thank you Mister Gates, Buffet and Adelson for pursuing what is right for this country.
Re: (Score:2)
Think that there is a relationship?
Re: (Score:2)
and they cut back on upgrading software / hardware.
So we can't lock down systems more as the older software and hardware does not work well with more locked down systems.
Bitcoin (Score:2)
Yeah;-
Bitcoin Bitcoin Bitcoin Bitcoin
Just saying...
Time to go retro ... (Score:2)
... back to the days of the credit card imprinter [cultureand...cation.org].
Then back to fax machines and snail mail.
Yes, these all have holes, but we know what they are and we know how to deal with them and foreigners would have the dickens of a time exploiting them and stuff.
They store credit card data with the transaction (Score:5, Informative)
Home Depot stores credit cards with the transactions.
I know this because when you go to return something I bought, they don't ask you for the credit card, and sort of highlight that this is a convenience that is unique to Home Depot.
I complained more than once to the cashiers about storing credit card numbers (it is not their fault, it is management and IT). The cashiers would say: "Don't worry, we don't have access to it!"
My response was: it is not you whom I am worried about.
Now we know that storing credit cards is a bad idea, and why ...
They store credit card data with the transaction (Score:1)
You do not need to store CC number to roll back transaction - you only need transaction or auth number.
Re: (Score:1)
The local Home Depot also ties CC #'s to your email, allowing you to receive copies of your receipts in email. This is very useful if you need to keep receipts for tax purposes. However, if they're tying this to the plain-text CC info, not good at all (I had assumed some modicum of intelligence and that the emails were tied to name+hash).
Re: (Score:1)
I've always assumed that they stored only the hashes of the CC number. In any case they (probably) don't store the expiration date
Big guys, nothing...small guys pay (Score:2)
Gee, it must be the HVAC again!!!! (Score:2)
Or is it far more likely that all of them using Windows, combined with using off-shore admin/coding, specifically India where the 60 rupees to $1 means that their engineers are making less than $10K / year, the far more likely route?
My bet is that the idiots, combined with those who are doing the bribes, continue to push the