
Banks Report Credit Card Breach At Home Depot

Posted by Soulskill
from the another-day-another-breach dept.
criticalmass24 sends news that multiple banks are indicating Home Depot stores are the source of a new batch of stolen credit cards and debit cards that hit the black market today. "There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market." Home Depot is aware of the situation, and says they're investigating. The banks say this breach may have begun as early as April or May of this year and may extend to all 2,200 of Home Depot's U.S. stores.
  • Chip and PIN (Score:5, Insightful)

    by DigiShaman (671371) on Tuesday September 02, 2014 @04:53PM (#47810769) Homepage

    Fuckers! Implement it like yesterday!!!

    Tell you what. You want me to continue to shop at the B&M stores, then do this. Otherwise, it's Amazon for me.

    • by Russ1642 (1087959)

      Big deal. You're not on the hook for the fraudulent charges. You just have to check your bill and maybe your CC issuer will give you another card.

      • FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

        • by Russ1642 (1087959)

          FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

          And what property of yours is missing? I'm thinking it's your sanity.

          • Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent. But mainly, while everything is pending, your money is gone. It may only be temporary, but you can't pay bills with IOUs.

            • Plus, if you have a bunch of bills going to the credit card, now you have to update all of them with the new number. Been there-done that...
            • by Anonymous Coward

              Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent.

              You would be mistaken [ftc.gov].

              Notice that the timer on reporting doesn't really start until you either 1) learn of the fraud or 2) have an opportunity to review a bank statement.

              And if your credit doesn't suck (read: are a responsible adult), most card issuers won't charge you even that $50 limit because they'd rather have customers that don't badmouth them on the internet than people who are disi

              • Thanks for pointing that out in a completely non-condescending or stupidly myopic manner! Of course you can call the card issuer, or write a letter.

                As stated though, the main problem with these fraud cases is: when a debit card is involved, your bank account is *temporarily* drained. Which can lead to a bit of a headache.

          • by jjhall (555562)

            Well, for one I have to spend my time to submit a fraud report to my bank. If using my debit card, the money is gone until the fraud is confirmed. Second, I have to wait for a new card to arrive in the mail, then try to remember who I have set up on automatic payments using my old card. Call each one of them or visit their website to enter in the new numbers. The ones that I forget will possibly result in account suspensions, etc, until after the new number is entered. Fees may be charged, which most o

            • by geekoid (135745)

              So it's their fault you have a sloppy financial system?
              Lock the info up with encryption if it's such a bother for you.

              When it happened to me, I called the bank, 5 minutes later my money had been returned, the was no longer attached to my account directly.
              After that, when I got an email from various companies that my CC was no longer valid, I just changed it. Never had any interruption in any service.

              On a weird note, after that call, 2 weeks later a reoccurring charge on that account went through. I cont

          • by Skynyrd (25155)

            I'm refinancing my house at the moment. Having my card stolen will raise all sorts of flags, and either abort or delay the process.

            My property won't be missing if I run up a massive credit card bill, but it would potentially cause me hours and hours of work, a bunch of money, and a shit-load of stress. I'd rather that the problem be fixed instead of ignoring it for another bunch of years.

          • FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

            And what property of yours is missing? I'm thinking it's your sanity.

            No, it would be insane to invite all that hassle by advocating banks continue with ludicrous plaintext credentials on credit cards. Do you work for a bank?

      • by msauve (701917)
        "You're not on the hook for the fraudulent charges."

        That's not it - you're simply not clear on the concept. Those costs are paid by the consumer, through higher prices and/or fees.
        • by geekoid (135745)

          Which is balanced against price point and competition. If the problem was magically fixed tomorrow, your fee would not go down.

    • Chip and pin does nothing. It's still interceptible and nobody in America has the patience for "card present only" transactions.
      • by PopeRatzo (965947)

        nobody in America has the patience for "card present only" transactions.

        Me. I have the patience for "card present only" transactions. What's the big hurry?

      • by plover (150551)

        Sure, chip and PIN messages can be intercepted, but the data that can be intercepted cannot be reused for a second fraudulent transaction, and cannot be tampered with.

        Chip and PIN moves the trust out of the merchants' terminals and out of the network. Only the chip and the bank's systems have the secret knowledge needed to participate in the conversation. You no longer have to wonder if Home Depot's readers are safe, because it won't matter.
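The property described in the comment above, as an added example that is not part of the original thread: a simplified model in which the chip authenticates each transaction with a key shared only with the issuer, so a message captured at the terminal can be neither replayed nor altered. It uses HMAC-SHA256 and a counter as a stand-in and is not the EMV cryptogram algorithm; `Chip`, `Issuer`, `encode` and all values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def encode(card_id: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Canonical byte string that both the chip and the issuer authenticate."""
    return "|".join([card_id, str(amount_cents), str(atc), nonce.hex()]).encode()


@dataclass
class Chip:
    card_id: str
    key: bytes      # shared only with the issuer; never given to the terminal
    atc: int = 0    # transaction counter, incremented for every authorization

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = encode(self.card_id, amount_cents, self.atc, terminal_nonce)
        return {"card_id": self.card_id, "amount_cents": amount_cents,
                "atc": self.atc, "nonce": terminal_nonce,
                "cryptogram": hmac.new(self.key, msg, hashlib.sha256).digest()}


@dataclass
class Issuer:
    keys: dict                                   # card_id -> key (constructed)
    last_atc: dict = field(default_factory=dict)  # highest counter seen per card

    def verify(self, m: dict) -> str:
        key = self.keys.get(m["card_id"])
        if key is None:
            return "unknown-card"
        msg = encode(m["card_id"], m["amount_cents"], m["atc"], m["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return "bad-cryptogram"              # any altered field breaks the MAC
        if m["atc"] <= self.last_atc.get(m["card_id"], 0):
            return "replay"                      # counter already used
        self.last_atc[m["card_id"]] = m["atc"]
        return "approved"


def demo() -> list:
    key = os.urandom(32)
    chip = Chip("card-0001", key)
    issuer = Issuer({"card-0001": key})
    # Everything in `captured` is visible to the merchant terminal and network.
    captured = chip.authorize(4999, os.urandom(4))
    results = [issuer.verify(captured)]                                  # first use
    results.append(issuer.verify(dict(captured)))                        # resent as-is
    results.append(issuer.verify(dict(captured, amount_cents=499900)))   # amount altered
    results.append(issuer.verify(chip.authorize(1500, os.urandom(4))))   # next real purchase
    return results


if __name__ == "__main__":
    print(demo())
```

A magstripe swipe, by contrast, sends the same static track data every time, which is why a copy taken at the terminal remains usable.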

    • The deadline to switch is in 13 months. That kind of massive national transition is not easy or fast.

      After next October, businesses will be able to use the old swipe and sign terminals, but they will be liable for any fraud instead of the credit card company. Obviously nobody wants that liability.

    • by DogDude (805747)
      And how does Amazon get your chip and pin, exactly, Mr. Einstein?
    • by rickb928 (945187)

      Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

      And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

      • by ender- (42944)

        Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

        And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

        It *could* if the store at least used the Chip + Pin to validate the person picking up the loot.

        Granted, I still don't see how it helps stop people buying stuff on Amazon but that one example you provided should be fairly simple to avoid.

      • by wkk2 (808881)

        The chip and pin readers at Home Depot are not enabled. I had to swipe a card that had a chip. Maybe they will install the right software.

    • by geekoid (135745)

      What do you care? the CC company pays for it, and they send you a new card.

      • by PopeRatzo (965947)

        What do you care? the CC company pays for it, and they send you a new card.

        As has already been pointed out, no, it's you that pays for it in fees.

        The current interest rate on savings is what about 1%? Banks can take that money and charge 18-24%. They've got a license to print money. Do you really think they're just going to eat the loss? They're passing it on to you in dribs and drabs.

    • My grocery store has new Verifone readers with chip and pin slots. The things are so badly made that they reject my card on the mag strip reader until the clerks showed me a trick where you stick a plastic grocery bag between the card and mag head to make it work.

      • by GTRacer (234395)
        New trick? I learned that one 5 years ago at a grocery store where some of their old terminals were bad readers. Not entirely sure what the bag-wrapping does, but it worked!
    • by ASDFnz (472824)

      Even better, use bitcoin instead.

      Seriously, problem fixed.

  • by Anonymous Coward

    Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!

    • by NevarMore (248971)

      Because your average consumer doesn't know and doesn't care that Home Depot or Target runs an IBM or NCR system. They know that Home Depot and Target screwed up forcing them to watch their statements even more closely than normal and maybe get a new card issued requiring an update of all the auto-payment stuff and made things a pain in the ass.

      It's up to Home Depot and Target to then apply leverage to IBM and NCR or jump ship to another vendor. Each vendor responds to their direct customer.

      • by unrtst (777550)

        Fine.
        In the slashdot summary, how about naming the actual vendors?

      • by rickb928 (945187)

        It's not NCR, IBM, etc. It's Ingenico, Verifone, the other terminal makers, and the acquirers (Paymentech, First Data, etc) that handle the data, but Home Depot needs to secure the transmission of that. And I bet most of this was skimmed off of databases that needed to be another layer away from intruders.

        There is no such thing as absolute security.

  • This will be the second time my credit card gets replaced this year.
    The third time in 3 years.

    I've tried to order stuff online and been forced to call in because the retailer subscribes to a service that considers me a 10/10 fraud risk.
    And not because of anything I've ever done or any charges that have shown up on my bill.

    • by rickb928 (945187)

      If they change mine, it will be the second this year, fourth in two years, sixth or seventh in 3 years. Credit unions don't all own their card systems, and these issuers are lazy.

      Some card issuers know that 40-60% of their cards in force are 'compromised'. They consider that normal, and perform fraud/risk monitoring as a normal course of business.

  • Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...

    • by plover (150551)

      The US is finally going to Chip and PIN next year. It just takes a long time to get a million businesses to spend the money needed to convert their readers.

    • by mjwx (966435)

      Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...

      I doubt Chip and Pin will close the security hole they have here. It's insecure POS's rather than insecure cards. Europe and Canada (and Australia) still have breaches but not as big as this for two reasons.
      1). You're not allowed to pass the card details onto the POS. The POS passes the sale info to the processor and the processor passes back a PCI (Payment Card Industry) standard censored card number (the last four digits).
      2). You're not permitted to store any payment details on the POS.

      Breaches happ

  • The banks are reaping the rewards of years of sticking their heads in the sand on security. Europe has chip and pin which is much more secure. US credit cards are ridiculously easy to counterfeit. I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

    • I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

      One of my recently replaced cards is chip and signature, and I think that's what most US-issued smart cards are using. Security-wise, it's kind of a half measure, but at least it's a step forward from complete reliance on the magstripe.

      • by stdarg (456557)

        Chip and signature may not help against physical theft of the card, but it will put a stop to these massive breaches by hackers.

    • by Firethorn (177587)

      You know, I think it's true that Europe had a much higher rate of fraud, which convinced them to move to chip&pin sooner.

      Yes, I've heard that they're working to move to chip&pin, my bank sent out a notice that they're working on it. When I get closer to the expiration of my card I might call them up and ask to be moved over as I actually travel internationally occasionally and it'd be nice to be able to use my card in European stores.

    • Not any time soon - as it happens, I have an Amazon card from Chase and just got the replacement for an expiring card - no chip and pin, I called and asked about it and they said they MAY have it when my next card comes in 3 years...so don't hold your breath.

      I mention Amazon specifically because other commenters seem to think that anything Amazon is immune and safe...not so fast young grasshopper...

      • by afidel (530433)

        Nope, they will issue a new card with at least chip and signature by next fall, October 2015 is the deadline from Visa for the card providers to move over as well as the merchants. After that date if the card issuer has issued a chip card and the merchant uses the magstripe then the merchant is liable for the fraud, there is no way in hell any card issuer is going to give up that kind of liability offload for one moment, let alone 2 years. The idiot bots that answer the phone have no idea what's actually go

  • I am suddenly grateful we've been using a store branded Home Depot credit card for the last few years. Replacing that with a new one won't be painful at all. I think I've paid cash if the amount was under $10, too.

    Still going to go through ye old checking account and verify there's no HD charges on there since April.
  • by Anonymous Coward

    If you don't want your credit card number stolen and displayed all over the Internet, you shouldn't use your credit card! What were these people thinking?!?!

    And with that moral justification out of the way, let me go Google for those Jenni.... er credit card photos.

  • How hard is it to run an independent circuit that scrapes your OS and process executable memory and compute a verified hash? Do these systems run any kind of meaningful IDS at all?

  • Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?
    • by PRMan (959735)
      I've worked at several companies and most of them store passwords in plain text. They've been doing it for decades and I ALWAYS make a new task/story/project, etc. that involves implementing proper security. Only once did I get a company to prioritize it to the point where it actually got done.
    • Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?

      No. But they are not required by law to be smart about security. Since they charge back everything to the retailers, they don't care.

  • The amount of money saved by chip and pin is relatively low. A mere password doesn't cut it. US fraud rate is so low that it is not considered worthwhile.

    Give us real security - a Token based system that generates a new single use credit card number for each and every purchase made using the card - both on and off line.

    That number should only be reusable if you want to make it a reoccurring, monthly charge.

    • by iONiUM (530420)

      I live in Canada and now almost all debit / cc cards require chip + PIN (if it has a chip, and it's over $50, you must use it).

      It didn't appear to cost them much, or even take much time to roll it out (about 2-3 years). What's the problem?

  • I am going to start using cash a lot more often until the system has its act together. All of the crooks are busy robbing people the 21st century way anyhow. The good news is that between this and the NSA's shenanigans, security development efforts are on fire right now. It's long overdue.
  • And where does Microsoft Windows come into the equation?
  • We desperately need more talented people in IT. This would never happen if local workers were replaced with overseas talent.

    Thank you Mister Gates, Buffett and Adelson for pursuing what is right for this country.

    • Actually, we have replaced our talent with cheaper overseas ppl. In fact, everybody that is being cracked employ many overseas coders (along with Windows).
      Think that there is a relationship?
      • and they cut back on upgrading software / hardware.

        So we can't lock down systems more as the older software and hardware does not work well with more locked down systems.

  • Yeah;-

    Bitcoin Bitcoin Bitcoin Bitcoin

    Just saying...

  • ... back to the days of the credit card imprinter [cultureand...cation.org].

    Then back to fax machines and snail mail.

    Yes, these all have holes, but we know what they are and we know how to deal with them and foreigners would have the dickens of a time exploiting them and stuff.

  • by kbahey (102895) on Tuesday September 02, 2014 @08:26PM (#47812843) Homepage

    Home Depot stores credit cards with the transactions.

    I know this because when you go to return something I bought, they don't ask you for the credit card, and sort of highlight that this is a convenience that is unique to Home Depot.

    I complained more than once to the cashiers about storing credit card numbers (it is not their fault, it is management and IT). The cashiers would say: "Don't worry, we don't have access to it!"

    My response was: it is not you whom I am worried about.

    Now we know that storing credit cards is a bad idea, and why ...

    • You do not need to store CC number to roll back transaction - you only need transaction or auth number.

      • by phorm (591458)

        The local Home Depot also ties CC #'s to your email, allowing you to receive copies of your receipts in email. This is very useful if you need to keep receipts for tax purposes. However, if they're tying this to the plain-text CC info, not good at all (I had assumed some modicum of intelligence and that the emails were tied to name+hash).

    • by Tchaik (21417)

      I've always assumed that they stored only the hashes of the CC number. In any case they (probably) don't store the expiration date

  • As a merchant who accepts credit cards, a few years back they came up with PCI Compliance. First you had to show some very basic data security. Then, they tried to sell you insurance. Then, they required you to take the data security insurance. If you are "PCI noncompliant" then you get tagged $20.00 per month. I appreciate how they made this too into an opportunity to gouge the small merchant, to no effect at the high end.
  • Some of the stupidest ppl elsewhere and here screamed that target was caused by having an HVAC key. So, I guess that HVAC everywhere is making it possible to break into these systems?
    Or is it far more likely that all of them using Windows, combined with using off-shore admin/coding, specifically India where the 60 rupees to $1 means that their engineers are making less than $10K / year, the far more likely route?

    My bet is that the idiots, combined with those who are doing the bribes, continue to push the
