Home Depot Confirms Breach of Its Payment Systems
itwbennett writes: Home Depot confirmed Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the U.S. and Canada since April. There's no evidence yet that debit card PINs had been compromised, the company said, though it is still figuring out the scope and scale of the attacks. Home Depot is offering a free year of identity protection services for anyone who used a payment card in one of their stores since the beginning of April.
Re: (Score:1)
Negative.
Of the 7 billion people in the world, I highly doubt even one tenth of one percent of them shopped at home depot since April.
And even considering just the US, and only major populated areas...you're definitely stretching it. Certainly an inflammatory statement with no basis in truth.
Damn it, hire hackers as security professionals! (Score:2)
Yet another major computer security breach at a big retailer, compromising the payment details of uncountable customers.
It seems to me that the core problem is that companies won't hire actual experienced hackers as security consultants; for some reason, the idea terrifies them. Instead, they hire bozos that possess some worthless "security" certificate (like CompTIA).
Or even worse, they'll hire a hacker that was dumb enough to get caught and go to jail for his actions. For some reason, that gives them
Re: (Score:1)
You forgot to mention How L33t you are, Anonymous I iz
PCs are the problem (Score:5, Insightful)
Remember when cash registers used to be glorified calculators? Now they are cheap PCs running poorly configured operating systems. You have tons of attack vectors open from USB ports to unneeded services. That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Re:PCs are the problem (Score:5, Insightful)
Now they are cheap PCs running poorly configured operating systems.
The important part. Brand new systems are still being deployed with Windows XP. Anyone who doesn't see how fucking idiotic that is should never be allowed to make an IT-related decision again, but unfortunately the people who make these decisions don't know and aren't held accountable for their stupidity.
Most of the local banks have installed new Diebold ATMs that scan checks automatically. I saw one reboot the other day. Take a wild guess what OS...
Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.
Re: (Score:2)
Now they are cheap PCs running poorly configured operating systems.
The important part. Brand new systems are still being deployed with Windows XP. Anyone who doesn't see how fucking idiotic that is should never be allowed to make an IT-related decision again, but unfortunately the people who make these decisions don't know and aren't held accountable for their stupidity.
Most of the local banks have installed new Diebold ATMs that scan checks automatically. I saw one reboot the other day. Take a wild guess what OS...
Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.
XP would be an upgrade; from my retail experience, everything from SCO UnixWare, DR-DOS, and Netware to IBM PC DOS is still used.
Re: (Score:3)
Why would you want to run an insecure OS like XP instead of an easily secured one like Unixware or PCDOS?
Being pretty doesn't make it an upgrade.
Re: (Score:2)
No, but being easier for barely capable techs to cobble something together that “works” in less time is considered an upgrade.
Remember: IT security is a separate cost of doing business. Cutting IT security costs improves the bottom line. Increasing costs for “only” security has no business benefit.
Re: (Score:2)
And you don't see the problem?
An OS designed for desktop retrofitted for appliance use.
Re: (Score:2)
Reference the scandals some years back regarding their voting machines...
Re: (Score:2)
Did I ever say I had a problem with Windows overall? I don't, at least no more than any other ordinary OS. It's that second part...the one that starts with an X and ends with a P. That's the problem. Like I said, deploying new Windows XP is fucking stupid.
Windows itself is a fine core platform these days. The key is these days, meaning not a full major revision and two lesser (but hard to call minor) revisions ago.
I'd still personally prefer Linux or a BSD, but I'd have a hard time making a purely tech
Re: (Score:2)
Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.
Fuck software "engineering" and the bullshit always-update mentality. Build shit that works so that it can be used 20 years later without issues. If I have to update, YOU are doing it wrong.
I say this as someone who has written software. Oddly enough, it was in C, has never had any exploits, has not needed updates, and has been running in a hostile environment since 1999, and is still just as reliable now as it was then (never needs to be restarted/rebooted, no memory leaks, etc). And it is not Hello World.
Re:PCs are the problem (Score:5, Interesting)
That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Well, you're going to start getting your (and my) wish starting around October 2015. That's the date the liability shifts. Then the liability shifts to the party implementing the least technology. So if the card issuer issues a chip and pin card, and the retailer has only swipe, the retailer is responsible for any fraud from customers with chip and pin cards. If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.
So essentially you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015. I'm sure it'll be a slow process, with small retailers taking many years to finally upgrade. But it'll happen.
Re: (Score:2)
That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Well, you're going to start getting your (and my) wish starting around October 2015. That's the date the liability shifts. Then the liability shifts to the party implementing the least technology. So if the card issuer issues a chip and pin card, and the retailer has only swipe, the retailer is responsible for any fraud from customers with chip and pin cards. If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.
So essentially you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015. I'm sure it'll be a slow process, with small retailers taking many years to finally upgrade. But it'll happen.
This hinges on the cost of liability being greater than the cost of upgrading.
You can bet that Home Depot or Walmart will find a way to push this cost onto the customer (and offer optional insurance for a nominal fee to avoid it).
In Europe the governments had to force retailers _AND_ banks to upgrade. Not that EMV (Chip and Pin is the UK/Ireland brand name) has improved security any, it's pretty much as vulnerable as the mag stripe (successful attacks on EMV started in 2006 in the UK). The problem wil
Re: (Score:2)
This hinges on the cost of liability being greater than the cost of upgrading.
It is. Far greater.
You can bet that Home Depot or Walmart will find a way to push this cost onto the customer
Home Depot has already installed chip-capable terminals (I use them all the time). Walmart already has in many locations as well.
Re: (Score:2)
The cost of everything is always passed to the consumer.
Tautologically true, but misses the point.
The cost of fraud gets passed to the consumer, also, either through higher bank card fees and rates, or through higher cost of goods at the merchant (mostly the latter). When merchants save money on fraud costs by spending money on new chip-capable terminals, that savings ultimately gets passed to the consumer as well.
Re: (Score:2)
They would have to ask each customer. I should say lost customer, because who is going to buy anything when the cashier's first words are, "Thanks for shopping at Home Depot. Would you like to buy liability insurance in case we get hacked?"
Re: (Score:2)
So let me get the story straight: the EU forced people to upgrade (which cost big bucks, and I am certain all those costs were passed to the customers), and then you seem to acknowledge that it really didn't accomplish much. So, what was the goal of the exercise? Am I missing something?
Re: (Score:2)
you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015.
So far only one retailer that I shop is chip-and-pin ready: Walmart. About six months ago, they started asking me to insert, rather than swipe, my chipped card.
Re: (Score:2)
you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015.
So far only one retailer that I shop is chip-and-pin ready: Walmart. About six months ago, they started asking me to insert, rather than swipe, my chipped card.
I sometimes do some contract work for POS companies. I write little demo apps to help them sell their terminals to merchants. The cheapest stuff coming out the door right now all seems to have chip and pin built into it. So don't worry, everyone is going that way. T-Mo uses it, my Target location has switched to chip and pin capable terminals as of 3 weeks ago, too.
Re: (Score:2)
Come on up to Canada, we're all chip&pin ready and mostly tap&pay as well.
Re: (Score:2)
If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.
One correction: The US isn't going to Chip and PIN, but Chip and Signature.
Given the federal laws that prevent issuers from placing (significant) liability on cardholders, there's less motivation for imposing the inconvenience of PINs (you can debate whether signature or PIN is more convenient, but US consumers have traditionally preferred the former). In the UK, for example, Chip & PIN has allowed banks to shift the liability almost completely to the cardholder, so in that sense US cardholders are be
Re: (Score:3)
I disagree; even XP can be made secure. The problem is the network implementation and the proprietary software that runs on the admittedly PIGGY-BACK of XP. More and more, the routers and silly appliances with hard-coded firmware passwords and insecure 3rd-party installation are to blame. I have to agree on the credit card issue though. Isn't it odd that the companies responsible for credit DBs and ratings also run the so-called identity protection sites? That seems like a conflict of interest to me.
Re: (Score:2)
Remember when cash registers used to be glorified calculators? Now they are cheap PCs running poorly configured operating systems. You have tons of attack vectors open from USB ports to unneeded services.
This is pretty much why they won't hire anyone who knows dick about security.
The first thing they'll tell them is the unpatched Windows XP box running ShitPOS(TM) is inviting an attack. The problem with this is that the POS terminals they got were cheap and the director in charge of that procurement got a good bonus for getting the POS system in under budget. Getting a secure system costs money, time (which costs money) and effort (which isn't cheap either). This means the director and project manager can
Re: (Score:2)
I think that's changing, maybe the mess is finally more expensive than a preemptive fix.
My bank cancelled+replaced my credit card last week (without warning: they said it was because the # was recently reported stolen, I'm guessing it was the local supermarket chain but they won't say), and the replacement has chip
Re: (Score:2)
FWIW, some places now request your postal zip code as a sort-of PIN, particularly unattended pay-at-the-pump gasoline. At first it sounds silly, but when you think about it, if someone scammed your credit card number by swiping the card track data, or out of a database, they're not likely to have your zip code too. (I suppose if they intercepted the zip-as-PIN they would have it, so hopefully it goes down the same encrypted route as debit PINs.)
If someone stole your wallet, sure, they would have your zip c
Understood. The new CompTIA is better than most (Score:4, Insightful)
I understand where you're coming from. As you may know, I've been doing infosec for a long time, and I know the difference between "compliant" and "secure". I'm rather surprised you chose CompTIA Security+ as your example of a bad security certification. The new one especially is quite comprehensive, in my view. Not that a single certification can ensure that a candidate is ready to perform any and all jobs related to security, but I'd say that if even 10% of the people designing and maintaining these systems had enough knowledge to pass Security+, we'd be in a lot better shape.
Re: (Score:2)
but I'd say that if even 10% of the people designing and maintaining these systems had enough knowledge to pass Security+, we'd be in a lot better shape.
I am sure all of them could pass it if they studied for it. That is why all certifications are useless. With enough studying, almost anyone can pass it without understanding the material, just regurgitating facts.
If you could force someone to take and pass such a test without studying, THEN your statement would be useful.
Studying your field might be a good thing (Score:2)
> I am sure all of them could pass it if they studied for it. That is why all certifications are useless.
With enough study, you can pass the exams to be a medical doctor. That is why exams to certify that medical doctors know what they are doing are useless. Unless of course you want someone who knows about the subject at hand. I kind of want a doctor, and a security professional, who have studied their fields. Sorry you couldn't pass.
> With enough studying, almost anyone can pass i
Re: (Score:2)
With enough study, you can pass the exams to be a medical doctor.
That is true... and I have had many bad experiences with medical doctors. Just because someone can pass a test immediately after studying for it, that does NOT mean that they understand whatever it is that they just passed.
I kind of want a doctor, and a security professional, who have studied their fields.
I want more than just studying. I want understanding of the material.
Sorry you couldn't pass.
Heh. You are funny. I passed Security+, Server+, CISSP, etc all without breaking a book to specifically study for all of those certifications. I have read lots of books. I have learned lots of stuff. Knowing that stuff w
Re: (Score:2)
It seems to me that the core problem is that companies won't hire actual experienced hackers
Most likely the problem was the exact opposite: They did hire a black hat, and this was an inside job.
Re: (Score:2)
It seems to me that the core problem is that companies won't hire actual experienced hackers
Most likely the problem was the exact opposite: They did hire a black hat, and this was an inside job.
No. If history is any indicator, and it usually is, this is just another case of system admin ass-hattery. In other words, bad practices; giving LAN access to the HVAC contractor, allowing remote desktop access by the POS system contractor, etc. All things we've seen before in other high-profile breaches.
CC system is flawed (Score:1)
Even chips are bullshit. Why aren't CCs issuing one-time tokens per transaction, thus rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc.)
Re:CC system is flawed (Score:4, Interesting)
Why aren't CCs issuing one-time tokens per transaction, thus rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc.)
Hopefully someone brings out a system like that soon. [macrumors.com]
Re:CC system is flawed (Score:5, Insightful)
You'd have to do better than that. If the payment terminal is compromised, an attacker could just sit there and wait for a card to be available at one of the payment terminals, then process two transactions in a row very quickly, one of which is the real one, and the other of which is an arbitrary transaction. There's a fundamental law in computing—not sure if it has a name—that goes something like this: If you cannot fully trust both endpoints of a communication channel, you cannot trust the communication channel itself. Period.
The only way to really improve the situation is to have credit cards treat the payment terminal as an untrusted network connection. Put a screen on the card itself, and require the user to push a button on the card itself to approve the transaction. Then use some form of PK crypto in the device itself to sign the transaction and send the response back to the payment processor's servers, which can then send a confirmation code to the register as proof that the transaction was accepted.
And no, I don't mean cell phones here. Cell phone payment systems certainly have the potential to be an easier way of paying for things, but security-wise, they just replace one attack target with another, without any obvious security benefit. Why? Because they're general-purpose computers that are constantly in use for other purposes like web browsing, so if they contain any security holes, the risk of them getting compromised is non-negligible.
More to the point, the risk of compromise for a cell phone is orders of magnitude higher than the risk of somebody finding a bug in a specialized card in your billfold and attacking it using nothing but NFC (because an attack on a cell phone doesn't require you to be in the same country as the victim, much less within a few feet).
And assuming all things are equal, the odds of a cell phone being compromised should be higher than the odds of a payment terminal being compromised (ignoring the "physically swap it out" risk), because the payment terminals should be segregated onto their own private network, and shouldn't be communicating with unrelated Internet servers for unrelated purposes. This does not appear to be the case in practice (as far as we know), but then again, until enough payments happen on cell phones, they won't be a high-priority target, so such comparisons may or may not really be valid.
Now it is theoretically possible to make a cell-phone-based solution as secure as a card with a screen, but the minimum requirements would be:
Anything short of that improves security only to the extent that the odds of simultaneously compromising a payment terminal and the phone that's talking to it are less than the odds of compromising one or the other, and there's a small chance that the customer might notice if the screens don't match, so an attacker really ought to compromise both of them. With that said, when there's a mass compromise of the payment systems of a major national company, it doesn't take a very high percentage of compromised cell phones before you would start seeing situations where both devices are compromised, at which point the cell phone doesn't make things appreciably more secure than a chip-and-pin system, which is, in turn, not all that much more secure than a magstripe system, whereas a mostly dumb crypto card with a screen and a pushbutton does.
Re: (Score:2)
It is easier than that; the token needs to have merchant, amount, date/time hashed in; you approve that information before entering your pin.
There are hard issues... like what to do with credit reports that rely on a non-random 9-digit social security number as keys to the kingdom, but securing the transaction between consumer, merchant, and bank isn't that hard.
Re: (Score:2)
No, it really isn't easier than that. If an attacker is in control of the device that controls the screen, they can make it show you anything that they want, including showing the right text for the transaction you're actually making. Then, when you enter the PIN, they can perform your transaction, and repeat the process for a second one using the PIN data that they already captured. If a device vendor manages to somehow make it physically impossible to perform two transactions without entering the PIN
Re: (Score:2)
It is easy if the security token is a single-purpose device; hard if it is a smart phone.
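The "card signs only what it showed you" design argued over in the comments above, as an added worked example that is not any commenter's code and not how any real scheme is implemented: a symmetric MAC shared between card and issuer stands in for the PK crypto the comment proposes (EMV's ARQC likewise uses an issuer-shared key), the token field layout is invented, and a per-approval counter is the replay defence. It shows why a compromised terminal cannot run the "second arbitrary transaction" without a second press of the card's button.

```python
"""Added illustration of the untrusted-terminal payment model discussed above.
Assumptions: card and issuer share a symmetric key; HMAC-SHA256 replaces the
public-key signature; fields and counter semantics are invented for this demo."""
import hashlib
import hmac
import json
import secrets


def _mac(key: bytes, fields: dict) -> str:
    """MAC over a canonical encoding so field order cannot be used to tamper."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class Card:
    """The 'mostly dumb crypto card with a screen and a pushbutton'.
    It only ever signs the fields it displayed to the cardholder."""

    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0  # one increment per physical approval (cf. EMV's ATC)

    def approve(self, merchant: str, amount_cents: int, timestamp: int) -> dict:
        # In the proposed design this is where the card's own screen shows
        # merchant/amount and the cardholder presses the button.
        self.counter += 1
        fields = {"merchant": merchant, "amount_cents": amount_cents,
                  "timestamp": timestamp, "counter": self.counter}
        return {**fields, "mac": _mac(self._key, fields)}


class Issuer:
    """Issuer/processor side: holds the card key, remembers counters it honoured."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()

    def verify(self, token: dict) -> tuple:
        fields = {k: token[k] for k in
                  ("merchant", "amount_cents", "timestamp", "counter")}
        if not hmac.compare_digest(_mac(self._key, fields), token["mac"]):
            return False, "mac mismatch: fields changed after cardholder approval"
        if token["counter"] in self._seen:
            return False, "replay: counter already used"
        self._seen.add(token["counter"])
        return True, "accepted"


def demo() -> dict:
    """Run the terminal behaviours from the thread; returns name -> accepted?"""
    key = secrets.token_bytes(32)
    card, issuer = Card(key), Issuer(key)
    results = {}

    # 1. Honest terminal forwards exactly what the card approved (constructed data).
    tok = card.approve("HOME DEPOT #1234", 895, 1410000000)
    results["honest"] = issuer.verify(tok)[0]

    # 2. Compromised terminal edits the amount after approval: no key, so bad MAC.
    results["tampered_amount"] = issuer.verify(dict(tok, amount_cents=49900))[0]

    # 3. Compromised terminal submits the genuine token a second time.
    results["replayed"] = issuer.verify(dict(tok))[0]

    # 4. Terminal fabricates a fresh token with a guessed MAC.
    forged = dict(tok, counter=tok["counter"] + 1, mac="00" * 32)
    results["forged"] = issuer.verify(forged)[0]

    # 5. A genuinely new button press on the card is accepted.
    tok2 = card.approve("GAS STATION", 456, 1410000600)
    results["second_approval"] = issuer.verify(tok2)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The remaining gap the later reply raises still holds: if the display and button live on a general-purpose phone that the attacker controls, the "approval" itself can be faked, which this model only prevents when the screen and key stay on a single-purpose device.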
The Real Story... (Score:1)
.
Film at 11.
Re: (Score:2)
This. Everyone seems all panicked about this (along with Shaw's, a regional supermarket chain) - But why care? I shop regularly at both stores, use only plastic, and... I will lose exactly zero dollars even in the worst-case scenario.
I know people who currently refuse to shop at TJ Maxx because of that breach a decade ago. Yet, such people never seem to hav
Re: (Score:2)
Oh, wow did I misread that! Sorry, my bad.
Clearly we disagree, rather than agreeing. Ah well, I probably would have responded with the same thing, just intro'd slightly differently.
Re: (Score:2)
Call the police every time as well as your bank.
Duh.
Re: (Score:2)
After the Target breach, the bank that issues my credit card cancelled that card and sent me a new one. They didn't give me a choice, and they didn't give any warning.
Every account that relied on my card information had to be updated. One of my bills - car insurance - bounced because they cancelled my old card before I had time to update that account with the new card info. It's quite galling to pay a late payment fee and have my credit rating potentially dinged for not paying a bill that I had enough ca
Cash (Score:1)
Re: (Score:2)
And a half hour later after the cashier has marked every bill, held it up to the light to observe ALL the security features, and then had to call two levels of management over to repeat the process to authorize accepting $50s or $100s.
Maybe it wasn't quite a half hour, but the above happened to me recently. The guy in front of me was paying with several $100s. It took far too long to complete the transaction.
Re: (Score:2)
repeat the process to authorize accepting $50s or $100s.
Yes, give a $100 bill at any store and they will spend some time examining it. Except in Las Vegas, where that gets as much attention as a quarter (unless things have changed in the past 10 years). I read the leading counterfeit bills are $10s. $100s attract attention, $1s aren't worth the time to counterfeit, but the $10 bill is a good candidate because the Treasury Dept is always changing the colors so nobody really keeps track of what an authentic bill looks like.
But what does a suspected counterfeit feel like? The real bills are s
Re: (Score:2)
The Treasury Dept in 1998 said $20s get 5x the number of counterfeits as $10s, but $100s have 3x the value of counterfeit notes. Source [federalreserve.gov], page 53
I wouldn't imagine the numbers have changed that much since then. I had always heard that $20s are the most frequently
Re: (Score:2)
Agreed. I started using cash a few months ago so that I could keep better track of my spending, but the side benefit is a smaller digital footprint. I don't live in a high crime area, so the tradeoff is mostly positive.
Re:Who cares? (Score:4, Interesting)
We get worked up because, inevitably, one day soon (and without warning) our credit cards will stop working, our automated recurring card charges that are on file with our utility companies will bounce, and we will get a letter from our CC company saying:
"A data breach at an undisclosed partner has occurred and we are therefore issuing you a new card, which will arrive in several more days under separate cover, for no reason other than to increase the inconvenience for you. In the meantime, enjoy the fact that we only sent this letter after we disabled your card so you are only finding out about our unilateral action officially now, several days after your card stopped working. Be grateful we are working to 'protect' you, maggot, even though you have zero fucking liability for fraud anyway."
It's a goddamn pain in the ass to deal with this, and we are not compensated for the hassle or the bounced payment charges that happen through no fault of our own.
Re: (Score:2)
The card issuers are the ones I am angry with for how they handle the problem. I don't care about Home Depot, Target, or any of these other breachers. I don't have any liability either way.
Fwiw, it seems counterproductive to "boycott" a merchant by .. giving them more of your money... besides, there is no law in the US to force anyone to accept payment in any form of cash or coins. If you believe there is such a law, please cite a credible source that states that explicitly.
These are new systems... (Score:3)
Home Depot deployed new card readers at all their stores (of the ones I saw at least) almost overnight shortly after the Target breach. I had guessed it was in response to the breach to beef up security...
But it looks like it was the new ones that were compromised... (or else it was coincidental).
Re: (Score:2)
Home Depot deployed new card readers at all their stores (of the ones I saw at least) almost overnight shortly after the Target breach. I had guessed it was in response to the breach to beef up security...
But it looks like it was the new ones that were compromised... (or else it was coincidental).
I doubt the new readers had any relationship to the Target breach. Home Depot was just being proactive and getting the new tech in well ahead of the liability shift, which is coming late next year. The Home Depot near me got them over a year before the Target breach. I know because I started using my Google Wallet there in late 2011.
The fundamental problems, though, depend on the cards, not just the terminals. As long as you're swiping a magnetic stripe you're vulnerable because (a) the POS system receive
Re: (Score:2)
But are they implemented?
My credit card company has just recently sent new cards with the microchip.
Now I have seen the chip reader on 80% of the card readers I have seen.
And only Wal-mart has it implemented and working. Target has the new reader, but it isn't implemented.
So the upgrading of the card readers happened to make people feel good; however, like so many other IT projects, their implementation was half-assed.
Re: (Score:2)
It probably IS implemented, it's just waiting on the processor to actually flip the switch to enable the chip reader.
It's a bit more involved than just swapping out old hardware with new hardware - the whole operation of chip+pin is completely different. And it's
Heads must roll, or they aren't serious. (Score:2)
The CEO's bonus must be docked, the CIO must be fired, all the top executives who were in the decision chain of the security decisions must have their bonus forfeited, pay docked and a few of them should be fired too, Unless we see a strong
Junk quality; why bother? (Score:2)
Re: (Score:2)
Most local family-owned shops are effectively Ace or one of the other franchises. While not all the inventory comes from the franchiser, its quality is usually lower to be at the same retail price. Lowes seems to have higher quality, higher-priced products consistently, but it seems to miss the balance on the value scale.
I bought a Husky tool cabinet last year for under $300, where the comparable product from Lowes was $700. Lowes was hands-down better in terms of construction quality, design, and featu
Canada: Chip and PIN (Score:2)
I've shopped at our local Home Depot, but here in Canada everything's been chip-and-PIN for quite some time. So... am I at risk? It's not clear from the news media whether or not the chip-and-PIN system has protected me from this breach.
Chip and PIN cards affected too (Score:3)
I'm in Canada, and we've been using chip cards for a few years now. I just called my bank 45 minutes ago after noticing a fraudulent charge on my credit card from August 30th. Since I bought a bunch of stuff at Home Depot in May/June, I'm assuming they managed to clone my card from the stolen data. The charge was only $4.56, at a gas station halfway across the country, so I would guess that someone was testing the clone to see if it was a valid card number (maybe testing one number from a batch of 100s or 1000s, to see if the numbers were legit.)
Just so we're clear, I'm not saying the fraudulent purchase itself was made using the chip. I only ever use chip + pin when making purchases, but I suppose a cloned card could use NFC (e.g. payWave) for a purchase that small, or even just the magstripe, neither of which requires them to have compromised my pin. My point is that I thought I was being safe using chip + pin, but still got hit regardless. Fortunately, banks seem to be good about this sort of thing, and my new card is on its way.
Re: (Score:2)
I've twice taken random trips and had a phone call waiting for me when I get home from my CC company asking if I'm the one who made the random purchases in question because they don't match my normal profile and they want to prevent fraud.
I also only use chip&pin or NFC for payments (also Canadian).
Identity theft monitoring (Score:1)
Hire better IT talent (Score:1)
Free Credit Monitoring for Life! (Score:1)