Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.
“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store — rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.
In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”
It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.
This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.
Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.
Follow-up reporting:
Data: Nearly All U.S. Home Depot Stores Hit
Home Depot: 56M Cards Impacted, Malware Contained
In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes
Home Depot Hit by Same Malware as Target
In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud
Are credit card breaches on the rise or are there just more focus on them?
It seems like new breaches occur everyday now.
All I can tell you is I used to have a happy feeling when I saw a Brian Krebs email in my queue. Now not so much. It certainly seems to me to be happening with increased frequency, not just because it’s reported more often, something you see in other crime statistics.
That said, I’m not carrying cash any time soon.
It looks like a trend in malware targeted towards retail POS systems. But I think the impetus of the trend is that most major retailers have moved away from the old IBM 4690 POS registers to Windows-based systems.
IBM4690 is very difficult to work with, very DOS-like, not very friendly to attackers. It’s been the workhorse of the retail industry for decades.
The 4690 system is rock-solid. Used it for many years at a retail job both on the front and back ends.
Target used to run IBM but have shifted to NCR and Windows based systems. I’m not sure what Michael’s is using but would be interested to know how many breaches occurred on the 4690 platform. So far I know of none.
When it comes to large scale breaches like this, the store level POS register is usually not the place the breach occurs. The large retail chains have their own centralized gateway that the traffic flows through before it goes on for processing, which is the high value target for hackers who know where to get the most bang for their buck. This has been the source of the breach for most of the large breaches and gets the hacker the card data from all locations by breaching one critical area of the retailer’s infrastructure.
Once the data leaves the terminal, it’s encrypted. Is it not? As with the Target breach, malware was installed on the terminals themselves to extract unencrypted data. Hackers breach the network at one or more points to deploy malicious software to the terminals. At least, that’s how I understand it.
In Target’s case, the malware could have been uploaded to a software update server so when the terminals do periodic software updates they download the malware as well.
IT IS NOT…..well, it CAN be, but not all POS systems do. There are a few ways to look at it, but true end to end encryption from the pad to the bank is rare, mainly because it takes from the bottom line. You pay an additional charge per transaction for true E2E encryption. Most POS systems use encryption for most of the process, and generally always over the wire. BUT, you HAVE to have that data in the clear at some point, unless you are using a true e2e solution. Generally there are 2 places for that to occur: at the register / at the payment gateway server (some POS’s have 1 or 2 per organization, some have one in every store.)
In general, most of these attacks (as I know of them from what Visa has disclosed to us, as well as other digging) are infecting the POS register or payment server / gateway (depending on what you want to call it) because at some point the card data is in the clear in memory, and the malware just sits there scanning the memory over and over for regex strings matching card info, then saves it and exfiltrates it.
Despite how well our environment is secured, I’m getting nervous; luckily we aren’t a high value target.
All 2200 stores! This could be as big as the Target breach, if that’s confirmed.
Sounds like it could be bigger, by about 600 stores. Interesting timing, just as the summer is winding down and home improvement spending will be dropping off a bit.
By about 600 stores? Above it cited there was only 287 stores outside the US (Canada, Guam, etc). Are there more internationally, or was the US-count incorrect?
Target has 1800 stores in the U.S.
Home Depot has 2200 + 287 in PR, CA, and others
Got it – misunderstood; thought you meant there were 600 additional Home Depot stores, in addition to the 2200 mentioned here.
I realize in this instance it is too early to know, but does anybody have a reliable place for infosec folks to gather information about the attack vectors that are being used? Giant breach notifications like this are helpful but their usefulness is limited unless we have some info on how the attacks are occurring.
Though I don’t subscribe to receive: Some info seems to trickle out from DHS (Dept of Homeland Security) advisories.
Matt, not sure if there’s any direct information to the group Brian is referencing or if they have any hand in the US-Cert alert about Backoff Malware:
https://www.us-cert.gov/ncas/alerts/TA14-212A
But the info here is good to be thinking about anyway, it seems we tend to open more un-secured doors to our networks in the name of convenience and accessibility, more often than not they are the entry points.
@Matt,
The Verizon Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2014/ is a compendium of the prior year’s attacks that resulted in data breaches, and has lots of info about various techniques used by the attackers. Unfortunately, knowing about the attackers and thwarting them are two very different things.
I’ve tried to put together a group for this, with little luck. I am going to bring it up again next week at the PCI meetings and see if we can’t get some informal group started.
@JD, that would be hugely beneficial. I am a member of the Retail Cyber Intelligence Sharing Center (R-CISC) that gained traction after the Target breach and will be attending a national meeting at Target’s HQ next week and plan to ask the same question there. Do you mind if we keep in touch offline regarding the formation of a group or the inclusion of this group with the PCI council?
The Target breach was initially due to a contractor that had been given access to their systems to submit invoices. I believe it was a HVAC contractor and the hackers gained access to the Target system via the HVAC access credentials.
Anyone worrying about the slow adoption rate for Bitcoin and crypto currencies need not be concerned. The disintegration of bank and card security before our eyes will drive the authorities towards Blockchain based money and payment processing.
Is the disintegration of bank security faster than Mt. Gox?
Mt Gox was an insecure website, not an insecure currency. Fiat is inherently insecure. Bitcoin is cryptographically secure. Homework homework….
Couldn’t you argue that Home Depot was vulnerable, rather than the cards in themselves? Whether it’s a credit card or a private key to your bitcoin wallet, there’s always some sensitive data that could be compromised.
Indeed there is always some sensitive data to be compromised. Better to have a choice about which way to control it. Bitcoin allows users the choice to control that security. Credit cards require me to trust Home Depot, banks, credit card companies, and any other 3rd parties.
Don’t get it wrong. It isn’t the banks that lack the security. When is the last time you got a story indicating the bank/credit union was breached? It’s the retailer, who has no responsibility for incurring the losses, that is getting hacked. Until there are legal ramifications to the retailer for the losses incurred, they will never be as vigilant in protecting the data.
@dan When was the last time I heard of a bank being breached? Uhh… 4 days ago:
http://chicago.cbslocal.com/2014/08/28/asking-local-experts-how-worried-should-chase-customers-be-about-security-breach/
Yesterday. JPMorganChase hacked for just under 90 days. I think that’s because they chose to run quarterly audits instead of monthly/continuous audits.
Beaten with better information by ND.
Thanks for the link ND
The cards are themselves, insecure. They are designed to be freely-readable by any mag-stripe reader. There’s no encryption involved.
Thus, the cards are the largest part of the problem.
@Phil Cooper – That’s not true. There are plenty of solutions available that encrypt on the swipe head. So as the data is read across the head, it’s encrypted. And those keys rotate as often as we designate on the app server the devices are hooked to.
@Michael,
Encrypting at the read head simply kicks the can down the road a few feet, but does nothing to really protect anything. A mag stripe is static, easily copied data. Stealing it once allows continual replay attacks, and it doesn’t matter how or where it’s stolen. Put an encrypting read-head in the terminal and the bad guys will infect those terminals with malware. Or they’ll put skimmers in the ATMs, payment terminals, gas pumps, or in the hands of crooked waiters. And some intermediary still decrypts the data – and payment processors certainly aren’t immune to hackers – ask Heartland Payment Systems.
The real answer is a rework of the system, where the cryptography makes theft of the data worthless. Chip and PIN is a very solid solution, because the security is moved to a tamper-resistant endpoint. With chip and PIN, it doesn’t matter if someone knows your account number, because they don’t have your actual chip and so are unable to produce a securely signed authorization token.
Once chip cards are deployed, and the mag stripes finally retired, the value in the data carried by the retailers will vanish. Data breaches on this scale will move from retailers to banks. I’m not saying there will never be another breach, but at least the value will be concentrated in the businesses whose primary job is to protect our money.
Retailers just want your money, but they have a lot of other things to worry about, and there are 6 million of them. Banks are focused on security, and there are only tens of thousands of them.
well put.
Sorry, but chip and PIN isn’t the final solution. It’s a good one (albeit old) at preventing card cloning. But its fatal flaw is a number that is the same as your credit card number today and is printed on the face of the card and encoded in the chip. Fraudsters have been using that info to commit online fraud in Europe for years now, and that online fraud is growing, showing no sign that EMV has done anything to stop it.
today, the best way to protect the entire payment ecosystem is to move to EMV, yes, but also use encryption and tokenization to remove the payment data from the merchant environment.
But to be honest, in the future the best way to protect payments is what enterprise authentication systems already know how to do well: authenticate the person and authenticate the thing they have.
EMV doesn’t really do this right. It’s too patchy, complex, filled with options that allow for attacks. And it’s still based on a card number that “authenticates” the transaction and can be used online without EMV authentication or PIN authentication. The future fixes to EMV (yes, they are coming) involve more attempts to isolate the PAN used on an EMV chip from other payment presentment channels (online). But it still doesn’t solve it right and will be complex and buggy.
The only way to do this right is to start over with a solution that works both online and off, based on known cryptographic techniques, and is simple to deploy. (authenticate the person and the thing they have, don’t just “authenticate” the account number).
One example (I have no association with this org) of how this could be done is the Fido alliance. https://fidoalliance.org/
There are ways to do this right.
I don’t care what you’re doing on the head.
The fact remains, I can buy a mag swipe reader for $20, and read ALL the data off the credit cards as they presently are.
This is, I’ll say it again- insecure.
In my personal opinion, it should be getting harder for merchants, banks and other financial organizations to convince anyone, let alone use credit/debit cards.
Too bad nobody ever cares until it happens to them.
“Straight Cash, Homey…” … unless I absolutely need to use a card.
Does the fact that I haven’t lost a single dollar in 40 years to credit/debit card fraud mean anything to you? I’m not affected so I will carefully continue to use my credit and debit cards. You can pay cash all you want but be wary of the guy with the gun; there’s no protection against him unless you also carry.
Yes, but it is a nuisance when you get a new card. You have to remember who is set up to autopay with the old card. And for that matter, we all pay higher prices, as the losses ultimately get passed on to all of us.
Yes, but it’s also a nuisance when you have to update the expiration date every three or four years. But you do it, don’t you?
I agree that we all pay a little more due to credit card fraud. But we pay a little more every time a corporation figures out a way to not pay income tax. And that’s not going to get fixed either.
Your good record sounds like luck.
Yes, I’m sure I’m lucky but these breaches are no reason to give up credit cards and go to cash or checks.
1 out of 3 Americans have though.
Indeed, because if there’s one thing that people like more than having their credit card stolen and being without a credit card for a period of time (while the bank investigates the fraud), it’s losing the entire contents of their bitcoin wallet and having absolutely no way of getting their funds back.
Ding! Exactly!
Sorry, fanboys, but cryptocurrency is only good at evading the establishment when you want to conduct illicit business. To claim it’s not a fiat currency and is therefore so much better than the US Dollar, et al, is complete folly.
Put another way: what is your mathematical puzzle worth when TSHTF? Exactly nothing. At least USD can be used to build a fire.
Matt,
There are several intelligence sharing communities, but of course for several reasons, these are difficult to get into without some sort of membership-based reason for accessing such information. Your best bet is to join in as many LinkedIn groups, as once such information is leaked, people will post and share with others.
I think what we’re seeing is repetitive downside to status quo with fraud in the US banking system.
[excerpt from a Paul Murphy blog]
Last month one of my corporate cards was cloned. A copy was used to buy over $6,000 of goods in Brooklyn.
Cost to my company: $0.
Cost to my bank: $0.
Cost to Mastercard: $0.
So who pays the $6,000? We all do. The cost of fraud is passed on to every consumer or business that pays credit card fees. The estimated cost of credit card fraud in the US is $500 million. That’s a big number, but when that number is spread across hundreds of millions of cards, it’s not even noticed.
But there are lots of other costs that aren’t included in that $500 million:
Time
Anxiety
Inconvenience
Trust
So if the banks are willing to build fraud into their risk model and their margins, and merchants can’t protect payment data, what tools are consumers going to adopt to be proactive about protecting their payment information?
Ben,
Where did you get the $500mln figure from? According to the FICO/Nilson report, in 2013 the US sustained $5bln in total losses from credit card fraud.
Evgueni
You obviously don’t understand the payment system YOUR BANK paid that fraud expense. YOUR BANK ate ALL of those losses. Whenever breaches like this happen – IT IS YOUR CARD ISSUER that pays for those fraud costs!
If you don’t believe me – ASK YOUR CARD ISSUER.
If the card issuer does get to sue, the card issuer only gets pennies on the dollar.
Banks and merchants eat the costs, for sure. I think Paul’s point (reiterated by Ben) is that banks get reimbursed through interchange fees and merchants get reimbursed by charging consumers more. This adds to overall system costs, whether that’s in high interchange fees or a 5% markup on your bag of Doritos.
Actually Brad, it’s very rarely the card issuer who suffers the loss. It’s almost always charged back to the merchant. Coming from a merchant’s perspective, it’s very, very difficult to get the issuing bank to take the collar.
Absolutely not true in the case of counterfeit cards.
Absolutely not true in the case of counterfeit cards. Banks eat fraud losses on counterfeits.
That is definitely not true. The card issuer eats the fraudulent charges for counterfeit cards, nor can the issuer generally recoup via chargeback the full amount of a card lost/stolen.
Banks eat these losses 99.999% of the time on card present transactions. Banks are usually able to chargeback on card not present transactions. That is why retailers pay an interchange rate – to help banks absorb some of these losses when they happen – and to make a profit. Retailers don’t pay an interchange rate on checks and they take the losses as well.
when a poor person misses payments on certain bills, whether or not he gets the money back, their world can be already rocked.
Brad, you’ve clearly not seen a merchant agreement. The bank is not out that amount, the merchant is. In fact merchants get shafted three times – they’re out the goods, the money, and the chargeback fee.
The exception is if it’s a card not present transaction and they attempt a 3DSecure validation (which shifts the liability to the merchant bank)
Actually, I work with merchant agreements all the time. And I work with debit cards all the time as well for fraud and chargeback purposes. So, I get to see both sides of the coin.
Come and see me in my job. We don’t chargeback on card present transactions done at stores because we CAN NOT. We can dispute transactions for services not rendered – but that’s it. Counterfeit cards used at grocery stores, Walmart, Target, Sears, etc. are all eaten by the banks and credit unions. And Walmart is stealing the world blind. They have a special agreement with at least Mastercard where banks and credit unions are only earning 10 cents per transaction – which exceeds the cost of the transaction when you factor in the network cost, Mastercard’s cost, and fraud cost.
Brad is 100% right, banks eat the cost. Banks got royally screwed by the Target breach. They ate lots of fees with that. They’ll eat lots here too.
This is true, the merchant covers the cost. I think it’s done this way as the merchant is the one accepting and performing the transaction. It’s up to the merchant to properly check the ID of the consumer trying to purchase the items. Merchants most likely weigh the cost of time against the cost of fraud loss and decide which level of protection to take on an individual basis. They make the same decisions related to time/convenience when they decide if you sign the receipt or not.
Brad, thank you for pointing out that it is the Banks that bear the loss on these.
Cash
Oh boy here we go again. Call from The Krebs “Say have you noticed any unusual activity with your network, says Mr. Krebs”. Response “We take privacy very seriously and are investigating”. Rinse and repeat.
Right. Really, these statements simply need to say: “Blah, blah, blah, etc.”
It’s time for these merchants to stop trying to protect their infrastructure and just start encrypting the payment data inside the secure terminal and be done with it. Every terminal vendor offers this and most credit card processors do as well. At this point, if Visa/MC/Amex doesn’t require encryption at the merchant terminal, congress probably will
This kind of malware scrapes the info out of RAM before they are encrypted and sent on their way
Full E2E thwarts that, but due to it being a cost per transaction, and retail in general not having a high margin, it’s a hard sell… trust me…
encryption in a secure payment terminal (PCI PTS certified and encryption performed with PTS SRED module preferably) when such terminal is used as the point of swipe (not a dumb wedge mag reader on the side of a cash register) does not expose any data to the RAM scraping malware on the cash register.
I.e., encrypted before the RAM scraping malware can see it
@concerned,
They are already moving to a much more secure system, chip and PIN. This moves the encryption of your authorization onto the card itself, with a secret key pre-installed by your bank. You no longer have to depend on the trustworthiness of the retailers’ terminals. The retailers will still need to protect them to ensure they get paid, but this is to protect their money in the transaction, not yours.
This switch is already scheduled for October of next year.
depending on what you call a “terminal” we will always have to depend on the security of a retailer’s payment acceptance device (PIN pad, chip card reader, call it what you will). there are many attacks against chip cards if attackers control the card reader. (re: Ross Anderson research, etc).
Also, a friend at a card issuer assures me that during a chip card payment, the account number that is the same as what is printed on the chip card face is sent during a payment transaction and can be used by the same RAM scraping malware to skim card data.
A little Googling shows that fraud is occurring in other countries using this data. I can’t believe that chip transactions provide any security other than card cloning protection.
A little off topic but some relevance to Ben’s post about protecting customer data. Received the following in our Chase statement today:
“Effective November 16, 2014, we will be updating your agreement. The updated agreement will explain that if you allow anyone to use your bank Card, or if you don’t exercise ordinary care (examples of not exercising ordinary care: if you keep your PIN with your Card, or select your birthday as your PIN) you will be responsible for all authorized and unauthorized transactions.”
That doesn’t sound good. Since those are “examples” of an insecure PIN, it sounds like Chase will get to decide what “ordinary care” is. For “example”, is using a 4-digit PIN insecure? Well, yes, but kind of by definition that must be “ordinary care”.
I believe that this is for “Electronic Transfer of Funds” business accounts only.
The ongoing revelations about retail credit card breaches never seems to end.
What I find interesting is that at my local HD, the POS terminal has the slot for EMV cards. But it is not yet active – whenever I go, I try it, but nothing happens.
A week ago I got a replacement card (with EMV chip), all due to some unspecified breach.
I should add that the local REI also has EMV capable POS terminals. Those are not yet active either.
My understanding is that EMV is worthless if you can bypass it. In other words, clone your EMV card with a regular card that will be accepted everywhere!
When you insert your card into an EMV slot, the POS terminal is not reading the magnetic stripe on the card. Thus if the slot had been active, and had I used a card there, the malware would not get anything that the crooks would find to be of value.
@Bruce, “if you can bypass it” is not quite that simple and is really a classic “it depends” answer.
Yes, you can clone the mag stripe but the system knows you have a chip. Convincing it the chip is dead and getting payments accepted is sometimes possible but it’s inconsistent. The use or not of chip vs. swipe for cards is also something else they can use to monitor fraud on a card. In any event, as fraud increases in this way expect it to become more consistently tightened up.
Shopping at non-chip merchants is one way you can be sure, but as fraud increases there will be fewer of these.
Card not present security is different mechanism.
The point of all this is not to make things instantly more secure as consumers would be very vocal about being put out, but to improve things over time. The thing about striking a balance is that there will always be a room full of opinions with most being that the balance is wrong one way or another.
Not a for or against opinion, just an observation on how things work (or don’t) – YMMV.
As I read the description of processing the EMV card, the card is put into a slot. If I can compromise the reader, I can add a magnetic head that can read the stripe as the user is inserting the card or removing the card. If the reader has both a magnetic stripe reader and an EMV reader, I can compromise the software to intercept the magnetic stripe data even if the reader uses the EMV chip instead and ignores the magnetic stripe data. Finally, getting a PIN is a bonus. How many systems will use two PINs, one for the EMV chip and one for the debit card part? None; too complicated for the simple user to remember.
My point: Cards will continue to be compromised even with chip and PIN. It may be harder to do, but it will still be done.
@Bruce,
You described an attack on the mag stripe, not on the chip. Yes, during the transition, the weak system will continue to remain vulnerable, but without the transition, we can never correct the actual problem.
The transition is expected to move rapidly, because the liability shift will put all the risk on the companies that don’t upgrade. Given the low cost of cheap card readers (a decade ago USB smart card readers were already under $10) and of cheap phone-based terminals like Square and Quicken, the expensive mag stripe terminals of today are going to rapidly vanish, even from small businesses with little money.
In just a year or two after the shift, look to the banks to start removing the mag stripes.
EMV will help with these types of breaches, for now. I have used my EMV card at Sam’s Club and when I try to swipe the magnetic strip, it won’t work and the cashier says I have to do it the other way, so that **should** prevent the cloning. Many of these retailers have the units installed already, but almost all of them are reliant on their software vendors (First Data, Global, TSYS, etc.) to be able to update the units to accept it. Until that happens, the breaches will be non-stop until the Banks complete the issuance and acquirers get rid of all the mag-stripe readers. Even with the liability shift coming in 2015 (2017 for pay at the pump), these emails will be non-stop, but the scale will be much smaller, like restaurants and other low margin businesses that cannot afford to invest in the equipment.
Actually Sam’s Club and Walmart play games with the credit/debit system. If they know you can enter a PIN, they will fail to pass the transaction onto the proper network and will tell you it was denied by the bank. As the bank, I can tell you those transactions never make it onto the network. If you use your card elsewhere, it magically works…
Of course, the bank may be denying the transaction if they only allow pin transactions from the merchants that have EMV capable terminals. You will have to ask the bank if they even saw your attempted transaction.
EMV doesn’t solve the problem. Look in Europe where chip & pin (EMV) is everywhere and yet online fraud is through the roof.
Yes, you can’t clone an EMV card, but a breach would capture your credit card data which can still be used for online fraud, sold on the carding forums, and results in you having to get a new card. what’s different?
The fraud you speak of is due to mag stripe theft, not EMV theft. Once the USA rolls out chip and PIN, there will be only a few smaller markets that still have mag stripes, and most banks will quickly stop supporting them.
Of course, the use of chip and PIN for web transactions needs to change, too, in order to close the last of the security holes. Look to either a chip card reader attachment for your computer to be the next big thing that everyone has to get, or a hand-held reader like the Vasco DigiPass (much more secure).
EMV sends up unencrypted cardholder data in the clear (PAN is field 5A, Track equivalent data is field 57, discretionary data is tags 9F1F, 9F20).
These fields can be scraped by RAM scraping malware and used for fraudulent online transactions.
Online fraud in Europe uses EMV (chip & PIN) PAN numbers. There’s not enough mag usage in Europe to account for all the European online fraud.
Here’s a fairly recent article about that fraud: http://www.paymentscardsandmobile.com/uk-fraud-increases/
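The tags named a few comments up (5A, 57, 9F1F, 9F20) are ordinary BER-TLV fields in an EMV record, which is why a process that handles the record sees them in the clear. As an added example (written for this page, not code from the article or from any commenter), the following Python walks such a record, flags those four tags as cardholder data, and masks them before anything is logged; the sample record and its well-known test PAN are constructed here, not captured data.

```python
"""
BER-TLV walker that finds EMV cardholder-data tags and masks them for logging.
Added example for this discussion; SAMPLE_RECORD below is constructed.
"""
from __future__ import annotations

# Tags named in the comment thread (EMV Book 3, Annex A data element names)
SENSITIVE_TAGS = {
    "5A": "Application PAN",
    "57": "Track 2 Equivalent Data",
    "9F1F": "Track 1 Discretionary Data",
    "9F20": "Track 2 Discretionary Data",
}


def parse_tlv(data: bytes) -> list[tuple[str, bytes]]:
    """Parse BER-TLV into (tag_hex, value) pairs, descending into templates."""
    out: list[tuple[str, bytes]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):          # inter-object padding bytes
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag (e.g. 9F20, 5F34)
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                b = data[i]
                i += 1
                if not b & 0x80:             # last tag byte has bit 8 clear
                    break
        tag = data[start:i].hex().upper()
        if i >= n:
            raise ValueError("truncated length")
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: 0x8N then N length bytes
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 4 or i + nbytes > n:
                raise ValueError("bad length encoding")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > n:
            raise ValueError("truncated value")
        value = data[i:i + length]
        i += length
        if first & 0x20:                     # constructed: recurse into template
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def decode_cn(value: bytes) -> str:
    """Decode a compressed-numeric field (BCD nibbles, right-padded with F)."""
    return value.hex().upper().rstrip("F")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check used to tell a real-looking PAN from random digits."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS-style truncation: keep at most first six and last four digits."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_record(data: bytes) -> dict[str, str]:
    """Log-safe view of a record: sensitive tags masked, others hex-encoded."""
    view: dict[str, str] = {}
    for tag, value in parse_tlv(data):
        if tag == "5A":
            pan = decode_cn(value)
            view[tag] = mask_pan(pan) + ("" if luhn_ok(pan) else " (Luhn fail)")
        elif tag == "57":
            track = decode_cn(value)         # PAN 'D' YYMM service-code discretionary
            pan = track.split("D", 1)[0]
            view[tag] = mask_pan(pan) + "D" + "*" * (len(track) - len(pan) - 1)
        elif tag in SENSITIVE_TAGS:
            view[tag] = "<redacted %s>" % SENSITIVE_TAGS[tag]
        else:
            view[tag] = value.hex().upper()
    return view


def _tlv(tag: str, value: bytes) -> bytes:
    """Encode one TLV (short or one-byte long form) for building the sample."""
    ln = len(value)
    return bytes.fromhex(tag) + (bytes([ln]) if ln < 0x80 else bytes([0x81, ln])) + value


# Constructed sample: a '70' read-record template; 4111111111111111 is a
# well-known Visa test number, not a real account.
SAMPLE_RECORD = _tlv("70",
    _tlv("5A", bytes.fromhex("4111111111111111")) +
    _tlv("57", bytes.fromhex("4111111111111111D25122010000000000")) +
    _tlv("5F34", b"\x01") +                  # PAN sequence number, not sensitive
    _tlv("9F20", bytes.fromhex("0000000000")) +
    _tlv("82", bytes.fromhex("1C00")))       # Application Interchange Profile

if __name__ == "__main__":
    for tag, shown in redact_record(SAMPLE_RECORD).items():
        print(tag, shown)
```

The masked view is what a terminal or gateway should write to its own logs; the parser raises on truncated or malformed length fields instead of reading past the buffer.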
Under EMV, your account number does not need to remain secret. It is obviously pointless to try to keep it secret, as it’s been failing as a security strategy for 30 years. So under EMV, PAN is no longer sufficient to make a charge, and other secret information is required to indicate your authentication. Online transactions can be well-protected by an offline card reader and PIN pad to generate an encrypted code, or poorly protected by a static CVV2.
And don’t confuse the temporary transition state with the end state. Until we can fully get rid of all mag stripes, we still have to accept them.
Under EMV your non-secret PAN can be used without CVV for fraudulent transactions at merchants that don’t check CVV2 codes. Sorry.
if EMV was the answer to all fraud, the card brands wouldn’t be spending so much effort and time and money trying to figure out how to stop online fraud of EMV cardholder accounts.
EMV data absolutely must be protected (encrypted) to prevent online fraud.
There are potential solutions from the brands coming down the road that prevent the EMV PAN from being used online, but we’re not there yet. If HD or Target had been a breach of 100% EMV cardholder data, that data couldn’t have been used for fraudulent card present transactions (cloned cards) but can and would be used for fraudulent online transactions. It happens all the time.
again, EMV is not the answer!
C&P is only secure for POS, since it is then generating a unique digital signature. C&P prevents skimming, thus it’s part of the solution.
If you are purchasing online, then transactions are susceptible to the same type of fraud as conventional cards.
Bryan, I think Russian history is not your forte, but it is mine. And what instantly raised my eyebrow in this story is the names of the dumps, “European Sanctions” and “American Sanctions”.
This is extremely suspicious. Underground criminal organizations were never patriotic, and were always very hostile towards the governments. This was true in Imperial Russia, then the Soviet Union, and in Russia now. These recent Western sanctions clearly target government officials, and government officials only.
Such “patriotism” as hacking Western institutions in retribution seems very very suspicious. High tech criminals are leaps and bounds more intelligent than street criminals, and the current propaganda machine in Russia is not sophisticated enough to influence anybody except the bottom quartile of the population. These criminals certainly belong to the upper quartiles.
I’m suspecting Russian state involvement in this.
Tell us more about Russian involvement. I don’t doubt it.
Based on comments over the weekend from government officials, nation states (Russia) appear to be involved in these schemes. We keep beating up the retailers and banks, they are easy targets. But which of us wants to put our networks up against a hacker(s) backed by a government? Isn’t this why we have a Federal Government? To protect us from foreign threats? No bank or retailer has the resources to go up against a nation backed hack.
Should we be at all surprised that Home Depot is using the same NCR based POS software as Target? Both heavily modified but the same underlying core software. On machines running Windows XP.
When is the industry going to realize that their ancient OS needs to be updated? How is this not part of PCI compliance? Whenever I see a terminal boot and it flashes a Windows XP logo, I die a little inside.
We should see that shake out in a dramatic shift in merchants who were once PCI compliant falling onto the non-compliant list. Part of the certification process requires installation of the latest security patches…which for XP, we all know there are none.
We have to remember that PCI compliance is a point in time. It also doesn’t mean it cannot be breached, just that best practice IT procedures are being followed.
Payment data should be encrypted at the point of swipe inside a secure cryptographic device (SCD)/tamper responsive security module (TRSM) with a key known only to the device and the decrypting payment acquirer. ANSI, PCI, Visa have had encryption standards out for years.
Encryption is what protects against breaches. The rest is just nice to have in protecting your IT infrastructure, but it won’t prevent a determined outlaw going after the stage coach looking for the gold.
Yeah, but PCI-DSS is really a function of audit and not one of IT Security. Although this is said tongue-in-cheek, I can see the audit people with their checksheet asking “Have all the latest security patches been applied?” – the answer “Yes, all the latest security patches have been applied” will get a check for that checkbox. PCI is about getting checkboxes to the light requirements.
That particular edition of Windows XP is called Windows XP POSready and it’s still supported – and patched – for a few more years. One of the ways to continue getting patches for your home PC in fact is to modify your registry to claim your SKU is POSready.
Patched only via WSUS, and still based on the XP core which is probably not fully fixable at this point. It’s ancient and giving such long support has only made the problem worse instead of pushing vendors to update. How many are simply clinging to WEPOS for another 2 years before they even start trying to get something newer out the door? How much hardware will end up in the landfill because they have no intention of back porting hundreds of thousands of capable machines because they sold it 7 years ago?
They just need to get rid of the buggy Windows software and move to an operating system that is not so prone to accept unauthorized malware installs.
Too many companies are still using XP POS. I’ve even seen them at Lowe’s in their self checkout aisles when they reboot. How long before they are the ones saying “Protecting our customers’ information is something we take extremely seriously”?
I started dying inside when I first realized that POS and ATMs use any form of Windows (or OS/2). General purpose operating systems (even stripped down ones) don’t seem like a good idea for specialized systems that should be highly secure.
Do we know for a fact that these systems are running on XP, or is this just conjecture?
Granted, I have enough experience in the InfoSec field that I know it’s not at all unusual to find mission-critical systems built upon outdated OS and technology, but if this is an assumption we’re running with, let’s at least make sure we’re not being inaccurate.
Well, #@$%! I almost NEVER go to Home Depot, but did about a month ago.
I got caught up in this breach (fraud) or whatever you want to call it. On Saturday, 2 mysterious charges of $54.95 appeared on my bank statement. I called immediately to question what these charges were. My bank said they would probably drop off my account and never actually get the money taken from my account. Well, that isn’t what happened! The money WAS taken from my account (we live on a fixed income after hubby’s stroke) and now we had to de-activate our credit card/ATM card and await the replacement card. Then we tried using checks which also were declined at a local retail establishment in our little gedunk town. So looks like these MFs fu**ed us royally. Have no access to our money for 2 weeks. Glad friends and family can help us out or we’d be going hungry. The credit card number of ours these people used wasn’t a Home Depot credit card either. Glad I got this rude awakening, now no one will get my credit card information . . . if they don’t have a paypal option of paying, I won’t be purchasing. PERIOD!!!!
RuthE
This can be painful, takes discipline and took me some conscious effort to master but it is the only way to go.
Get yourself a good Credit Card that offers some decent rewards, use it for purchases, online shopping etc. and pay it off every month. Save your ATM/Credit card for the ATM to get cash only; like you I can’t afford to have my bank account impacted by a breach issue. With the credit card I let the bank hash it out and never feel the impact. In your case since it’s tied to your bank account it hurt until it was resolved.
Make sure your friends and family are aware as well, ATM/Credit card convince is a thing of the past and should never be used as a credit card IMHO.
*convenience – credit card convenience :p
Mr. Krebs – the unique thing about this most recent occurrence involving HD (if I recall correctly) is that the customer can pay leveraging their PayPal account while at POS. Does that create any additional exposure for this event compared to similar documented events in the past (Target, NM, etc.)?
That’s true – you can use paypal at HD. I would need to be suffering from dementia before I ever used it though.
Besides, my PP password is long and complicated, and not one that I would want to try and enter on a POS terminal.
Why on earth would you enter the PP password on an untrusted system, in the first place?
Paypal is hardly a viable solution to credit card theft. First of all- they’re not subject to banking laws, and can be outright thieves themselves!
PP encrypts the data on the wire from inside the terminal. So that data is probably safe. It’s what HD should be doing with the rest of the data.
The same thought crossed my mind, and I have been frantically searching for any indication that PayPal accounts have been compromised. I am still in the guessing phase but since neither the main carder site nor any Tor/.onion sites I keep an eye on have any new PP, that either means a) the attack didn’t actually happen on the terminal, b) “less sophisticated” criminals did the actual work (by using easy to find, off the shelf malware), or c) the Home Depot/PP integration is a joke. I don’t know which one is true, but it’s got to be one of them.
I haven’t been to HD recently.
http://www.fool.com/investing/general/2014/05/21/paying-with-paypal-at-home-depot-just-got-a-lot-ea.aspx
http://community.homedepot.com/howto/DiscussionDetail/Using-my-Paypal-account-9065000000006Z5
Claim that you enter your phone number (and a PIN).
https://www.paypal.com/webapps/mpp/pay-in-stores
https://www.paypal.com/us/webapps/mpp/accept-payments-in-store
https://www.paypal-media.com/videos
https://www.paypal-media.com/au/videos
The Australian demo of check-in to pay looks pretty reasonable. It’s up to you to decide whether you’d leave your PayPal account on your phone authenticated. If you do, then there aren’t any passwords to deal w/ (and when your phone gets stolen, you need to cancel things, just like when your wallet gets stolen — but you already need to do that for both, no real change in behavior).
Should we all revert en masse to carrying a checkbook until US stores upgrade to European style cards?
Well I just canceled my card and ordered a new one. I think I am going to be using Google Wallet with the NFC in my Nexus 5 more often now. As at least that only gives out a virtual pre-paid card and requires the security PIN be entered in my phone in the last 15 minutes to even issue one.
EMV will solve this in stores as you will be forced to use the chip. They really should remove mag swipes from US completely. Also they should figure out an at home solution for EMV as Online transactions will be the next logical point for hacks.
See my other comments.
EMV card data is unencrypted (the printed account number is the same as what is on the chip) and can (and will) be used for online fraud if breached.
The chip contains a cryptographic key used to authenticate the card for “card present” transactions. But online, the PAN can be used at many retailers that do not validate the printed card security code (many issuers do not validate it either), and thus the EMV data if breached is sufficient for online fraud.
EMV is not the answer. The card brands know it. Europe knows it. Online fraud in Europe is through the roof.
EMV is no help for the online case, but it works fantastically for hacks like this, abusing cards that were used in person in a store. I think you are confused about the role of the PAN and CVV1 and CVV2 — EMV reveals very little useful info for a criminal.
Maybe change your name to EMV Is Half The Answer!
@icknay
I actually do agree that EMV is half the answer 🙂
But I’m not confused about the difference between CVV1 and CVV2 and the dynamically generated card authentication. But perhaps you’re unaware about the state of card not present fraud in Europe and what criminals can do with plaintext EMV card data.
There are actually many ways that criminals can use EMV card data to commit fraud. They cannot clone cards, sure (although it is possible in some cases to make fake mag data that will work at some merchants). But there are plenty of ways to purchase goods and make money using EMV data.
For example, the PAN in the EMV data is the same as what’s printed on the front (and encoded in the mag stripe as the first chip cards in the US have all three).
There are ways to guess the card security code (1000 options or less). There are ways to use the PAN (account number) without knowing the card security code (not all merchants require card security codes online or for mail or telephone order).
I’m not sure if it will continue to be valuable for criminals to continue to skim payment data after 100% move to EMV (or just guess at PANs as they sometimes do now). I suspect that data will be valuable to criminals. But I do know that fraud will move to online (card not present or CNP fraud) in the states just as it has in Europe. (Google CNP fraud EMV or online fraud chip and pin).
And, as we will continue to see transition from mag to EMV for many years, we need to protect all data equally now by combining EMV with encryption and tokenization. Consumers deserve better than what merchants are doing now.
Bitcoin not affected.
I wasn’t aware that HD’s POS accepted Bitcoin.
If counterfeit cards are being sold then I would expect this to be a breach at the POS terminal, unless Home Depot is not compliant or at least following best practices. Raw card swipe data is only supposed to be kept at the POS to validate the card and perform authorization. It should then be deleted and only needed card information sent on to other internal systems. If they can get to your POS, they will get this raw swipe data.
My credit info has been stolen 5 times in the last 4 years. I use my credit card everywhere. But, every time someone illegally used my info, it was for ONLINE purchases. There is a SIMPLE way to end all of this cyber crime: changeable CVC numbers (the 3 digit code on the back of the card). Every time you want to make a credit card purchase, you need a new 3-digit code from your bank that is good only for that day, and you have to plug it in like a PIN number for a debit card. You get it via text or email whenever you use the card for the first time that day. How easy this would be to program all credit card machines (and online stores) to require this. And, if someone tried to use an old 3-digit code illegally, the bank would know where the card was used that day, and hunting down the offending location would be easy. For people without cell phones, they could just use the regular 3-digit code that comes with the card, but with the added risk that the info can be stolen. This is not rocket science, folks.
It’s a good idea Sandy, but these criminals will be able to quickly crack the algorithm that generates the “random” daily 3 digit CVC code, and we’ll be back in the same boat. Using 2 factor authentication is a similar approach but uses a key fob to generate a one time code. It’s much more secure, but expensive to implement and maintain for all CC holders. But I expect that would be cracked also in due time.
The algorithm should be secure whether it is known or not, if it includes a customer generated piece of data it would still be difficult to figure out especially if it was different for every single card out there.
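As an added example (not code from the thread or from any issuer), here is how the daily 3-digit code proposed above could be derived so that the algorithm is public and only a per-card secret needs protecting, in the spirit of the reply above: HMAC-SHA256 over the secret and the date, with an issuer-side attempt budget because a 1000-code space cannot survive unlimited guessing. The Issuer class, the PAN and the dates are constructed for illustration.

```python
"""Added example, not from the thread or any issuer: the 'daily 3-digit code'
idea sketched with HMAC-SHA256 over a per-card secret and the date. The
algorithm can be public; only the per-card secret must stay private, and a
1000-code space needs an attempt limit. Secrets and dates are constructed."""
import hashlib
import hmac
import secrets

def daily_code(card_secret: bytes, day_iso: str) -> str:
    """Derive the 3-digit code for one card on one day given as 'YYYY-MM-DD'."""
    digest = hmac.new(card_secret, day_iso.encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # HOTP-style dynamic truncation
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1000:03d}"

class Issuer:
    """Constructed issuer-side store and verifier; guesses are budgeted per card per day."""
    MAX_FAILURES = 3

    def __init__(self) -> None:
        self.cards = {}          # PAN -> {"secret": bytes, "failures": int, "day": str}

    def enroll(self, pan: str) -> bytes:
        """Create a fresh random secret for a card; it is what the daily text/email is derived from."""
        secret = secrets.token_bytes(32)
        self.cards[pan] = {"secret": secret, "failures": 0, "day": None}
        return secret

    def verify(self, pan: str, code: str, today_iso: str) -> bool:
        """Accept only today's code, and lock the card after MAX_FAILURES bad tries that day."""
        entry = self.cards.get(pan)
        if entry is None:
            return False
        if entry["day"] != today_iso:                # new day: reset the failure budget
            entry["day"], entry["failures"] = today_iso, 0
        if entry["failures"] >= self.MAX_FAILURES:
            return False
        if hmac.compare_digest(daily_code(entry["secret"], today_iso), code):
            return True
        entry["failures"] += 1
        return False
```

Knowing `daily_code` gives an attacker nothing without the 32-byte secret, which is why the reply above is right that the algorithm can be public; the attempt budget is what stops the 1000-option guessing the thread mentions.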
It looks like Home Depot is a Cisco Sourcefire IDS shop. I am looking for other major retailers/banks who also use Sourcefire boxes that might be attacked as well. See this Security Engineer job description http://www.simplyhired.com/job/sr-security-engineer-it-security-soc-irteam-86409-job/home-depot/ce2hxq3ses?cid=cmolvttbolmbemrxszqecnoehleourgu
I literally just got off the phone with my Credit Union and had a card locked out. This card hardly ever gets used which prompted me to check the credit card history and sure enough
05/29/2014 -THE HOME DEPOT
I had 14 charges on this account in the past 12 months and 12 of them are the local YMCA the other two are Home Depot on the date shown.
*Mistakenly posted to last posts comments and couldn’t see how to delete it*
I gotta admit, “American Sanctions” is funny!
PCI standards have proven to be a joke. There are ways to increase the security of transactions but so long as the banks and credit card companies find such costs manageable, they are not going to force changes. Retailers can rely on insurance for these costs, but if the reports that Target had $90 million of insurance for their breach are correct, the insurance will fall short.
As there are as yet no details on the extent of this breach, one can only speculate as to the costs. But they will not be small. And if Home Depot had insurance similar to Target, then some of the costs will be offset. But again, not likely much. One wonders how much longer insurers can handle these hits.
Ironically, I informed my local Home Depot Store this past Sunday that their data may have been breached. Without going into details, one of my cards info was used to make a purchase I did not order (a purchase separate from Home Depot). The order came from an email address similar to mine, but one character off. Most importantly, the date of the sham purchase was the date I spent a great deal of time in Home Depot to purchase upgrades for my kitchen. I sent this information to the FTC.
I was at my local hardware store this weekend to pick up something for a yard project I was working on… This wasn’t HD, but a small-town hardware store. When I walked up to the counter, which has two terminals, I noticed that the teenaged kid running the other register was busy surfing ESPN.com on it… I put away my debit card and paid cash instead.
…why is this article dated September 14th?
The big number is the day.