September 2, 2014

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store — rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.

A massive new batch of cards labeled "American Sanctions" and "European Sanctions" went on sale Tuesday, Sept. 2, 2014.


In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.

This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.

Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.

Follow-up reporting:

Data: Nearly All U.S. Home Depot Stores Hit

Home Depot: 56M Cards Impacted, Malware Contained

In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

Home Depot Hit by Same Malware as Target

In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud

Home Depot: Hackers Stole 53M Email Addresses


305 thoughts on “Banks: Credit Card Breach at Home Depot”

  1. Francis

    Both businesses and cybercriminals have financial gain in sight, however hackers benefit from not being limited by budgets, whereas IT departments must live with several constraints, fully knowing security cannot be guaranteed.

    Would a ban on credit card payments help, considering organisations are not coping with the security requirements?

    Until the CC is faded out, hackers will continue trying to get their hands on them.

    1. James

      All you need is chip and pin cards. Credit cards will never be phased out and shouldn’t be.

      1. RJ

        Really? Chip and Pin only helps to lessen card present fraud. Do some homework before publishing your incoherent statement

        1. Damon Moorer

          EMV chip cards only help prevent Card present or Counterfeit card fraud.

          Card Not Present (online, over phone etc) are not prevented by EMV chip cards.

          Chip card issuance / adoption will create a spike in Card Not Present fraud which as of today the payments landscape is not prepared to handle.

          1. Brandon

            How does EMV change the attack surface for card not present transactions? I don’t see the volume of those transactions changing significantly. After the EMV rollout, hackers do not suddenly gain new powers.

            EMV decreases the attack surface dramatically. Everyone will be much less exposed.

        2. Brandon

          When was the last time you ran a “card not present” auth/capture at a store? EMV will kill nearly all fraud originating from stores, because the unencrypted track data won’t be exposed to anything.

          After the EMV renaissance the only thing you’ll have to worry about is someone copying your card number (eg. at a restaurant), which isn’t really amenable to large scale attack, or stealing it in an insecure online transaction / man in the middle attack.

          EMV shifts liability for fraud to the stores. It’s a good thing.

          1. Billy Y..

            “EMV shifts liability for fraud to the stores. It’s a good thing.”

            EMV/Chip+Pin shifts liability for fraud to the cardholders. That is a very bad thing.

            1. John

              I would think a class action lawsuit will arise immediately as soon as cardholders become “liable” for fraud when in fact they will have done everything they can reasonably do to protect their cards (such as keep them private, not let anyone else use them).

              So if a store is breached after EMV, and data stolen, I bet we see lawsuits start flying from class actions from consumers against the stores for not doing THEIR part. (Although it really should be against the whole CC industry for not creating a better system when they are smart enough to know how to do it.)

            2. E.M.H.

              This has been discussed here several times. While this was true in Europe and has been a major criticism of EMV type cards for a long time, federal law prevents such liability shifting onto the cardholder in the US. It is mandated that cardholders are to be shielded from fraudulent use and limited to a maximum liability of $50. As a practical matter, even that gets waived; Visa explicitly has stated a zero cardholder liability policy and stated in the news that they will continue that for EMV cards. Moreover, all participants in the US EMV push have held discussions on liability assignment for fraud, and in none of their published works have they even included the consumer; it’s been focused on the security of the merchant vs the precautions the card issuers take, period.

              While it’s true such liability shifting to the cardholder has been a problem in Europe, it’s incorrect to use that as a prediction for what happens in the US. Federal law prevents it from happening.

          2. Northern Sense

            Track data is still used during EMV transactions, with a different service code + CVV, so there is some (albeit minimal) exposure of the card number and expiry date, and potentially brute force of the CVV, potentially exploitable as a fallback mag transaction.

        3. bob

          Incoherent? I think your unpleasant attitude would make you look less like a stroppy teenager if you bought a dictionary.

      2. Francis

        The only reason why credit cards have been invented is to enable the vast majority of consumers to buy what they cannot afford.

        As a result, these consumers are now having money they do not have stolen from them, and incredibly, criminals are able to buy what they will never have to pay for.

        In the end, Banks have to bear the cost.

        Therefore until the impact of cyber crime impacts the financial institutions in a repeated and widespread manner, or until one specific institution with enough reputation and impact to lead by innovation moves away from cards, no one else will.

        Fact is, even the retailers benefit from credit cards because anyone holding a piece of plastic can check out.

        Banks must lead.

  2. Noise

    An interesting aside… Target and Home Depot have more than a breach in common. New Target CIO Bob DeRodes is a former Home Depot CIO (with a brief and unproductive stint at First Data Corp. in between the two gigs).

    Best of wishes to Bob in his new gig as he has his hands full.

    1. Garet Jax

      I wouldn’t blame Bob, he’s been gone a long time from Depot. Matt has been there 6, maybe 7 years.

  3. Canuck

    Another American company with franchises in Canada – will Canadian franchises escape again or are they included this time?

    Target, Sally Beauty, Dairy Queen, Michaels etc – the Canadian franchises were not part of the breach – why? Why the difference – simply down to a different POS system or chip and pin?

    1. Greg

      Canuck, you raise an interesting point. As a fellow Canadian, we seem to have escaped some of the large attacks made on our American cousins. Does this have something to do with how our chip/pin cards are setup? I am not a retail expert and have limited knowledge of the PCI DSS compliance in Canada, but either Canada is lucky, we are not a big enough target or there is something fundamentally different in the way Canadian retailers handle credit/debit card transactions.

    1. SeymourB

      Nope, you just need to be more liberal in reading dates.

      The big number at the top is the day. In this case it means the day is the 2nd.

      Below it is the month, SEP. September.

      Next to the month is the year. 14. 2014.

      So, that means the article was posted on the 2nd of September, 2014.

      In other words, it’s a DD/MM/YY format. Not unusual at all, especially in computer circles.

      Personally I prefer a YYYY-MM-DD format but that’s because it makes sorting easier. With DD-MM-YYYY you sometimes end up with a mixture of DD-MM sorted next to each others, if the sort is lackadaisical.

  4. Martín Alejandro Carmona Selva

    Brian,

    I live in Barcelona (Catalunya, Spain), and seeing your reports of stolen CCs and DCs in the USA makes me wonder why aren’t similar crimes happening on this side of the pond? Or, perhaps they are, but, there’s nobody telling the story? Well, let’s hope it’s not happening.

    Thanks for the wonderful site!

    1. Michael Rudmin

      There may also be a tendency to simply assign the fraudulent charges to the customer, similar to ATM fraud, by simply saying ‘we presume that the attacker could not make the purchase without your knowledge and consent.’

      Regardless, when in France a researcher showed how the ATMs were storing pins on the machine in plaintext, HE was immediately put in prison, and the status quo was defended.

      So in that way, absence of news of a crime does not imply news of absence of the crime.

  5. Anon

    You only know about this hack, it is being told there have been three in the last few years. The CISO outsourced all the security functions to vendors because he is really clueless about security and could not manage people. That’s why he fired around 47 people when he first took over. He and the CIO are to blame for the hack. Also they don’t monitor their network, they outsource everything to telco carriers who are not doing a good job. PWC might be to blame as they had kids in there doing security audits fresh out of college. A waste of money.

    1. Garet Jax

      The only correction I can make to what you said is most of the people quit, they were not fired.

        1. Jim

          Actually, Cisco’s Sourcefire IDS is basically the pro version of Snort, which IS the most powerful system in the marketplace. It’s also probably the most widely deployed IPS/IDS in the world.

          1. Jill

            I think that Jack’s comment and your comment typify the problem with security, the obsession with tools over process and people. I find that most tools will work fine under their operational constraints, but that companies do not hire enough people and do not have the right processes in place to run, maintain and monitor the tools adequately.

            1. Paul

              Jill makes a great point, and Neiman Marcus is a prime example. They were receiving alerts, but they were less than 1% of their alerts and they were overlooked.

              You can have all the logging and advanced correlation engines you want, but if you do not have the right people and enough of the right people looking at those tools you basically have expensive tools to look at after you are hacked.

            2. rip twit

              Yep. We want to buy some new piece of equipment/software, plug it in, configure in 10 minutes and then say “We’re safe.”

              Nope. Hardware/software does not make security without a true expenditure of best practices and per-system configuration.

              Interesting that the same CIOs (and cronies) will circulate between these companies. Reminds me of the failures that have happened in the financial sector where trust is based on having a drink/dinner/etc. with someone or their spouse.

              Unless there is a verifiable external trusted way of testing a company’s systems (internal and external) then we are just relying on the PR bulletins:”How we care about your privacy.”

        2. feisty1

          What makes you say that Sourcefire is not the most powerful system in the market place? Just curious. It has always been highly regarded and if you believe in the merits of the Gartner Magic Quadrant, it has always been in the upper-right corner as a solid performer – outperforming all the others.

          There are multiple layers of defense and if we assume they are using Sourcefire IDS/IPS (or any other for that matter) the IDS/IPS is only one part of the security layer.

          There are so many factors as to why this breach was presumably not seen by their security folks. Unless you are in the security profession and do this for a living, most have no idea how difficult it is to see something amiss on the network. There are so many factors that come into play when it comes to security monitoring. So many false positives, trying to track down a particular system (who owns it, what is stored on it, what does it communicate with, etc.), determining a normal baseline of network traffic, visibility into all areas of the network, etc.

          I’m certainly not trying to make excuses, but it is so easy to point fingers when one actually isn’t in the heat of the fire. The fact that so many breaches have occurred and have been publicized in the media – the last two years alone – suggests there is much work to be done.

  6. Andrew

    Bitcoin user (in this case shopping via Gyft cards) unaffected.

    1. SeymourB

      Tell me you’re still unaffected when malware cleans out your wallet the instant you open it.

  7. Noah

    Brian,
    I can say pretty clearly this is either a hack or internal fraud. I got a NEW card from Home Depot a few months ago, never used it or even ACTIVATED it. Never wrote the account information anywhere. I have the card in my home, never seen the light of day. And the account was used fraudulently in a store in another state to buy some lumber.
    So pretty clear to me this was a hack in their systems or internal fraud.

    1. Jay

      Home Depot credit cards come already activated in the mail and they require your social security number and license to be looked up in the store if the card is not present, so either someone made a copy of your card or you have bigger fish to fry and someone stole your identity.

  8. JATny

    Brian, once again you’re ahead of everyone on this. I wish I had checked you out before I went shopping at Home Depot this morning! The “mainstream media” had a below the link nonstory crediting you begrudgingly on breaking the story. These guys ought to be paying you.

    1. JacobGivens

      The fraud does not (typically) take place at the same merchant from which the card was compromised. You would almost certainly know if you’ve had fraud on your account, as they typically keep making attempts until your card is maxed out or account is drained of funds.

    2. laylahb

      Just my luck. I hadn’t shopped at Home Depot in about seven years, and on Saturday Aug 30 I bought some kitchen cabinet knobs. What was the cutoff date?

  9. Canuck

    You got a mention on Canada’s national broadcaster about this story but they too didn’t say one way or the other if Canadian franchises are included in the breach.

  10. Bill

    I had my credit card cancelled Saturday night after being notified of possible fraudulent purchases. After calling my card company and reviewing the charges, 5 fraudulent charges for ~$200 were made on Saturday August 30th. I live in New Jersey and the charges were made in Tennessee at a Beer Store, Dollar Tree and fast food store, but I don’t recall the other 2 stores. I’ve been waiting for news to see which retailer was breached and reviewed my transactions over the past month after reading of the Home Depot article. I made an $18 purchase on August 22nd from Home Depot in Flemington NJ, so my card was either sold before today or was part of another breach.

  11. dave

    Had one suspicious transaction over the weekend that I definitely did not perform. I have a couple home depot transactions from October 2013.

  12. Janice Himler

    They hacked my husband’s debit card from home depot just two months ago. Thank goodness the bank caught it. He had gone to a local home depot here in Ohio and bought some casters for a table, then within one week he had a charge on his debit card from a home depot in Ind. then another in a Fla. home depot. I think it is within the home depot employee ring myself.

    1. Old School

      “They hacked my husbands debit card” People! We need to greatly modify our use of debit cards. Start by calling them a “key” card, a key to your checking account, the place where your greatest treasure is stored, your paycheck. Thus a debit card should only be used at a place that has the highest possible security, the lobby of your bank or, knowing of the possible added risk, the drive-up ATM in the bank’s parking lot (“bank’s car park” for those on the east side of The Pond). That’s it. The rest of the time that “key” card is stored in a secure area somewhere within your home.
      When I sent a recent debit card horror story to a financially secure relative, I got the response “We don’t have debit cards.” Now there is an idea.

  13. Victor Sheymov

    Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to include some characters requiring the shift key.
    This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and that makes our individual passwords irrelevant.
    These “change-your-password-for-a-better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.
    Furthermore, victims are majorly misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal in cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.
    And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.
    So a hack is forever.

  14. Johnny P

    The Home Depot card itself is different from this hack. They have been doing that for years: as a customer service, a card holder can enter their SS# at the POS. If someone gets your SS#, they can just make a DL with your name on it and buy whatever they want. You can turn that feature off though, for added security.

    1. windbourne

      You are also required to have the Drivers License that is on-file. If not, no go.

  15. Curious Individual

    I had the impression that fraudulent transactions had not started showing up from this compromise yet (as of this morning) and the individuals/banks that identified this did so by purchasing cards directly from the card shops… Can anyone confirm or deny this?

    1. JacobGivens

      If they’re for sale, it means many have been sold, and likely used. With so many recent national breaches, it has mostly been cards used at Jimmy John’s, then the various Supervalu, and most recently DQ locations that have had fraud. I’m sure that this has started to some degree though as well…

      Often times it takes months, even well over a year before they get around to creating counterfeit cards. Eventually… They end up hitting almost all of them though.

  16. windbourne

    Come on, this must be the HVAC guy, just like target. After all, so many of you declared it that way.

    There is absolutely NO CHANCE that this could have anything to do with the fact that ALL OF THESE COMPANIES HAVE 2 THINGS IN COMMON:
    1) they run Windows.
    2) they are using admin or coders from India, where they make less than $10K / year, which makes it trivial to bribe them.

  17. Pike

    This might be an ignorant question, but why do these retailers need to store people’s credit card information in the first place? Isn’t it enough to use the information to process the transaction, then delete the card info? Whatever purpose there is behind keeping it, is it worth the risk?

    1. Jim

      They aren’t allowed to store the information per PCI standards. It passes from the card swipe device, to the point-of-sale machine, to Home Depot’s internal servers and then off to their payment processor.

      What’s most likely happening is, just like with Target, thieves are capturing the card data as it moves through the point-of-sale machine. Because the point-of-sale machine is ‘passing’ the data along, it has to write the data to RAM, which is the machine’s temporary memory. That’s how most point-of-sale malware works, and why they’re called RAM scrapers.
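The RAM-scraper description above, and Northern Sense’s earlier point that the service code in the track data tells you whether the card carries a chip, can both be shown with one scanner. The following is an added example, not code from the post or from any of the malware families named in it: it sweeps a constructed memory buffer (the sample bytes, the names and the layout are assumptions made for the demo; the PANs are the public Visa and Mastercard test numbers) for ISO 7813 Track 1 and Track 2 records, discards Luhn-invalid digit runs, masks the PAN and decodes the service code. The same pattern matching is what a scraper uses to pick card data out of process memory, and what a defender can run over a memory image or a POS process dump to confirm that cleartext track data is present at all.

```python
import re

# Constructed sample of what a POS process's memory might hold (hypothetical):
# binary noise, an HTTP fragment, two magstripe-format records and one record
# with a bad Luhn check digit. The PANs are the public Visa/Mastercard test
# numbers 4111111111111111 and 5555555555554444, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x17GET /pos/heartbeat HTTP/1.1\r\n\x00\x00"
    b";4111111111111111=25121011234567890?\x00\xff"
    b"junk 1234567890123 not a card\x00"
    b"%B5555555555554444^DOE/JANE^2512201000000000000?\x00"
    b";4111111111111112=25121011234567890?"
)

# Track 2: ;PAN=YYMM SSS discretionary?
# Track 1: %B PAN ^ NAME ^ YYMM SSS discretionary?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; filters most random digit runs in memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def service_code_info(sc: str) -> dict:
    """Decode the three-digit service code: digit 1 = interchange/chip,
    digit 3 = PIN requirement (only the common values are decoded here)."""
    return {
        "chip": sc[0] in "26",          # 2 or 6: an IC (chip) is present
        "international": sc[0] in "12",
        "pin_required": sc[2] in "035",
    }


def scan_buffer(buf: bytes) -> list:
    """Return plausible card records found in buf, ordered by offset."""
    raw = []
    for m in TRACK2_RE.finditer(buf):
        raw.append((m.start(), 2, m.group(1), None, m.group(2), m.group(3), m.group(4)))
    for m in TRACK1_RE.finditer(buf):
        raw.append((m.start(), 1, m.group(1), m.group(2), m.group(3), m.group(4), m.group(5)))
    hits = []
    for off, track, pan, name, yy, mm, sc in sorted(raw, key=lambda h: h[0]):
        pan, sc = pan.decode(), sc.decode()
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue  # regex noise or a fabricated number, not a card
        hits.append({
            "offset": off,
            "track": track,
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "name": name.decode() if name else None,
            "expiry": f"{mm.decode()}/{yy.decode()}",
            "service_code": sc,
            **service_code_info(sc),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Run against the sample it reports two records: a Track 2 record with service code 101 (magstripe only) and a Track 1 record with service code 201 (chip present), and drops the third record because its check digit is wrong. On a real dump, point it at the output of a process memory capture rather than a constant; anything it finds in cleartext is exactly what a scraper would have exfiltrated.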

    2. John

      I heartily agree. I would rather reswipe my card on a return, or re-enter it for online transactions than have ANY company “store” my info.

      At least delete it after the return window expires at a minimum(!) because after that NO ONE needs it – except HACKERS!

    3. Jonathan E. Jaffe

      Try an even stranger point of view – why does the merchant need the actual confidential consumer credential at all? If the merchant gets paid and the consumer gets billed who cares what is used? As long as the consumer is authenticated to the provider, who cares?

      What merchants don’t have crooks can’t steal.

  18. Mike

    Yet again? Home Depot is the worst, I shop there so frequently that searching fraudulent charges is going to take a while.

    The real kicker is that these hacks have hit so frequently that as other commenters have pointed out, it’s all out there. I’ve started getting the IRS scam phone calls now… pretty sure there’s an amount of spear phishing there to complete a fullz and really make life miserable. Time for putting blocks on new credit activity.

  19. Danno

    So the big corporate account customer base should bring in a nice price, different clientele from Target 😉

    1. ffortino

      First let me state that the credit card data was not stolen from individual credit transactions at the stores. It was hacked from their servers. The in store security is good enough to stop anyone trying to get PIN numbers from cash register communications or sales. Hackers go after large amounts of data, so they hack into database data. Target changed their POS credit terminals, but their problem was from their data security in their home office. So stop trying to say that EMV Chip and Pin would have made any difference stopping the data from being stolen.

      1. Christoph

        However, the EMV data would have been useless, as you can’t resell it to create counterfeit cards.

      2. Garret Jax

        What are you basing your assessment on that it was hacked from their servers?

      3. icknay

        The reason EMV is not subject to this sort of attack is that the important piece of data remains on the chip in the card and is *not* sent up to the POS or server or whatever for processing. Instead, the chip sends up one-use token that is mostly, though not completely, useless for criminals.

        1. Jonathan E. Jaffe

          Ummm, one-use token or not, EMV has its own weaknesses exposed by Professor Anderson and his team at University of Cambridge as far back as 2008. Here are some links. Watch the BBC video.

          February 2008 University of Cambridge Technical Report 711
          http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf

          February 2010
          http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html
          http://news.bbc.co.uk/2/hi/science/nature/8511710.stm

          September 2012
          University of Cambridge, Cloning EMV cards with the Pre-Play attack
          http://www.cl.cam.ac.uk/~rja14/Papers/unattack.pdf

          Excellent BBC summary with video on the above report
          http://www.bbc.co.uk/news/technology-19559124
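icknay’s point (the chip produces a one-use cryptogram, so captured authorisation data cannot be replayed or turned into a counterfeit card) and Jaffe’s counterpoint (the Cambridge pre-play attack) can be seen together in one simplified model. This is an added example, not code from the post or from the Cambridge papers, and not the real EMV algorithm: HMAC-SHA256 stands in for the 3DES/AES key derivation and CBC-MAC that EMV specifies, the message fields, key and PAN are constructed, and the weak terminal’s counter-based “unpredictable number” is a stand-in for the predictable generators the 2012 paper found in deployed terminals.

```python
import hashlib
import hmac
import os

# Constructed values for the demo only: a toy issuer master key and the public
# Visa test PAN. Real EMV derives card keys with 3DES/AES and computes the
# cryptogram with a CBC-MAC; HMAC-SHA256 stands in for both here.
ISSUER_MASTER_KEY = bytes(range(16))
PAN = "4111111111111111"
AMOUNT = 2599  # minor units


def derive_card_key(pan: str) -> bytes:
    """Per-card key the issuer can recompute and the chip holds; never in track data."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()[:16]


def cryptogram(key: bytes, pan: str, amount: int, atc: int, un: bytes) -> bytes:
    """MAC over amount, transaction counter (ATC) and the terminal's unpredictable
    number (UN), so the value is bound to one transaction at one terminal."""
    data = f"{pan}|{amount}|{atc}|".encode() + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Chip:
    """Genuine card: keeps the key inside and bumps the ATC on every cryptogram."""

    def __init__(self, pan: str):
        self.pan, self._key, self.atc = pan, derive_card_key(pan), 0

    def generate_ac(self, amount: int, un: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "un": un,
                "arqc": cryptogram(self._key, self.pan, amount, self.atc, un)}


class ClonedChip:
    """Attacker's card: no key, only responses harvested from the real card in
    advance, indexed by (amount, UN). Anything else gets a junk cryptogram."""

    def __init__(self, pan: str, harvested: dict):
        self.pan, self.harvested = pan, harvested

    def generate_ac(self, amount: int, un: bytes) -> dict:
        return self.harvested.get((amount, un)) or {
            "pan": self.pan, "amount": amount, "atc": 0, "un": un, "arqc": bytes(8)}


class Issuer:
    def __init__(self):
        self.last_atc = {}

    def authorise(self, msg: dict) -> str:
        key = derive_card_key(msg["pan"])
        expected = cryptogram(key, msg["pan"], msg["amount"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return "DECLINE cryptogram"
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return "DECLINE atc replay"
        self.last_atc[msg["pan"]] = msg["atc"]
        return "APPROVE"


class Terminal:
    def __init__(self, issuer: Issuer, un_source):
        self.issuer, self.un_source, self.last_msg = issuer, un_source, None

    def transact(self, chip, amount: int) -> str:
        self.last_msg = chip.generate_ac(amount, self.un_source())
        return self.issuer.authorise(self.last_msg)


def counter_un(start: int):
    """Weak UN generator standing in for the predictable ones the Cambridge
    pre-play paper found: an attacker who knows the design can guess the next value."""
    state = [start]

    def nxt() -> bytes:
        state[0] += 1
        return state[0].to_bytes(4, "big")
    return nxt


def scenario() -> dict:
    issuer, card, r = Issuer(), Chip(PAN), {}
    good = Terminal(issuer, lambda: os.urandom(4))   # properly random UN
    weak = Terminal(issuer, counter_un(100))         # predictable UN

    r["genuine"] = good.transact(card, AMOUNT)
    r["replay"] = issuer.authorise(good.last_msg)    # same message, same ATC again
    r["scraped_pan"] = issuer.authorise({"pan": PAN, "amount": AMOUNT, "atc": 9,
                                         "un": os.urandom(4), "arqc": bytes(8)})

    # Pre-play: a rogue reader that briefly held the real card asks it for a
    # cryptogram against the UN the weak terminal will use next (101).
    predicted_un = (101).to_bytes(4, "big")
    harvested = {(AMOUNT, predicted_un): card.generate_ac(AMOUNT, predicted_un)}
    clone = ClonedChip(PAN, harvested)
    r["preplay_weak_terminal"] = weak.transact(clone, AMOUNT)
    r["preplay_random_terminal"] = good.transact(clone, AMOUNT)
    return r


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:24s} {result}")
```

The first three results are the case icknay describes: a genuine transaction is approved, a verbatim replay is declined on the transaction counter, and a message built from a scraped PAN is declined because nothing in the track data lets the attacker compute the cryptogram. The last two are Jaffe’s point: a cryptogram harvested against a predicted UN is indistinguishable from a genuine one at the terminal whose UN was predicted, and only fails at a terminal that actually generates its UN at random. The defences the Cambridge work argues for are visible in the model: a terminal UN that is genuinely unpredictable, and issuer-side checks for ATC gaps and for cryptograms that arrive long after the card would have generated them.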

  20. mags

    Not sure if others commented on this, but HD’s point of sale software associates an email address with a credit card number and asks if you’d like an email receipt at the time of purchase. Convenient for returns? Yes. Convenient for fraudsters? Absolutely.

    This may well be worse than the Target breach once the dust settles – primarily due to the email/cc link.

  21. Phillip Wren

    Earlier comments refer to fraud liability shift moving to the consumer or the retailer. This statement is not accurate. EMV, who manage all credit cards globally have mandated chip & pin cards must be in place by October 2015. If not, then the fraud liability shifts. What this means is that if your card is compromised and your bank hasn’t given you a chip card, the bank pays. If you have a chip card and the retailer doesn’t have a chip reader, the retailer pays.

    There is a bigger issue here. The chip cards must also be contactless compliant, so you can “tap & pay” to speed up queues at the register. A contactless card can be read with a cell phone or pocket scanner from a distance. Think of it as an EZ Pass for credit cards. Consumers need to protect their cards with a contactless card shield, which large stores such as home depot should provide. You can read much more about this issue at http://www.idcardguard-us.com

    1. Christoph

      EMVco, who I assume you refer to, don’t make any mandates at all when a market should move to EMV and whether they should support PIN or signature as CVM.

      Market migration and liability shifts are a matter for the schemes. EMVco who writes the technical standards has nothing to do with that.

      And just the US of A as the international laggard has till October 2015, the rest of the world has moved or is nearing completion.

      1. Phillip Wren

        EMVco is the consortium of major credit card providers and collectively they have mandated the change and yes, primarily to make the USA catch up to the rest of the world!

        The USA has 25% of the global credit cards and yet 47% of the global credit card fraud happens here in the USA. The elephant in the room is the contactless payment system. ALL contactless cards operate off the same radio frequency, so at a payment or transit terminal you can pay with the wrong card without knowing it. (known as card clash)

        In Chicago for example, since July 1, you can only pay with a contactless credit/debit card OR a contactless Ventra transit card. If you have a transit card AND a contactless card in your wallet the entry/exit terminal will take the payment from the 1st card it “sees” via the RFID terminal. When the CTA installed this system in 2013 they had over 1,000 complaints in one day of bank cards being charged instead of the transit card.

        A few bucks on a contactless card shield protects you and much cheaper than an RFID wallet.

        watch http://bit.ly/CardSkim to see how easy it is to steal your card data.

        1. Christoph

          You can try to sell your RFID shield through the comments all you want, as long as Brian tolerates it.

          That doesn’t change the fact that EMVco does not make liability shift rules. Otherwise, why would different regions and card schemes have differing timelines? Because the schemes/regions set the business rules.

          1. Phillip Wren

            The only mandate is that Visa, MasterCard, American Express, and Discover expect processors and networks to certify by April 2013 that they can handle EMV data in online transactions, in compliance with their network specifications. No one is forced to comply with the liability shifts; however, all stakeholders must be aware of the potential consequences for non-compliance, as the liability for counterfeit fraud shifts to the non-EMV-compliant party.

            A full explanation can be found at: http://www.emv411.com/2013/03/08/waivers-mandates-liability-shifts-my/

        2. Brad

          As a bank employee, I don’t want anything to do with contactless “RFID” cards for myself or my customers. Near Field Technology would be fine – worked with that before.

          RFID for consumer payments is junk – too easy to steal.
          I saw that EMV has specifications for contactless, but would have to see more info on it before we implement it.

    2. Malachi

      The article you point out refers only to the US to encourage a quicker adoption of EMV Compliance. For the countries that have been compliant for a while, the liability is on the customer and not the merchant, if a chip and pin card is in play, otherwise liability is on the least EMV compliant.

      1. Malachi

        I meant to say if both the customer and merchant are EMV compliant the liability lies with the customer.

  22. tom

    BITCOIN, BITCOIN,BITCOIN

    We need to change how we do things and Bitcoin is the answer to these issues…

    1. David in Toronto

      BITCOIN in its CURRENT form is not the answer.

      It has technical problems and there are big acceptance problems (legality in many jurisdictions).

      Ross et al at Cambridge did a paper on its problems. (Nice to know he picks on everyone equally.)

    2. Brad

      Bitcoin is a nice alternative –
      However, not sure if it is covered under Regulation E – which protects consumers against unauthorized transactions. Don’t think it is. And if you do, how are you going to put it on a card for your day-to-day transactions? Do you think every mom and pop is going to pony up for a smart device that can then be hacked? Probably not.
      Definitely not ready for mainstream yet if the mom and pop can’t even secure their business PC or smart device.

  23. George G

    After reading all of this I am still not sure:
    Is HD still compromised, or did they plug the leak?

    Of course the spokesperson did not say anything about this, but what is the likelihood that it has been plugged?

    1. timeless

      Personally, I’d assume it’s still compromised until a week after an announcement to the contrary.

      Consider how a classic computer virus works:

      1. It runs on your computer
      2. It opens another file on your computer and infects it
      3. It repeats 2.
      4. You turn off your computer
      5. You turn it on
      6. When you run an infected program, the virus is running again.

      If you insert a step between 4 and 5 where you only delete the virus from one of your infected programs, then when you reach 6, you’re still no better than before.

      With “simple” software, you could have a signature from the author to verify “yes, I wrote this software”. Microsoft signs most of its software, Google and Mozilla sign most of their software, Adobe signs most of their software. So, validating those programs is “relatively easy”. (I’m hand waving about boot sector / bios viruses)

      Companies, unfortunately, tend to write their own “custom software”. If they bother to sign their in-house software, they probably have their signing keys somewhere on their network. If they’re unlucky, and their adversary bothers to, the adversary could sign the malware with the company’s own keys.

      On the other hand, most companies probably don’t sign their software at all. Which means that they sort of have to go back and rebuild / reverify everything. (Imagine trying to clean termites out of a house?)

      And that only works if you’ve found the way the bad guys got in in the first place.
      If you haven’t closed the initial hole, then even if you do clean things up, nothing prevents them from getting back in.

      So, … I wouldn’t trust an impacted vendor until a week after they claim they’ve “Fixed” their problem.

      Now, what does not trusting mean? I personally don’t like carrying cash… If you’ve already used your card at an impacted vendor, I’d personally continue using the same card at that vendor until it’s replaced. You can only get a given “infection” once. So consider it a form of “immunity”. Sure, your bank won’t be happy since they’ll have to think about each transaction, but that’s what they earn money off your transactions to do :).

      It also doesn’t mean you should assume some other vendor isn’t impacted. Just because you haven’t read about them here yet, doesn’t mean they won’t be on krebsonsecurity.com tomorrow. You could consider picking vendors who have recently been impacted and investigated and “Fixed”. Ideally the scrutiny they’ve been forced to accept means they’re slightly safer than the average vendor.

      But, most importantly: NEVER use a Debit Card at anything other than your own bank’s ATM.

      A debit card does *not* have the consumer protections provided by credit cards. And generally it has much more capabilities.
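      The “rebuild / reverify everything” step above, as an added example that is not part of the commenter’s post: every in-house binary is hashed and compared against a manifest that was signed before the intrusion, so modified, missing and newly dropped files all show up. The sample files, the “infection” and the key are constructed for the demo; HMAC-SHA256 stands in for a real detached signature (Ed25519, Authenticode), and the assumption that makes the check worth anything is that the signing key is held off the network being checked, for exactly the reason the comment gives.

```python
"""Re-verify a fleet's in-house binaries against a pre-intrusion signed manifest.

Added example, not code from the page or its commenters. Sample files,
the simulated infection and the key are constructed inline; HMAC-SHA256
is a stand-in for a real detached signature. Assumption: the key lives
OFF the network being audited, otherwise an intruder can re-sign.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialize deterministically and tag it; returns (body, tag)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_manifest(body, tag, key):
    """Refuse to use a manifest whose tag does not verify (constant-time compare)."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest signature does not verify; do not trust it")
    return json.loads(body)


def audit(root, manifest):
    """Compare the live tree with the trusted manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build, sign, 'infect', then audit a constructed POS install tree."""
    key = b"offline-signing-key-example"  # assumption: held off the audited network
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pos"))
        with open(os.path.join(root, "pos", "register.bin"), "wb") as f:
            f.write(b"\x7fELF constructed register binary")
        with open(os.path.join(root, "pos", "payment.dll"), "wb") as f:
            f.write(b"MZ constructed payment library")
        body, tag = sign_manifest(build_manifest(root), key)  # signed BEFORE the intrusion

        # Simulated compromise: one binary patched in place, one new file dropped.
        with open(os.path.join(root, "pos", "register.bin"), "ab") as f:
            f.write(b"<constructed injected scraper>")
        with open(os.path.join(root, "pos", "dropper.exe"), "wb") as f:
            f.write(b"MZ constructed dropper")

        # An attacker who edits the manifest without the key must be rejected.
        tampered = body.replace(b"register.bin", b"register.bon")
        try:
            verify_manifest(tampered, tag, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

        report = audit(root, verify_manifest(body, tag, key))
        report["tampered_manifest_rejected"] = tamper_detected
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the audit is the “added” list as much as the “modified” one: a clean copy of every known binary proves nothing if a dropper is sitting next to them, and, as the comment says, none of this helps if the initial entry point is still open.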

  24. Phillip Wren

    This 2 min 30 second video shows contactless chip cards being skimmed in a coffee shop & on the street: http://bit.ly/CardSkim

    Protect your cards – It’s estimated there will be at least one chip card per household by the end of the year.

    1. David in Toronto

      @Phil,

      Just to be clear there are two different types of chips: EMV and RFID which have very different risks.

      EMV – the big one the size of a fingerprint that does the insert/dip contact transactions. Needs PIN (or signature in the states).

      RFID – a very small one that handles contactless transactions. No signature or PIN and it’s passively powered by the merchant’s (or thief’s) receiving antenna. This is the one you’re worried about.

  25. Jeff

    Do we know if the Home Depot registers are still using Windows XP? I was in a local store in late March and saw XP still in use, while support ended in April.

  26. Jenna

    I shop at home depot several times a week, and just a few days ago I had several unauthorized charges to my debit card. Obviously I canceled it, but this explains it. Ugh.

    1. Paul

      Probably because it likely wasn’t XP. XP Embedded is supported until January of 2016, and POS Ready 2009 (Basically XPE) is supported until April of 2019. So you will see it on POS terminals for a bit yet.

  27. JimR

    I’m not a fan of government micromanaging the private sector, but the US needs an IT security version of SOX, and corporate executives that don’t do due diligence and due care should face jail time.

    1. Brad

      Actually, the government is well into micromanaging banks. Not so much on the credit unions. Smaller banks are being crushed under the barrage of new regulations that do nothing to protect your accounts.

      Recognize where the breaches are occurring that affect consumers – merchants – time and time again.

      And it’s the banks that get to foot the bill in all of these breaches. Our reimbursement from the TJMaxx breach was like 7 cents on the dollar.

  28. George M

    Anyone here know someone who has UK fullz or from forum l33t?
