September 18, 2014

The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise.

A self-checkout lane at a Home Depot in N. Virginia.

Since news of the Home Depot breach first broke on Sept. 2, this publication has been in constant contact with multiple financial institutions that are closely monitoring daily alerts from Visa and MasterCard for reports about new batches of accounts that the card associations believe were compromised in the break-in. Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards.

But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.

Sources now tell KrebsOnSecurity that in a conference call with financial institutions today, officials at MasterCard shared several updates from the ongoing forensic investigation into the breach at the nationwide home improvement store chain. The card brand reportedly told banks that at this time it is believed that only self-checkout terminals were impacted in the breach, but stressed that the investigation is far from complete.

MasterCard also reportedly relayed that the investigation to date found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.

Officials at MasterCard declined to comment. Home Depot spokeswoman Paula Drake also declined to comment, except to say that, “Our investigation is continuing, and unfortunately we’re not going to comment on other reports right now.”

85 thoughts on “In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes”

  1. John

    If you are able to plant malware within the network it really does not matter what OS is on the POS terminals.

  2. peter

    Brian, a question, not a comment, albeit a naive one.

    I’ve been a frequent user of the HD self-checkout line during the time in question. I have a “chip & sign” card from Chase. Am I right in thinking that the chip helps in absolutely no way to safeguard the account information sucked off the magnetic stripe? Further, is it true that the chip will not help until the vendor’s readers are glomming on to the chip info rather than the stripe info (at some future time)?


    1. Anthony

      My understanding of card/EMV tech (limited as it is), is that a card has three CVV/CSV codes to try and validate card present and card not present transactions.

      There’s the one printed on the back of the card (front for AMEX), mostly used for card not present transactions (such as telephone and internet orders). This is not stored on the card electronically and is unchanging.

      There’s the one on the magstripe – this doesn’t change, and can be skimmed electronically.

      Then there’s the one on the chip which can be read via NFC or contact with the chip, but it changes each time it’s read. Banks then have the option of rejecting or flagging transactions where authorisations are attempted using the CVVs obtained from the chip out of order (e.g. if someone polled the card multiple times for CVVs, but then you went and used the card later on for another transaction, the CVVs pulled before that final transaction could be flagged if used out of sequence).

      Retailers also have a choice about the way their payment systems work. Some setups involve the PIN pad having independent encryption between itself and the bank, such that, outside of the PIN pad, the POS equipment never receives the full card number – in some cases, the PIN pad is leased by the bank to the retailer.

      On the other hand, for “drop in” compatibility with existing legacy systems, some POS equipment will simply dump the card data into the POS software. Even in this latter case, however, the CVV code will be unique.

      Bottom line though, to speak directly to your question, even if your card has a chip, if the magstripe’s been read, the data from it can be cloned onto another card and used in other magstripe transactions. This puts the onus on retailers in areas where EMV hasn’t been rolled out.

      Australia (where I live) is on the tail end of an enforced “Chip and PIN” rollout and so apparently skimmed card data from here is often now exported.

      (Someone please correct me if I’m wrong)
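
The sequence check this comment describes, as an added example that is not part of the original comment or the article: a toy issuer flags per-read codes that arrive after a later transaction has already been seen, while a static magstripe code validates on every replay. The HMAC derivation, the counter, the sample key and code, and all class and function names are assumptions made for illustration, not the EMV algorithm.

```python
import hashlib
import hmac


def dynamic_code(card_key: bytes, counter: int) -> str:
    """Per-read 3-digit code (HMAC stand-in, NOT the EMV algorithm)."""
    mac = hmac.new(card_key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


class Issuer:
    """Hypothetical issuer-side validator for one card."""

    def __init__(self, card_key: bytes, stripe_code: str):
        self.card_key = card_key
        self.stripe_code = stripe_code   # static code stored on the magstripe
        self.highest_counter = 0         # highest chip counter authorised so far

    def authorise_stripe(self, code: str) -> str:
        # A static code cannot distinguish the original swipe from a clone.
        return "APPROVE" if hmac.compare_digest(code, self.stripe_code) else "DECLINE"

    def authorise_chip(self, counter: int, code: str) -> str:
        if not hmac.compare_digest(code, dynamic_code(self.card_key, counter)):
            return "DECLINE"
        if counter <= self.highest_counter:
            return "FLAG_OUT_OF_SEQUENCE"   # valid code, but older than one already seen
        self.highest_counter = counter
        return "APPROVE"


def run_scenario() -> dict:
    key = b"constructed-demo-key"            # constructed sample key
    issuer = Issuer(key, stripe_code="123")  # constructed sample stripe code
    # Codes captured when the card was polled three times (counters 1..3).
    captured = [(n, dynamic_code(key, n)) for n in (1, 2, 3)]
    # The cardholder's own later transaction uses counter 4.
    genuine = issuer.authorise_chip(4, dynamic_code(key, 4))
    return {
        "genuine": genuine,
        "captured_used_late": [issuer.authorise_chip(n, c) for n, c in captured],
        "stripe_replays": [issuer.authorise_stripe("123") for _ in range(3)],
    }


if __name__ == "__main__":
    print(run_scenario())
```
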

    2. Ken

      Are you inserting the card in the EMV slot or swiping it in the MSR (mag stripe reader)? If you’re swiping, the chip is irrelevant to the transaction and you are correct, the chip offers no protection. Once retailers switch to EMV (chip) and card holders start inserting their cards for processing as EMV, you’ll be better protected. Given HD’s troubles, and timing, I’m pretty sure they’re not processing via chip yet.

      1. peter

        Ah, depends on whether I am in Europe or the US of A. I have yet to see a chip-capable reader in the USA. Should I just wait (and wait) for Apple Pay?
        (behind the paywall i expect:

        1. Ken

          Merchants are deploying EMV _capable_ pinpads quite rapidly right now, although the only retailer I know of that currently accepts EMV in the US is Walmart. Note there is a difference between having hardware and the software infrastructure being in place. There is a liability shift for merchants related to EMV on Oct 1, 2015. Not a mandate, but a strong recommendation. I expect you’ll see a lot of places accepting EMV at or around that date.

          1. Anthony

            One thing I noticed here in Australia is that a lot of merchants deployed EMV capable devices well in advance of their use, but then when EMV was actually introduced, a lot of them were replaced again, anyway 🙂

    3. David Luesley

      Depends on the transport mechanism. If all the transaction data is encrypted during the swipe in the payment terminal and transported for authorization, then none of your personal data is stored in clear text and thus not available. Is this the architecture all POS stations use? No.
