September 18, 2014

The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding could mean thieves stole far fewer cards during the almost five-month breach than they might have otherwise.

A self-checkout lane at a Home Depot in N. Virginia.

A self-checkout lane at a Home Depot in N. Virginia.

Since news of the Home Depot breach first broke on Sept. 2, this publication has been in constant contact with multiple financial institutions that are closely monitoring daily alerts from Visa and MasterCard for reports about new batches of accounts that the card associations believe were compromised in the break-in. Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards.

But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.

Sources now tell KrebsOnSecurity that in a conference call with financial institutions today, officials at MasterCard shared several updates from the ongoing forensic investigation into the breach at the nationwide home improvement store chain. The card brand reportedly told banks that at this time it is believed that only self-checkout terminals were impacted in the breach, but stressed that the investigation is far from complete.

MasterCard also reportedly relayed that the investigation to date found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.

Officials at MasterCard declined to comment. Home Depot spokeswoman Paula Drake also declined to comment, except to say that, “Our investigation is continuing, and unfortunately we’re not going to comment on other reports right now.”


85 thoughts on “In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

  1. JC

    Hi Brian,

    I guess these self-checkout machines are more complex than traditional POS systems. Are there any clue this was a reason they were targeted?

    1. TravisE

      Just a hunch, but the self checkout systems are by far more GUI and user friendly if memory serves, possibly running a different OS. Pure speculation on my part however. 🙂

      1. Peter

        Even if true, which I don’t know, it is still 100% unrelated as these devices aren’t connect to the internet. So the malware came through their trusted intranet.

        And also likely they don’t run XP at all, but XP Embedded which is still supported by Microsoft.

        1. Donn Bly

          I can confirm that the systems ran XP. I noticed it several months ago when I was checking out and the system next to mine had crashed and was rebooting – the splash screen said XP Pro.

      2. Steve

        Poorly segmented networks and poor / shared remote access passwords are a much bigger factor here than using Windows XP.

  2. Regret

    Brian – I’m only a curious observers, but do you have any speculation on why self checkout terminals would be more susceptible to data thieves? I could see how individual terminals might be a target (pun intended) for card skimmers, but unless Home Depot uses a completely different vendor for the self checkout terminals than their normal POS terminals, I’d think the software and security would be standardized for all terminals.

    1. A Guy

      I would imagine it’s that the attacker would have access to the device unsupervised. It seems most likely to me that a skimmer (or a lot) may be the culprit. Assuming, though, that it was indeed strictly malware, it would still have been much easier to exploit/upload thanks to the fact that the attacker would be (mostly) unobserved.

    2. Mike

      From my experience shopping there, the GUI is different b/w the self-checkout and regular cashier-POS terminals, so my guess is different systems or different configs by whoever they outsourced the cfg/install to. Might be another reason to put a provision in any 3rd-party contract regarding security & responsibility for insecurity!

    3. DB Cooper

      The reason self checkout was targeted was because the main POS system is a more complicated system to crack, self check-out is a canned solution. Their main POS system runs mainframe middleware emulation among other things and has the ability to pull up custom orders made in other departments of the store so that customer can pay for those items during regular checkout. The self-checkout system has none of that highly customized functionality, self-checkout is a canned solution easier to crack, more is known about it outside of HomeDepot than their homegrown primary POS system. Same system Lowes uses in a big-picture view.

    4. DJL

      They likely receive much less scrutiny that the human POS stations. Assumption that the automated POS terminals are much less likely to make mistakes or be “misused”.

  3. Matt

    Regret & JC – It is probably not the case that the Self Service checkout terminals are more susceptible, but more the case that is what was targeted. They are different than the cashier terminals, and from the criminal’s perspective, there is greater volume, thus more opportunity in the Self Service lanes.

  4. Cosmic

    The image of the HD self-checkout station, indicates that it accepts PayPal in addition to the regular card brands. Is that a PP debit card, or a direct transaction to a PP account balance ?

    1. blah

      Direct link to PP acct. Also the ped devices at each regular check out at home depot accept PP

    1. Bob

      Yes, but for several years I don’t think I’ve ever seen more than two of them open at one time.

      1. Wzrd1

        I’ve found more than two open at a time during busy periods, but off of peak business, they’re pretty much a two register store.
        Personally, I prefer dealing with a human cashier.

  5. blah

    They’re using a third party, cheap software called Fujitsu, the actual hardware is NCR but they wouldn’t purchase the secure software

    1. Patti

      So the ultimate cause of this breach is capitalism itself, then, i.e., the profit motive. Did they really think it would bankrupt the company to be secure? Or did they just not care, or not bother to know?

      What did Microsoft do to millions and millions of dollars of installed hardware and software by abandoning WinXP? (Yes, they gave warning, but see above questions.) Is Microsoft going to bankrupt itself if it doesn’t drop support for XP? Maybe it just doesn’t care about the massive installed base and financial ramifications (and near financial impossibility) of a system-wide changeout?

  6. Tom Seaview

    I’m pretty sure we just got hit from the Home Depot hack: a company in Seattle had a pre-authorization on our account for over $2000. Of course, Chase killed the charge and is sending us a replacement.
    However, we live in Delaware and shop at aqn Acme, so maybe I’m too quick to blame Home Depot…

  7. Jack

    The Home Depot’s own PR today after market didn’t say anything about the self-checkout lane POS.

  8. Jack

    My last comment was deleted. Why? Why there’s no self-checkout lane comments in Home Depot’s own PR?

    1. Jack

      Forget it. It took a while for the comment to show up. Anyway, it’s odd that THD’s PR has no mentioning of terminals in self-checkout lanes.

  9. chrissie

    I just got a new card after the Home Depot scam. I was outta a town for a few days and when I get home I find that my old card got hacked a second time from a Dollar General store and they wiped out my account. I do use the self check out sometimes but I feel that I will be going back to the cash only standard.

    1. John Henry

      Yeah, I just got hit as well. Going to be using a lot more cash from now on.

      1. JATny

        So far, no problems for me. I moved this summer and used Home Depot a few times during the breach period. Neve use self-serves though, I hate the little buggers. I also set up phone alerts for any purchase or use over $200, which most of my purchases are under anyway what’s a few extra text messages, eh?

    2. Chickenhawk

      Hadn’t heard Dollar Stores had experienced breaches as well.

      1. FI Employee

        Chickenhawk,

        I believe Chrissie means that she had counterfeit card transactions at Dollar General. That doesn’t mean that Dollar General experienced a breach. The information is stolen at the site of the breach (called a CPP–for Common Point of Purchase or a CPC–for Common Point of Compromise.) Then the fraudster uses the card someplace else for electronics, gift cards, or something else that he/she can turn around and sell.

        1. Team CU

          We have seen a lot of fraud transactions take place at Meijers stores on an unnamed breach. Although we are pretty sure where those are coming from we can’t disclose since the business hasn’t. We have seen Dollar General and Walmart transactions (locally) on the Home Depot breached cards. That is when we decided to just shut down all of the Home Depot breached cards. It’s a shame these businesses aren’t required to disclose a breach immediately. In the meantime, the financial institutions have to spend excessive time and resources to try to figure it out and create our own lists to keep an eye on. I would think that the longer it takes for businesses to disclose the more valuable these cards are on the black market.

      1. patti

        Good point – but it isn’t the cash, but the bank account, which is at risk. Who in their right mind would carry $2000 in their pocket? But that’s just a *tiny* credit card…

        I’ve been taking online classes in computer security and crypto. The bad guys are all moving to *circumventing* crypto (POS attacks, etc.). So, the only way to avoid being targeted is not stronger crypto, but just not using the vapormoney system.

  10. Bob Parks

    NBC is reporting that Home Depot said “56 million cards had been put at risk.”

  11. Michelle

    I learned yesterday my MC was compromised. I suspect Home Depot, but how I can confirm that, I dont know. I shop online with Amazon.com, amazon.ca, Paypal, Walmart.. and very few other places. I only go to my bank to withdrawl money.

    I’m so glad I decided to check my MC account though, and saw some $0.00 charges under “Pending transactions” from futureshop and called my bank right away.

    The only way I found out what happened, was calling Futureshop who said someone tried a $1400+ purchase on my MC but it was denied.

    1. Jason

      Highly suggest you split up your transactions between multiple cards. Use something like BankAmerica’s ShopSafe CC number generator that lets you specify a limit and unique expiration for each CC (CitiBank’s version which does just the unique CC number generation) for all online purchases. Then never use that BofA/Citi card in person (don’t even carry it in your wallet), and only use your in-person CC for in-person charges, and never for online. Much easier to contain/spot breaches when you know that one CC will only have local/in-person charges and the other will only have online charges.

  12. Andy

    At my Home Depot, there are 4 self check outs that are always open and rarely more than two staffed checkouts.

  13. TheOreganoRouter.onion.it

    Funny, because I read that Home Depot was using a outdated version of a Enterprise Symantec Antivirus on their P.O.S. computers

    1. patti

      Apparently antivirus software is pretty useless on the new cyber black market. These guys form corporations which directly compete with McAfee, etc., and their tactics are always changing, whereas AV software techniques haven’t fundamentally changed in decades…

  14. peter

    When I tried yesterday, the terminal on the self-checkout did not have the chip-reader active. Present, but not working.

  15. Michael

    So I have a specific card that I use for ‘home’ stuff – like things I buy at The Home Depot. Today, I was alerted that my card has possible fraudulent charges on it – and sure enough, starting yesterday (a day after these numbers apparently went on the market) I had six different charges for things around the city that I didn’t buy equaling about $1K. Card closed. Coincidence?

    1. Adam

      I highly recommend the BlueBird card from AMEX. For one, it is completely free and includes free checks as well. A few things I like about it:

      1 – The checks are worthless until you pre-authorize them. They can’t be cashed unless the pre auth code is written on the actual check. Yeah, it may sound inconvenient, but that is the way it should be IMO.

      2 – Like I said, the card/account is completely free and is packed with tons of features. Direct deposit, sub-accounts, no ATM fees (use at any MoneyPass location [credit unions]).. the list goes on and on.

      So, just don’t keep a large balance in your main account and instantly move funds from a checking account if needed. Or, keep your money in a sub-account which you are unable to spend. Then, just move it over when you need to. If you lose your card and someone picks it up and tried to use it, it is next to worthless. Of course if something does happen, the card includes zero liability for fraud so you’re covered.

      1. Wzrd1

        One problem with that, Alan. Regulation D.
        That limits transfers from a savings account or money market account to six per month.
        So, in your version of purchasing, one would make only six purchases per month.
        Or one would have additional checking accounts, with each also having its debit card to keep track of.

        1. Adam

          The FED “limits” the # of times per billing period that you can transfer or make payments from a savings account to 6 per billing cycle. Most banks allow over 6 if you pay a fee.

          Anyhow, this is besides the point. You wouldn’t normally use savings as your payment/checking account anyways, so I am unsure as to how your point is even relevant.

          1. Wzrd1

            Adam, the limitation *is* Regulation D.
            One has a six transaction limit, no fee can overcome federal law. One can perform six transactions from a savings or money market account per month to checking.
            The only realistic way around that law is to have a second checking account, where transactions to and from it are not regulated.
            Something still leaving one with exposure, for every institution I’m aware of issues a debit/ATM card with such accounts, as well as paper checks.

            1. Adam

              Wzrd1,

              Wrong, as I can make as many withdrawals as I want from my Chase savings account as I want per month. If I go over 6, I am hit with a $5.00 fee per transaction.

              Anyhow, I was never talking about using a savings account. My point was to use Bluebird and only keep as much money in your master account as needed in order to stay safe. Plus, there are other ways to get money into your BB account aside from linking it to checking or debit. Never said anything about savings.

              1. Wzrd1

                Adam, if Chase classifies your account as savings and charges a fee for excess transactions covered under “Regulation D”, they are violating the law.
                12 CFR 204.133 – Multiple savings deposits treated as a transaction account.
                (b) Background. Under Regulation D, 12 CFR 204.2(d)(2), the term “savings deposit” includes a deposit or an account that meets the requirements of § 204.2(d)(1) and from which, under the terms of the deposit contract or by practice of the depository institution, the depositor is permitted or authorized to make up to six transfers or withdrawals per month or statement cycle of at least four weeks. The depository institution may authorize up to three of these six transfers to be made by check, draft, debit card, or similar order drawn by the depositor and payable to third parties. If more than six transfers (or more than three third party transfers by check, etc.) are permitted or authorized per month or statement cycle, the depository institution may not classify the account as a savings deposit. If the depositor, during the period, makes more than six transfers or withdrawals (or more than three third party transfers by check, etc.), the depository institution may, depending upon the facts and circumstances, be required by Regulation D (Footnote 5 at § 204.2(d)(2)) to reclassify or close the account.

                (c) Use of multiple savings deposits. Depository institutions have asked for guidance as to when a depositor may maintain more than one savings deposit and be permitted to make all the transfers or withdrawals authorized for savings deposits under Regulation D from each savings deposit. The Board has determined that, if a depository institution suggests or otherwise promotes the establishment of or operation of multiple savings accounts with transfer capabilities in order to permit transfers and withdrawals in excess of those permitted by Regulation D for an individual savings account, the accounts generally should be considered to be transaction accounts. This determination applies regardless of whether the deposits have entirely separate account numbers or are subsidiary accounts of a master deposit account. Multiple savings accounts, however, should not be considered to be transaction accounts if there is a legitimate purpose, other than increasing the number of transfers or withdrawals, for opening more than one savings deposit.

                So, what you are calling a savings account must be, per law, a transaction account.
                I have a regular savings account and was surprised when I redeployed home to find I couldn’t transfer funds to checking in a way I was accustomed to.
                Hence, I learned of the regulation and researched it.
                That code was copied from the statute on Cornell’s federal code pages.

                1. Adam

                  Wzrd1,

                  It’s a savings account.

                  I don’t know.. Maybe they have some way around it or an agreement with the FED. All I know is that it is a savings account. Certainly, Chase would never break the law 🙂

                  See here: https://www.chase.com/content/chasecom/en/savings/mobile/savings-account-n_fl.touch.html

                  5 Withdrawal Limits and Fees
                  Chase SavingsSM Withdrawal Limits and Fees
                  You receive the first six withdrawal or transfers out of this account per monthly statement period at no charge.
                  A $5 Savings Withdrawal Limit Fee applies for each withdrawal or transfer out in excess of six, including withdrawals in person, at a branch and at an ATM.
                  Other transaction fees may apply.

                  1. nov

                    In addition to the limit explanation, the Chase Deposit Account Agreement and other bank agreements I’ve seen–Section B, item 14, document page 7– “… We [Chase] are required by law to ensure that you comply with this limit. If you exceed this limit after we’ve notified you of a violation, we will change your account to one we choose that doesn’t limit withdrawals…” https://www.chase.com/content/dam/chasecom/en/checking/documents/deposit_account_agreement.pdf (a link off the page Adam provided)

                    1. nov

                      @ Adam (and Wzrd1)

                      In Regulation D terminology, “the depository institution may, depending upon the facts and circumstances, be required by Regulation D (Footnote 5 at § 204.2(d)(2)) to reclassify or close the account.” (First paragraph, last sentence of Wzrd1’s comment–Regulation D.)

      2. Patti

        Hi Adam – another problem – if you have a secure way to move that money around (unless you’re spending time and gasoline to drive to the bank every time you need to buy something) then that “secure” way probably has an attack path, right?

        I’m not wealthy, but about $1,000 per month works for me. That’s basically a weekly trip to the bank for a couple of hundred bucks. Of course, I live in a very safe neighborhood…

  16. Steve Matsukawa

    The question no one is asking is how are these devices being compromised? Does this mean that anyone can just walk in and do whatever it takes to compromise the machine/software?

    America has fallen so far behind the rest of the world, but then when you have crooks in all levels of government and at the corporate level, well what does one expect.

    As long as crooks and thieves are running the game, we the consumers are going to lose our money.

    1. patti

      Well, corporations don’t loose money and so don’t care – the card folks could be doing more, but aren’t. It’s also likely that *someone* powerful in the US has a vested interest in cybercrime (think Enron, the GMO labeling scandals, Akre vs. New World Communications, etc.), or, at the very least, a fundamental Conflict Of Interest (i.e., more interested in profit now than future security).

  17. Paul

    I’m glad I didn’t purchase anything from there during the April and September 2014 period. I did purchase stuff from there the previous year.

    1. Wzrd1

      Annoyingly enough, I did happen to make a single purchase at a Home Depot during that period.
      Fortunately, if our intrepid host is to be believed, I used a human occupied register, as has long been my habit.
      That habit borne of a desire to see humans gainfully employed.
      Well, that and at Home Depot, my military retiree card gives me a discount. At other businesses, it’s purely out of a desire for human interaction when making a business transaction.
      But, to be sure, I enrolled in the Home Depot funded identity theft protection program that they referred me to.

      1. JATny

        I’m with you Wzrd1, I like seeing humans gainfully employed. My favorite chain pharmacy made a big deal of rolling out its self-serve machines. A year later, the stores went from having half a dozen cashiers and a couple of machines to having half a dozen machines and only couple of cashiers. I understand efficiency, but I keep telling store managers … machines don’t shop and neither can people with no jobs!

        1. patti

          Unfortunately, this is the Fundamental Flaw of Capitalism. People stop thinking about people. Economists do not talk about this because you can’t write it into a mathematical equation…

        2. Robert.Walter

          You folks do realize that these machines create jobs for the people who design, build, service and maintain them, don’t you?

  18. KrebsonSecurityFan

    I have noticed that this year at the Home Depot store that I shop at the self-checkout registers were down a lot. There are four self-checkout registers at my store (one supervisor) and rarely have all four of these registers been in-service at the same time.

  19. Jim Dekle

    So what OS is on the shelf checkout? I read that the problem was the same as Target because both companies had not undated the OS on the registers. The report said they were both using Windows XP embedded.

    Is that true?

    Thanks so much.

    1. Guest

      Yes, that is correct. They are using an unsupported OS (windows xp).

      1. Wzrd1

        Per Microsoft:
        Windows XP Embedded (Toolkit and Runtime), all versions January 30, 2002 January 12, 2016 January 30, 2017
        The first date was general availability, the second date is end of support, the final date, end of license.

        So, it’s obviously still supported.

        1. meh

          Yeah still ‘supported’ like xp was supported 6 months ago, doesn’t mean it isn’t still swiss cheese or a good decision.

  20. Stacy

    We had 5,000 stollen from our account three weeks ago!!! We are building a home and shop at Home Depot at least twice a week for a year now!! Our bank nor Home Depot are of any help to us!!

  21. Winston

    What percentage of POS terminals are wireless? Are they more susceptible to hacking or interception of data?

  22. Anon

    They also use unsupported (no patches available), 10+ year old versions of AIX on some of their backend systems. Management is well aware of this and just doesn’t care because it’s “too costly and resource intensive” to actually do something like upgrade.

  23. JD

    Why should Home Depot or anyone pay for Credit Monitoring/Protections/etc.?

    That’s clearly a rhetorical question- to get people to think.
    In a perfect society, I should be able to post my Social Security number on a billboard next to a busy highway- and nobody (but me) would be able to *USE* it for anything other than *MY* approved transactions.

    In today’s reality- it’s the consumer that needs to protect their information.
    This seems completely backwards to me, and I’ve never understood why consumers don’t demand the (U.S.) government to reverse the current mindset.

    WHY aren’t credit reporting agencies held responsible for accounts that are opened fraudulently (due to stolen social security numbers?). THAT system itself is horribly broken and if it were fixed- the need for “credit monitoring” services would
    disappear or significantly reduced.

    But- there’s the rub! Consumers (and Merchants) can be charged EXTRA for the Credit Reporting agencies to do what they *should* do (better) anyway, and for FREE.
    If people can be duped into thinking they “need” to spend money for something that should be expected by ‘default’ -that just fuels the economy even more.
    Apparently profits always trumps [business] ethics. Wait… did I just use the words business and ethics in the same sentence? Silly me.

    Other governments, such as Germany, have much more strict usage laws of consumer data.

    1. timeless

      +1

      Please write to your congressional representatives.

      But note that Germany and other countries may not be in as great shape as you think. It’s possible that their press isn’t as strong, or that it isn’t as profitable to fleece Germans (smaller population / market).

  24. TheHumanDefense

    This issue of POS Malware will continue to be an issue. In fact, I think that this will become the crime of choice. Deploying encryption at the POS itself will solve the problem only for so long until the attackers determine how to get around that, but make no mistake, the monetary profit will out way the time it will take to develop new ways to commit fraud.
    If this intrusion and breach are found to be the cause of risky habits by either a 3rd party vendor (like in the Target breach) or an employees risky habits, maybe organizations will start to realize it’s time to make people part of the defensive measures.

  25. Confusedformer employee

    I am a former employee as well as a person who has been notified that my card may be compromised. Are the purchases only showing up as Home Depot or for other places? I feel like everything is so hush hush and nothing is being said how to see what might have been taken.

  26. Dave

    I was amazed to find that so much runs on Windows XP (my GPS for example). It also displays typlical Windows XP characteristics such as hanging and the blue screen of death (BSOD).

    So I wonder how anyone could base software such as payment software or bank terminals on something so clearly fragile. I’ve seen these kinds of management decisions made with catastrophic consequences. Especially when there are other options which are much more reliable, secure and cheaper. “No body ever got fired for buying IBM” became “No body ever got fired for buying Microsoft” and I think a few people should have been fired for that.

    1. timeless

      People knock WXP, but what can you think the alternatives are?

      Would you rather a company whose core business isn’t Operating Systems make their own RTOS with support for lots of hardware including USB input, ethernet networking, and various displays?

      The reason XP is chosen is because it’s a “choose once and forget”.

      If you chose Ubuntu 10.10 Maverick Meerkat in 2010, it’s already out of support and you would almost certainly be vulnerable to something.

      If you chose Ubuntu 8.04 Hardy Heron in May 2008 and shipped it in all of your devices (and never updated it — who updates software?) — you had a totally broken SSL stack.

      If you shipped Ubuntu 12.10 Quantal Quetzal in 2012, you probably were vulnerable to Heartbleed. And again, you almost certainly didn’t update your software.

      Sure you could deploy somehow based on OpenBSD, but let’s face it, you’d probably write really insecure PHP or shell scripts or something vulnerable to Bobby Tables, or something else.

      Security isn’t your core business, you make cash registers, not banks!

      1. patti

        Good point. These are Economist’s “externalities.” But at least updates to Linux are always free. Microsoft will be historically considered a major flaw to Western Civilization for making such an insecure operating system. Much like finding plumbium (Lead) in Gaul by the Romans – who used it for water pipes. Mad Hatter’s Disease. 😉

        Seriously, in a sense, the collapse is already going on all around us. The Romans had to worry about highway thieves, but thieves enter our homes via the internet on a daily basis. Howz that for a scary thought?

  27. Peter

    So bottom line, if using such self service check outs ensure that a credit card is used rather than a debit card to ensure that you have a level of protection.

Comments are closed.