September 8, 2014

Nearly a week after this blog first reported signs that Home Depot was battling a major security incident, the company has acknowledged that it suffered a credit and debit card breach involving its U.S. and Canadian stores dating back to April 2014. Home Depot was quick to assure customers and banks that no debit card PIN data was compromised in the break-in. Nevertheless, multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.


The card data for sale in the underground that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores. But if the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs.

Experts say the thieves who are perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.

Here’s the critical part: The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards and the legitimate cardholder’s full name, along with the city, state and ZIP code of the Home Depot store from which the card data was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).

This is especially helpful for fraudsters, since most Home Depot transactions are likely to occur in the same ZIP code as the cardholder’s home, or in a nearby one. The store’s ZIP code matters because it lets the bad guys quickly and more accurately locate the cardholder’s Social Security number and date of birth using underground criminal services that sell this information.

Why do the thieves need Social Security and date of birth information? Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:

- the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card;
- the card’s expiration date;
- the customer’s date of birth;
- the last four digits of the customer’s Social Security number.
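The reset rule just described, turned into a small policy check. This is an added example in Python, not code from the original article or from any bank’s VRU: the check names, the two policies and the sample calls are constructed to mirror the article’s description, and the “risk flags” are the indicators a fraud team could alert on even where a reset is allowed.

```python
"""PIN-reset authentication policy (constructed illustration, not a bank's
actual VRU logic).

Models the five checks the article lists: a caller-ID match plus four
knowledge questions.  A "3 of 5" threshold lets a caller through with only
data the underground sells alongside the stolen card; the hardened policy
requires every check, including the one the caller cannot buy.
"""
from __future__ import annotations

from dataclasses import dataclass

# Answers the article says are sold in underground shops or printed on the
# stolen card itself, i.e. knowledge a thief can be assumed to have.
KNOWLEDGE_CHECKS = frozenset({"cvv2", "expiry", "dob", "ssn_last4"})
# A check that depends on something the thief does not control.
POSSESSION_CHECKS = frozenset({"caller_id_on_file"})
ALL_CHECKS = KNOWLEDGE_CHECKS | POSSESSION_CHECKS


@dataclass(frozen=True)
class ResetAttempt:
    """One VRU PIN-reset call, recorded as the set of checks the caller passed."""
    passed: frozenset[str]
    travel_notice_requested: bool = False


def weak_policy(attempt: ResetAttempt, threshold: int = 3) -> bool:
    """The 'three out of five' rule the article describes."""
    return len(attempt.passed & ALL_CHECKS) >= threshold


def hardened_policy(attempt: ResetAttempt) -> bool:
    """Require every check before a reset: the 'all five elements' change
    the two banks in the article adopted."""
    return attempt.passed >= ALL_CHECKS


def risk_flags(attempt: ResetAttempt) -> list[str]:
    """Defender-side indicators worth alerting on, whichever policy is in force."""
    flags = []
    if not (attempt.passed & POSSESSION_CHECKS):
        flags.append("no possession factor: caller not on a number on file")
    if "cvv2" not in attempt.passed and (KNOWLEDGE_CHECKS - {"cvv2"}) <= attempt.passed:
        flags.append("identity data correct but card-only CVV2 missing")
    if attempt.travel_notice_requested:
        flags.append("limit increase requested in the same call as the PIN reset")
    return flags


# Constructed attempts mirroring the two incidents described in the article.
NEW_ENGLAND_CALL = ResetAttempt(
    passed=frozenset({"expiry", "dob", "ssn_last4"}),  # prepaid number, no CVV2
)
WEST_COAST_CALL = ResetAttempt(
    passed=frozenset({"expiry", "dob", "ssn_last4"}),
    travel_notice_requested=True,                      # "travelling in Italy"
)
GENUINE_CALL = ResetAttempt(passed=ALL_CHECKS)

if __name__ == "__main__":
    for name, call in (("New England", NEW_ENGLAND_CALL),
                       ("West Coast", WEST_COAST_CALL),
                       ("genuine customer", GENUINE_CALL)):
        print(f"{name}: 3-of-5 allows={weak_policy(call)} "
              f"all-5 allows={hardened_policy(call)} flags={risk_flags(call)}")
```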

On Thursday, I spoke with a fraud fighter at a bank in New England that experienced more than $25,000 in PIN debit fraud at ATMs in Canada. The bank employee said thieves were able to change the PINs on the cards using the bank’s automated VRU system. In this attack, the fraudsters were calling from disposable, prepaid Magic Jack telephone numbers, and they did not have the CVV2 for each card. But they were able to supply the other three data points.

KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot. The manager said the bad guys called the customer service folks at the bank and provided the last four of each cardholder’s Social Security number, date of birth, and the expiration date on the card. And, as with the bank in New England, that was enough information for the bank to reset the customer’s PIN.

The fraud manager said the scammers in this case also told the customer service people they were traveling in Italy, which made two things possible: It raised the withdrawal limits on the debit cards and allowed thieves to withdraw $300,000 in cash from Italian ATMs in the span of less than 120 minutes.

One way banks can decrease the incidence of PIN reset fraud is to require that callers supply all of the requested information accurately. Indeed, the bank employee I heard from in New England said a nearby financial institution she’d contacted, which used the same VRU system, saw its PIN fraud drop to zero when it began requiring that all questions be answered correctly. The bank on the West Coast that I interviewed also said it had already begun requiring all five elements before processing PIN changes on any cards that had been used at Home Depot since April.

Still, some of the world’s largest banks have begun moving away from so-called knowledge-based authentication for their VRU systems toward more robust technologies, such as voice biometrics and phone printing, said Avivah Litan, a fraud analyst with Gartner Inc.

“We saw this same activity in the wake of the breach at Target, where the thieves would call in and use the VRUs to check balances, remove blocks on cards, get the payment history and of course change PINs,” Litan said.

Voice biometric technologies create an index of voice fingerprints both for customers and various fraudsters who conduct VRU fraud, but Litan said fraudsters often will use voice synthesizers to defeat this layer of detection.

Phone printing profiles good and bad callers alike, building fingerprints based on dozens of call characteristics, including packet loss, dropped frames, noise, call clarity, phone type and a host of other far more geeky concepts (e.g., “quantization” and “taggers”).


The fact that it is still possible to use customer service or an automated system to change someone else’s PIN with just the cardholder’s Social Security number, birthday and the expiration date of their stolen card is remarkable, and suggests that most banks remain clueless or willfully blind to the sophistication of identity theft services offered in the cybercrime underground. I know of at least two very popular and long-running cybercrime stores that sell this information for a few dollars apiece. One of them even advertises the sale of this information on more than 300 million Americans.


Banks are long overdue to move away from knowledge-based authentication. Forget about the fact that most major providers of these services have been shown to be compromised in the past year by the very crooks selling Social Security numbers and other data to identity thieves: The sad truth is that today’s cybercriminals are more likely to know the correct answers to these questions than you are.

I bring this up mainly because Home Depot is, predictably, offering credit monitoring services to affected customers (which, given the length of this breach, is likely to be a significant chunk of the American population). Credit and debit card fraud is annoying and inconvenient and can be at least temporarily expensive for victims, but as long as you are keeping a close eye on your monthly statements and reporting any unauthorized charges immediately, you will not be on the hook for those charges.

Please note that credit monitoring services will not help with this task, as they are not designed to look for fraud on existing accounts tied to your name and personal information. As I’ve noted in several stories, credit monitoring services are of dubious value because although they may alert you when thieves open new lines of credit in your name, those services do not prevent that activity. The one thing these services are good for is in helping identity theft victims clean up the mess and repair their good name.

However, given the fact that your Social Security number, date of birth and every possible answer to all of these knowledge-based authentication questions can be had for $25 in order to establish new lines of credit in your name, it makes good sense for people to avail themselves of free credit monitoring services. But there is little reason to pay for these services. If you don’t already have a credit monitoring service for free then maybe you haven’t been paying close enough attention to the dozens of companies over the past year that have likely lost your data in a breach and are already offering these services for free.

For more information about the benefits and limits of credit monitoring services — as well as other helpful tips to proactively safeguard your credit file — see this story.

More information, including an FAQ about the breach, released by Home Depot is available at this link.

214 thoughts on “In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud”

  1. Shinki-itten

    I haven’t used a debit card (with or without credit option) for a purchase in several years. However, the points of this article are much broader than just purchases. Even on the phone with my cable/internet/phone supplier, I can do anything on the account just by telling the representative my name, billing address, and last 4 of my social. For that reason, I never use my cable company-provided email address for security/registration on any other account.

  2. antonio

    We are part of the problem. Banks will go lax on their security to keep customers happy. All it takes are a few angry people cussing out a rep because they wouldn’t reset a PIN and the bank relaxes the rules. And then when there is a breach, we don’t look at our addiction to convenience, we just point fingers at the bank, the government, whoever; never ourselves.

    1. Andrew

      You have a very interesting point. Our addiction to convenience with a side of assisted lethargy makes us want all the good and think there is absolutely no way anything bad could come from our decisions, and if so it was in no way our fault.

      I suppose a loose line could be drawn between this and parenting… don’t raise the child right, and blame it on everything except one’s own parenting. I guess what I’m saying here is not only is there an addiction to convenience but also a lack of responsibility these days. People will gladly raise their hand when asked who put the idea that saved the company $1,000 in the suggestion box, but it’s rare to get someone to actually come forward over something that cost the company say $100.

  3. Ray

    Hi Brian,
    I respectfully disagree with your comments about credit monitoring.
    Whenever there is a change in my credit, even if I’m the one making the change, I get an email.

    I can login and see who pulled my credit and why. If I didn’t authorize it I can immediately take steps to remedy the situation.

    That’s much better than waiting until I get the next statement to see tons of unauthorized charges or having the card co call me after the fact.

    1. BrianKrebs Post author


      Will your credit monitoring service stop thieves when they apply for credit in your name from 50 different places at once? No, they won’t. They’ll let you know that someone just did a bunch of hard pulls on your file, and each time that happens, guess what? Your credit score takes a ding. I had my credit score drop 100 points because of fraudulent applications before I froze my credit.

      Also, I think you missed the one thing that I said was useful about credit monitoring services: They do help you repair your credit should bad things happen. My point is that they don’t do squat to block the fraudulent activity.

      1. MEP

        And when you look at who the credit monitoring services are, you should have even less confidence. After my card was grabbed in the Target breach, Target offered me free credit monitoring with Experian, the company that gave millions of customer details to an identity thief in Thailand and was never held accountable.

        With friends like these…

        1. MEP

          Vietnam, not Thailand. Getting my breaches mixed up. There are too many of them anymore.

      2. Ray

        I didn’t realize they’d apply 50 times all at once. That’s a new one on me and I’m a credit expert. I can see how that would be an issue.

        I have a reliable firm in Florida that removes inquiries. Let me know if that would help you or your readers.

        I can’t think of anything that would stop this except immediately putting a fraud alert in your report.

        1. timeless

          Fraud alerts are annoying. They require you to have an incident handy.

          Everyone is able to freeze their credit records (as Brian and I have done). It costs $5-15 per reporting agency (the amount varies by state according to state law – it can be free if you have a police report). I froze with the big four American reporting agencies.

          I’d imagine that most Americans are not applying for new mortgages/credit cards each year and that they would benefit from freezing their reports. It’s simpler than waiting for someone to offer an awkward monitoring service. When you want to apply for credit, you contact the reporting agency with your PIN and indicate how long to unfreeze your report.

          For Canadians, two of the big three American reporting agencies exist in Canada, and the freezing process should work about the same way.

            1. David Longenecker

              I see a fraud alert as a happy middle ground between doing nothing, and putting a hard freeze (which costs to apply, and costs to remove if I do have reason to open new credit). An “Initial Security Alert” is a 90-day fraud alert that costs nothing, does not require a fraud incident or report, and can be renewed every quarter.

              With a fraud alert, if I choose to open a new credit account, the creditor calls to verify it is in fact me that is applying for credit – essentially 2FA for credit applications. Sure it can be defeated, but it adds a significant hurdle.

          1. meh

            Freezing is pointless. The real problem is that the credit bureaus are hardly better than the crooks. I kind of hope there is a tool made that will add millions of unverifiable activities to every report they have, and wipe the whole stupid exercise in stupidity. They will never be secure when their primary goal is hiding your info from you and letting everyone else in the world buy it or alter it at will.

            1. BrianKrebs Post author

              Right. So in the meantime, between your grumbling about how the credit bureaus are crooks and the inevitable quick response by Congress to do something about it, you feel it’s best to sit back and do nothing? Placing a freeze on your account is the only sane way to opt-out of the credit monitoring madness and from the credit bureaus selling your file to anyone they choose.

              1. meh

                I take a similar view to that as paying student loans, it just reinforces the broken system and encourages them to keep on taking advantage more and more every year. I want to see these bureaus dragged into congress and explain why year after year 2/3 of the country is paying more and unable to resolve even basic issues and hear their stammering bean counter tell the entire government that they have no visibility, control, or way to fix it.

                1. timeless

                  Well, have you written your congressional representatives and asked them to do this?

                  1. meh

                    Yeah but they’re one of the more tea partiest ones and they think government regulation is the problem and already far too onerous on these poor massive banks and credit bureaus. I wrote to Senator Warren instead, seems like a better use of my time.

                    1. SeymourB

                      If your congressional representative doesn’t represent your views, you need to do one thing: vote.

                      Better yet, encourage others to vote too, even if they don’t hold your views. It’s because of low voter turnout that aberrations get into office.

                    2. Diane Trefethen

                      “It’s because of low voter turnout that aberrations get into office.”

                      Unfortunately that is not true. The get-out-the-vote propaganda is designed to make citizens who don’t vote feel guilty and to lay the blame for our governments’ failures at the feet of said non-voters. The truth is that on the whole, political party machines choose who will appear in a primary by the simple expedient of telling maverick candidates that they should expect no financial help from their party. When such people run anyway and by chance garner enough votes to be one of the two candidates on the November ballot, “their” party often continues to refuse to support them by saying they’re not really Republicrats and that they don’t uphold the principles of the party.

                      The two major parties “own” elections and are far more alike than not. Witness the current calls for war in the Middle East by both the hawks (Republicans) and the pro-peace faction (Democrats). And Democrat Obama’s promise to declare and wage war in the ME despite the Constitutional prohibition against that. If he does that, he should be impeached but he won’t be because the Republicans know that if they do that (the House brings impeachment charges and the House is over 50% Republican), the Dems will do the same thing to their next President when he too oversteps his Constitutional authority. While Progressives bemoan that our nation’s voters are stupid “sheeple,” the fact is they’ve figured out that it doesn’t matter which party gets elected because they are just mirror images of each other. If it doesn’t matter, why vote? If you doubt that, check with friends who voted in the last presidential election and see how many didn’t really support the guy they voted for but are willing to state that he was the lesser of two evils.

                      So year by year our voter turnout declines. Again, why bother if there is no difference, if once elected, the winner will sponsor legislation (including so-called tax reform) that favors her/his donors over the best interest of the people? And those big money interests donate to BOTH candidates so it doesn’t matter to them either which one wins.

              2. JATny

                Brian, are you suggesting that people not use the credit monitoring services being offered by Home Depot (and others)? Fyi, I’ve been offered these services in the past for everything from a breach at my mortgage company to the pension files at a major corporation where I worked for over a decade. I am eligible for the HD-offered service, but I haven’t accepted yet.

            2. Phil C.

              I don’t know whether to grumble along with you, cry or laugh. I’ve maintained for the last 25 years that credit reporting outfits like Experian, Equifax and TransUnion are legally sanctioned criminal enterprises. They’re quick to load up their databases with all kinds of false garbage about individuals, but make it all but impossible to remove said garbage. In most other arenas it would be called “libel” and “character assassination”, and would be actionable in a court of law.

              1. JATny

                Phil C, you do have a point. I have battled with the credit report companies for years, who all claimed that I lived at a spurious address in the Bronx, NY. I’ve lived in an entirely different part of NY for over 30 years. When I get “security” questions when I check my own credit, I have to “remember” that I “lived” at an address that I never heard of, except from these credit companies. I have never been successful in getting the address removed. One company’s guy even joked that I should be thankful because whoever it was took out accounts in my name and paid them on time. This is a classic old-school ID theft trick, before all the big time hacking. I did put a stop to these accounts, but no one could ever tell me who this ghost was, and apparently they got the message that the accounts had been closed and moved on. I was “lucky” on that score.

      3. Andrew

        I took your advice presented in an earlier article to set a fraud alert. Thus far there is no apparent unwanted activity, but that’s not to say it couldn’t or will never happen! The assumption that since everything is okay right now it will stay okay just because I go about the same routines is entirely too dangerous these days, especially as I believe I will be affected by the “Depotgate,” I guess the media might call it.

        While I was there (I activated fraud alert via Equifax) I ordered a full credit report to see what was at stake… I had no idea it was as high as it was, it’s not trying to break the needle but it’s definitely well-off, I couldn’t even fathom having a number that high, or watching it plunge to the depths of credit hell because thieves refuse to work for their money, or are addicted to the thrill of crime, or whatever other “reason” they have.

        I certainly am glad I came across your blog, it’s provided me some very neat insight into the realm of digital security, thanks again!

  4. David O

    Since HD has offered PayPal for the last year or two, is there any concern/evidence of phone number and pin combos having been stolen in this breach?

    1. Anonymous

      Don’t think PP data would be at risk. That data is encrypted in the PED where it is entered and can only be decrypted by PP, and is never exposed in the clear to RAM-scraping malware in the register or on the network.

      If only HD had encrypted your card data also in the PED like many other large merchants are doing, then we wouldn’t be having this discussion.

  5. Wladimir Palant

    Interesting, I never knew that you could change the PIN of a debit card in some countries. Just in case I was totally clueless here, I checked the information of my German bank on this (approximate translation):

    > What should I do if I forgot the PIN of my Maestro card?
    > For security reasons, the PIN of the card isn’t known and isn’t being saved. Generating a new PIN for an existing card isn’t possible for that reason. Should you have forgotten your PIN please order a replacement Maestro card. This one will have a new PIN.

    As far as I know, that’s what all German banks do – you cannot change the PIN, you can only get a new card with a new PIN.

    1. BrianKrebs Post author

      Thanks for sharing that, Wladimir. I’m guessing that part of that is that banks perhaps feel it’s not the best idea to let consumers pick their own PINs?

      1. EUman

        > I’m guessing that part of that is that banks perhaps feel it’s not the best idea to let consumers pick their own PINs?

        No, choosing your own PIN is not the concern – here you can select your own PIN (i.e. change the existing PIN when you know the old one) for your chip card (anytime),

        and before (with magstripe-only cards) it was possible to request a new PIN, which was then securely sent by snail mail.

        I think banks' concern is the cardholder verification/authentication (how banks can be sure that it is really the genuine client, not fraudster), exactly what is mentioned above at the end of article.

        1. Jonathan Rosenne

          The banks are not so concerned since when the PIN was used they can disown responsibility.

          They should be concerned because customer selected PINs are commonly very weak.

          Furthermore, once you made any purchase on the internet you should assume that the crooks have a fair chance to obtain access to all the data you had entered, including CVV2/CVC2.

          HCE addresses these concerns, but will be useless when coupled with customer selected PINs.

      2. timeless

        Actually, I’d bet it was based on implementation sequence, if PINs were implemented earlier in certain parts of Europe, their ATMs probably didn’t support rewriting PINs, so they were always issued randomly w/ no provision for changing them and no worries about confusing instructions like “you can change your PIN at some ATMs, but not all of them”.

        Most likely, the countries that did PINs later were able to deploy machines/technology that supported changing the PINs.
        — UK cards apparently support changing their PINs
        — Ireland cards support it
        — Australia supports it
        — Finland on getting your PIN reissued (without a new card)

        I know that in Finland PINs were issued with the cards, I think I included links talking about how to get some of the Finnish banks to reissue PINs in some of your other articles (I’ve only dropped in a Nordea link here, but Sampo and OP should be easy to find — the price lists were amusing). At least one of the banks (Nordea) seemed to have the PIN somewhere on file, such that they could charge you a fee to mail you just your PIN.

        (I suppose I could try sticking my Finnish CC into a Canadian ATM to see if it would let me change the PIN, but I’d expect the ATM to eat my card, and I don’t really want to lose it.)
        — AmEx cards support changing their PIN at “any” ATM.
        — The German picture is a picture (!), but it roughly says:
        Obtain visa card by post.
        Assign it Your request PIN in personal area under administration; my data; card data.
        Personalized PIN with a TAN to activate.

        [My German translation is potentially totally bogus]

        Note that technically your average Chip based debit card has two PINs, a mag-stripe PIN, and a Chip PIN. By convention, they’re the same. But technically they’re independent and can have distinct values. My understanding is that the reason that banks issue them synchronized is because banks didn’t trust consumers to be able to remember two distinct PINs/keep them straight.

        1. Mark

          With the old magstripe debit cards in Europe it worked like this: there was a ‘master’ PIN that was held in a big central server. This is what you were issued with.

          Then, on the magstripe, there was a ‘PIN offset’ which was 0000 by default but could be set by ATMs. This allowed ATMs to change the PIN code for a customer without actually writing the PIN on the card: it wrote the difference between the user-chosen PIN, and the real PIN. At each withdrawal, ATMs would check whether + ==

          No idea how it works now with the EMV/chip cards… 🙂
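The offset scheme Mark describes, worked through in Python as an added illustration (not code from the comment, the post, or any real ATM network): the PIN values are constructed, digit-wise modulo-10 arithmetic is the assumption that makes the “difference” well defined, and `compute_offset` / `verify_pin` are hypothetical names.

```python
"""Digit-wise PIN-offset scheme of the kind Mark describes (constructed
illustration, not any issuer's actual implementation).

The issuer holds a 'master' PIN per card.  The magstripe stores only an
offset (0000 by default).  Changing the PIN at an ATM rewrites the offset to
the digit-wise difference between the customer's chosen PIN and the master
PIN, so the stripe never carries the PIN itself.
"""
import hmac


def _digits(value: str, name: str) -> list:
    """Validate a 4-digit PIN/offset string and split it into digits."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"{name} must be exactly 4 decimal digits")
    return [int(ch) for ch in value]


def compute_offset(master_pin: str, chosen_pin: str) -> str:
    """Offset written to the stripe when the customer selects chosen_pin.

    Each digit is (chosen - master) mod 10.  For a uniformly random master
    PIN every offset value is equally likely, so a skimmed stripe reveals
    nothing about the PIN to someone who lacks the master.
    """
    m = _digits(master_pin, "master PIN")
    c = _digits(chosen_pin, "chosen PIN")
    return "".join(str((ci - mi) % 10) for mi, ci in zip(m, c))


def verify_pin(master_pin: str, offset: str, entered_pin: str) -> bool:
    """Issuer-side check: does master + offset (digit-wise mod 10) equal the entry?"""
    m = _digits(master_pin, "master PIN")
    o = _digits(offset, "offset")
    _digits(entered_pin, "entered PIN")
    expected = "".join(str((mi + oi) % 10) for mi, oi in zip(m, o))
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, entered_pin)


if __name__ == "__main__":
    master = "4817"                                # constructed: issued PIN held centrally
    print(verify_pin(master, "0000", master))      # True: default offset means issued PIN
    off = compute_offset(master, "2580")           # customer picks 2580 at an ATM
    print("offset written to stripe:", off)        # 8773
    print(verify_pin(master, off, "2580"))         # True
    print(verify_pin(master, off, master))         # False: old PIN no longer valid
```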

      3. Wladimir Palant

        Yes, I would certainly consider customer-chosen PINs an issue – chances that the customer chooses 1234 or 1111 are way too high. The banks I dealt with so far always assigned a random PIN and didn’t let you change it.

        As timeless notes, not all German banks do it this way apparently. ComDirect indeed allows you to set your own PIN for their VISA card, and it even allows changing it without knowing the old PIN – as long as you have access to online banking. The PIN for their debit cards can be changed at the ATM machines. It’s not clear what their approach is if people forget the PIN – but I suspect that phone support will work in this case.

    1. Peter

      Maybe. I have Apple stuff and like what they do. But I’m not lining up to buy iPhone 6. I will wait a bit and see what the details are.

      That said, the fingerprint security (I have iPhone 5s) is excellent. Far better than anything else I have ever used.

      All the POS terminals will have to be updated by next Fall (some are done already) and my guess is that all the new ones will include NFC. So this time next year almost all businesses in the U.S. will be able to accept this.

      I have a card (CC) that has been used a bunch at HD and so far no weird charges have appeared. Things may change …

    2. timeless

      Probably not.

      Given the stories about being able to restore someone else’s iPhone data (yes, typically via an exploit, possibly social, of iCloud). I can’t imagine Apple Pay as part of the solution.

      Now, the fact that Apple will be driving NFC acceptance by vendors is a different story.

      But, let’s temporarily imagine that Apple does get 100% of vendors in the US to accept NFC based payment tomorrow, and that 100% of consumers in the US are issued NFC cards.

      You decide to go to HD, or the Apple Store to make a purchase. Guess what?
      Odds are, you won’t be able to pay with NFC.

      Why? If you’re trying to buy an iPhone, or a Watch, or most devices at the Apple Store, they’ll cost more than $100 (see below). If you’re shopping at Home Depot, you might be just buying a few screws, but you’re more likely to be buying a bunch of things whose total will exceed $100.
      *Signature or PIN is not required for PayPass transactions of CAD $100 or less at participating merchants. doesn’t list the limit, but it’s probably the same as MasterCard
      Seems to indicate you’ll probably be hit at $25 — claims that in theory you can charge up to your credit limit.

      1. Peter

        The low limit is for wave-to-pay cards, as I understand it. I have not seen anything definitive but would be amazed if there was such a low limit for ApplePay transactions. This would gut the whole thing.

        This would be even more surprising if, as has been reported by some, Apple assumes some of the fraud risk (in return for receiving a part of the fee).

  6. JimV

    Although I saw nothing amiss in the recent bank statement that arrived a few days ago, I’ve been to Home Depot 5-6 times over the past 3 months or so where my debit card was used; I decided after reading BK’s latest post to cancel it and today had my small-town bank issue a new card.

    About 3 months ago, this bank (which is independent and not a branch of some larger chain, and whose managers long ago became familiar with BK’s website following my strong recommendation) had decided to change their debit cards from VISA to MasterCard (so all customers got new cards then). As I don’t shop at Target I wasn’t too concerned about the earlier big-time security breach until this past week when BK broke the original story. I had checked the ZIP code lookup webpage BK referenced before and noted that the nearest Home Depot I tend to use was reflected there (the only HomeD store in that rapidly-growing suburban ZIP), so with today’s update my concern rose significantly.

    While at the bank making the debit card change, I chatted with one of the staff who is a good friend who told me they had already seen a lot of fraudulent transactions with this Home Depot breach in the past week, but all were related to credit cards the bank had issued and so far there had been none associated with their debit cards. The particular pattern of fraudulent activity was associated with cash advances at ATM machines in a much larger city (Dallas), where fraudulent cloned cards were repeatedly used at one machine until that ATM’s cash advance or withdrawal maximum limit was reached, then at another ATM machine etc. until the card itself was permanently blocked from further use.

    After recognizing this pattern, the bank immediately notified its credit card company to block ALL cash-advance transactions for ALL of the credit cards it had issued, which at least stopped their financial loss from that practice since the bank is liable for those fraudulent charges not the cardholders. He reiterated that they hadn’t seen any such pattern with their debit cards, but he thought my action was certainly not unwarranted under the circumstances.

  7. deb

    well I guess people should return to the mom and pop stores and leave the big box stores. They make millions off of us and don’t care about our security. They’ve had plenty of wake up notice since Target. People are concerned that all this money theft leads to China, Russia and Isis.

    1. anon

      Right, because mom and pop are so much more secure. Crooks don’t even need malware when even small timers can sit out in the parking lot.

  8. Rick

    “KrebsOnSecurity also heard from an employee at a much larger bank on the West Coast that lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot.”

    Those are the sort of losses that get changes effected.

  9. Paul Creswick

    “even advertises the sale of this information on more than 300 million Americans.”

    I know they’re bad guys and so not to be trusted but over 90% of the US population compromised? Really?

    1. BrianKrebs Post author

      I believe what they are doing is abusing credentials to services that allow these lookups on most Americans, so yes, that’s pretty accurate.

        1. shinki-itten

          Because many adults have several credit cards, the census data is not helpful.

        2. shinki-itten

          What I should have also noted is the frequency of multi-duplicate records which arise not just from multiple credit cards, but many other sources. Databases I have access to usually give several entries for each person.

  10. riverfest

    My question is for Brian or any other security professional here. Is the credit card PCI standard being broken here (i.e. not followed by even the biggest companies even though they attest they are following the guidelines), or has the credit card PCI standard been circumvented by the thieves?

    1. Ex Employer

      Home Depot was never PCI compliant and isn’t to this day. They have used the same assessor for years, and they are basically buying the report. The so-called CISO is to be blamed single-handedly for this mess.

  11. Diane Trefethen

    Wladimir’s post got me thinking. Besides forgetting your PIN/password, are there any other reasons why you would need a new PIN? If there are, like this one, is there any reason why you couldn’t wait and go to your bank to get a new card instead? So you are in Italy. There are banks in Italy and all Europe where you can go to obtain cash from your American bank. Is it a hassle? Probably (I’ve never done it). But maybe the hassle will teach you not to forget your PIN when you travel 🙂 It is instructive to keep in mind that travelers from all over the world were able to get cash in the days before ATMs existed. I suspect that all the procedures to do so are still in place.

    1. timeless

      Speaking as someone with banks in three countries on two continents, and having traveled to 3 continents, and having left my wallet (with credit cards) on the wrong side of an ocean, lost my phone in your capital city, and having had a different credit card hit its credit limit while abroad…

      I’ve also left my passport and glasses at home for various trips — usually rushing back to get them. I remember one instance where someone else left their passport behind and we helped get it to them at the airport.

      > Besides forgetting your PIN/password, are there any other reasons why you would need a new PIN?

      The main reasons for changing a PIN are:
      1. You don’t know it
      2. Someone else now knows it

      (Personally, I think calling PINs personal-identification-numbers is silly. They’re publicly-interceptable-numbers — especially now that we use them to make purchases at every restaurant / coffee shop we visit.)

      > is there any reason why you couldn’t wait and go to your bank to get a new card instead?

      I was in France for a week before a replacement credit card arrived from North America. If I didn’t have a pre-booked hotel that was going to charge me at the end of the week, and perhaps needed to pay for the hotel sooner, I would have been in trouble. Oh, and if I hadn’t wired money (using a second replacement credit card’s cash-advance-via-wire service), I wouldn’t have been able to eat.

      Usually, the following are necessary:
      1. Shelter
      2. Clothing
      3. Food

      I’ve had an airline decide not to deliver my luggage to me for two days (while on a 3 day trip). I tried buying clothing in Italy to fix this (I failed, but, if I had found something that fit me, I’d have needed a credit card, which I thankfully had).

      As for “carry cash”, yeah, um, that was in my wallet. As for “carry cash in two places”, well, sure. If you’re really rich you can carry it in three places — thankfully I haven’t lost things in combination, and sure, I should carry some spare cash in secondary places (I think I usually do carry a bit, but I’m not wealthy, I can’t hide $1000 in a shoe, and $1000 in a wallet — and if I did, I’d probably get in trouble at a border crossing — I’ve been to some interesting border crossings).

      > So you are in Italy. There are banks in Italy and all Europe where you can go to obtain cash from your American bank.

      How? I was in Italy. My bank (in Finland) wouldn’t talk to me outside its business hours (…) (see below about knowing whom to call, the credit card didn’t have the useful 24 hour number) — I couldn’t buy food (thankfully a colleague covered the meal on an expense account). I was in France. My bank (in Canada) wouldn’t let me activate its (business!) credit card outside of its business hours (!!). — Note, as a non French speaker, I’m thankful for having a French speaking host who helped me retrieve the wired funds. I would have been helpless in Italy trying to get money somehow from a bank.

      Talking to banks in other countries is not fun. Trust me, you don’t want to do it.
      1. It requires a phone with a decent charge, and service, and an understanding of how to even make that call, and whom to call (and you need to expect to lose hours of time, and the billing cost for hours of international roaming calls). (Do you know what “011” or “001” do? — Many people don’t know what “+” does, or what “112”, or “999”, or “911” do — trying to call outside the local country, especially while frustrated because you’re missing something important and need to get something done — sucks)

      > Is it a hassle? Probably (I’ve never done it).

      Very much so.

      > But maybe the hassle will teach you not to forget your PIN when you travel 🙂

      grr. PIN. PIN. SIN. SSN. TIN.

      The number of things that one collects that are 3-4, or 9, or 10 digits long really sucks.

      Each country gives you at least one “unique” ID (some give you more than one — thanks Canada). Each credit card gives you at least one “personal” ID (for people who deal w/ multiple countries, that’s probably 3-4 per country, as debit and credit cards are often distinct, although some times they aren’t). Just in that batch, I’m near 20 numbers. Most of which I rarely use. Except, when traveling. Sure, you can try to put the numbers into a file somewhere. I recently discovered that my file management solution ate one of these numbers so, I’m short a number until I go home and look it up. It’s also possible to lose your phone (yep, done that too).

      > It is instructive to keep in mind that travelers from all over the world were able to get cash in the days before ATMs existed.

      Yeah, my parents carried these things called “traveler’s checks”; they were issued by a very good global company called “American Express”.

      For reference: If you have an AmEx (US, CA, or other), and you lose it and fly to Paris, you can get AmEx to issue you a new one the same day. (For other places, it might be a day or two longer, but certainly better than my experience w/ a big-4 Canadian bank.)

      Similarly, if you lost your travelers checks (or if they were stolen), you could go to an AmEx office (I’ve seen the office in Boston), and get new checks — on the spot. They were a great service.

      Sure, they asked you to show your passport (or perhaps for the US, your driver’s license). But they (globally) knew you, and could do business with you, and wanted to do business with you.

      AmEx traveler’s checks were, IIRC, organized by AAA.

      Unfortunately, traveler’s checks are dead.
      offers AmEx, Visa, and MasterCard prepaid cards instead.

      > I suspect that all the procedures to do so are still in place.

      Mostly, yes. If you are a member of AAA (as a non driver, and not based in the US, I have never been), or an AmEx customer (I am now, and will never again have the problems I’ve had in the past thanks to them).

      But, many people are naive. I certainly was, I didn’t think I needed AAA or AmEx. (I didn’t learn the AmEx side of my lesson until my second expat country.)

      Seasoned travelers are usually fine. It’s the occasional travelers who suffer the most.

      1. George G

        “For reference: If you have an AmEx (US, CA, or other), and you lose it and fly to Paris, you can get AmEx to issue you a new one the same day. (For other places, it might be a day or two longer, but certainly better than my experience w/ a big-4 Canadian bank.)”

        I was in Europe when the bank that issued my VISA card stopped it (detected fraudulent transaction that took place in Michigan). When I called they offered a replacement card (new account # of course) delivered to me within one business day.

  12. Lancery

    I think there’s one detail you mentioned in your post that’s worth elaborating: do (credit card number + full name + location info of the Home Depot store) give enough for the hackers to determine a person’s Social Security number? If so, that is a major security flaw in the existing system. After all, it’s night and day between an annoying credit card fraud case versus a full-blown identity theft, where hackers can open a line of credit in your name.

    If this is indeed possible, can you talk more about that? In particular, what are the chances of that, and whether it’s worth it to undertake significant measures such as a credit freeze to mitigate the relevant risks?

    1. Ollie

      I would like to know the answer to this question also. Based on what I have read here it sounds like getting enough information from different sources to solve a puzzle.

      1. BrianKrebs Post author

        Lancery, Ollie,

        The starting point is that there are cybercriminal services in the underground that advertise the sale of SSN and DOB data on most Americans. To use these systems effectively (i.e., to not pay for information for someone other than the person you’re looking for) it helps to give these services as much info as possible, including city, state and zip of the person. With that information, it’s usually possible to buy the SSN and DOB on a person. The credit card number has nothing to do with it.

        1. Ollie

          Brian, that information is in the phone book.
          Does this mean that if I know where my neighbor works I can claim his tax refund?
          Our local paper reports police activity and almost every week someone files a police report because someone else has claimed their tax refund.

          1. BrianKrebs Post author

            Claiming someone’s tax refund is a bit more complicated, because you need to know what they declared as taxable income on their previous year’s returns. Usually, those cases are the result of someone compromising someone’s employer’s payroll records, but they certainly can try to file false tax returns on your behalf with information that is purchasable in the underground. Happens all the time.

            1. Lancery

              Thanks for the reply Brian. Ollie brings up a good point. A person’s full name, city, state and zip code is easily determined by looking in the phone book or less conventional means (i.e. social media). Therefore, it would suggest to me that the data breach of Home Depot doesn’t really add significant risk of full-blown identity theft (where a line of credit can be opened). It’s more of a case of credit card fraud. Do you agree? If so, it is confusing why Home Depot is offering credit monitoring, which is a reactive measure. Wouldn’t it be better for Home Depot to suggest that customers simply close their existing credit card account and open a new one?

              1. timeless

                You’re more or less correct, and Brian mentioned this (in the article?) when he talked about the monitoring as mostly useless.

                Note that you shouldn’t “close your account” — that dings your credit record.

                You just ask for a replacement card with a new number.

                Mostly HD (or pick your victim-vendor-of-the-month) are running around like chickens with their heads cut off. They don’t really know what to do, or what to say. They aren’t in a position to study best practices (it’s clearly a bit late for that).

                Credit-Report-Monitoring is something they’ve read that everyone offers, so, they offer it. My guess is that relative to their other losses, the cost is pretty small, so it’s an easy thing to do. (Note: there are different levels of monitoring, and most of these incidents result in the vendor buying the cheapest level possible for one year.)

                1. Ray

                  Closing your account is not necessarily bad. It depends on how old the account is. If it’s the oldest account then yes, it’s bad because 15% of your score is how old the oldest account is. Older being better. The bureaus have more history on older accounts so your scores are higher. (assuming you pay on time)

                  If the account is a credit card closing it could lower your score slightly because 30% of your score is calculated by comparing the balances to the limits on revolving debt. Lower balances being better. Indicating more responsible use of the credit line.

            2. Ray

              The only defense against this is to file your taxes as early as possible so if crooks try to file they get the “already filed” message instead of you.

              1. timeless

                Actually, the best defense is to be victimized once.

                Once you’re victimized, you can get the IRS to issue you a PIN:

                It’s like the code you use to thaw your credit report. Without it, filings for your SSN will be rejected (or at least investigated heavily).

                I’m not really recommending this route. I’d much prefer to not be a victim — the cleanup is presumably awful.

                But please write your congressional representatives and ask them to instruct the IRS to expand the PIN program to not require victimhood for eligibility.

  13. Rosemary

    Thank you as always for informing all of us. We saw your name mentioned in the New York Times 9/9/14. It is very sad when a blogger such as yourself discovers this breach and not the security folks!
    We need to address this as a country because it can only get worse!

  14. Erik

    Home Depot debit card shopper here. Got a call at 8:30 last night from my bank’s fraud detection unit.

    Someone had counterfeited my debit card information and used it to run about $450 of purchases at Rite Aid in the same metro region that I live in (Denver).

    My debit card was not lost. The charge hit right away rather than a day later, so I believe that means it was used in ‘debit’ mode vs ‘credit’ mode. Which I believe means they needed a PIN that works.

    1. Kim

      I too got a phone call from my bank last Friday. My debit card had been part of the HD scam. I didn’t lose any money, as Bank of America froze everything immediately, but it is a pain in the behind to know I’ve been compromised. I will not use my card at HD, and at this point, I’m considering going back to cash only.

      1. Erik

        Follow up to my last comment: went into my credit union to deal with the theft. I was one of 20 at my CU last night that had accounts robbed.

      2. brown

        Why go to cash, if someone steals your wallet good luck getting your money back. At least with a credit card and/or debit card you get your money back since you’re not responsible for the fraud. Keep in mind with a credit card, the money being stolen isn’t yours, it belongs to the issuing bank, it is in their best interest to reimburse any of “your losses”.

  15. nov

    Another “way that banks can decrease the incidence of PIN reset fraud is to require” an in-person (at a branch or ATM) change, instead of by automated call-in system Voice Response Unit (VRU). At least one bank in the west is doing this.

    1. brown

      Not all banks have an ATM or branch network that they can use for PIN management. Also, from a customer experience standpoint it is a lot more convenient for me to be able to change/unblock my PIN from home. The elderly and the disabled also appreciate the convenience, especially in countries like Canada where it is winter for 6 months of the year. The amount of PIN fraud that occurs as a percentage of all PIN management via IVR/VRU is very very small. Last I checked, we had 1 incident of PIN fraud for every 700,000 PIN changes in our IVR.

    2. timeless

      As a traveler, this is a disaster.

      I’m not opposed for it being something that you can let customers choose in/out. Or even, pick based on profiles (non-traveling-customer).

      There are very very few nationwide banks in the US. Mostly they’re regional.

      There’s a reason your card has 4-8 different networks on the back (Pulse, Novus, Cirrus, Abby, ACCEL/Exchange, Acculink, Alberta Regional Network, Alert, Allpoint, Armed Forces Financial Network, ATH, BankMate, Cactus, CarIFS, Cash Station, CO-OP Financial Services, Discover Network, Explore, Honor, Interac, Interlink, Jeanie, Money Access Center, MoneyPass, MOST, NYCE, Presto!, SHAZAM, STAR, SUM, TYME, Via)

      While very few Americans have passports or travel internationally, many more travel outside their bank’s region. I was traveling for years before I got a passport (even unattended minors fly transcontinental).

      While historically people were in families of 4, today many more are single, and thus can’t rely on a spouse to help them from their home region when they’re stuck.

      We also don’t want to encourage fraudsters to do the “hey, buddy, I lost my wallet, can you advance me funds” email things. Right now, most attempts at that fail, because most people don’t believe their buddy would be in place X and not have a way to get what they need w/o asking a buddy for help over the internet. — But that would change, if suddenly too many avenues for fixing things dry up. Suddenly, it would make sense for me to send an email to friends asking for money wired to Western Union.

  16. leallan

    What about the impact to all the small business people whose business may now be at risk? The roofer who gets his nails from HD, the builder who gets lumber and so forth.

    1. peter

      These people are the most exposed with regard to debit cards. There’s a very short window (2 days, I think) to report problems and errors with a commercial account. Personal accounts have 60 days.

    2. timeless

      1. no one should be using debit cards
      2. they need to get their credit/debit cards replaced ASAP, since as noted, businesses have much less protection under the (US) law.

  17. Dan

    5 Million Google Passwords Leaked
    Stolen Credentials Surface on Russian Cybercrime Forums

    If you are a user of Gmail, now might be a good time to change your password.

    The passwords and email addresses for close to 5 million Gmail accounts have been posted to a Russian Bitcoin forum in the form of a text file.

    While forum admins were quick to remove any and all passwords from the file, there is no doubt some accounts are now compromised.

  18. Brett

    I am a law enforcement supervisor at a large municipal department and in my opinion the worst part of cyber crime is that most of the time the actual people responsible for the breaches never get prosecuted due to jurisdictional issues (believe it or not even Canadian companies (like Kik) require a Canadian court order to release IPs/ subscriber info and most fraud reports don’t get investigated due to jurisdiction issues), extradition issues (many countries don’t cooperate with US Law Enforcement), and technology issues (law enforcement is simply not equipped to deal with the massive amount of fraud).

    Privacy groups such as the ACLU constantly fight the police and their ability to investigate crimes while fraudsters are able to get the information quicker and easier than law enforcement. You always hear in the news about massive data breaches and that the FBI is investigating but you rarely see arrests made beyond the people that buy the information and act stupidly when carrying out the crimes.

    The rise in call spoofing apps, free calling and texting apps, prepaid burner mobile plans, encrypted phones, and free public and unsecured wifi access have all essentially destroyed chances of prosecution in many cases I have seen. We have created a monster in this country of accepting criminal activity as the “cost of doing business” and it is time for Americans to wake up. I am not advocating destroying any of the Constitutional protections that make America a great place to live, but I know that I could quit my job tomorrow and become a millionaire by year end by committing financial cyber crime and I know my chances of being caught are slim to none. People simply don’t understand that these hackers and criminals are not necessarily that intelligent; they simply are taking advantage of a system that favors the criminal. I ask one question, for all those that have been a victim of financial fraud, which is probably the majority of people: how many of you saw the criminal prosecuted?

    1. nov

      I’d want to see FBI stats on the number of unsolved cyber crimes with criminals in the US. And, I’d want to see the numbers of unsolved cyber crimes occurring in the US with outside origins (which right now I haven’t seen and haven’t looked for).

      I have faith in seeing high-level cyber criminals and cases brought before a court by the FBI, Federal Prosecutors, US Secret Service, etc–even cyber crimes originating from outside the US–even if municipal law enforcement doesn’t have the jurisdiction to be involved.

    2. Larry

      Yeah, that whole Fourth Amendment thing is sure a drag. Wouldn’t your job be so much easier if you could just download everybody’s web traffic in realtime instead of messing with garbage like warrants and stuff?

      1. Brett

        Nowhere did I say that I want to avoid going through the court for a search warrant or court order. To give you an example, let’s say you are a victim of a cyber crime that originated on the popular “kik” messenger app. The key to solving the case is for law enforcement to identify the user from “kik” that has been communicating with you. This company is based out of Canada and will not respond to any court from the United States. They will only respond to a Canadian court. Law enforcement does not have the resources available to seek assistance from Canadian authorities to solve minor cyber crime. It is also extremely difficult to deal with proxies that come from out of the country. People scream for less regulation on the internet, but they have no clue what they are asking. It is complete anarchy. If the banks and merchants stopped covering the losses, the internet freedom fighters would change tune very quickly. Nobody is asking to take away personal liberties and right of expression on the internet; however if you are committing crimes on the internet, law enforcement should be able to stop you. Our current system simply does not work.

        1. Larry

          “This company is based out of Canada and will not respond to any court from the United States. They will only respond to a Canadian court.”

          If Canada were to recognize U.S. warrants to gain access to Canadian companies, what’s to stop another country from filing warrants to gain access to U.S. companies?

        2. Diane Trefethen

          @Brett & Larry

          Larry’s point is well-taken. No country wants to surrender its citizens to the authority of the courts in another country, nor should they. What should happen is that the courts worldwide should cooperate with each other, at least to the extent that they issue warrants and subpoenas on probable cause if that is what they would do were the same petitions brought before them by their own law enforcement agencies.

    3. timeless

      I’m sure the answer is very small (as a percentage).

      The only reason crooks get caught is that while they don’t get caught the first 10 times, they keep doing it, and eventually they do something for which you can arrest them.

      I appreciate your problem.
      I don’t know of any solutions.

      Open WiFi is not new (it’s >>10 years old).
      Network jumping dates to 1986 and earlier —'s_Egg

      Phreaking dates to the 1950s –

      There are many countries with underdeveloped/broken law systems.

      Parts of South America, parts of Eastern Europe — including Greece, parts of the Middle East — including Turkey, parts of South Asia, parts of Africa, Russia as a whole.

      For a while, Mexico was one of the lawless countries. To some extent, (post NAFTA?) it has improved tremendously, and my impression is that cooperation w/ US LEA is much better than it was three decades ago.

      So, the only roadmap I can point to is “help the other countries develop properly” — a middle class solves most problems.

  19. Ollie

    I am trying to understand who these bad guys are. I can understand someone who wants to accomplish the impossible (e.g. climbing Mt Everest or hacking a website) as opposed to someone who wants to grab a credit card number off a web site and see how much money they can get. If this is the case then someone who wants to brag about their accomplishments will spend lots of time to achieve their goal and they will probably brag about it. On the other hand if they just want to make some bucks then maybe a few obstacles in their path will make them look elsewhere. The guy who posts someone’s credit card number on a web site has achieved their goal. On the other hand the person who buys it may find that it doesn’t work.

    As a cautionary note, we should not jump to the assumption that all bad guys, in the world of hackers, are men.

  20. Stumped

    Today when I checked my checking account balance, I found out that there were 4 charges of about $75 from one gas station about 25 miles away from me. These charges were done on the same day and posted to my account today. I was told that outside pumps at gas stations only allow a $75 max charge. I called my bank to cancel both mine and my husband’s check card. I asked the teller which card it was and she gave me the last 4 digits of a card that neither of us have. I asked for an explanation and she said it’s too complicated. Can anyone please explain to me how this is even possible? We both had our cards, they were never lost, and there is some random way that someone uses my checking account to buy gas?

    1. timeless

      1. Visit your bank in person.

      It sounds like an additional card was “added” to your account. Probably w/ a different mailing address.

      This is more or less “Identity theft” as opposed to the basic cloning that most people here are talking about. It’s definitely a risk as described by Brian.

  21. nov

    Seems to me the teller says there’s an additional card associated with your account (as the teller stated) and simply didn’t explain it (I’m not going to fathom how it happened). Personally, I’d consider getting a “more complicated” answer to satisfy my reason to stick with such a bank or get another bank.




  25. Ray

    Interesting experience.
    I’ve not experienced any problems yet with the debit card I use at Home Depot. However, I took the precaution of cancelling the card at my bank and reissuing a new one.
    While I’m waiting for that one to show up, I purchased something at Home Depot today with the card that will be cancelled soon. I mis-entered the PIN (which I changed already) and went to correct it, and to my surprise my purchase was approved without me re-entering the correct PIN. Go figure.

  26. JATny

    Brian: a couple of grammar corrections:

    Brian, thanks once again for an excellent post. People are asleep out there, but at least here on the Krebs blog, we try to stay awake. I moved into a new space this summer and used Home Depot several times since April. Thanks to this post, I have now changed my debit PIN, set several account debit alerts, gone paperless, changed my online password, and signed up for HD’s free security monitoring. It’s annoying, but everyone’s getting hit. We have to be realistic for now and support changes for the future.

    What shocked me, maybe even more, is that when I tried to post comments with some of the info from here to several online & financial news organizations, I got constantly blocked by requests to give up yet more personal info and allow these organizations to use that info to send me sales material, or insistence that I allow them to use and/or post on my behalf to Facebook. Huh? Several outlets have picked up the essence of your post, so hopefully the real news will get out faster, and at least some people will be saved from getting hit by these jerks.

  27. Mike

    Keep it up.. I received the link to this page from a friend, from a co-worker, etc. But the comment they made was, “Hybrid fraud example. Read the article it is excellent. Krebs is a pain, but he knows his stuff (usually)”

    You should be proud… I also forward it to my old office.

    Thanks for the good work,

    Retired in LA


  29. NotSA

    “Anyone on Ripple (or Stellar) can be a gateway or market maker and provide liquidity on the network. There’s nothing special about Stripe, except that they have more money and reputation than most of us do.

    It does mean that lots of people will trust Stripe to hold USD balances on their behalf.

    If you’re totally paranoid, with Ripple or Stellar, you can decide to only transact fiat currencies with people you know and trust and act as gateways for each other ( The beauty is you can transact with people outside of your circle if one of your friends has extended trust to someone you don’t know. You don’t have to trust them, but as long as you trust someone in common, you can transact with fiat.

    This is the complete opposite design principle of Bitcoin which requires absolutely no trust in any specific authority.

    Because the bitcoin protocol doesn’t take into account the concept of gateways between the blockchain and fiat currencies, bitcoin users are left with relying on exchanges like Mt. Gox to address this. How did that work out?”

    Whatever exchange they are using is authorizing transactions it should not. Not only that, it is authorizing transactions (ATM) in Italy?
