posted by n1 on Thursday September 04 2014, @02:26PM
from the economic-sanctions dept.

Krebs on Security broke a story about Home Depot being breached, with an update stating that the banks believe the breach goes as far back as late April/early May.

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

[...]

In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

Home Depot's stock price also took a dive when the news was released.

Related Stories

Home Depot Estimates Data on 56 Million Cards Stolen by Cybercriminals

In a follow-up to the initial story, Home Depot has released more information about the breach. From the Ars Technica article:

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

It's worth pointing out that an article by Brian Krebs states the investigation is focused on the self-checkout terminals, which might explain why more cards weren't affected.

Home Depot Ignored Security Warnings for Years

ArsTechnica reports:

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating LLC in Charelston, South Carolina [sic] (Charleston, West Virginia; see the update below)—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

See our earlier stories: Credit Card Breach at Home Depot and Home Depot Estimates Data on 56 Million Cards Stolen by Cybercriminals.

[Update: EnerVest was reported by Ars Technica to have been in Charelston, South Carolina, but according to the linked indictment it was actually located in Charleston, West Virginia.]

  • (Score: 2, Redundant) by Subsentient on Thursday September 04 2014, @03:01PM

    by Subsentient (1111) on Thursday September 04 2014, @03:01PM (#89364) Homepage Journal

    Heard about it from my friend, a PC repairman in Florida, two days ago.

    --
    "It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
    • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @03:06PM

      by Anonymous Coward on Thursday September 04 2014, @03:06PM (#89366)

      This, ladies and gentlemen, is why you should not use a debit card. I keep thieves away from my money by making the people I want to buy things from eat the cost. If they eat the cost enough they will fix it.

      But good news is that is a buying opportunity for home depot stock. Home improvement is not going away. They are one of the biggies.

      • (Score: 2) by TK on Thursday September 04 2014, @06:09PM

        by TK (2760) on Thursday September 04 2014, @06:09PM (#89433)

        But good news is that is a buying opportunity for home depot stock. Home improvement is not going away. They are one of the biggies.

        Meh, it's not phenomenal. Between September 2nd, before this was announced, and this morning when it reached the lowest point of the week, the maximum dip was ~4%.

        ~$93 to ~$89 [google.com]

        YMMV, but I personally don't have $10k to buy HD stock.

        --
        The fleas have smaller fleas, upon their backs to bite them, and those fleas have lesser fleas, and so ad infinitum
        • (Score: 3, Insightful) by frojack on Thursday September 04 2014, @07:24PM

          by frojack (1554) on Thursday September 04 2014, @07:24PM (#89465) Journal

          Agreed, it has to dip quite a bit more for it to be a buy.

          However if it gets back to july pricing, or perhaps a bit lower it might be worth it.
          Basically Home Depot is Tracking the DOW [goo.gl] and has not been a spectacular investment.

          --
          No, you are mistaken. I've always had this sig.
      • (Score: 2) by nitehawk214 on Thursday September 04 2014, @09:28PM

        by nitehawk214 (1304) on Thursday September 04 2014, @09:28PM (#89520)

        This, ladies and gentlemen, is why you should not use a debit card.

        And why we need to move to chip-and-pin or some other actually secure credit system.

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 2, Insightful) by DeathMonkey on Thursday September 04 2014, @09:09PM

      by DeathMonkey (1380) on Thursday September 04 2014, @09:09PM (#89512) Journal

      Heard about it from my friend, a PC repairman in Florida, two days ago.

      Who probably read it on this Krebs article that was posted, coincidentally, two days ago.

      You do know how this site works, right?

  • (Score: 2, Insightful) by Chillgamesh on Thursday September 04 2014, @03:09PM

    by Chillgamesh (4619) on Thursday September 04 2014, @03:09PM (#89368)

    Eventually corporations will realize that the risk of cutting corners on information security is greater than the money saved.

    In my fantasy dream world I would love for corporations to band together to create high quality open source software that benefits them all, and saves them from these embarrassments.

    In reality the hack was probably secretly orchestrated by Lowe's.

    • (Score: 4, Insightful) by bob_super on Thursday September 04 2014, @03:20PM

      by bob_super (1357) on Thursday September 04 2014, @03:20PM (#89373)

      Eventually, the credit card industry will finally move the US to chip-and-pin like most of the world (or whatever newer, better thing they can think of), so that it stops being ridiculously easy to use stolen US card numbers.
      It's too expensive to change terminals? The Russians are going to fix that detail.

      I'm coincidentally waiting for a new card, after someone got my number and effortlessly filled a couple big SUV/RV with it... Zip code safety my ass...

      • (Score: 5, Informative) by frojack on Thursday September 04 2014, @06:41PM

        by frojack (1554) on Thursday September 04 2014, @06:41PM (#89448) Journal

        Chip and Pin provides no protection against this type of massive credit card thefts.

        Most of these stolen cards numbers get used for Mail Order or Telephone Order fraud. (MOTO)
        Moto fraud is actually on the rise in much of the EU, and especially Russia. The TYPE of fraud is changing, fraudsters don't bother to clone cards any more, they just use them for internet orders [atmmarketplace.com].

        Very comprehensive report here: http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201402en.pdf [europa.eu]

        Chip and pin has beaten down stolen and cloned card ATM and POS usage in the EU, but it has done nothing to suppress CNP (Card not Present) fraud. (page 10). And this is exactly the type of fraud these massive card heists are used for.

        Still C&P can't hurt in the US, where a lot of these stolen card numbers are sold into, because it's still easy to clone a card in the US. Ars Technica [arstechnica.com] also had an article on this, questioning whether it would be wise to hop onto 20 year old technology.

        In spite of this, credit card fraud rates in the US, while staggeringly high in dollars, are still only 6 cents on 100 dollars, and that rate is still FAR lower than the EU rate after 10 to 15 years on C&P. The size of US fraud in dollars simply demonstrates the size of the US economy compared to the EU, and the extent to which we use credit cards for everything.

        --
        No, you are mistaken. I've always had this sig.
      • (Score: 1) by ibennetch on Friday September 05 2014, @03:27AM

        by ibennetch (1859) on Friday September 05 2014, @03:27AM (#89675)

        Eventually, the credit card industry will finally move the US to chip-and-pin like most of the world

        Unfortunately, there's very little motivation for the credit card companies to initiate this change and very little unity from the vendors to force such a change. The credit card companies don't absorb the loss; they push the loss from fraud back on to the store/vendor. The credit card companies themselves have no financial incentive to improve the situation and ultimately, no one likes change and no one likes to be the manager that spends a lot of corporate money making changes that no one is going to like anyway. I'm a big fan of making improvements to our (US) credit card security, but I just don't see the motivation there from the companies and the vendors are too scattered and disinterested to band together -- I just don't see any big changes coming any time soon.

        • (Score: 3, Insightful) by bob_super on Friday September 05 2014, @05:34AM

          by bob_super (1357) on Friday September 05 2014, @05:34AM (#89705)

          The Ars article linked by Frojack (above) actually says Chip-and-pin will happen in the US over the next few years.
          It cuts on fake card fraud, which was pretty important before the internet happened.

          I do prefer to keep my card in my hand and get a terminal to type a pin on, rather than give my card for some teen to take to the back for 5 minutes out of sight. It won't prevent database hacks, but it reduces the odds of petty fraud.

  • (Score: 2, Interesting) by darthservo on Thursday September 04 2014, @03:19PM

    by darthservo (2423) on Thursday September 04 2014, @03:19PM (#89372)

    I'm curious to know if anyone has insight as to whether or not mobile payments from phones using NFC and wallet apps are more, less or just as vulnerable or severe in these kinds of attacks.

    Just running through a scenario in my mind, it seems like there would be less sensitive data (or at least data that is easier to personally modify to prevent future attacks) when using NFC payments. From what I understand, the retailer would never see a customer's physical debit/credit card number and PIN, so if anything one would only need to perhaps change their NFC PIN or request a new virtual card in the event of such a breach. (Unless the breach was against the Wallet authority itself of course. I suppose it could just be shifting the target.)

    --
    "Good judgment seeks balance and progress. Lack of it eventually finds imbalance and frustration." - Dwight D Eisenhower
    • (Score: 5, Interesting) by Thexalon on Thursday September 04 2014, @04:45PM

      by Thexalon (636) on Thursday September 04 2014, @04:45PM (#89404)

      I would expect that mobile payments would be more vulnerable to attack:

      1. You can now target a consumer device (the phone) rather than a business-controlled device (the POS system). The security of business-controlled devices is obviously far from perfect, but it's light years ahead of the average consumer device.

      2. The retailer seeing a physical card isn't the big problem, the problem is what happens once you go from a physical object to a stream of bits. If anything, mobile payments mean more streams of bits involved (mobile phone to wallet over cell network, wallet to retailer, retailer to payment processor, payment processor to banks), and fewer human eyes looking at the transaction.

      3. As you mention, the wallet authority now makes a very juicy target.

      4. In the case of a breach like this, it is not uncommon for new physical cards to be issued, which is not that much slower than switching virtual cards.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 1) by darthservo on Thursday September 04 2014, @05:09PM

        by darthservo (2423) on Thursday September 04 2014, @05:09PM (#89412)

        Thanks. I certainly see how targeting the device would be easier than POS. And yes, it seems likely that wallet authorities are going to have larger and larger targets painted on them in the near future. (We'll see with time, I guess)

        I guess my question was more focused around a hypothetical case where someone did go to Home Depot during the identified range of breached data but instead of using a physical card they'd used a mobile payment. (Idk if Home Depot even accepts that, but let's go with the hypothesis here) Supposedly the only data Home Depot would have would be the virtual card info. So the consumer's physical card data should still be safe as wallets should only ever be handing the virtual card info, (the transaction to a physical card should only happen with the wallet authority). From this scenario I'm just trying to figure out if that would be more/less disruptive/vulnerable than just using a physical card.

        --
        "Good judgment seeks balance and progress. Lack of it eventually finds imbalance and frustration." - Dwight D Eisenhower
        • (Score: 1, Interesting) by Anonymous Coward on Thursday September 04 2014, @06:12PM

          by Anonymous Coward on Thursday September 04 2014, @06:12PM (#89435)

          Sure, it probably is more robust against this very narrow and specific type of attack. So it would make for great PR for people selling "mobile payments" systems. But what really matters is total system vulnerability - it's kind of like saying that getting shot in the heart is great because at least you didn't get knifed in the heart. Either way you are dead.

          Cash wins every time because your maximum possible loss is limited by what you chose to carry in your pocket, so it is completely under your control - and loss of control (of costs and more broadly data about yourself) seems to be a major theme here at the start of the 21st century.

          FWIW, I bought a $3K washer/dryer pair from Home Depot with cash during this time period and I explicitly told the saleswoman that I was doing it because I knew it was only a matter of time until they got hit just like Target had been hit. She said she believed me, but she was probably just being agreeable on the off chance that I would get pissed and go somewhere else instead. I wonder if she even remembers me now...

        • (Score: 2) by frojack on Thursday September 04 2014, @07:44PM

          by frojack (1554) on Thursday September 04 2014, @07:44PM (#89472) Journal

          I actually think your reasoning is closer than the GP's reasoning, in that Mobile based Virtual payments can be tied to a Pin Lock on the phone, Two Factor Authentication of the phone, and carry a unique, encrypted, one time, key that couldn't be used for anything else, and, because it is solely in the hands of a single company, say Google, or PayPal, it could be nimble as hell.

          This is the beauty of NFC systems, they don't have to get tied down to physical things (cards) and the terminals just have to submit what the phone sent them via NFC without understanding anything about its content other than which wallet authority to send it to.

          Can people clone your phone right down to the IMEI and the IMSI, wifi MAC and serial number? Probably, but not without disrupting the network and leaving clues.

          What we risk is the tyranny of wallet authority. Many people have problems with PayPal, (although you won't if you tell them ahead of time about any increase in your business, etc).

          --
          No, you are mistaken. I've always had this sig.
      • (Score: 2) by nitehawk214 on Thursday September 04 2014, @09:30PM

        by nitehawk214 (1304) on Thursday September 04 2014, @09:30PM (#89521)

        Well in Google's case, they are already a giant giant target. But I expect a lot more security from Google than Home Depot Target. [pun intended]

        But I thought the idea behind NFC type systems is that simply knowing the wallet number does the hacker no good, they would also need to know the pin or password to push the auth through?

        --
        "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
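        Frojack's point above (a one-time, encrypted token the terminal forwards without understanding it) and nitehawk214's question (whether knowing the wallet number alone does a thief any good) can both be made concrete with a small model. The following is an added illustration written for this page, not code from Google, PayPal, any EMV or NFC specification, or SoylentNews; the message format, the HMAC-with-counter scheme, the `WalletAuthority`/`Phone`/`pos_forward` names and the sample store ids are all assumptions made for the example. It shows why a token captured at a compromised POS cannot be replayed, re-priced or spent elsewhere, and why nothing is minted without the PIN. It also shows the limit the thread itself raises: every check happens at the wallet authority, so a breach there is not covered by this design.

```python
"""Toy model of one-time NFC payment tokens (illustrative, not a real protocol).

Assumed design: the wallet authority and the phone share a per-device key;
each tap produces a token bound to merchant, amount and a monotonically
increasing counter, authenticated with HMAC-SHA256. The POS only relays it.
"""
import hashlib
import hmac
import json
import os


def _canonical(token):
    """Serialize the MAC-covered fields in a fixed order (assumed format)."""
    signed = {k: token[k] for k in ("device_id", "merchant", "amount_cents", "counter")}
    return json.dumps(signed, sort_keys=True).encode()


class WalletAuthority:
    """The wallet provider: the only party that holds per-device secret keys."""

    def __init__(self):
        self.device_keys = {}   # device_id -> secret key
        self.last_counter = {}  # device_id -> highest counter accepted so far
        self.ledger = []        # approved (device_id, merchant, amount_cents)

    def enroll(self, device_id):
        key = os.urandom(32)
        self.device_keys[device_id] = key
        self.last_counter[device_id] = 0
        return key

    def authorize(self, token):
        """Check a token the merchant forwarded; returns (approved, reason)."""
        key = self.device_keys.get(token.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _canonical(token), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("mac", "")):
            return False, "bad mac"   # any edit to merchant/amount/counter lands here
        if token["counter"] <= self.last_counter[token["device_id"]]:
            return False, "replay"    # the same token presented a second time
        self.last_counter[token["device_id"]] = token["counter"]
        self.ledger.append((token["device_id"], token["merchant"], token["amount_cents"]))
        return True, "approved"


class Phone:
    """The customer's device: holds the key and requires a PIN for every tap."""

    def __init__(self, device_id, key, pin):
        self.device_id = device_id
        self._key = key
        self._pin = pin
        self._counter = 0
        self._unlocked = False

    def unlock(self, pin):
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked

    def tap(self, merchant, amount_cents):
        """Produce the blob the terminal sees over NFC: bound to this merchant,
        this amount and a fresh counter, so it is worthless anywhere else."""
        if not self._unlocked:
            raise PermissionError("PIN required before tapping")
        self._unlocked = False  # one tap per PIN entry
        self._counter += 1
        token = {"device_id": self.device_id, "merchant": merchant,
                 "amount_cents": amount_cents, "counter": self._counter}
        token["mac"] = hmac.new(self._key, _canonical(token), hashlib.sha256).hexdigest()
        return token


def pos_forward(authority, token):
    """The store's POS system relays the token without interpreting it."""
    return authority.authorize(token)


def demo():
    """One legitimate tap, then what a logged copy of that token is worth."""
    authority = WalletAuthority()
    phone = Phone("phone-42", authority.enroll("phone-42"), pin="1234")
    results = {}

    phone.unlock("1234")
    token = phone.tap("store-0001", 5000)  # $50.00 at one store (constructed)
    results["legit"] = pos_forward(authority, token)

    # Defender's checks: a token copied from a compromised POS buys nothing.
    results["replay"] = pos_forward(authority, token)
    results["altered_amount"] = pos_forward(authority, dict(token, amount_cents=999999))
    results["other_merchant"] = pos_forward(authority, dict(token, merchant="store-0002"))

    # Without the PIN the phone does not mint a token at all.
    try:
        phone.tap("store-0001", 100)
        results["no_pin"] = "token issued"
    except PermissionError:
        results["no_pin"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the merchant never holds anything reusable: the POS sees a counter-bound MAC, not a card number, so a breach of the kind this story describes would yield tokens that have already been spent. What it does not change is the concentration of risk at the wallet authority, which holds every device key and the replay state.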
  • (Score: 2, Interesting) by SrLnclt on Thursday September 04 2014, @03:54PM

    by SrLnclt (1473) on Thursday September 04 2014, @03:54PM (#89383)

    While generally not a fan of government regulation, I had been hoping for some new laws to hold companies accountable for loss of personally identifiable data. Maybe average people and/or stockholders are finally waking up and doing the next best thing - talking with their wallet.

    Home Depot's stock price also took a dive when the news was released.

  • (Score: 2) by evilviper on Thursday September 04 2014, @04:09PM

    by evilviper (1760) on Thursday September 04 2014, @04:09PM (#89389) Homepage Journal

    Home Depot says they will offer free credit monitoring and protection services to all customers who ask:

    http://www.thestar.com/business/2014/09/03/home_depot_offers_free_credit_monitoring_to_customers_as_it_investigates_possible_breach.html [thestar.com]

    If I was you, I'd make damn sure to ask them...

    I've spent a ton of money there, but I always pay in cash. I've ordered a few items online that weren't available in stores, but paid with paypal, so I'll probably be unaffected.

    --
    Hydrogen cyanide is a delicious and necessary part of the human diet.
    • (Score: 1, Informative) by Anonymous Coward on Thursday September 04 2014, @06:18PM

      by Anonymous Coward on Thursday September 04 2014, @06:18PM (#89438)

      Home Depot says they will offer free credit monitoring and protection services to all customers who ask:

      Credit monitoring is just a PR move. It doesn't actually stop any abuse, just tells you about it after the fact. You still have to go through all the hassle of cleaning up afterwards. The companies selling credit monitoring are making a killing off these events but the utility for anyone who actually gets targeted is minimal. If they were serious they would cover the expenses (time and money) of anyone who has to clear the fraud off their record.

    • (Score: 2) by frojack on Thursday September 04 2014, @06:50PM

      by frojack (1554) on Thursday September 04 2014, @06:50PM (#89453) Journal

      I use a Home Depot credit card when I shop there.

      Its no good anywhere else, neither is a Target card or a Macy's card. Much as I hate carrying a zillion cards around, it compartmentalizes any losses, to a single chain.

      On the other hand, I've never lost a penny due to credit card thefts or breaches. I've had my cards replaced out of the blue a couple times with vague explanations about breaches at a merchant I visited in the past.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Friday September 05 2014, @05:56AM

        by Anonymous Coward on Friday September 05 2014, @05:56AM (#89710)

        You didn't lose an actual penny, but you are even more vulnerable to identity fraud because every place you have a store card now has a copy of all the information necessary to apply for credit in your name. Plus, that's only the most straightforward risk; that information might be used to manipulate family members or to trick you into doing something that makes you more vulnerable at some point in the future. After all, your birthdate won't ever change and your home address and phone number don't change very frequently. CC#'s are the low-hanging fruit, but once that's plucked they will be looking for new ways to exploit stolen information.

        • (Score: 2) by frojack on Friday September 05 2014, @06:43AM

          by frojack (1554) on Friday September 05 2014, @06:43AM (#89714) Journal

          True. I'm pretty paranoid about all of that stuff.

          And when I say I haven't lost a cent, it wasn't exactly accurate because prices go up to cover fraud, and credit card clearing companies end up charging higher interest rates just to cover losses.

          --
          No, you are mistaken. I've always had this sig.
  • (Score: 1) by pnkwarhall on Thursday September 04 2014, @04:22PM

    by pnkwarhall (4558) on Thursday September 04 2014, @04:22PM (#89397)

    I recently received a replacement card from my bank -- unrequested -- with an accompanying notice mentioning activity such as this, and this spate of recent CC-related compromises has definitely made it seem more risky to use my debit card at major retailers (I'm sure I'm not the only one). I also recently became aware of how incredibly lucrative the charge-card business is from a charge-per-transaction standpoint (please forgive my naivety -- I previously thought it was a flat fee per credit transaction, as opposed to a percentage).

    In an effort to not automatically "look where the finger points", I wonder if there are other motives at play here. Could these high-profile compromises be jihadi-backed FUD attacking a very basic part of the financial ecosystem? A general shift to more cash transactions would have a negative and unprofitable effect on "big business" (CC companies and mega-corps), while being a relatively minor nuisance to most smaller businesses/targets.

    --
    Lift Yr Skinny Fists Like Antennas to Heaven
    • (Score: 2) by tibman on Thursday September 04 2014, @05:38PM

      by tibman (134) Subscriber Badge on Thursday September 04 2014, @05:38PM (#89423)

      I wonder if that's not a bad idea to occasionally do. Just get a replacement card and redo all your subscriptions once a year. I'm already used to the reformat and reinstall cycle with Windows.

      --
      SN won't survive on lurkers alone. Write comments.
    • (Score: 0) by Anonymous Coward on Thursday September 04 2014, @06:22PM

      by Anonymous Coward on Thursday September 04 2014, @06:22PM (#89440)

      > Could these high-profile compromises be jihadi-backed FUD

      Lol.
      Seriously that doesn't even pass the laugh test.
      These crimes are happening because (a) it is relatively easy and (b) it is very profitable.
      No need to come up with crazy ass theories about cave-dwellers being master mafioso hackers.

  • (Score: 3, Insightful) by digitalaudiorock on Thursday September 04 2014, @07:16PM

    by digitalaudiorock (688) on Thursday September 04 2014, @07:16PM (#89462) Journal

    My main credit card is a Mastercard. I've never had any fraudulent activity on it ever, luckily. However over the last few years, due to stuff like this, they've sent us new cards six times over the last few years, because our card may have been involved in some breach.

    Every time of course means making credit card number changes all over the fucking place. Since I use that card at HD I almost guarantee this will make seven.

    I think the primary reason for all this is companies thinking they can get good IT people for shit salaries. You get what you pay for...and ironically we all get to pay for this.

    Oh yea...and debit cards...I've NEVER used a debit card as anything but an ATM card at my bank...period. Remember when "ATM cards" were all you got? I remember when I had my first debit card forced on me by my bank in place of my ATM card. I wanted no part of it because of the added risk for something I had no use for. I even called them about it, but that was all they offered. Scumbags...all of 'em.

    • (Score: 4, Interesting) by frojack on Thursday September 04 2014, @07:54PM

      by frojack (1554) on Thursday September 04 2014, @07:54PM (#89475) Journal

      Ever had your card get replaced while you were traveling?

      Grrrr, that's really a pain in the ass. They say they can get you a new card in 24 hours, (which they usually can't), so you better have another card to live off of while that happens.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by tangomargarine on Thursday September 04 2014, @09:01PM

      by tangomargarine (667) on Thursday September 04 2014, @09:01PM (#89508)

      I like the "feature" where they fine you $14 (or was it $35? I accidentally did it once) to cover an overage payment. It's DEBIT--it's not supposed to LET you overdraft!

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"