
posted by martyb on Saturday September 20 2014, @03:32AM   Printer-friendly
from the is-there-a-cardiologist-in-the-house? dept.

In a follow-up to the initial story, Home Depot has released more information about the breach. From the Ars Technica article:

The cybercriminals that compromised Home Depot's network and installed malware on the home-supply company's point-of-sale systems likely stole information on 56 million payment cards, the company stated on Thursday.

In the first details revealed in its investigation of the breach, the company said the malicious software that compromised those payment systems had been custom-built to avoid triggering security software. The breach included stores in the United States and Canada and appears to have compromised transactions that occurred between April and September 2014.

It's worth pointing out that an article by Brian Krebs states the investigation is focused on the self-checkout terminals, which might explain why more cards weren't affected.

Related Stories

Credit Card Breach at Home Depot

Krebs on Security broke a story about Home Depot being breached, with an update stating that the banks believe the breach goes as far back as late April/early May.

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

[...]

In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”

Home Depot's stock price also took a dive when the news was released.

Home Depot Ignored Security Warnings for Years

ArsTechnica reports:

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by the New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating LLC in Charelston, South Carolina [sic: Charleston, West Virginia; see the update below]—and he sabotaged that company’s network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot’s security until he pled guilty to federal charges in January of 2014.

See our earlier stories: Credit Card Breach at Home Depot and Home Depot Estimates Data on 56 Million Cards Stolen by Cybercriminals.

[Update: EnerVest was reported by Ars Technica to have been in Charelston, South Carolina, but according to the linked indictment it was actually located in Charleston, West Virginia.]

  • (Score: 2) by kaszz (4211) on Saturday September 20 2014, @04:15AM (#95756) Journal

    From krebsonsecurity.com: In Home Depot breach, investigation focuses on self-checkout lanes [krebsonsecurity.com]:
    Seems the breach occurred on the self-checkout terminals. They use a GUI and stuff, so it's a fully featured system. But the fine print seems to be that it runs Microsoft Windows XP Embedded. And some of their backend seems to run 10+ year old versions of AIX systems that are then unpatchable.

    Add to this that it seems possible to use stolen social security numbers (SSNs) to create credit cards (CCs) that you are responsible for. To hinder anything detrimental to your financial wellbeing, you then need a “credit monitoring” service. For a fee, of course. Such that you pay for other people's sloppy practices.

    Obviously there are technical solutions so that's not the problem. The solution lies with the management both of this company and of the country (financial rules).

    As for now the advice perhaps is to keep your credit card out of any terminal that seems too intelligent, i.e. runs anything Microsoft for starters. And instead use the cashier checkout, but those may also be Windows GUI infestations. Subscribe to at least one credible “credit monitoring” service and sue any entity with sloppy credit card handling for profit (why not profit when you have to pay anyway). Make use of BankAmerica’s ShopSafe CC with expiry date or CitiBank unique CC generation but without expiry date.

    Still seems weird that unencrypted credit card numbers are even allowed to leave the customer terminal at all! They should be challenge-response and any cleartext numbers should not even be exposed outside the physical card.
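The contrast the comment draws, as an added example (not code from the comment, from Home Depot, or from any card network's specification): a small Python simulation of a static-secret credential next to a challenge-response one. In the static scheme the terminal's buffer holds everything the issuer checks, so a RAM scraper's copy of it is as good as the card. In the challenge-response scheme a per-card key stays on the chip and the terminal only ever sees a one-use cryptogram over an issuer nonce and the amount. The track 2 string, the PAN (a standard test number), the `Card`/`Issuer` classes and the HMAC-SHA256 cryptogram are assumptions of the example, not what EMV puts on the wire.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a Luhn-valid test PAN in track 2 layout (PAN '=' YYMM service-code
# discretionary data), as a POS terminal holds it in memory after a swipe. Not a real card.
TRACK2 = ";4111111111111111=27011010000000000000?"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; memory scrapers use it to filter candidate PANs out of RAM."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled, 10..18 -> 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a track 2 string into the fields a terminal (or a scraper) cares about."""
    pan, rest = track.strip(";?").split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def cryptogram(key: bytes, nonce: str, amount_cents: int) -> str:
    """Card-side response: MAC over the issuer's challenge and the amount (assumed construction)."""
    return hmac.new(key, f"{nonce}:{amount_cents}".encode(), hashlib.sha256).hexdigest()


class Card:
    """The key lives only here; the terminal sees cryptograms, never the key."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key = pan, key

    def respond(self, nonce: str, amount_cents: int) -> dict:
        return {"pan": self.pan, "nonce": nonce, "amount": amount_cents,
                "cryptogram": cryptogram(self._key, nonce, amount_cents)}


class Issuer:
    def __init__(self):
        self.keys = {}        # pan -> issuer copy of the card key (an HSM in real life)
        self.pending = set()  # challenges issued but not yet consumed

    def enroll(self, pan: str) -> bytes:
        self.keys[pan] = secrets.token_bytes(16)
        return self.keys[pan]

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.pending.add(nonce)
        return nonce

    def authorize_static(self, msg: dict) -> bool:
        # Static-secret scheme: the PAN (plus expiry) is the whole credential.
        return msg["pan"] in self.keys

    def authorize_cr(self, msg: dict) -> bool:
        key = self.keys.get(msg["pan"])
        if key is None or msg["nonce"] not in self.pending:
            return False
        self.pending.discard(msg["nonce"])  # one attempt per challenge, pass or fail
        expected = cryptogram(key, msg["nonce"], msg["amount"])
        return hmac.compare_digest(expected, msg["cryptogram"])


def demo() -> dict:
    issuer = Issuer()
    info = parse_track2(TRACK2)
    card = Card(info["pan"], issuer.enroll(info["pan"]))

    # 1. Static scheme: the scraper copies the terminal's buffer and reuses it with any amount.
    scraped = {"pan": info["pan"], "expiry": info["expiry"], "amount": 4200}
    scraped["amount"] = 99900
    static_replay = issuer.authorize_static(scraped)

    # 2. Challenge-response: capture one genuine transaction, then try every replay variant.
    msg = card.respond(issuer.challenge(), 4200)
    genuine = issuer.authorize_cr(msg)
    verbatim = issuer.authorize_cr(dict(msg))                                # same nonce again
    fresh_nonce = issuer.authorize_cr(dict(msg, nonce=issuer.challenge()))   # old cryptogram, new nonce
    tampered = issuer.authorize_cr(dict(card.respond(issuer.challenge(), 4200), amount=99900))

    return {"luhn_ok": luhn_ok(info["pan"]), "static_replay": static_replay, "genuine": genuine,
            "replay_same_nonce": verbatim, "replay_new_nonce": fresh_nonce,
            "amount_changed": tampered}
```

`demo()` returns `static_replay=True` and every challenge-response replay `False`: the only reusable thing in the scraped buffer is the PAN, and under the second scheme the PAN alone authorizes nothing. The nonce is discarded on first use whether or not the MAC verifies, so a captured cryptogram cannot be retried against the same challenge.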

    • (Score: 2) by Leebert (3511) on Saturday September 20 2014, @05:01AM (#95764)

      Subscribe to at least one credible “credit monitoring” service

      Why would I do that? Every year some huge retailer gives me a free year's monitoring. :)

      • (Score: 2) by rts008 (3001) on Saturday September 20 2014, @02:30PM (#95858)

        Well played.
        Thanks for that one! :-)

        How I miss Monty Python... :-(

    • (Score: 2) by Ezber Bozmak (764) on Saturday September 20 2014, @05:24AM (#95770)

      Credit monitoring services are a waste, and when a company like Target or Home Depot gives away a 'free' year's subscription it is just PR. The problem with credit monitoring is that it is after the fact. You still get hosed, you just find out about it a little bit sooner. You aren't liable for credit fraud committed in your name anyway. The hard part is proving that it was fraud in the first place. But none of the services do anything to help you clean up that mess.

      • (Score: 3, Interesting) by frojack (1554) on Saturday September 20 2014, @06:57AM (#95777) Journal

        No, it's not that hard to prove it's fraud; in fact, you would be amazed how much of the time the credit card companies block fraud before you even know you've been exposed.

        They know goddamned well you aren't going to present a card for payment half a continent away on the same day you pump gas at your favorite station. They know you don't have travel booked because you always book travel with your Amex, even though the charge that showed up in New Jersey was on your Visa.

        Worried about Home Depot? Use a Home Depot card. Thieves don't even bother to steal these because they are harder to monetize anywhere away from your local home depot stores.

        --
        No, you are mistaken. I've always had this sig.
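The issuer-side heuristic the comment describes, as an added example (not code from the comment or from any issuer): an impossible-travel check run over a constructed stream of authorizations for one card. Consecutive card-present authorizations are compared by great-circle distance over elapsed time; anything implying faster than airliner speed is flagged. The sample authorizations, coordinates, timestamps and the 900 km/h threshold are all assumptions of the example; real issuer data carries UTC timestamps and merchant geolocation from the acquirer.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed authorization stream for one card: (timestamp, merchant, lat, lon, card_present).
AUTHS = [
    ("2014-09-20T08:05:00", "Gas station, Seattle WA", 47.61, -122.33, True),
    ("2014-09-20T08:40:00", "Hardware store, Seattle WA", 47.66, -122.30, True),
    ("2014-09-20T11:10:00", "Electronics store, Newark NJ", 40.73, -74.17, True),
    ("2014-09-20T12:30:00", "Airline web site", 0.0, 0.0, False),
    ("2014-09-20T18:00:00", "Grocery, Seattle WA", 47.62, -122.35, True),
]
MAX_KMH = 900.0  # about airliner cruise speed; faster than this is not travel, it is a clone


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(auths, max_kmh=MAX_KMH):
    """Return the card-present auths that imply travelling faster than max_kmh since the last
    card-present auth that was not itself flagged (so one bad auth does not poison the next)."""
    flagged = []
    anchor = None  # (timestamp, lat, lon) of the last trusted card-present auth
    for ts_s, merchant, lat, lon, present in sorted(auths):
        if not present:
            continue  # card-not-present (web, phone) carries no physical location
        ts = datetime.fromisoformat(ts_s)
        if anchor is not None:
            a_ts, a_lat, a_lon = anchor
            hours = (ts - a_ts).total_seconds() / 3600.0
            km = haversine_km(a_lat, a_lon, lat, lon)
            if hours > 0:
                speed = km / hours
            else:
                speed = float("inf") if km > 0 else 0.0  # same instant, different place
            if speed > max_kmh:
                flagged.append({"merchant": merchant, "km": round(km), "kmh": round(speed)})
                continue  # keep the trusted anchor; do not chain off a suspect auth
        anchor = (ts, lat, lon)
    return flagged
```

Only the Newark authorization is flagged: Seattle to Newark in two and a half hours is about 3,850 km at roughly 1,500 km/h. The later Seattle grocery purchase is compared against the last trusted Seattle authorization, not against Newark, which is why it passes; had the anchor advanced to the flagged auth, the genuine purchase would have been flagged too. The card-not-present airline booking is skipped because it has no location to reason about.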
        • (Score: 2) by Ezber Bozmak (764) on Saturday September 20 2014, @08:26AM (#95788)

          Your presumption is that credit card fraud is the only kind of credit fraud. That would be false.

          It is true that in general credit card fraud is relatively easy to dispute, but a credit monitoring service cannot tell you if your current CC# has been used fraudulently. So that's orthogonal to any possible value of using a credit monitoring service.

      • (Score: 2) by kaszz (4211) on Saturday September 20 2014, @12:56PM (#95829) Journal

        How does one prevent any credit card fraud attached to your name in the first place?

        • (Score: 2) by Ezber Bozmak (764) on Saturday September 20 2014, @01:16PM (#95838)

          You can put various kinds of holds on your credit. It is needlessly complex: you have to contact each major credit reporting agency and tell them. Most of the kinds of holds available to you expire in less than a year.

          • (Score: 2) by kaszz (4211) on Saturday September 20 2014, @02:03PM (#95846) Journal

            How many major credit reporting agencies are there?

  • (Score: 1) by Nail_Biter (4135) on Saturday September 20 2014, @04:31AM (#95761)

    This piece was a bit of an eye opener:

    Why do massive credit card hacks keep happening? [semiaccurate.com]

    • (Score: 2) by frojack (1554) on Saturday September 20 2014, @07:08AM (#95779) Journal

      A useless rant if you ask me.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 1) by pnkwarhall (4558) on Saturday September 20 2014, @05:09PM (#95896)
      FTLA:

      Only one link in the chain has the power, and that is the top.

      The power of what, exactly?

      In the case of credit itself, the companies like Visa and MasterCard are offering something of value. But for the majority of consumers, the service offered by these companies is merely convenience. The business being paid via payment card doesn't gain anything out of the payment card transaction -- in fact, it loses (the fees-per-transaction paid*)! In other words, the business is the entity paying for our ability to pay with more convenient methods than cash. Other than the not-insignificant fact that a majority of customers pay via card (and would lose these customers to competitors who do take the payment card as tender), the business gains nothing out of this system.

      So the power of the payment card company is that of taking advantage of collective human nature -- the impulse to take the easy, convenient route -- at the expense of the individual (business and human). Of course the payment card company is more powerful than the individual! The collective is always more powerful than the individual. But the power of that single link is built on many, many "weaker" links created by habit and base instinct...


      *I know that many merchants take these fees into account when setting prices. But how they take these fees into account depends heavily on their nature.

      --
      Lift Yr Skinny Fists Like Antennas to Heaven
      • (Score: 0) by Anonymous Coward on Saturday September 20 2014, @07:06PM (#95939)

        > the business gains nothing out of this system.

        That is incorrect. Electronic payment systems eliminate the risk of employees skimming the till (which is surprisingly common) and they also reduce the risk of robbery, because the less cash on hand, the less incentive to rob. For my family-owned business, taking that deposit bag to the bank every Friday afternoon was one of the riskiest parts of doing business.

        • (Score: 1) by pnkwarhall (4558) on Sunday September 21 2014, @12:57AM (#96083)
          Thank you for your input -- I had not thought of those benefits.

          But with respect to the "less cash/less robbery incentive" benefit, the major point of the linked article in OP's post was that the major financial loser when these credit card compromises occur is the business itself. So doesn't the use of electronic payment systems just shift the risk to a different form of robbery?

          (I'll concede a small, local business would be a less-lucrative target for these type of compromises, and thus would be less likely to experience this.)
          --
          Lift Yr Skinny Fists Like Antennas to Heaven
  • (Score: 2) by Leebert (3511) on Saturday September 20 2014, @05:04AM (#95765)

    My own take on these things is colored by somewhat recent personal experience.

    I did the lion's share of the forensic analysis in this incident [computerworld.com]. Trolled through all of that data for weeks extracting records from files, but never found myself in any of them. It would have been nice to have at least gotten some credit monitoring out of it for my troubles. But anyway...

    Having gone through that experience, I have what is probably a fairly unique level of sympathy for the technical folks dealing with this. You're busy trying to do some pretty heavy lifting technically while also having to constantly keep management up to date so that they can not only manage the PR aspects of the breach, but also communicate as much actionable information to the affected people as quickly as possible. Which you definitely want to do, because you want to make sure people get the right information to assess the risk and take steps to protect themselves. And you become very aware that any mistake you make in your analysis can exacerbate the situation pretty significantly: you have no desire to be the reason why your organization is putting out information, then retracting it, or changing it, or contradicting itself... It's pretty stressful.

    I feel for Target and Home Depot. Sure, they screwed up in protecting sensitive data. But realistically, the root problem here is the stupid credit card system we have in this country. If our payment cards weren't based on not-so-secret secret numbers instead of sound authentication schemes, there wouldn't even be something they'd have to protect that COULD be compromised. Visa and friends continue to use such a stupid system in spite of having more than enough resources to have corrected it over the past couple of decades, then Home Depot and Target take the fall for the inevitable failure of that broken system, which people SHOULD be blaming on the credit card companies instead.

    • (Score: 2) by Ezber Bozmak (764) on Saturday September 20 2014, @05:18AM (#95767)

      But realistically, the root problem here is the stupid credit card system we have in this country. If our payment card weren't based on not-so-secret secret numbers instead of sound authentication schemes, there wouldn't even be something they'd have to protect that COULD be compromised.

      No, it is only that CC#'s are the lowest hanging fruit. If and when they are eliminated (perhaps with chip and pin, presuming there are no exploitable vulnerabilities with that) the thieves will move up the tree. We already know that the Target breach included phone numbers, mailing address and email addresses. [target.com] We'll see them going after the information necessary to impersonate people and/or impersonate the institutions people trust ("Hello, this is Bank of America calling, there seems to be a problem with your account. For security purposes, before we begin I will prove that I am calling from BoA by telling you your last 10 purchases...").

      The problem isn't just CC#'s the problem is too much data collected unnecessarily and then poorly secured because the businesses involved have responsibility without accountability.

      • (Score: 2) by opinionated_science (4031) on Saturday September 20 2014, @03:22PM (#95871)

        I agree, there should be stiff liability based on, say, a percentage of gross operation. So a Mom and Pop store is clearly less responsible than Home Depot.

        It might also help if two-factor was used more often with cell phones. For example, when >$limit you get a text message with a secondary code that the terminal needs to complete the transaction. As they would be one-time, the CC number would be no use, and this is better than chip and PIN, which has the weakness of a non-changing PIN.

        My instincts are just like voting machines, these are all "special" terminals with bespoke software, so I am not holding my breath....
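The step-up scheme proposed in the comment above, as an added example (not code from the comment or from any issuer or network): a Python model of an issuer that approves small card-present transactions outright and, above a limit, sends a one-time code out of band that the terminal must hand back to complete. The code is bound to the transaction it was issued for (same amount, same merchant) and consumed on first use, so a scraped PAN, and even a scraped code, buys an attacker nothing at another terminal. The $100 limit, the `Issuer` class, the SMS text, the store names and the test PAN are all assumptions of the example.

```python
import secrets

LIMIT_CENTS = 10_000  # assumption for the example: step-up required above $100.00


class Issuer:
    """Issuer side of a transaction-bound one-time code (assumed design, not any network's)."""

    def __init__(self):
        self.phones = {}   # pan -> phone number on file
        self.pending = {}  # txn_id -> (pan, amount_cents, merchant, code)
        self.outbox = []   # constructed stand-in for the SMS gateway: (phone, text)

    def enroll(self, pan: str, phone: str) -> None:
        self.phones[pan] = phone

    def start(self, pan: str, amount_cents: int, merchant: str) -> dict:
        """Terminal asks for authorization; below the limit it is approved outright."""
        if pan not in self.phones:
            return {"approved": False, "txn_id": None}
        if amount_cents <= LIMIT_CENTS:
            return {"approved": True, "txn_id": None}
        txn_id = secrets.token_hex(4)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[txn_id] = (pan, amount_cents, merchant, code)
        # The text names the amount and merchant so the customer can spot a mismatch.
        self.outbox.append((self.phones[pan],
                            f"Approve ${amount_cents / 100:.2f} at {merchant}? Code {code}"))
        return {"approved": False, "txn_id": txn_id}

    def complete(self, txn_id: str, amount_cents: int, merchant: str, code: str) -> bool:
        """Terminal forwards the customer's code; one attempt per challenge, pass or fail."""
        rec = self.pending.pop(txn_id, None)
        if rec is None:
            return False
        pan, amt, mer, expected = rec
        if (amount_cents, merchant) != (amt, mer):
            return False  # the code is bound to the transaction it was issued for
        return secrets.compare_digest(expected, code)


def code_from_sms(text: str) -> str:
    """What the customer does: read the six digits off the phone."""
    return text.rsplit("Code ", 1)[1]


def demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"  # standard test number, not a real card
    issuer.enroll(pan, "+1-555-0100")

    small = issuer.start(pan, 4200, "Hardware store A")["approved"]

    # Legitimate purchase over the limit: the customer reads the code off the phone.
    big = issuer.start(pan, 25_000, "Hardware store A")
    code = code_from_sms(issuer.outbox[-1][1])
    ok = issuer.complete(big["txn_id"], 25_000, "Hardware store A", code)

    # A scraper that lifted pan, txn_id and code from terminal memory tries them again.
    replayed = issuer.complete(big["txn_id"], 25_000, "Hardware store A", code)

    # Same code, but the completion message carries an altered amount.
    big2 = issuer.start(pan, 25_000, "Hardware store A")
    code2 = code_from_sms(issuer.outbox[-1][1])
    altered = issuer.complete(big2["txn_id"], 99_900, "Hardware store A", code2)

    # Stolen PAN used elsewhere over the limit: the attacker never sees the phone,
    # so a wrong code (deliberately the wrong length, so it can never match) is all they have.
    elsewhere = issuer.start(pan, 50_000, "Electronics store B")
    guessed = issuer.complete(elsewhere["txn_id"], 50_000, "Electronics store B", "0000000")

    return {"below_limit": small, "code_ok": ok, "replay": replayed,
            "amount_altered": altered, "guess": guessed, "sms_sent": len(issuer.outbox)}
```

Two design points worth keeping if this is built for real: the pending record is popped before the comparison, so every challenge allows exactly one attempt and a captured code cannot be retried; and the SMS states the amount and merchant, which is the only defence the customer has against a terminal that asks for a code for one amount and then completes for another.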

  • (Score: 2, Insightful) by Whoever (4524) on Saturday September 20 2014, @05:23AM (#95769) Journal

    At my local Home Depot, the majority of people are directed to the self-checkout terminals. The terminals with an operator are limited to the garden area and the building materials area. There are 4 self-checkout terminals and 4 traditional terminals, not all of which are typically manned.

  • (Score: 0) by Anonymous Coward on Saturday September 20 2014, @10:47AM (#95808)

    Time to start paying cash only...