Krebs on Security broke a story about Home Depot being breached, with an update stating that the banks believe the breach goes as far back as late April/early May.
Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.
[...]
In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”
Home Depot's stock price also took a dive when the news was released.
(Score: 5, Interesting) by Thexalon on Thursday September 04 2014, @04:45PM
I would expect that mobile payments would be more vulnerable to attack:
1. You can now target a consumer device (the phone) rather than a business-controlled device (the POS system). The security of business-controlled devices is obviously far from perfect, but it's light years ahead of the average consumer device.
2. The retailer seeing a physical card isn't the big problem, the problem is what happens once you go from a physical object to a stream of bits. If anything, mobile payments mean more streams of bits involved (mobile phone to wallet over cell network, wallet to retailer, retailer to payment processor, payment processor to banks), and fewer human eyes looking at the transaction.
3. As you mention, the wallet authority now makes a very juicy target.
4. In the case of a breach like this, it is not uncommon for new physical cards to be issued, which is not that much slower than switching virtual cards.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1) by darthservo on Thursday September 04 2014, @05:09PM
Thanks. I certainly see how targeting the device would be easier than POS. And yes, it seems likely that wallet authorities are going to have larger and larger targets painted on them in the near future. (We'll see with time, I guess)
I guess my question was more focused around a hypothetical case where someone did go to Home Depot during the identified range of breached data but instead of using a physical card they'd used a mobile payment. (Idk if Home Depot even accepts that, but let's go with the hypothesis here.) Supposedly the only data Home Depot would have would be the virtual card info. So the consumer's physical card data should still be safe, as wallets should only ever be handing over the virtual card info (the transaction to a physical card should only happen with the wallet authority). From this scenario I'm just trying to figure out if that would be more/less disruptive/vulnerable than just using a physical card.
"Good judgment seeks balance and progress. Lack of it eventually finds imbalance and frustration." - Dwight D Eisenhower
(Score: 1, Interesting) by Anonymous Coward on Thursday September 04 2014, @06:12PM
Sure, it probably is more robust against this very narrow and specific type of attack. So it would make for great PR for people selling "mobile payments" systems. But what really matters is total system vulnerability - it's kind of like saying that getting shot in the heart is great because at least you didn't get knifed in the heart. Either way you are dead.
Cash wins every time because your maximum possible loss is limited by what you chose to carry in your pocket, so it is completely under your control - and loss of control (of costs and, more broadly, data about yourself) seems to be a major theme here at the start of the 21st century.
FWIW, I bought a $3K washer/dryer pair from Home Depot with cash during this time period and I explicitly told the saleswoman that I was doing it because I knew it was only a matter of time until they got hit just like Target had been hit. She said she believed me, but she was probably just being agreeable on the off chance that I would get pissed and go somewhere else instead. I wonder if she even remembers me now...
(Score: 2) by frojack on Thursday September 04 2014, @07:44PM
I actually think your reasoning is closer than the GP's reasoning, in that mobile-based virtual payments can be tied to a PIN lock on the phone, two-factor authentication of the phone, and carry a unique, encrypted, one-time key that couldn't be used for anything else, and, because it is solely in the hands of a single company, say Google or PayPal, it could be nimble as hell.
This is the beauty of NFC systems: they don't have to get tied down to physical things (cards), and the terminals just have to submit what the phone sent them via NFC without understanding anything about its content other than which wallet authority to send it to.
Can people clone your phone right down to the IMEI and the IMSI, wifi MAC and serial number? Probably, but not without disrupting the network and leaving clues.
What we risk is the tyranny of wallet authority. Many people have problems with PayPal (although you won't if you tell them ahead of time about any increase in your business, etc.).
No, you are mistaken. I've always had this sig.
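The flow darthservo asks about (merchant only ever sees virtual card data) and frojack describes (a one-time credential the terminal forwards without understanding) can be modelled in a few dozen lines. The code below is an added illustration for this thread, not code from Home Depot, Google, PayPal or any real payment network; every class, name, the hypothetical card number and the HMAC-based cryptogram are constructed for the example. The point it makes: a merchant-side breach of this design leaks tokens and cryptograms rather than the real card number, a verbatim replay of a captured payment is rejected, and a captured payment cannot be redirected to another merchant.

```python
"""Toy model of a tokenized mobile payment (constructed example, hypothetical names).

Three parties:
  WalletAuthority - holds the real card numbers (PANs) and per-device keys;
                    the only party that can map a token back to a PAN.
  Phone           - holds a device token and key; signs each payment with an
                    HMAC cryptogram over merchant, amount and a fresh nonce.
  Merchant        - the POS: forwards the payload unchanged and logs it, which
                    is exactly what a breached retailer database would expose.
"""
import hashlib
import hmac
import json
import secrets


def cryptogram(key, token, merchant, amount_cents, nonce):
    """Bind one payment to one merchant, amount and nonce under the device key."""
    data = f"{token}|{merchant}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class WalletAuthority:
    def __init__(self):
        self._pan_by_token = {}    # device token -> real PAN (never leaves here)
        self._key_by_token = {}    # device token -> per-device HMAC key
        self._seen_nonces = set()  # replay protection

    def provision(self, pan):
        """Enroll a card onto a phone; returns (token, device_key)."""
        token = "TKN-" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        return token, key

    def authorize(self, payload):
        """Verify a forwarded payment payload. Returns (ok, reason)."""
        msg = json.loads(payload)
        key = self._key_by_token.get(msg.get("token"))
        if key is None:
            return False, "unknown token"
        expected = cryptogram(key, msg["token"], msg["merchant"],
                              msg["amount_cents"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "bad cryptogram"      # tampered merchant/amount
        if msg["nonce"] in self._seen_nonces:
            return False, "replay"              # same payment presented twice
        self._seen_nonces.add(msg["nonce"])
        pan = self._pan_by_token[msg["token"]]
        return True, f"charged card ending {pan[-4:]}"


class Phone:
    def __init__(self, token, key):
        self.token, self.key = token, key

    def pay(self, merchant, amount_cents):
        nonce = secrets.token_hex(8)
        return json.dumps({
            "token": self.token, "merchant": merchant,
            "amount_cents": amount_cents, "nonce": nonce,
            "cryptogram": cryptogram(self.key, self.token, merchant,
                                     amount_cents, nonce),
        })


class Merchant:
    def __init__(self, name, authority):
        self.name, self.authority = name, authority
        self.log = []  # stored payloads: what a breach of the retailer exposes

    def checkout(self, phone, amount_cents):
        payload = phone.pay(self.name, amount_cents)  # opaque to the merchant
        self.log.append(payload)
        return self.authority.authorize(payload)


def run_scenario():
    """One legitimate purchase, then what an attacker can do with the stored record."""
    authority = WalletAuthority()
    real_pan = "4111111111111111"  # constructed test card number
    phone = Phone(*authority.provision(real_pan))
    store = Merchant("hardware-store", authority)

    first_ok, _ = store.checkout(phone, 299_999)
    leaked = store.log[0]                       # the breached record
    replay_ok, replay_reason = authority.authorize(leaked)
    tampered = json.loads(leaked)
    tampered["merchant"] = "other-merchant"     # try to spend it elsewhere
    tamper_ok, tamper_reason = authority.authorize(json.dumps(tampered))

    return {"first_ok": first_ok, "pan_in_leak": real_pan in leaked,
            "replay_ok": replay_ok, "replay_reason": replay_reason,
            "tamper_ok": tamper_ok, "tamper_reason": tamper_reason}


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noticing is where the secrets live: the merchant holds neither the PAN nor the device key, so its log is useless for making new charges, which is the property darthservo was asking about. What the model does not address is frojack's last point: the wallet authority itself now holds every PAN and key, so its compromise would be strictly worse than any single retailer's.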
(Score: 2) by nitehawk214 on Thursday September 04 2014, @09:30PM
Well in Google's case, they are already a giant giant target. But I expect a lot more security from Google than Home Depot Target. [pun intended]
But I thought the idea behind NFC type systems is that simply knowing the wallet number does the hacker no good, they would also need to know the pin or password to push the auth through?
"Don't you ever miss the days when you used to be nostalgic?" -Loiosh