Sophos Cloud Optix
Last week, we wrote about a possible data breach at Home Depot, the world’s largest DIY chain.
Home Depot has 2266 stores across the United States, Canada and Mexico, so a data breach caused by a Target-type malware infection right across the company’s network would be a big deal indeed.
Crooks effectively took over Target’s point-of-sale terminals throughout the USA in 2013, and were able to harvest about 40,000,000 credit card records, apparently in less than three weeks.
You’ll find various guesses at how long Home Depot has been pwned, from “more than three months” to “as many as six months.”
That has led to speculation that the Home Depot breach may yet turn out to be bigger than Target’s – the company has more stores than Target, and may have given the crooks significantly more time to harvest financial data.
(Target’s breach, however, was at the very peak of the US retail season, between Black Friday and Christmas.)
Breach now officially confirmed
Just how big and bad Home Depot’s woes will turn out to be is still unknown; all we know so far is that the company has officially confirmed that, yes, there was indeed a breach:
The Home Depot, the world's largest home improvement retailer, today confirmed that its payment data systems have been breached, which could potentially impact customers using payment cards at its U.S. and Canadian stores.
There is no evidence that the breach has impacted stores in Mexico or customers who shopped online at HomeDepot.com.
The silver lining is that is sounds as though the payment devices themselves, where you swipe your card and enter your PIN if you have one, were not taken over by the crooks:
While the company continues to determine the full scope, scale and impact of the breach, there is no evidence that debit PIN numbers were compromised.
In US-style credit card transactions, the card data sent from the payment device to the cash register, typically a Windows-based computer, is pushed unencrypted over a USB cable, as though typed on a keyboard.
This means that malware on cash registers can keep its eye on data arriving in memory (credit card data is rather easy to recognise as it passes by, because it has a well-defined structure) and steal it.
Trojan Horses of this sort are wryly known as a “RAM Scrapers“.
The credit card data is only encrypted after it reaches the cash register, a cryptographically poor design given that cash registers are generally easier for crooks to attack successfully than the payment devices themselves.
Debit card PINs are not transmitted in cleartext from the payment device to the rest of the payment network, so they can’t be scraped from RAM along with the card data, making PINs harder for the crooks to harvest.
→ Never say never, of course. Hardware payment devices can be compromised and substituted, either in the supply chain, so they reach retail stores ready-wired for crime, or in place at the store.
Home Depot has reassured its shoppers by emphasising that “no customers will be responsible for fraudulent charges to their accounts,” and is offering the usual after-the-fact precautions such as free credit monitoring.
We suggest, if you have shopped at Home Depot stores in or after April 2014, that you keep a closer-than-usual eye on your credit card statements, just in case.
I’m trying to understand the full process…
With a debit card there is the card data and a PIN. The card data is open text while the PIN is encrypted from the payment device.
With a credit card there are at least four methods I have been exposed to
1. Swipe and no sign for amounts less than “insignificant”
2. Swipe and sign
3. Swipe and PIN
4. Tap and go
Is the PIN in case 3 encrypted? What are the vulnerabilities of case 4 with regards to harvested open text data?
Ok, so a debit card used on the swipe machines did not have the PIN stolen and they say debit cards are safe. What about credit cards used on the swipe? Are those the ones compromised? All stories on this are so far unclear.
The dumps went up on the 2nd, on the 3rd I started seeing charges for airline tickets I didn’t buy. Oh, and I’ve been at home depot pretty much every week in the last 5 months.
Having had at least seven credit/debit cards compromised in the last two years (including Target), one thing I’m trying to understand is how the stolen credentials are permitted to be used.
I could understand if the cards were used to buy merchandise from Amazon/BestBuy/WalMart online, and the merchandise were then fenced, but that’s risky and hard to do on a large scale. Instead the crooks seem to be able to open Merchant Services accounts at the drop of a hat and simply make bogus charges in amounts small enough ($US 50-75) that they hope the cardholder won’t notice. In the last 60 days I have had two charges to outfits with names like 1-877-1234-567.com or slenderab1-234-567-8901.
How can the card companies issue merchant services credentials to outfits with names so clearly bogus that they jump off my statement when I open it? What are they thinking? Are there no background checks done when these merchant services accounts are applied for?
Here in the US I cannot even open a bank account without multiple forms of government-issued identification. Yet these folks seem to be able to open merchant services accounts at the drop of a hat. Something’s wrong here.
When are we going to hold the credit card companies liable for their antique and insanely insecure product? PCI regulations are a huge money maker and could be greatly reduced if Visa and the others fixed the problem at the source.
Sadly, there is no incentive for Visa, Master Card, et al to do so. When fraud occurs, it’s the banks that issue the card who have to absorb the costs. But they don’t control the standards! I have no idea how we got into this mess, or how we will get out of it.
I seem to recall seeing a PayPal logo on Home Depot Point of Sale equipment during the past year, at least locally. I wonder if they are somehow involved.
Nice of HD to offer credit monitoring, but how do you use it???
HD’s “after-the-fact” credit monitoring offer is AllClear ID PRO. An article at cleveland.com touts the wonderfulness of the AllClear ID PRO product. Okay, I decided to bite.
Signing up of course requires handing over the keys to your kingdom; name, address, social, DOB, phone.
Seeing as how the news article said the service “…allows you to register your existing credit or debit card accounts. The service would monitor those numbers on the web…”, I then looked to log in to my new account at ACID, since the sign-up did not prompt for CC numbers.
But – where the heck is the log in link? It’s not on the main page. Back on the window of the completed sign-up, there was a log in link at the bottom of the page. Clicking that (www[dot]allclearid[dot]com/login), one is greeted with:
“Your enrollment in AllClear ID protection was successful.
Due to high volume and to ensure all customers are able to enroll in AllClear ID protection, this feature has been temporarily disabled.”
Ain’t that nice! AllClear ID’s facebook page has many posts from angry folks who have run into the same problem, including one going back to a Molina Health Care breach in May! AllClear does not appear respond to any of these FB posts. Has ANYBODY ever been able to log into this thing?
I get that AllClear’s severs might be under pressure with the extent of the HD hack, but their tactics (burying the log in link, no time frame given, and unresponsiveness) do not inspire confidence. Quite the opposite.