Slashdot Mirror


Banks Report Credit Card Breach At Home Depot

criticalmass24 sends news that multiple banks are indicating Home Depot stores are the source of a new batch of stolen credit cards and debit cards that hit the black market today. "There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market." Home Depot is aware of the situation, and says they're investigating. The banks say this breach may have begun as early as April or May of this year and may extend to all 2,200 of Home Depot's U.S. stores.

132 comments

  1. Chip and PIN by DigiShaman · · Score: 4, Insightful

    Fuckers! Implement it like yesterday!!!

    Tell you what. You want me to continue to shop at the B&M stores, then do this. Otherwise, it's Amazon for me.

    --
    Life is not for the lazy.
    1. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Why do you think Amazon is immune?

    2. Re:Chip and PIN by Russ1642 · · Score: 2

      Big deal. You're not on the hook for the fraudulent charges. You just have to check your bill and maybe your CC issuer will give you another card.

    3. Re:Chip and PIN by ctime · · Score: 2

      The problem is that these data compromises are going to happen and that the current magnetic strip technology is laughably obsolete and insecure. Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements. Current magnetic strip cards are authenticated purely by a string of digits (something you know) and are easily copied and reproduced.

      Read all about it here: http://en.wikipedia.org/wiki/E...

      Chip + pin WILL be happening in America. http://blogs.wsj.com/corporate...

      NFC-based payment systems may have a chance to become popular in the meantime.

    4. Re:Chip and PIN by TechyImmigrant · · Score: 1

      FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Chip and PIN by slashmydots · · Score: 1

      Chip and pin does nothing. It's still interceptible and nobody in America has the patience for "card present only" transactions.

    6. Re:Chip and PIN by Ralph+Wiggam · · Score: 1

      The deadline to switch is in 13 months. That kind of massive national transition is not easy or fast.

      After next October, businesses will be able to use the old swipe and sign terminals, but they will be liable for any fraud instead of the credit card company. Obviously nobody wants that liability.

    7. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Current magnetic strip cards are authenticated purely by a string of digits (something you know) and are easily copied and reproduced.

      What exactly do you think the chips do?

    8. Re:Chip and PIN by Russ1642 · · Score: 2

      FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

      And what property of yours is missing? I'm thinking it's your sanity.

    9. Re:Chip and PIN by msauve · · Score: 2

      "You're not on the hook for the fraudulent charges."

      That's not it - you're simply not clear on the concept. Those costs are paid by the consumer, through higher prices and/or fees.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    10. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Still doesn't make Amazon safe. In fact, if magnetic stripe is so obsolete, then Amazon's type your number in is even worse. While I agree that Chip & PIN will limit problems, initially anyway, hackers will find a way to exploit its weakness as well.

    11. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Exactly. The chip and pin simply protect that string a little bit longer. In the end though, it all needs to be sent over the wire, and as a result, somebody just needs to be in the right place.

    12. Re:Chip and PIN by afidel · · Score: 1

      Mutual authentication and off (merchant) device encryption.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    13. Re:Chip and PIN by rogoshen1 · · Score: 1

      Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent. But mainly, while everything is pending, your money is gone. It may only be temporary, but you can't pay bills with IOUs.

    14. Re:Chip and PIN by DogDude · · Score: 1

      And how does Amazon get your chip and pin, exactly, Mr. Einstein?

      --
      I don't respond to AC's.
    15. Re:Chip and PIN by kenai_alpenglow · · Score: 1

      Plus, if you have a bunch of bills going to the credit card, now you have to update all of them with the new number. Been there-done that...

    16. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Why do you think the chip or the information on it can't be duplicated or spoofed?

    17. Re:Chip and PIN by jjhall · · Score: 2

      Well, for one I have to spend my time to submit a fraud report to my bank. If using my debit card, the money is gone until the fraud is confirmed. Second, I have to wait for a new card to arrive in the mail, then try to remember who I have set up on automatic payments using my old card. Call each one of them or visit their website to enter in the new numbers. The ones that I forget will possibly result in account suspensions, etc, until after the new number is entered. Fees may be charged, which most of the time will be waived but that again takes more time to deal with.

      The credit card companies need to fix this, and chip/pin is not the answer. It should solve retail store card theft, but as online purchasing becomes more and more popular, chip/pin will do nothing to combat it. We need a rotating pin device, similar to what PayPal and World of Warcraft use, and tie that number to the authorization. That number/pin combo would be useless for future transactions other than follow-on transactions to/from the same merchant for subscription or refund purposes. That way when a card number is compromised it is useless since the attacker won't be trying to get more money for the original merchant. Instead the card issuers just tout "$0 fraud liability!!!11!!!1!" to the consumers and pass the buck off to the merchants. Chargeback fees from merchants are a profit center for card issuers, so why would they want to fix the problem?

    18. Re: Chip and PIN by Anonymous Coward · · Score: 0

      1 October 2015 is 394 days away, which is over 14 moon periods away.

      But yeah, we in the "rest of the world" have been using this stuff for a decade or so.

    19. Re:Chip and PIN by afidel · · Score: 1

      Probably because none of the vulnerabilities listed at Wikipedia involve cloning the card, they all include forcing terminals into offline chip and pin mode which is not going to be supported by most US card issuers. I've been following EMV for many years now and outside of some very controlled lab experiments involving very cold temperatures and long side channel analysis nobody has managed to pull off a duplication attack for online transactions (at least nobody that's published information, and there have been no wide scale attacks that can be traced back to fraudulent duplicates used for online transactions).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    20. Re:Chip and PIN by rickb928 · · Score: 1

      Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

      And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    21. Re:Chip and PIN by rickb928 · · Score: 1

      One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    22. Re:Chip and PIN by geekoid · · Score: 1

      What do you care? The CC company pays for it, and they send you a new card.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    23. Re:Chip and PIN by ender- · · Score: 1

      Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

      And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

      It *could* if the store at least used the Chip + Pin to validate the person picking up the loot.

      Granted, I still don't see how it helps stop people buying stuff on Amazon but that one example you provided should be fairly simple to avoid.

    24. Re: Chip and PIN by rickb928 · · Score: 1

      And in the UK, the stories of pensioners being shoulder-surfed at the ATM (or worse) while they peck away at the keypad end with them at the bank being informed that their money is gone, and they must have disclosed their PIN to someone. "Sorry, but the system is totally secure. It isn't our fault". Not as if the camera at the ATM wouldn't be showing some hoodie emptying their account, though the banks have no real incentive to investigate.

      Yeah, Chip n PIN is a real winner, for the banks.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    25. Re:Chip and PIN by geekoid · · Score: 2

      Yes it will, and then it will be compromised. Chip and Pin* has known defects.
      NFC is also broken.

      Digital money is a dead end.

      *Sounds like a kids cartoon about encryption.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    26. Re:Chip and PIN by geekoid · · Score: 1

      It's already been done and demo'd at DEFCON.
      Next.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    27. Re:Chip and PIN by PopeRatzo · · Score: 1

      nobody in America has the patience for "card present only" transactions.

      Me. I have the patience for "card present only" transactions. What's the big hurry?

      --
      You are welcome on my lawn.
    28. Re:Chip and PIN by PopeRatzo · · Score: 2

      What do you care? The CC company pays for it, and they send you a new card.

      As has already been pointed out, no, it's you that pays for it in fees.

      The current interest rate on savings is what about 1%? Banks can take that money and charge 18-24%. They've got a license to print money. Do you really think they're just going to eat the loss? They're passing it on to you in dribs and drabs.

      --
      You are welcome on my lawn.
    29. Re:Chip and PIN by geekoid · · Score: 1

      So it's their fault you have a sloppy financial system?
      Lock the info up with encryption if it's such a bother for you.

      When it happened to me, I called the bank, 5 minutes later my money had been returned, the was no longer attached to my account directly.
      After that, when I got an email from various companies that my CC was no longer valid, I just changed it. Never had any interruption in any service.

      On a weird note, after that call, 2 weeks later a reoccurring charge on that account went through. I contacted the bank and they told me not to worry about it and to please change my number on that service. I suspect they were keeping it active to try and get more information.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    30. Re:Chip and PIN by geekoid · · Score: 1

      Which is balanced against price point and competition. If the problem was magically fixed tomorrow, your fee would not go down.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    31. Re:Chip and PIN by wiredlogic · · Score: 1

      My grocery store has new Verifone readers with chip and pin slots. The things are so badly made that they reject my card on the mag strip reader until the clerks showed me a trick where you stick a plastic grocery bag between the card and mag head to make it work.

      --
      I am becoming gerund, destroyer of verbs.
    32. Re:Chip and PIN by Skynyrd · · Score: 1

      I'm refinancing my house at the moment. Having my card stolen will raise all sorts of flags, and either abort or delay the process.

      My property won't be missing if I run up a massive credit card bill, but it would potentially cause me hours and hours of work, a bunch of money, and a shit-load of stress. I'd rather that the problem be fixed instead of ignoring it for another bunch of years.

    33. Re:Chip and PIN by Anonymous Coward · · Score: 1

      Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent.

      You would be mistaken.

      Notice that the timer on reporting doesn't really start until you either 1) learn of the fraud or 2) have an opportunity to review a bank statement.

      And if your credit doesn't suck (read: are a responsible adult), most card issuers won't charge you even that $50 limit because they'd rather have customers that don't badmouth them on the internet than people who are disillusioned with the system and hate them. Perhaps that last part is where you have trouble.

    34. Re:Chip and PIN by Anonymous Coward · · Score: 0

      You could use cash, you know. Oh, but then you'd have to earn it somehow before you spend it, unlike the other way around with a credit card.

    35. Re:Chip and PIN by ASDFnz · · Score: 1

      Even better, use bitcoin instead.

      Seriously, problem fixed.

    36. Re:Chip and PIN by Anonymous Coward · · Score: 0

      The costs of "stronger" security tech would also be paid by the consumer. Anybody have any real data on which is cheaper?

    37. Re:Chip and PIN by ASDFnz · · Score: 2

      Bitcoin would be a better solution

    38. Re:Chip and PIN by rogoshen1 · · Score: 1

      Thanks for pointing that out in a completely non-condescending or stupidly myopic manner! Of course you can call the card issuer, or write a letter.

      As stated though, the main problem with these fraud cases is: when a debit card is involved, your bank account is *temporarily* drained. Which can lead to a bit of a headache.

    39. Re:Chip and PIN by TechyImmigrant · · Score: 1

      FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

      And what property of yours is missing? I'm thinking it's your sanity.

      No, it would be insane to invite all that hassle by advocating banks continue with ludicrous plaintext credentials on credit cards. Do you work for a bank?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    40. Re:Chip and PIN by GTRacer · · Score: 1

      New trick? I learned that one 5 years ago at a grocery store where some of their old terminals were bad readers. Not entirely sure what the bag-wrapping does, but it worked!

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    41. Re:Chip and PIN by TechyImmigrant · · Score: 1

      Why do you think the chip or the information on it can't be duplicated or spoofed?

      To duplicate an EMV card, you would need to take the card to a lab and do some serious meddling.
      To duplicate a standard US credit card you need a cell phone and the card for 10 seconds.

      The difference is significant.

      Of course NFC will screw the pooch before the US catches up.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    42. Re:Chip and PIN by GTRacer · · Score: 1

      No thanks! Once my bank offered me a "Visa check card" - debit card processed through Visa's credit network - I signed up and haven't looked back. For me at least having a card isn't about spending future money, it's about not having a paycheck's worth of cash on me or my wife. It's about convenience in bill payments and purchasing. And these days, it's a wonder when paired with self checkout technology!

      Also, I hate having to keep up with receipts. Electronic payments make recordkeeping so much easier.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    43. Re:Chip and PIN by nabsltd · · Score: 1

      Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements.

      Since some of the cards stolen were debit cards, which require something you have (card with magnetic strip) and something you know (PIN), I don't see how chip+PIN is the holy grail you think it is.

      Although there may be more negotiation/handshake at PoS with chip+PIN, it still comes down to two-factor auth to make that sale. And, if somebody can install software/hardware that grabbed mag strip + PIN, they likely can do the same for chip+PIN.

    44. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent.

      The onus is very small, you just have to inform the bank as soon as the fraud occurs and cooperate in the subsequent investigation. You're off the hook even if you are the victim of trickery or intimidation. Besides, if you have a lot of money in the bank to begin with, (a) you're dumb, (b) you're rich. Either way, who cares about you! The top poster is simply correct, this is a problem for banks and credit card companies. Fuck these stories.

    45. Re:Chip and PIN by Anonymous Coward · · Score: 0

      cash is better yet.

    46. Re:Chip and PIN by Anonymous Coward · · Score: 0

      You have to do this anyways when the expiration date changes. Every 18-24 months, depending on the card, I have to change my billing information. If this is too hard for you, go back to using cash and checks.

    47. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Good thing the bank always eats all those losses and NEVER passes them on to the consumers via fees, surcharges, interest rates, etc....

      You are right, who cares if there is fraud, just get another card...

    48. Re:Chip and PIN by OldCodger · · Score: 1

      The point is that if Chip&Pin is used then the bank takes the hit (at least in the UK it does) - swipe and you're f**ked.

    49. Re: Chip and PIN by caveqat101 · · Score: 1

      Sorry you are wrong. Been busted, there was a proof of concept at the last Black Hat meeting. A west coast college presented it. Read about the hack several weeks ago, you should be able to buy the single by now. Yes it was conceptual, but the prior writeup sounded just like the chip and pin, along with further work on the NFC concept of card. As NFC was being introduced they were showing the weaknesses. The only one not busted so far is the encrypted transmission to the bank. But sure homeland has a backdoor, which will be its downfall sooner than later.

    50. Re: Chip and PIN by caveqat101 · · Score: 1

      Sorry about this, but you still owe the "bounced check" charge. Your bank may waive it but any in line company won't. Remember they tally at the end of the day. Your balance doesn't always show correctly till the end of day occurs at the bank. Even on debit cards.

    51. Re:Chip and PIN by wkk2 · · Score: 1

      The chip and pin readers at Home Depot are not enabled. I had to swipe a card that had a chip. Maybe they will install the right software.

    52. Re: Chip and PIN by rickb928 · · Score: 1

      That's as easy as it gets.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    53. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Assuming you use a credit card.. swipe in the USA and the bank takes the hit..

    54. Re:Chip and PIN by DigiShaman · · Score: 1

      Credit card fraud costs everyone involved $190 BILLION in losses per year alone. I'm pretty sure the tech would be cheaper in the long run.

      --
      Life is not for the lazy.
    55. Re:Chip and PIN by Anonymous Coward · · Score: 0

      The bank never takes the hit. What really happens is that if you get defrauded through chip & pin, then it's "your fault" and you get to carry the losses. In the US this is the case eg. with debit cards which is swipe & pin. If you have a credit card in the US, the vendor and/or gateway is responsible for any losses at all times.

    56. Re:Chip and PIN by plover · · Score: 1

      Sure, chip and PIN messages can be intercepted, but the data that can be intercepted cannot be reused for a second fraudulent transaction, and cannot be tampered with.

      Chip and PIN moves the trust out of the merchants' terminals and out of the network. Only the chip and the bank's systems have the secret knowledge needed to participate in the conversation. You no longer have to wonder if Home Depot's readers are safe, because it won't matter.

      --
      John
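Added example, not part of the original comments: a simplified model of the property the comment above describes, where a card-side secret produces a fresh cryptogram per transaction so a captured message fails on reuse or modification, while copied stripe data does not. HMAC-SHA256, the message fields, the class names and the card number are assumptions for illustration; real EMV uses its own key derivation and MAC algorithms.

```python
import hashlib
import hmac
import secrets


def _encode(pan, amount_cents, nonce, atc):
    """Canonical byte string covered by the cryptogram (constructed format)."""
    return f"{pan}|{amount_cents}|{nonce}|{atc}".encode()


class ChipCard:
    """Holds a secret shared only with the issuer; it never leaves the chip."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._atc = 0  # transaction counter, incremented on every use

    def sign(self, amount_cents, terminal_nonce):
        self._atc += 1
        msg = _encode(self.pan, amount_cents, terminal_nonce, self._atc)
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents,
                "nonce": terminal_nonce, "atc": self._atc, "cryptogram": mac}


class Issuer:
    """Bank side: knows each card's key and the highest counter seen so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_chip(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "DECLINE: unknown card"
        msg = _encode(txn["pan"], txn["amount"], txn["nonce"], txn["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "DECLINE: bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "DECLINE: replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "APPROVE"

    def authorize_stripe(self, track):
        # Static data: the issuer cannot tell the original from a copy.
        if track["pan"] in self._keys:
            return "APPROVE"
        return "DECLINE: unknown card"


def demo():
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed test number

    txn = card.sign(2599, secrets.token_hex(4))
    captured = dict(txn)  # what a compromised terminal or network tap sees
    results = {"chip_first": issuer.authorize_chip(txn)}

    # Reusing the captured message unchanged.
    results["chip_replay"] = issuer.authorize_chip(captured)

    # Bumping the counter without the key breaks the cryptogram.
    bumped = dict(captured, atc=captured["atc"] + 1)
    results["chip_bumped_counter"] = issuer.authorize_chip(bumped)

    # Changing the amount on an otherwise fresh message.
    tampered = dict(card.sign(2599, secrets.token_hex(4)), amount=99999)
    results["chip_tampered"] = issuer.authorize_chip(tampered)

    # Stripe data is the same bytes every time, so the copy is accepted.
    track = {"pan": "4000000000000002", "expiry": "1712"}
    results["stripe_first"] = issuer.authorize_stripe(track)
    results["stripe_copy"] = issuer.authorize_stripe(dict(track))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```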
    57. Re:Chip and PIN by stymy · · Score: 1

      Doesn't the authentication of Bitcoin transfers take something like half an hour? That doesn't exactly cut it for retail stores.

    58. Re:Chip and PIN by Rich0 · · Score: 1

      One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.

      Just don't support offline mode on the terminals then. Or maybe design the terminals so that offline mode only works if a manager enables it, and then it only works for 15 minutes. This would allow stores to not grind to a halt when there is a communications problem, but it would prevent stores from just systematically ignoring that 99% of their terminals are in offline mode 24x7.

      ATM cards support offline PIN verification too, or at least the spec does. Nobody ever used it because it was known to be insecure since the 70s (or maybe early 80s - whenever it was invented). Defeating that just requires reading/writing the magnetic strip.

      Offline mode will already break debit cards. It seems far more sane to just require a network connection to use the payment system at all - and by all means have a backup modem link or whatever.

    59. Re:Chip and PIN by h4ck7h3p14n37 · · Score: 1

      That's why you include a fee with your Bitcoin transaction. The larger the fee the more quickly you should get confirms back.

      Bitcoin really wasn't designed to be used as a currency; payment just happened to be one of the first applications developed using the protocol. If you need confirmation speed, you should take a look at Litecoin.

    60. Re: Chip and PIN by rickb928 · · Score: 1

      It's doubtful that offline mode could be enabled in firmware, certainly not without some serious work. But shimming the terminal 1. Intercepts the chip data stream, 2. Triggers an apparent non chip card insertion, 3. Captures the chip data and if the cracker is good, acts like a terminal and decodes data, 4. Sends stripe data as expected, 5. Terminal received the auth and is happy happy happy.

      The shim stands in to intercept the chip data, fool the terminal into accepting the card as a mag stripe, and does leave the chip unsynched, which will either kill the chip or force a re sync and raise some innocuous alarms. All we care about is that it is possible to circumvent the chip.

      IF the terminal permits swipe insertions. Many in EU will not, but if the cracker has modified the terminal firmware, all is lost. That is generally very difficult, checksums and signing and all that.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    61. Re:Chip and PIN by Anonymous Coward · · Score: 0

      It's new to me as well. First time I encountered this was about two months ago. My first reaction when the cashier wrapped the card in a plastic bag before running the card back through the reader was WTF?!? But it worked.

    62. Re:Chip and PIN by Anonymous Coward · · Score: 0

      That's simply untrue (possibly true in some country but not generally). In the US, if you get defrauded through chip & pin, the liability is unchanged unless the merchant had a terminal that didn't support chip & pin, in which case it's the merchant's fault for doing an insecure transaction.

    63. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Because no one is completely protected and you can fund Amazon gift cards with Bitcoin. That places an airgap between your bank account and any payments that Amazon receives for product. Nowadays you can literally buy just about ANYTHING at Amazon.

    64. Re:Chip and PIN by Anonymous Coward · · Score: 0

      Transactions are acknowledged instantly. Funds are marked as permanently transferred typically within ten minutes and every ten minutes thereafter. It takes an individual to be in control of an impossible amount of processing power plus a little bit of luck in order to "double spend" any funds. The more ten minute periods that pass, the more exponentially impossible it becomes for someone to successfully double spend funds. Some of the most paranoid people out there refuse to consider a transaction truly permanent until it has been included in six blocks. Reality says that below a significant dollar amount, it is silly for vendors to wait even for one confirmation or block to include your transaction until a "significant" amount of money is involved.

      If you wait for a block to include a transaction to pay for a cup of coffee (or a box of nails at Home Depot), that vendor is doing it all wrong. Buying a car, though? It's worth waiting the half hour to an hour for six blocks to come back. Finally, the most popular source for people buying Bitcoin and storing it in a wallet is Coinbase. Coinbase is also one of the two most popular credit card processor alternatives. When the vendor and the customer both use Coinbase, then Coinbase guarantees the transaction and prevents chargebacks.

      So no, transactions don't take half an hour. They are instant, but are further guaranteed against having the funds reversed every ten minutes or so. Unless both ends of the transaction occur within Coinbase, in which case they are instant and fully and immediately guaranteed against reversal by Coinbase.

      Hope this helps.

    65. Re:Chip and PIN by hawaiian717 · · Score: 1

      A PIN is not required to use a debit card today. The vast majority of them support running the transaction either through the debit networks, where you use a PIN, or through the credit networks (Visa or MasterCard) where, today anyway, you sign. So the thieves can still steal the card number off a debit card and use it just like a credit card. The only difference is that your checking account is the money that gets tied up in limbo until it's sorted out, instead of the bank's money (in the form possibly of your credit limit).

      --
      End of Line.
    66. Re:Chip and PIN by metrix007 · · Score: 1

      Why do you think that?

      --
      If you ignore ACs because they are anonymous - you're an idiot.
    67. Re:Chip and PIN by TechyImmigrant · · Score: 1

      Because there is a string of documented attacks against NFC payment systems.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Instead of naming stores by Anonymous Coward · · Score: 1

    Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!

    1. Re:Instead of naming stores by NevarMore · · Score: 1

      Because your average consumer doesn't know and doesn't care that Home Depot or Target runs an IBM or NCR system. They know that Home Depot and Target screwed up forcing them to watch their statements even more closely than normal and maybe get a new card issued requiring an update of all the auto-payment stuff and made things a pain in the ass.

      It's up to Home Depot and Target to then apply leverage to IBM and NCR or jump ship to another vendor. Each vendor responds to their direct customer.

    2. Re:Instead of naming stores by unrtst · · Score: 1

      Fine.
      In the slashdot summary, how about naming the actual vendors?

    3. Re:Instead of naming stores by Anonymous Coward · · Score: 0

      "Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!"

      Because unless it is Windows, its one of Apple, Android or Flash ...

    4. Re:Instead of naming stores by rickb928 · · Score: 2

      It's not NCR, IBM, etc. It's Ingenico, Verifone, the other terminal makers, and the acquirers (Paymentech, First Data, etc) that handle the data, but Home Depot needs to secure the transmission of that. And I bet most of this was skimmed off of databases that needed to be another layer away from intruders.

      There is no such thing as absolute security.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    5. Re: Instead of naming stores by Anonymous Coward · · Score: 0

      Most of the larger stores, like HomeDepot, don't run on NCR / IBM / Fujitsu software systems, they run their own. Customized to their own liking. They can jump ship as the tides turn between the hardware vendors with just a tweak to their software, or maybe in their labs, they have it all ready to go up front.

      This is all on Home Depot.

    6. Re:Instead of naming stores by Anonymous Coward · · Score: 0

      No, it's the stores.
      The problem is Visa, Mastercard and all the other credit card companies have zero customer liability. So if Joe Shmo uses John Doe's card to steal merchandise, John Doe isn't on the hook for it. Instead, the fraud is claimed by the merchant. The bank just passes the liability off. Now if the stores could prove that it was Joe Shmo who used the card, perhaps someone could find the Shmo and throw him in the clink!
      In an effort to protect themselves from the fraud, companies like Home Depot, Homesense, Wal-Mart, Target etc... all have databases full of the transactions that have transpired. It's all they CAN do to try and protect themselves against a chargeback. When that data gets on the loose, you have trouble.
      Get rid of tags. Period. Chip and pin, swipe and pin, or (God forbid) contactless... They all do nothing for security. If the numbers aren't changing for every transaction, it's open to some sort of attack.
      I've heard of some idiots asking about biometrics... I'd rather the store ask for my picture ID...

  3. Awesome by TubeSteak · · Score: 1

    This will be the second time my credit card gets replaced this year.
    The third time in 3 years.

    I've tried to order stuff online and been forced to call in because the retailer subscribes to a service that considers me a 10/10 fraud risk.
    And not because of anything I've ever done or any charges that have shown up on my bill.

    --
    [Fuck Beta]
    o0t!
    1. Re:Awesome by rickb928 · · Score: 1

      If they change mine, it will be the second this year, fourth in two years, sixth or seventh in 3 years. Credit unions don't all own their card systems, and these issuers are lazy.

      Some card issuers know that 40-60% of their cards in force are 'compromised'. They consider that normal, and perform fraud/risk monitoring as a normal course of business.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  4. chip and pin? by anthony_greer · · Score: 1

    Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...

    1. Re:chip and pin? by plover · · Score: 1

      The US is finally going to Chip and PIN next year. It just takes a long time to get a million businesses to spend the money needed to convert their readers.

      --
      John
    2. Re:chip and pin? by mjwx · · Score: 1

      Why not just go to Chip and PIN...I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...

      I doubt Chip and Pin will close the security hole they have here. It's insecure POS's rather than insecure cards. Europe and Canada (and Australia) still have breaches but not as big as this for two reasons.
      1). You're not allowed to pass the card details onto the POS. The POS passes the sale info to the processor and the processor passes back a PCI (Payment Card Industry) standard censored card number (the last four digits).
      2). You're not permitted to store any payment details on the POS.

      Breaches happen in Oz usually because someone isn't following the rules. Magstripe cards are still accepted almost everywhere here.

      However here most people have their card details stolen because they're careless and/or stupid. NFC is going to change that though now that cards give the name, number and expiry date (everything on the front face of the card) to anything that asks for it wirelessly.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  5. Stupid banks... US credit cards have no security by mspohr · · Score: 1

    The banks are reaping the rewards of years of sticking their heads in the sand on security. Europe has chip and pin which is much more secure. US credit cards are ridiculously easy to counterfeit. I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

    --
    I don't read your sig. Why are you reading mine?
  6. Forget the Politics by Anonymous Coward · · Score: 0

    .. it's a direct result of technical mono-culture. Diversity in security technology is the way forward.

  7. Hire those illegals out front to investigate by NotDrWho · · Score: 1, Funny

    They work cheap.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  8. Solution: Use Cash? by Anonymous Coward · · Score: 0

    Of course, if we pay with cash then it would be assumed we have something to hide.

    1. Re:Solution: Use Cash? by Anonymous Coward · · Score: 0

      use dogecoin, then.

    2. Re:Solution: Use Cash? by Anonymous Coward · · Score: 0

      Of course, if we pay with cash then it would be assumed we have something to hide.

      Yes, we're hiding something -- our credit card info from the hackers.

  9. Store branded credit cards by sandytaru · · Score: 1

    I am suddenly grateful we've been using a store branded Home Depot credit card for the last few years. Replacing that with a new one won't be painful at all. I think I've paid cash if the amount was under $10, too.

    Still going to go through ye old checking account and verify there's no HD charges on there since April.

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Store branded credit cards by Anonymous Coward · · Score: 0

      checking account? who tf uses debit cards to shop with?

    2. Re:Store branded credit cards by sandytaru · · Score: 1

      Someone who forgot to hit the ATM before going shopping.

      --
      Occasionally living proof of the Ballmer peak.
  10. Re:Stupid banks... US credit cards have no securit by khellendros1984 · · Score: 1

    I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

    One of my recently replaced cards is chip and signature, and I think that's what most US-issued smart cards are using. Security-wise, it's kind of a half measure, but at least it's a step forward from complete reliance on the magstripe.

    --
    It is pitch black. You are likely to be eaten by a grue.
  11. Re:Stupid banks... US credit cards have no securit by Firethorn · · Score: 1

    You know, I think it's true that Europe had a much higher rate of fraud, which convinced them to move to chip&pin sooner.

    Yes, I've heard that they're working to move to chip&pin, my bank sent out a notice that they're working on it. When I get closer to the expiration of my card I might call them up and ask to be moved over as I actually travel internationally occasionally and it'd be nice to be able to use my card in European stores.

    --
    I don't read AC A human right
  12. Stupid by Anonymous Coward · · Score: 1

    If you don't want your credit card number stolen and displayed all over the Internet, you shouldn't use your credit card! What were these people thinking?!?!

    And with that moral justification out of the way, let me go Google for those Jenni.... er credit card photos.

    1. Re:Stupid by Anonymous Coward · · Score: 0

      Go fuck yourself.

  13. Re:Stupid banks... US credit cards have no securit by anthony_greer · · Score: 1

    Not any time soon - as it happens, I have an Amazon card from Chase and just got the replacement for an expiring card - no chip and pin, I called and asked about it and they said they MAY have it when my next card comes in 3 years...so don't hold your breath.

    I mention Amazon specifically because other commenters seem to think that anything Amazon is immune and safe...not so fast young grasshopper...

  14. What if you get two cards? by Anonymous Coward · · Score: 0

    One for the card present transactions and one for other phone transactions?

    This would at least lower the value of the card present card numbers because the carders would have to physically be present to win.

  15. Are the POS providers total morons? by DigitAl56K · · Score: 1

    How hard is it to run an independent circuit that scrapes your OS and process executable memory and computes a verified hash? Do these systems run any kind of meaningful IDS at all?

    1. Re:Are the POS providers total morons? by Anonymous Coward · · Score: 0

      No. They do not.

  16. For US - on Slashdot by Anonymous Coward · · Score: 0

    Yeah, yeah, yeah, I get that.

    But here on Slashdot - NAME the vendors. OK?

    When I check out - and I have worked in this industry and I won't name who I developed software for but I can say we NEVER considered these threats - ever - I look at the checkout hardware.

    Me

    I am a GEEK and a NERD - like Slashdot NERDS.

    Get it?!

    I was just a code monkey but I may be part of this. mKAY?!

  17. Why do they keep doing it by skovnymfe · · Score: 1

    Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?

    1. Re:Why do they keep doing it by Anonymous Coward · · Score: 0

      Why do they store it at all?

    2. Re:Why do they keep doing it by PRMan · · Score: 1

      I've worked at several companies and most of them store passwords in plain text. They've been doing it for decades and I ALWAYS make a new task/story/project, etc. that involves implementing proper security. Only once did I get a company to prioritize it to the point where it actually got done.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    3. Re:Why do they keep doing it by NotSanguine · · Score: 1

      Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?

      No. But they are not required by law to be smart about security. Since they charge back everything to the retailers, they don't care.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  18. Ukrainian and Russian peace by Anonymous Coward · · Score: 0

    It's so good to see enemies working together this way. Hacking for peace!

  19. Re:Stupid banks... US credit cards have no securit by afidel · · Score: 1

    Nope, they will issue a new card with at least chip and signature by next fall, October 2015 is the deadline from Visa for the card providers to move over as well as the merchants. After that date if the card issuer has issued a chip card and the merchant uses the magstripe then the merchant is liable for the fraud, there is no way in hell any card issuer is going to give up that kind of liability offload for one moment, let alone 2 years. The idiot bots that answer the phone have no idea what's actually going on, but I can all but guarantee you that you will be getting a new card around this time next year with a chip.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  20. See (RU and UA death match is a good thing) by Anonymous Coward · · Score: 0

    What the hell is so bad about RU and UA killing each other off?

  21. Chip and Pin isn't worth it. by gurps_npc · · Score: 1

    The amount of money saved by chip and pin is relatively low. A mere password doesn't cut it. US fraud rate is so low that it is not considered worthwhile.

    Give us real security - a Token based system that generates a new single use credit card number for each and every purchase made using the card - both on and off line.

    That number should only be reusable if you want to make it a reoccurring, monthly charge.

    --
    excitingthingstodo.blogspot.com
    1. Re:Chip and Pin isn't worth it. by Anonymous Coward · · Score: 0

      Some banks have this (Bank of America for one), at least for online. The interface is a bit tedious so I don't use it everywhere, but it's fantastic when signing up for a free trial of some service that requires a CC

    2. Re:Chip and Pin isn't worth it. by iONiUM · · Score: 1

      I live in Canada and now almost all debit / cc cards require chip + PIN (if it has a chip, and it's over $50, you must use it).

      It didn't appear to cost them much, or even take much time to roll it out (about 2-3 years). What's the problem?

  22. Re:Stupid banks... US credit cards have no securit by Anonymous Coward · · Score: 0

    The real problem with using signatures is that the banks don't require any actual matching to be done on signatures to see if they are valid. Any squiggly, X, or line is accepted just as easily as a real signature.

  23. Re:Stupid banks... US credit cards have no securit by stdarg · · Score: 1

    Chip and signature may not help against physical theft of the card, but it will put a stop to these massive breaches by hackers.

  24. In the meantime.... by Dega704 · · Score: 1

    I am going to start using cash a lot more often until the system has its act together. All of the crooks are busy robbing people the 21st century way anyhow. The good news is that between this and the NSA's shenanigans, security development efforts are on fire right now. It's long overdue.

  25. Multiple bank stolen credit cards .. by lippydude · · Score: 1

    And where does Microsoft Windows come into the equation?

    1. Re:Multiple bank stolen credit cards .. by WindBourne · · Score: 1

      100% of the systems broken into use windows AND have India based admin/coding.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:Multiple bank stolen credit cards .. by Anonymous Coward · · Score: 0

      And where does Microsoft Windows come into the equation?

      I noticed back in late May that HD was running Windows XP on their checkout terminals at our local store...

    3. Re:Multiple bank stolen credit cards .. by Anonymous Coward · · Score: 0

      100% of the systems broken into use windows AND have India based admin/coding.

      Source please. "100%" is an awfully high level of assurance to be tossing about without sourcing your info.

  26. We need more talented H1B visa holders. by SimonXXX · · Score: 1

    We desperately need more talented people in IT. This would never happen if local workers were replaced with overseas talent.

    Thank you Mister Gates, Buffet and Adelson for pursuing what is right for this country.

    1. Re:We need more talented H1B visa holders. by WindBourne · · Score: 1

      Actually, we have replaced our talent with cheaper overseas ppl. In fact, everybody that is being cracked employ many overseas coders (along with Windows).
      Think that there is a relationship?

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:We need more talented H1B visa holders. by Joe_Dragon · · Score: 1

      and they cut back on upgrading software / hardware.

      So we can't lock down systems more as the older software and hardware does not work well with more locked down systems.

  27. Bitcoin by ASDFnz · · Score: 1

    Yeah;-

    Bitcoin Bitcoin Bitcoin Bitcoin

    Just saying...

    1. Re:Bitcoin by Anonymous Coward · · Score: 0

      You're a colossal faggot. Just saying...

  28. Time to go retro ... by CaptainDork · · Score: 1

    ... back to the days of the credit card imprinter.

    Then back to fax machines and snail mail.

    Yes, these all have holes, but we know what they are and we know how to deal with them and foreigners would have the dickens of a time exploiting them and stuff.

    --
    It little behooves the best of us to comment on the rest of us.
  29. Re:Stupid banks... US credit cards have no securit by Anonymous Coward · · Score: 1

    More to the point, the merchant is prohibited from declining any payment via credit card that has been approved by the terminal regardless of whether the signature matches. Further, they cannot request ID as part of the checkout---per their payment processing agreement.

  30. They store credit card data with the transaction by kbahey · · Score: 5, Informative

    Home Depot stores credit cards with the transactions.

    I know this because when you go to return something I bought, they don't ask you for the credit card, and sort of highlight that this is a convenience that is unique to Home Depot.

    I complained more than once to the cashiers about storing credit card numbers (it is not their fault, it is management and IT). The cashiers would say: "Don't worry, we don't have access to it!"

    My response was: it is not you whom I am worried about.

    Now we know that storing credit cards is a bad idea, and why ...

  31. Big guys, nothing...small guys pay by speedlaw · · Score: 1

    As a merchant who accepts credit cards, a few years back they came up with PCI Compliance. First you had to show some very basic data security. Then, they tried to sell you insurance. Then, they required you to take the data security insurance. If you are "PCI noncompliant" then you get tagged $20.00 per month. I appreciate how they made this too into an opportunity to gouge the small merchant, to no effect at the high end.

  32. Gee, it must be the HVAC again!!!! by WindBourne · · Score: 1

    Some of the stupidest ppl elsewhere and here screamed that Target was caused by having an HVAC key. So, I guess that HVAC everywhere is making it possible to break into these systems?
    Or is it far more likely that all of them using Windows, combined with using off-shore admin/coding, specifically India where the 60 rupees to $1 means that their engineers are making less than $10K / year, the far more likely route?

    My bet is that the idiots, combined with those who are doing the bribes, continue to push the idea that it was an American inside job.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Gee, it must be the HVAC again!!!! by Anonymous Coward · · Score: 0

      No, it was an HVAC service company that had a login to Target's procurement system for invoicing purposes. The login was compromised by phishing and the system was used as the front end for the attack. I'm posting AC because my company also uses that system. We were informed by the vendor after the cause was traced.

    2. Re: Gee, it must be the HVAC again!!!! by Anonymous Coward · · Score: 0

      Yes, but because some small evidence pointed that way does NOT mean that it happened that way. Right now all of the cracking is happening the exact same way, and it is not via phishing or losing your key, password, etc.

      Instead it is by bribing IT people that are making a fraction of the money. In addition, they are not hurting their own nation since they allow none of these stores in.

  33. Person Of Interest by Anonymous Coward · · Score: 0

    The 'investigators' are performing cross-referencing of Barry Obama, Barack Obama, Barack Hussein Obama and Barack Hussein Obama II credit/debit cards and issuing Banks in U.S.A., Europe, Africa and Asia.

    Old Boy Barack can't win this.

    He must abdicate the Presidency or face ignominious impeachment, trial and imprisonment.

    Even Barack's beloved bong cannot save him.

    Tough tittie old boy Barack.

  34. They store credit card data with the transaction by Anonymous Coward · · Score: 1

    You do not need to store CC number to roll back transaction - you only need transaction or auth number.

  35. Re:They store credit card data with the transactio by Tchaik · · Score: 1

    I've always assumed that they stored only the hashes of the CC number. In any case they (probably) don't store the expiration date.

  36. Re:They store credit card data with the transactio by phorm · · Score: 1

    The local Home Depot also ties CC #'s to your email, allowing you to receive copies of your receipts in email. This is very useful if you need to keep receipts for tax purposes. However, if they're tying this to the plain-text CC info, not good at all (I had assumed some modicum of intelligence and that the emails were tied to name+hash).
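
Comments 34 to 36 above turn on what a retailer has to keep in order to process a return or link a receipt to a customer. The following Python is an added example, not part of any comment and not Home Depot's system: it stores the authorization reference, a masked number and a keyed HMAC token instead of the card number. The field names, the in-memory key and the test card number are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this key lives in an HSM or KMS, never
# beside the transaction database. Generated in memory for the example.
DEMO_KEY = secrets.token_bytes(32)

def luhn_valid(pan: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep only the last four digits for display on receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]

def card_token(pan: str, key: bytes) -> str:
    """Keyed token: stable per card, useless to anyone without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def make_record(pan: str, auth_code: str, amount_cents: int, key: bytes) -> dict:
    """What gets persisted after a sale. The full card number is not in it."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid card number")
    return {
        "auth_code": auth_code,            # reference issued by the processor
        "amount_cents": amount_cents,
        "masked_pan": mask(pan),
        "card_token": card_token(pan, key),  # links receipts for the same card
    }

def refund_request(record: dict, amount_cents: int) -> dict:
    """A return references the original authorization, not the card number."""
    if not 0 < amount_cents <= record["amount_cents"]:
        raise ValueError("refund exceeds original sale")
    return {"original_auth": record["auth_code"], "refund_cents": amount_cents}

def unkeyed_hash_search_space(pan_len: int = 16, known_prefix: int = 6,
                              known_suffix: int = 4) -> int:
    """Candidates left for a plain (unkeyed) hash once the issuer prefix and
    last four digits are known; the Luhn check removes a further factor of 10."""
    unknown = pan_len - known_prefix - known_suffix
    return 10 ** unknown // 10

if __name__ == "__main__":
    # Constructed sample: 4111111111111111 is a widely published test number.
    rec = make_record("4111111111111111", "A1B2C3", 1999, DEMO_KEY)
    print(rec)
    print(refund_request(rec, 1999))
    print("unkeyed hash candidates:", unkeyed_hash_search_space())
```

The last function shows why the token is keyed: with the prefix and last four digits known, a plain hash of a 16-digit number leaves only 100,000 candidates, which is why the key has to stay out of the database that holds the records.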

  37. Windows on Point-of-Sale computer by Anonymous Coward · · Score: 0

    What could possibly go wrong?