Home Depot Confirms Breach of Its Payment Systems

itwbennett writes: Home Depot confirmed Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the U.S. and Canada since April. There's no evidence yet that debit card PINs had been compromised, the company said, though it is still figuring out the scope and scale of the attacks. Home Depot is offering a free year of identity protection services for anyone who used a payment card in one of their stores since the beginning of April.

Damn it, hire hackers as security professionals!

[ulatekh]

Yet another major computer security breach at a big retailer, compromising the payment details of uncountable customers.

It seems to me that the core problem is that companies won't hire actual experienced hackers as security consultants; for some reason, the idea terrifies them. Instead, they hire bozos that possess some worthless "security" certificate (like CompTIA).

Or even worse, they'll hire a hacker that was dumb enough to get caught and go to jail for his actions. For some reason, that gives them credibility.

Those of us who managed to spend their teenage years hacking everything in sight, and not getting caught — the ones with real expertise — get nothing.

And so these breaches continue.

Oh, and BTW, this is why I pay cash.

Re:Damn it, hire hackers as security professionals

You for got to mention How L33t you are, Anonymous I iz

Re:Damn it, hire hackers as security professionals

[Agares]

I agree, however the major issue here is that there are not enough hackers to go around. So unfortunately security will always be a mess I suppose.

PCs are the problem

[ArchieBunker]

Remember when cash registers used to be glorified calculators? Now they are cheap PCs running poorly configured operating systems. You have tons of attack vectors open from USB ports to unneeded services. That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.

Re:PCs are the problem

[wolrahnaes]

Now they are cheap PCs running poorly configured operating systems.

The important part. Brand new systems are still being deployed with Windows XP. Anyone who doesn't see how fucking idiotic that is should never be allowed to make an IT-related decision again, but unfortunately the people who make these decisions don't know and aren't held accountable for their stupidity.

Most of the local banks have installed new Diebold ATMs that scan checks automatically. I saw one reboot the other day. Take a wild guess what OS...

Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.

Re:PCs are the problem

[lister+king+of+smeg]

Now they are cheap PCs running poorly configured operating systems.

The important part. Brand new systems are still being deployed with Windows XP. Anyone who doesn't see how fucking idiotic that is should never be allowed to make an IT-related decision again, but unfortunately the people who make these decisions don't know and aren't held accountable for their stupidity.

Most of the local banks have installed new Diebold ATMs that scan checks automatically. I saw one reboot the other day. Take a wild guess what OS...

Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.

XP would be an upgrade from my retail experience everything from sco unixware, DrDOS, Netware, to IBM PCDOS is still used.

Re:PCs are the problem

[Vellmont]

That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Well, you're going to start getting your (and my) wish starting around October 2015. That's the date the liability shifts. Then the liability shifts to the party implementing the least technology. So if the card issuer issues a chip and pin card, and the retailer has only swipe, the retailer is responsible for any fraud from customers with chip and pin cards. If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.

So essentially you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015. I'm sure it'll be a slow process, with small retailers taking many years to finally upgrade. But it'll happen.

Re:PCs are the problem

[Archfeld]

I disagree, even XP can be made secure. The problem is the network implementation and the proprietary software that runs on the admittedly PIGGY-BACK of XP. More and more the routers and silly appliances with hard coded firmware passwords and insecure 3rd party installation is to blame. I have to agree on the credit card issue though. Isn't it odd that the companies responsible for credit DB's and ratings also run the so-called identity protection sites ?? That seems like a conflict of interest to me.

Re:PCs are the problem

[mjwx]

Remember when cash registers used to be glorified calculators? Now they are cheap PCs running poorly configured operating systems. You have tons of attack vectors open from USB ports to unneeded services.

This is pretty much why they wont hire anyone who knows dick about security.

The first thing they'll tell them is the unpatched Windows XP box running ShitPOS(TM) is inviting an attack. The problem with this is that the POS terminals they got were cheap and the director in charge of that procurement got a good bonus for getting the POS system in under budget. Getting a secure system costs money, time (which costs money) and effort (which isn't cheap either). This means the director and project manager cant spend as much time on the golf course enjoying their bonuses.

Yeah, so sticking to cash.

Re:PCs are the problem

[mjwx]

That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Well, you're going to start getting your (and my) wish starting around October 2015. That's the date the liability shifts. Then the liability shifts to the party implementing the least technology. So if the card issuer issues a chip and pin card, and the retailer has only swipe, the retailer is responsible for any fraud from customers with chip and pin cards. If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.

So essentially you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015. I'm sure it'll be a slow process, with small retailers taking many years to finally upgrade. But it'll happen.

This hinges on the cost of liability being greater than the cost of upgrading.

You can bet that Home Depot or Walmart will find a way to push this cost onto the customer (and offer optional insurance for a nominal fee to avoid it).

In Europe the governments had to force retailers _AND_ banks to upgrade. Not that EMV (Chip and Pin is the UK/Ireland brand name) has improved security any, it's pretty much as vulnerable as the mag stripe (successful attacks on EMV started in 2006 in the UK). The problem will remain as long as a POS system is allowed uncensored access to the card information.

But that's the least of your worries, along with EMV you'll get NFC. That will give your card details (everything on the front of the card) to anything that asks for it in a 1 metre radius.

Re:PCs are the problem

[ShanghaiBill]

you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015.

So far only one retailer that I shop is chip-and-pin ready: Walmart. About six months ago, they started asking me to insert, rather than swipe, my chipped card.

Re:PCs are the problem

[sound+vision]

In 2012 I worked at a discount retailer whose cash registers ran Windows 98. (Yes, the registers sucked.) The "office computer" ran Windows 2000. The Win2k machine (an subsequently all registers) were internet-connected, and the 2k machine had data from all the cash registers. I'd like to think the Win2k machine was strictly used on a properly secured VPN with the corporate office... but I doubt it.

Re:PCs are the problem

[Weirsbaski]

That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.

I think that's changing, maybe the mess is finally more expensive than a preemptive fix.

My bank cancelled+replaced my credit card last week (without warning: they said it was because the # was recently reported stolen, I'm guessing it was the local supermarket chain but they won't say), and the replacement has chip and pin. I didn't ask for it, they didn't ask me, they just did it. Of course, it's a no-brainer for them if the cost of a safer card is footed by a compromised retailer.

Re: PCs are the problem

[steven.db.clark]

Which card is that? I asked amex for chip and pin and they said they didn't have it available.

Re:PCs are the problem

[swillden]

If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.

One correction: The US isn't going to Chip and PIN, but Chip and Signature.

Given the federal laws that prevent issuers from placing (significant) liability on cardholders, there's less motivation for imposing the inconvenience of PINs (you can debate whether signature or PIN is more convenient, but US consumers have traditionally preferred the former). In the UK, for example, Chip & PIN has allowed banks to shift the liability almost completely to the cardholder, so in that sense US cardholders are better off.

Re:PCs are the problem

[swillden]

This hinges on the cost of liability being greater than the cost of upgrading.

It is. Far greater.

You can bet that Home Depot or Walmart will find a way to push this cost onto the customer

Home Depot has already installed chip-capable terminals (I use them all the time). Walmart already has in many locations as well.

Re:PCs are the problem

[jittles]

you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015.

So far only one retailer that I shop is chip-and-pin ready: Walmart. About six months ago, they started asking me to insert, rather than swipe, my chipped card.

I sometimes do some contract work for POS companies. I write little demo apps to help them sell their terminals to merchants. The cheapest stuff coming out the door right now all seems to have chip and pin built into it. So don't worry, everyone is going that way. T-Mo uses it, my Target location has switched to chip and pin capable terminals as of 3 weeks ago, too.

Re:PCs are the problem

[MikeBabcock]

Why would you want to run an insecure OS like XP instead of an easily secured one like Unixware or PCDOS?

Being pretty doesn't make it an upgrade.

Re:PCs are the problem

[MikeBabcock]

Come on up to Canada, we're all chip&pin ready and mostly tap&pay as well.

Re:PCs are the problem

[operagost]

You can bet that Home Depot or Walmart will find a way to push this cost onto the customer (and offer optional insurance for a nominal fee to avoid it).

They would have to ask each customer. I should say lost customer, because who is going to buy anything when the cashier's first words are, "Thanks for shopping at Home Depot. Would you like to buy liability insurance in case we get hacked?"

Re:PCs are the problem

[deKernel]

So let me get the story straight: the EU forced people to upgrade (which cost big buck and I am certain all those costs were passed to the customers), and then you seem to acknowledge that it really didn't accomplish much. So, what was the goal of the exercise? Am I missing something?

Re:PCs are the problem

[Megane]

FWIW, some places now request your postal zip code as a sort-of PIN, particularly unattended pay-at-the-pump gasoline. At first it sounds silly, but when you think about it, if someone scammed your credit card number by swiping the card track data, or out of a database, they're not likely to have your zip code too. (I suppose if they intercepted the zip-as-PIN they would have it, so hopefully it goes down the same encrypted route as debit PINs.)

If someone stole your wallet, sure, they would have your zip code, but at least then you would know that your card was missing.

Re:PCs are the problem

[randallman]

And you don't see the problem?

An OS designed for desktop retrofitted for appliance use.

Re:PCs are the problem

[Aaden42]

Being pretty doesn’t make it an upgrade.

No, but being easier for barely capable techs to cobble something together that “works” in less time is considered an upgrade.

Remember: IT security is a separate cost of doing business. Cutting IT security costs improves the bottom line. Increasing costs for “only” security has no business benefit.

Re:PCs are the problem

[Jane+Q.+Public]

Give me a break. I'm no great fan of Windows, but even if they used one of the more secure versions of Linux, their own software is not exactly known for stellar security.

Reference the scandals some years back regarding their voting machines...

Re:PCs are the problem

[wolrahnaes]

Did I ever say I had a problem with Windows overall? I don't, at least no more than any other ordinary OS. It's that second part...the one that starts with an X and ends with a P. That's the problem. Like I said, deploying new Windows XP is fucking stupid.

Windows itself is a fine core platform these days. The key is these days, meaning not a full major revision and two lesser (but hard to call minor) revisions ago.

I'd still personally prefer Linux or a BSD, but I'd have a hard time making a purely technical case for that.

Re:PCs are the problem

[strikethree]

Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.

Fuck software "engineering" and the bullshit always-update mentality. Build shit that works so that it can be used 20 years later without issues. If I have to update, YOU are doing it wrong.

I say this as someone who has written software. Oddly enough, it was in C, has never had any exploits, has not needed updates, and has been running in a hostile environment since 1999, and is still just as reliable now as it was then (never needs to be restarted/rebooted, no memory leaks, etc). And it is not Hello World.

Re:PCs are the problem

[datavirtue]

The cost of everything is always passed to the consumer. The retailer gets its money from you buying shit. Then they pay their expenses from the revenue. Can they accept lower profits? No. Same with taxes. Asking for a corporation to "pay their share of taxes" is like asking for higher prices across the board. Convenience and simplicity are valued over safety and security...period. Both by the consumer and the business.

Re:PCs are the problem

[datavirtue]

They arent too cheap. They are worried about better technology supplanting their monopoly. This is just the thing to do it. The CC becomes more inconvenient for security purposes so people opt to pay with their phone--Google Wallet, Apple Pay, whatever. Those are abstracted systems that can switch the payment processor at a whim without affecting customers.

Re:PCs are the problem

[swillden]

The cost of everything is always passed to the consumer.

Tautologically true, but misses the point.

The cost of fraud gets passed to the consumer, also, either through higher bank card fees and rates, or through higher cost of goods at the merchant (mostly the latter). When merchants save money on fraud costs by spending money on new chip-capable terminals, that savings ultimately gets passed to the consumer as well.

CC system is flawed

Even chips are bullshit. Why aren't CCs issuing one time tokens per a transaction - this rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc)

Re:CC system is flawed

[Anubis+IV]

Why aren't CCs issuing one time tokens per a transaction - this rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc)

Hopefully someone brings out a system like that soon.

Re:CC system is flawed

[dgatwood]

Even chips are bullshit. Why aren't CCs issuing one time tokens per a transaction - this rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc)

You'd have to do better than that. If the payment terminal is compromised, an attacker could just sit there and wait for a card to be available at one of the payment terminals, then process two transactions in a row very quickly, one of which is the real one, and the other of which is an arbitrary transaction. There's a fundamental law in computing—not sure if it has a name—that goes something like this: If you cannot fully trust both endpoints of a communication channel, you cannot trust the communication channel itself. Period.

The only way to really improve the situation is to have credit cards treat the payment terminal as an untrusted network connection. Put a screen on the card itself, and require the user to push a button on the card itself to approve the transaction. Then use some form of PK crypto in the device itself to sign the transaction and send the response back to the payment processor's servers, which can then send a confirmation code to the register as proof that the transaction was accepted.

And no, I don't mean cell phones here. Cell phone payment systems certainly have the potential to be an easier way of paying for things, but security-wise, they just replace one attack target with another, without any obvious security benefit. Why? Because they're general-purpose computers that are constantly in use for other purposes like web browsing, so if they contain any security holes, the risk of them getting compromised is non-negligible.

More to the point, the risk of compromise for a cell phone is orders of magnitude higher than the risk of somebody finding a bug in a specialized card in your billfold and attacking it using nothing but NFC (because an attack on a cell phone doesn't require you to be in the same country as the victim, much less within a few feet).

And assuming all things are equal, the odds of a cell phone being compromised should be higher than the odds of a payment terminal being compromised (ignoring the "physically swap it out" risk), because the payment terminals should be segregated onto their own private network, and shouldn't be communicating with unrelated Internet servers for unrelated purposes. This does not appear to be the case in practice (as far as we know), but then again, until enough payments happen on cell phones, they won't be a high-priority target, so such comparisons may or may not really be valid.

Now it is theoretically possible to make a cell-phone-based solution as secure as a card with a screen, but the minimum requirements would be:

• A separate CPU that handles the transaction processing and signing.
• A means for that CPU to take over the display and input system in such a way that guarantees that the data shown on the screen is from that crypto chip even if the software running on the phone's main CPU is completely compromised.
• A physical light on the front panel of the device to indicate that the data on the screen is coming from the payment chip.

Anything short of that improves security only to the extent that the odds of simultaneously compromising a payment terminal and the phone that's talking to it are less than the odds of compromising one or the other, and there's a small chance that the customer might notice if the screens don't match, so an attacker really ought to compromise both of them. With that said, when there's a mass compromise of the payment systems of a major national company, it doesn't take a very high percentage of compromised cell phones before you would start seeing situations where both devices are compromised, at which point the cell phone doesn't make things appreciably more secure than a chip-and-pin system, which is, in turn, not all that much more secure than a magstripe system, whereas a mostly dumb crypto card with a screen and a pushbutton does.

Re:CC system is flawed

[aaarrrgggh]

It is easier than that; the token needs to have merchant, amount, date/time hashed in; you approve that information before entering your pin.

There are hard issues... like what to do with credit reports that rely on a non-random 9-digit social security number as keys to the kingdom, but securing the transaction between consumer, merchant, and bank isn't that hard.

Re:CC system is flawed

[dgatwood]

No, it really isn't easier than that. If an attacker is in control of the device that controls the screen, they can make it show you anything that they want, including showing the right text for the transaction you're actually making. Then, when you enter the PIN, they can perform your transaction, and repeat the process for a second one using the PIN data that they already captured. If a device vendor manages to somehow make it physically impossible to perform two transactions without entering the PIN twice, they could display something that looks like a legitimate error message (e.g. a communication error), causing the user to enter the PIN twice. Either way, you've gained nothing.

For that matter, they could show you your actual purchase, but really perform a transaction for airline tickets to Barbados, then not perform your actual purchase, but tell the register that they did. Then, to make the balance sheets look right from the store's perspective, they could add ten cents to the next few dozen transactions to cover the cost of your actual purchase. The error would only be caught on the store side through a thorough audit, and because the stolen card would not have a transaction for the store, there would be nothing suspicious about the transactions to draw the CC companies' attention towards that store, because after all, no consumer is likely to notice a missing transaction.

Securing the transaction between the consumer and the bank is hard, because the merchant's systems are inherently untrusted. The second that display screen ceases to be absolutely trusted, you've lost the security battle.

Re:CC system is flawed

[aaarrrgggh]

It is easy if the security token is a single-purpose device; hard if it is a smart phone.

Understood. The new CompTIA is better than most

[raymorris]

I understand where you're coming from. As you may know, I've been doing infosec for a long time, and I know the difference between "compliant" and "secure". I'm rather surprised you chose CompTIA Security+ as your example of a bad security certification. The new one especially is quite comprehensive, in my view. Not that a single certification can ensure that a candidate is ready to perform any and all jobs related to security, but I'd say that if even 10% of the people designing and maintaining these systems had enough knowledge to pass Security+, we'd be in a lot better shape.

Re:Understood. The new CompTIA is better than most

[strikethree]

but I'd say that if even 10% of the people designing and maintaining these systems had enough knowledge to pass Security+, we'd be in a lot better shape.

I am sure all of them could pass it if they studied for it. That is why all certifications are useless. With enough studying, almost anyone can pass it without understanding the material, just regurgitating facts.

If you could force someone to take and pass such a test without studying, THEN your statement would be useful.

Cash

[tquasar]

Just use cash instead of plastic. Go to your bank, get real money, QED. Cashiers are shocked when I use a fifty or hundred dollar bill to pay for a purchase.

Re:Cash

[crioca]

A couple of months back I payed for a bunch of Ikea stuff with 10 $100 notes. It was so cash. Literally.

Re:Cash

[tquasar]

So, cash is now a verb? Cool.

Re:Cash

[sound+vision]

Cash has been a verb since at least the time people began saying "cash a check" and "cash out".

Re:Cash

[cdrudge]

And a half hour later after the cashier has marked every bill, held it up to the light to observe ALL the security features, and then had to call two levels of management over to repeat the process to authorize accepting $50s or $100s.

Maybe it wasn't quite a half hour, but the above happened to me recently. The guy in front of me was paying with several $100s. It too far too long to complete the transaction.

Re:Cash

[Panaflex]

Agreed. I started using cash a few months ago so that I could keep better track of my spending, but the side benefit is a smaller digital footprint. I don't live in a high crime area, so the tradeoff is mostly positive.

Re:Cash

[operagost]

Looks more like an adjective.

Re:Cash

[operagost]

It's become ridiculous, considering that $100 doesn't buy crap. I can't even fill a cart at the grocery store with $100 unless we loaded up on coupons.

Re:Cash

[Megane]

In the context of "so cash", wouldn't cash be an adjective?

Re:Cash

[k6mfw]

repeat the process to authorize accepting $50s or $100s.

yes, give a $100 bill at any store and they will spend some time examining it. Except in Las Vegas, that gets as much attention as a quarter (unless things have changed in past 10 years). I read leading counterfeit bills are $10. $100 attract attention, $1 not worth time counterfeiting, but the $10 bill is good candidate because Treasury Dept is always changing the colors so nobody really keeps track on what an authentic bill looks like.

But how does a suspected counterfeit feels like? the real bills are special material that is hard to duplicate.

Some years ago couple teenagers had access to a color copy machine. They copied and printed lots of "money," went to Vegas and had a great time. They buy something trivial when cashier is really busy with long lines of people, give them a "$20" and receive legit change. But their luck ran out couple days later when a cashier took the money, "wait, this feels like regular paper." These days ***never*** copy money in a copy machine, a former Xerox tech told me. If it detects money, it will brick itself and only some guy from Xerox Japan can unlock the copy machine.

Re:Cash

[cdrudge]

I read leading counterfeit bills are $10. $100 attract attention, $1 not worth time counterfeiting, but the $10 bill is good candidate because Treasury Dept is always changing the colors so nobody really keeps track on what an authentic bill looks like.

The Treasury Dept in 1998 said $20 get 5x the number of counterfeits as $10 but $100 has 3x the value of counterfeit notes. Source, page 53

I wouldn't imagine the numbers have changed that much since than. I had always heard that $20s are the most frequently faked since everyone carries them so they are very common, and it's the highest denomination without being uncommon (like the $50 and $100).

Re:Cash

[k6mfw]

interesting document, thanks for link. heh, come to this thread about payment systems getting hacked and veer off into counterfeit money. I don't shop Home Depot often, last time was there bought electrical supplies and paid cash (with real money of course). I'd hate if I used my CC and then get up the next day and read about Home Depot.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:"anyone who shopped at Home Depot since April"

Negative.

Of the 7 billion people in the world, I highly doubt even one tenth of one percent of them shopped at home depot since April.

And even considering just the US, and only major populated areas...your definitely stretching it. Certainly an inflammatory statement with no basis in truth.

These are new systems...

[Etherwalk]

Home Depot deployed new card readers at all their stores (of the ones I saw at least) almost overnight shortly after the target breach. I had guessed it was in response to the breach to beef up security...

But it looks like it was the new ones that were compromised... (or else it was coincidental).

Re:These are new systems...

[swillden]

Home Depot deployed new card readers at all their stores (of the ones I saw at least) almost overnight shortly after the target breach. I had guessed it was in response to the breach to beef up security...

But it looks like it was the new ones that were compromised... (or else it was coincidental).

I doubt the new readers had any relationship to the Target breach. Home Depot was just being proactive and getting the new tech in well ahead of the liability shift, which is coming late next year. The Home Depot near me got them over a year before the Target breach. I know because I started using my Google Wallet there in late 2011.

The fundamental problems, though, depend on the cards, not just the terminals. As long as you're swiping a magnetic stripe you're vulnerable because (a) the POS system receives all of the card info in plaintext and (b) it's easy for skimmers to copy that data onto their own magnetic stripes. So new terminals are only half of the solution, and not the half that retailers can address -- though they should be working harder to ensure the security of the payment data they handle.

Re:These are new systems...

[jellomizer]

But are they implemented?

My credit card company has just recently send new cards with the microchip.
Now I have seen the chip reader on 80% of the card readers I have seen.
And only Wal-mart has it implemented and working. Target has the new reader, but it isn't implemented.

So the upgrading of the card readers happened to make people feel good, however like so many other IT projects their implementation was half assed.

Re:These are new systems...

[tlhIngan]

My credit card company has just recently send new cards with the microchip.
Now I have seen the chip reader on 80% of the card readers I have seen.
And only Wal-mart has it implemented and working. Target has the new reader, but it isn't implemented.

It probably IS implemented, it's just waiting on the processor to actually flip the switch to enable the chip reader.

It's a bit more involved than just swapping out old hardware with new hardware - the whole operation of chip+pin is completely different. And it's different enough that POS systems that integrate in credit and debit processing software MUST change as well.

Presumably, Home Depot and Target are busy rewriting their charge card processing software to handle the new format - but in the mean time, they can certainly have the hardware down and ready for it. Then there's retraining as well - because when doing stuff like returns and such, often because the POS machine stores the card, it can reverse the charge without the user doing anything more than signing the slip. But chip+pin can't do that, so the system needs to ensure that it can send the refund request properly to the machine and the customer service folks need to be trained to tell the user to insert their card. (And no, it won't accept any card, it generally must be a card on the same account, so if you made a purchase specially on Visa and forget it, you can be stumped when the normal MasterCard you use fails).

The hardware's just the basic part. It's the whole POS integration's that the difficult part. Wal-Mart has it easier because they're always tweaking stuff and policies so they've probably live-beta'd the new changes all the time.

In fact, the retailers most likely to have the new machines working are the small ones, provided they upgrade (usually as part of equipment refreshing or broken replacements), since there's no integration.

Heck, my local comic store has an interesting charge machine - they had their old one replaced with the same model because it broke, then earlier this year, that got replaced with a brand new one with a bright shiny high-res LCD. That apparently is probably running the old software in an emulator because it provides all sorts of status information on the screen, but the actual credit card processing uses large pixelated letters that emulates the low-res old screen. No, it's not simply using a large font, it's actual pixelated text where you can see the individual dots rendered. (And you know it can go finer because the stuff around the emulated low-res LCD is in color and fine text).

Re:Damn it, hire hackers as security professionals

[ShanghaiBill]

It seems to me that the core problem is that companies won't hire actual experienced hackers

Most likely the problem was the exact opposite: They did hire a black hat, and this was an inside job.

Re:Damn it, hire hackers as security professionals

[ruir]

No need to hire black hats. On this present economy and the mentality of the get the cheaper you can, they are probably paying students or some "Windows" experts to take care of their systems. This smells more of incompetence than of an inside job.

Re:Who cares?

[stoploss]

We get worked up because, inevitably, one day soon (and without warning) our credit cards will stop working, our automated recurring card charges that are on file with our utility companies will bounce, and we will get a letter from our CC company saying:
"A data breach at an undisclosed partner has occurred and we are therefore issuing you a new card, which will arrive in several more days under separate cover, for no reason other than to increase the inconvenience for you. In the meantime, enjoy the fact that we only sent this letter after we disabled your card so you are only finding out about our unilateral action officially now, several days after your card stopped working. Be grateful we are working to 'protect' you, maggot, even though you have zero fucking liability for fraud anyway."

It's a goddamn pain in the ass to deal with this, and we are not compensated for the hassle or the bounced payment charges that happen through no fault of our own.

Re:Just bite the bullet

[pla]

In the processing of waiting for a new card. Even if I'm not liable, I don't want my bank footing the bill for criminal purchases made by someone.

This. Everyone seems all panicked about this (along with Shaws, a regional supermarket chain) - But why care? I shop regularly at both stores, use only plastic, and... I will lose exactly zero dollars even in the worst-case scenario.

I know people who currently refuse to shop at TJ Maxx because of that breach a decade ago. Yet, such people never seem to have a good answer for how much it cost them personally (correct answer: nothing). And I fully expect the same people to start using Lowes exclusively (because at least they only screw their own employees with poor security, amiright?).

Guess what, folks - It just doesn't matter. If you report any fraudulent charges within a reasonable time after getting your statement, you have no liability, with the bank, the merchant, and the insurance company getting to argue over which of them foots the bill. Debit cards have somewhat worse terms (you front any money stolen, and start sharing the liability if it takes you too long to notice any problems), but even with them, you still have one full statement cycle to notice any fraudulent charges.

Much ado about nothing.

Heads must roll, or they aren't serious.

[140Mandak262Jamuna]

Corporations treat security as an after thought. It shows up in the expense column, nothing in the revenue/income column. The top corporations do not see any benefit to security expenses. It is as idiotic as not installing doors to help customers enter the store easier.

The CEO's bonus must be docked, the CIO must be fired, all the top executives who were in the decision chain of the security decisions must have their bonus forfeited, pay docked and a few of them should be fired too, Unless we see a strong reaction that hits the top management hard, they are not serious. When the things were going was good they had no compunctions in attributing it all to their own super brilliance and their actions and decisions. Thus they justified awarding themselves compensation two orders of magnitude more than rest of the corporations.

They must also take the blame as seriously and pay for it in terms of cash and career prospects.

They should, but they won't.

Re:Just bite the bullet

[pla]

You ignored what I said.

Oh, wow did I misread that! Sorry, my bad.

Clearly we disagree, rather than agreeing. Ah well, I probably would have responded with the same thing, just intro'd slightly differently. ;)

Junk quality; why bother?

[Squidlips]

My experience with Home Depot has been extremely low quality products. Your experience my differ, but I stopped shopping there long ago and now only shop at local, family-owned shops.

Re:Junk quality; why bother?

[aaarrrgggh]

Most local family-owned shops are effectively Ace or one of the other franchises. While not all the inventory comes from the franchiser, it's quality is usually lower to be at the same retail price. Lowes seems to have higher quality, higher-priced products consistently, but it seems to miss the balance on the value scale.

I bought a Husky tool cabinet last year for under $300, where the comparable product from Lowes was $700. Lowes was hands-down better in terms of construction quality, design, and features... but for my needs the cost wasn't warranted.

Know when you want/need quality, and know when you need to get the job done. The product is the key though, not the merchant.

Re:Damn it, hire hackers as security professionals

[Jawnn]

It seems to me that the core problem is that companies won't hire actual experienced hackers

Most likely the problem was the exact opposite: They did hire a black hat, and this was an inside job.

No. If history is any indicator, and it usually is, this is just another case of system admin ass-hattery. In other words, bad practices; giving LAN access to the HVAC contractor, allowing remote desktop access by the POS system contractor, etc. All things we've seen before in other high-profile breaches.

Canada: Chip and PIN

[dskoll]

I've shopped at our local Home Depot, but here in Canada everything's been chip-and-PIN for quite some time. So... am I at risk? It's not clear from the news media whether or not the chip-and-PIN system has protected me from this breach.

Chip and PIN cards affected too

[Walking+The+Walk]

I'm in Canada, and we've been using chip cards for a few years now. I just called my bank 45 minutes ago after noticing a fraudulent charge on my credit card from August 30th. Since I bought a bunch of stuff at Home Depot in May/June, I'm assuming they managed to clone my card from the stolen data. The charge was only $4.56, at a gas station halfway across the country, so I would guess that someone was testing the clone to see if it was a valid card number (maybe testing one number from a batch of 100s or 1000s, to see if the numbers were legit.)

Just so we're clear, I'm not saying the fraudulent purchase itself was made using the chip. I only ever use chip + pin when making purchases, but I suppose a cloned card could use NFC (eg: PayWay) for a purchase that small, or even just the magstripe, neither of which requires them to have compromised my pin. My point is that I thought I was being safe using chip + pin, but still got hit regardless. Fortunately, banks seem to be good about this sort of thing, and my new card is on its way.

Re:Chip and PIN cards affected too

[MikeBabcock]

I've twice taken random trips and had a phone call waiting for me when I get home from my CC company asking if I'm the one who made the random purchases in question because they don't match my normal profile and they want to prevent fraud.

I also only use chip&pin or NFC for payments (also Canadian).

Re:Just bite the bullet

[MikeBabcock]

Call the police every time as well as your bank.

Duh.

Identity theft monitoring

[Hydrated+Wombat]

If I'm already receiving monitoring from another database breach, is there a way to enqueue this monitoring so it goes in effect after that year lapses? Signs of bad systems...

Re:"anyone who shopped at Home Depot since April"

[Megane]

I think I went once or twice during those months, but I can't remember if I used my card or fed twenties into the self-service checkout.

Re:Just bite the bullet

[hendrips]

After the Target breach, the bank that issues my credit card cancelled that card and sent me a new one. They didn't give me a choice, and they didn't give any warning.

Every account that relied on my card information had to be updated. One of my bills - car insurance - bounced because they cancelled my old card before I had time to update that account with the new card info. It's quite galling to pay a late payment fee and have my credit rating potentially dinged for not paying a bill that I had enough cash on hand to pay a hundred times over.

The worst part of it was that I hadn't even been to Target in years - my bank just panicked and sent everyone new credit cards. So while I theoretically didn't have any liability, there was still a fairly major annoyance, not to mention a late payment fee.

Hire better IT talent

[o2bin813]

These companies get cheap and higher less capable IT workers for less money and this is the result. Home Depot, this liability will cost you far more than paying for better talent in the first place.

Re:Who cares?

[stoploss]

The card issuers are the ones I am angry with for how they handle the problem. I don't care about Home Depot, Target, or any of these other breachers. I don't have any liability either way.

Fwiw, it seems counterproductive to "boycott" a merchant by .. giving them more of your money... besides, there is no law in the US to force anyone to accept payment in any form of cash or coins. If you believe there is such a law, please cite a credible source that states that explicitly.

Studying your field might be a good thing

[raymorris]

> I am sure all of them could pass it if they studied for it. That is why all certifications are uselessuselessb

With enough study, you can pass the exams to be a medical doctor. That is why exams to certify that medical doctors know what they are doing are useless. Unless of course you want someone who knows about the subject at hand. I kind of want a doctor, and a security professional, who have studied their fields. Sorry you couldn't pass.

> With enough studying, almost anyone can pass it without understanding the material, just regurgitating facts.

I suppose it MIGHT be possible to do that, but that would be the hard way. Understanding the material is a lot easier than memorizing every possible question and answer.

Re:Studying your field might be a good thing

[strikethree]

With enough study, you can pass the exams to be a medical doctor.

That is true... and I have had many bad experiences with medical doctors. Just because someone can pass a test immediately after studying for it, that does NOT mean that they understand whatever it is that they just passed.

I kind of want a doctor, and a security professional, who have studied their fields.

I want more than just studying. I want understanding of the material.

Sorry you couldn't pass.

Heh. You are funny. I passed Security+, Server+, CISSP, etc all without breaking a book to specifically study for all of those certifications. I have read lots of books. I have learned lots of stuff. Knowing that stuff was sufficient for passing the tests. It is almost a form of cheating if you have to study to pass a test that checks for whether or not you understand the material.

I am well paid for my services.

I suppose it MIGHT be possible to do that, but that would be the hard way. Understanding the material is a lot easier than memorizing every possible question and answer.

You say that as if it is negating what I am saying. On the contrary, you are just validating what I say.

Understanding takes a LOT of mental energy. It also requires a certain speed of synapse firing or somesuch. Most people are not willing or are not capable of expending that type of energy... but they still want the high paying jobs. So they study. And study some more. They take the tests. They fail them. They study some more. Eventually, after several more failures, they pass them. They get hired into a high paying job... and then can not perform at the level of some of those around them.

People kill for money. Studying to get money is not so hard as actually learning, knowing, and understanding the material. People would rather than kill than expend the energy needed to understand.

In summary, the average person is a lazy and murderous brute who wants money and will take the path of least resistance to get it. Regurgitating facts is that path.

Free Credit Monitoring for Life!

[healyp]

Target offered a free year of credit monitoring after last year's breach and now this. As long as one major retailer makes the same mistake every year we'll all have free credit monitoring for life!