Home Depot Confirms Breach of Its Payment Systems

itwbennett writes: Home Depot confirmed Monday that its payment systems had been breached, potentially affecting any customers who shopped at its stores in the U.S. and Canada since April. There's no evidence yet that debit card PINs had been compromised, the company said, though it is still figuring out the scope and scale of the attacks. Home Depot is offering a free year of identity protection services for anyone who used a payment card in one of their stores since the beginning of April.

PCs are the problem

[ArchieBunker]

Remember when cash registers used to be glorified calculators? Now they are cheap PCs running poorly configured operating systems. You have tons of attack vectors open from USB ports to unneeded services. That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.

Re:PCs are the problem

[wolrahnaes]

Now they are cheap PCs running poorly configured operating systems.

The important part. Brand new systems are still being deployed with Windows XP. Anyone who doesn't see how fucking idiotic that is should never be allowed to make an IT-related decision again, but unfortunately the people who make these decisions don't know and aren't held accountable for their stupidity.

Most of the local banks have installed new Diebold ATMs that scan checks automatically. I saw one reboot the other day. Take a wild guess what OS...

Fuck "enterprise IT" and the bullshit anti-update mentality. If you can't update, you're doing it wrong.

Re:PCs are the problem

[Vellmont]

That and credit card companies are too fucking cheap to switch to chip and pin. The only reason the rest of world switched was because the companies were forced to. Not in the good old USA.
Well, you're going to start getting your (and my) wish starting around October 2015. That's the date the liability shifts. Then the liability shifts to the party implementing the least technology. So if the card issuer issues a chip and pin card, and the retailer has only swipe, the retailer is responsible for any fraud from customers with chip and pin cards. If the retailer has a chip and pin machine, but the card issuer has only swipe, then the card issuer is liable.

So essentially you're going to start seeing big retailers upgrade to chip and pin machines sometime around Oct 2015. I'm sure it'll be a slow process, with small retailers taking many years to finally upgrade. But it'll happen.

Re:PCs are the problem

[Archfeld]

I disagree, even XP can be made secure. The problem is the network implementation and the proprietary software that runs on the admittedly PIGGY-BACK of XP. More and more the routers and silly appliances with hard coded firmware passwords and insecure 3rd party installation is to blame. I have to agree on the credit card issue though. Isn't it odd that the companies responsible for credit DB's and ratings also run the so-called identity protection sites ?? That seems like a conflict of interest to me.

Re:PCs are the problem

[MikeBabcock]

Why would you want to run an insecure OS like XP instead of an easily secured one like Unixware or PCDOS?

Being pretty doesn't make it an upgrade.

Re:PCs are the problem

[operagost]

You can bet that Home Depot or Walmart will find a way to push this cost onto the customer (and offer optional insurance for a nominal fee to avoid it).

They would have to ask each customer. I should say lost customer, because who is going to buy anything when the cashier's first words are, "Thanks for shopping at Home Depot. Would you like to buy liability insurance in case we get hacked?"

Understood. The new CompTIA is better than most

[raymorris]

I understand where you're coming from. As you may know, I've been doing infosec for a long time, and I know the difference between "compliant" and "secure". I'm rather surprised you chose CompTIA Security+ as your example of a bad security certification. The new one especially is quite comprehensive, in my view. Not that a single certification can ensure that a candidate is ready to perform any and all jobs related to security, but I'd say that if even 10% of the people designing and maintaining these systems had enough knowledge to pass Security+, we'd be in a lot better shape.

Re:CC system is flawed

[Anubis+IV]

Why aren't CCs issuing one time tokens per a transaction - this rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc)

Hopefully someone brings out a system like that soon.

These are new systems...

[Etherwalk]

Home Depot deployed new card readers at all their stores (of the ones I saw at least) almost overnight shortly after the target breach. I had guessed it was in response to the breach to beef up security...

But it looks like it was the new ones that were compromised... (or else it was coincidental).

Re:CC system is flawed

[dgatwood]

Even chips are bullshit. Why aren't CCs issuing one time tokens per a transaction - this rendering subsequent transactions useless? (Or tying the token to a retailer for subscriptions / etc)

You'd have to do better than that. If the payment terminal is compromised, an attacker could just sit there and wait for a card to be available at one of the payment terminals, then process two transactions in a row very quickly, one of which is the real one, and the other of which is an arbitrary transaction. There's a fundamental law in computing—not sure if it has a name—that goes something like this: If you cannot fully trust both endpoints of a communication channel, you cannot trust the communication channel itself. Period.

The only way to really improve the situation is to have credit cards treat the payment terminal as an untrusted network connection. Put a screen on the card itself, and require the user to push a button on the card itself to approve the transaction. Then use some form of PK crypto in the device itself to sign the transaction and send the response back to the payment processor's servers, which can then send a confirmation code to the register as proof that the transaction was accepted.

And no, I don't mean cell phones here. Cell phone payment systems certainly have the potential to be an easier way of paying for things, but security-wise, they just replace one attack target with another, without any obvious security benefit. Why? Because they're general-purpose computers that are constantly in use for other purposes like web browsing, so if they contain any security holes, the risk of them getting compromised is non-negligible.

More to the point, the risk of compromise for a cell phone is orders of magnitude higher than the risk of somebody finding a bug in a specialized card in your billfold and attacking it using nothing but NFC (because an attack on a cell phone doesn't require you to be in the same country as the victim, much less within a few feet).

And assuming all things are equal, the odds of a cell phone being compromised should be higher than the odds of a payment terminal being compromised (ignoring the "physically swap it out" risk), because the payment terminals should be segregated onto their own private network, and shouldn't be communicating with unrelated Internet servers for unrelated purposes. This does not appear to be the case in practice (as far as we know), but then again, until enough payments happen on cell phones, they won't be a high-priority target, so such comparisons may or may not really be valid.

Now it is theoretically possible to make a cell-phone-based solution as secure as a card with a screen, but the minimum requirements would be:

• A separate CPU that handles the transaction processing and signing.
• A means for that CPU to take over the display and input system in such a way that guarantees that the data shown on the screen is from that crypto chip even if the software running on the phone's main CPU is completely compromised.
• A physical light on the front panel of the device to indicate that the data on the screen is coming from the payment chip.

Anything short of that improves security only to the extent that the odds of simultaneously compromising a payment terminal and the phone that's talking to it are less than the odds of compromising one or the other, and there's a small chance that the customer might notice if the screens don't match, so an attacker really ought to compromise both of them. With that said, when there's a mass compromise of the payment systems of a major national company, it doesn't take a very high percentage of compromised cell phones before you would start seeing situations where both devices are compromised, at which point the cell phone doesn't make things appreciably more secure than a chip-and-pin system, which is, in turn, not all that much more secure than a magstripe system, whereas a mostly dumb crypto card with a screen and a pushbutton does.

Re:Who cares?

[stoploss]

We get worked up because, inevitably, one day soon (and without warning) our credit cards will stop working, our automated recurring card charges that are on file with our utility companies will bounce, and we will get a letter from our CC company saying:
"A data breach at an undisclosed partner has occurred and we are therefore issuing you a new card, which will arrive in several more days under separate cover, for no reason other than to increase the inconvenience for you. In the meantime, enjoy the fact that we only sent this letter after we disabled your card so you are only finding out about our unilateral action officially now, several days after your card stopped working. Be grateful we are working to 'protect' you, maggot, even though you have zero fucking liability for fraud anyway."

It's a goddamn pain in the ass to deal with this, and we are not compensated for the hassle or the bounced payment charges that happen through no fault of our own.

Chip and PIN cards affected too

[Walking+The+Walk]

I'm in Canada, and we've been using chip cards for a few years now. I just called my bank 45 minutes ago after noticing a fraudulent charge on my credit card from August 30th. Since I bought a bunch of stuff at Home Depot in May/June, I'm assuming they managed to clone my card from the stolen data. The charge was only $4.56, at a gas station halfway across the country, so I would guess that someone was testing the clone to see if it was a valid card number (maybe testing one number from a batch of 100s or 1000s, to see if the numbers were legit.)

Just so we're clear, I'm not saying the fraudulent purchase itself was made using the chip. I only ever use chip + pin when making purchases, but I suppose a cloned card could use NFC (eg: PayWay) for a purchase that small, or even just the magstripe, neither of which requires them to have compromised my pin. My point is that I thought I was being safe using chip + pin, but still got hit regardless. Fortunately, banks seem to be good about this sort of thing, and my new card is on its way.