Slashdot Mirror


Home Depot Says Breach Affected 56 Million Cards

wiredmikey writes: Home Depot said on Thursday that a data breach affecting its stores across the United States and Canada is estimated to have exposed 56 million customer payment cards between April and September 2014. While previous reports speculated that Home Depot had been hit by a variant of the BlackPOS malware that was used against Target Corp., the malware used in the attack against Home Depot had not been seen previously in other attacks. "Criminals used unique, custom-built malware to evade detection," the company said in a statement. The home improvement retail giant also said that it has completed a "major payment security project" that provides enhanced encryption of payment card data at point of sale in its U.S. stores. According to a recent report from Trend Micro (PDF), six new pieces of point-of-sale malware have been identified so far in 2014.

80 comments

  1. Credit cards? by MagickalMyst · · Score: 0, Informative

    Cash usually works better.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    1. Re:Credit cards? by NoNonAlphaCharsHere · · Score: 3, Interesting

      At this point, mag-stripe cards are almost as old-coot-technology as paper money. We can't have nice things (chip & pin) because American industry is too cheap to upgrade infrastructure.

    2. Re:Credit cards? by afidel · · Score: 3, Interesting

      Uh, we're getting chips over the next 12 months, next September is when the liability shifts to the merchant if you have a chip card and they accept it as a swipe so every issuer is going to be sure to have cards out there by then and every large merchant is going to have the ability to use them. The one thing is in the US we're mostly going to be chip and signature, not chip and pin.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Credit cards? by smooth+wombat · · Score: 0, Troll

      We can't have nice things (chip & pin) because American industry is too cheap to upgrade infrastructure.

      No. We can't have nice things because some people think it's acceptable to steal other people's information or works. If people wouldn't steal there would be no need for chip and pin, or even pin.

      Further, since we coddle such people when we catch them, this will be an ongoing issue. If you get rid of them you send a clear message that even if it doesn't deter someone, this will be the penalty you will pay if you do the same thing.

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    4. Re:Credit cards? by kilodelta · · Score: 1

      The thing is for years they've always said it was the mom and pops that didn't want to upgrade. But the gear is fairly inexpensive to begin with. It's just in most places that still use the old swipe method it's the BANK that owns the gear and leases it to the merchant.

      So of course the banks will charge extortionate rates for said card swipe terminals.

      But nothing really prevents the really big merchants from telling the bank to stuff their machine. So I'd expect that might see the first use of chip and PIN. It's just for some time cards will have both the magnetic stripe and the chip because all merchants will take their sweet time converting.

      But MasterCard and VISA are going one better - they're pushing liability onto the merchants now. So it may happen sooner than later that the upgrades take place.

    5. Re:Credit cards? by Cpt_Kirks · · Score: 2

      I was just informed my DEBIT card is on the list, and it's going to cost me $25 to have it replaced.

      The least those assholes at THD could do would be to pay for that.

    6. Re:Credit cards? by CohibaVancouver · · Score: 1

      All the Home Depot stores here in Vancouver, Canada have chip-and-PIN card readers.

    7. Re:Credit cards? by cyber-vandal · · Score: 0

      Thank you Judge Death for your insightful contribution to this article.

    8. Re:Credit cards? by StrangeBrew · · Score: 1

      Damn straight. Harvest their organs for the long organ donor list and they'll have contributed to society for once in their now terminated life.

    9. Re:Credit cards? by Anonymous Coward · · Score: 3, Insightful

      All the old coots who are still using paper money are laughing at the cashless whipper snappers who shopped at the home depot. Until EMV is accepted everywhere, use cash if you can. Do not use a debit card! Credit card data breaches of major retailers are now widespread.

    10. Re:Credit cards? by Anonymous Coward · · Score: 0

      RFID cards have proven to be easy to compromise.

    11. Re:Credit cards? by Anonymous Coward · · Score: 0

      You need to find another bank. Community Bank Locator

    12. Re:Credit cards? by Anonymous Coward · · Score: 0

      Why the hell do YOU have to pay for a replacement?

    13. Re:Credit cards? by Anrego · · Score: 1

      Sure, if we straight up execute people for stealing credit cards then credit card theft would probably go away.

      But then the same can be said about every crime, and personally even as a generally law abiding person, I don't think I want to live in a world where any crime means death by catapult or exile to the acid mines.

    14. Re:Credit cards? by DogDude · · Score: 1

      That's what you get for doing business with a bank. Smart people use credit unions.

      --
      I don't respond to AC's.
    15. Re:Credit cards? by Cpt_Kirks · · Score: 1

      It is a credit union. It's the fact that it's a debit card that they are charging me.

    16. Re:Credit cards? by DogDude · · Score: 1

      Wow, I'm surprised at that. I'm a member of three different credit unions, and none of them charge for stuff like that (if for much at all). Very strange!

      --
      I don't respond to AC's.
    17. Re:Credit cards? by Anonymous Coward · · Score: 0

      Most studies on the matter have agreed the punishment isn't as relevant to deterring crime as the perceived likelihood of being caught

    18. Re:Credit cards? by Anonymous Coward · · Score: 0

      You just have a crappy bank/credit union. Tell them to forget the replacement card and close your account. Try USAA instead.

    19. Re:Credit cards? by Anonymous Coward · · Score: 0

      It's not necessarily about being cheap so much as the US infrastructure being the largest and most expensive in the world. Yes, I agree this is late but it really would have been wasteful if a change was made and another came soon after that made the first useless. Sometimes it's good to wait it out a bit.

    20. Re:Credit cards? by jeffb+(2.718) · · Score: 1

      So, all these folks who are saying "low-life criminals are the problem, and we need to stop them by whatever means necessary" shouldn't be calling for harsher penalties, but more pervasive surveillance (because the important factor is how likely you are to be caught, not how severe the punishment is).

      Yeah, I'm sure they'll get right on that.

    21. Re:Credit cards? by toonces33 · · Score: 1

      The funny thing is that the other day I took one of the cats into the vet for an exam, and when I went to pay I found that they had a chip card reader, and it worked the way it was supposed to. My first chip-card transaction in the U.S., and it was at a small mom-and-pop.

      I should note that for many months, Home Depot has had chip card readers at their POS terminals, but they are not yet active.

    22. Re:Credit cards? by Anonymous Coward · · Score: 0

      I'm in Mexico, and all stores that accept credit cards accept chip-and-pin even if they don't usually get cards that require it (like mine).

    23. Re:Credit cards? by praxis · · Score: 1

      RFID cards have proven to be easy to compromise.

      I've not seen an RFID card. Do you have a link? Or did you mean EMV?

    24. Re:Credit cards? by Anonymous Coward · · Score: 0

      The death penalty has eliminated murder in the states that have it, after all.

      Or, hold on, an idea just popped in my head: Criminals either don't think what they're doing is illegal, or they believe they won't be caught. If that were true, then even a level of punishment that included killing your entire family wouldn't do more than grandstand. HMM!!! I wonder which one is more likely?

    25. Re:Credit cards? by glenfahan · · Score: 1

      Tell them you would just like to go ahead and cancel your account. If they don't waive the fee, you should. There are many banks and alternatives. BTW, stop using a debit card for anything other than an ATM. If your debit card is compromised, they get your money. If your credit card is compromised, they get the credit card company's money. Which do you think is easier to deal with?

    26. Re:Credit cards? by mcgrew · · Score: 1

      I'm fine with the chip; that protects me, the bank, and the retailer. I am NOT fine with the PIN. My signature can't be stolen; if someone steals my card, the signature on the sales slip proves it's not me. But if someone steals your PIN they have your every penny.

      It happened to me with a debit card. I welcome the chip, but if they add a PIN I'll cancel all my cards and go back to cash and checks, even though they're nowhere as convenient.

    27. Re:Credit cards? by idontgno · · Score: 1

      Harvest their organs for the long organ donor list and they'll have contributed to society for once in their now terminated life.

      Certain intelligent people have already explored where that idea ends up.

      Executive summary: you better never get caught jaywalking, because there are dozens of people who think they have a claim on your vital organs than you do.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    28. Re:Credit cards? by Anonymous Coward · · Score: 0

      Tell them you would just like to go ahead and cancel your account. If they don't waive the fee, you should. There are many banks and alternatives. BTW, stop using a debit card for anything other than an ATM.

      Having crawled from a 95%er to a 1%er, I can tell you first-hand that banks simply don't waive fees for the poor. Also, my first credit card I got nine years ago had a $150 limit and cost $35/year. That's what minimum-wage USA with a bankruptcy looks like. Using a credit card isn't always an option.

      Now, I just say, "I think you should waive the fee for that" for *everything*, and bank officers comply, like I'm some fucking jedi. It's only because now I make obscene amounts of money. When I had nothing, it would take me two hours and three trips to different branches to get a bank to refund an overdraft fee that was 100% their fault.

      It's expensive to be poor.

    29. Re:Credit cards? by StrangeBrew · · Score: 1

      You are so right, the worst case scenario is inevitable. You also have changed my life: I too will now quote fiction as if it were reality. Excuse me while I go find the local Scientology branch so I can follow your lead.

    30. Re:Credit cards? by Anonymous Coward · · Score: 0

      Uhh... I hate to rain on your parade, but chip and pin will not magically stop fraud; it may, temporarily, make a little less easy; it may just move organized groups to different attack vectors..

      I am not saying it is a bad idea; but it is not fucking panacea that everyone seems to take it as.

    31. Re:Credit cards? by Anonymous Coward · · Score: 0

      That sounds like a problem with the laws/contracts around PINs, not a problem with PINs. The idea of the card + signature/PIN is that it's a way for the merchant to quickly verify that it's probably a real transaction, with the option for the owner of the account to later declare that it was fraudulent. There's no reason for the credit card company to treat a false transaction made with a stolen/cloned card and PIN any differently than a false transaction made with a stolen/cloned card and forged signature. And the PIN has the advantage that it's checked automatically while it seems unlikely the signature will ever get compared. Of course, I assume from your post that the US law is in fact not reasonable about this and there's something magical about signatures in there.

    32. Re:Credit cards? by Rakarra · · Score: 1

      And it's one reason why I never ever use my debit card like it was a credit card. Debit cards just don't have the protections that credit cards do.

  2. major payment security project by Anonymous Coward · · Score: 0

    And Canadian stores get nothing?

  3. Apple Pay? by gnasher719 · · Score: 4, Interesting

    So what would have happened to someone who didn't use their card, but an iPhone 6 with Apple Pay? I take it they would be completely unaffected?

    1. Re:Apple Pay? by master_kaos · · Score: 2

      exactly, since the merchant never sees the credit card number.

    2. Re:Apple Pay? by master_kaos · · Score: 1

      well maybe not "completely" unaffected, but the data they got would probably be pretty much useless.

    3. Re:Apple Pay? by Anonymous Coward · · Score: 0

      How do we get the DeLorean up to 88mph ?

    4. Re:Apple Pay? by Anonymous Coward · · Score: 0

      PayPal is already available at Home Depot.

    5. Re:Apple Pay? by michrech · · Score: 2

      Great -- now the hackers that got my credit / debit card numbers could, instead, get my PayPal info! We all know how nice PayPal is to customers when their accounts are compromised!

      --
      bork bork bork!
    6. Re:Apple Pay? by Anonymous Coward · · Score: 0

      So what would have happened to someone who didn't use their card, but an iPhone 6 with Apple Pay? I take it they would be completely unaffected?

      Ze paypal button is mighty easy. Less they logged the keystrokes -_-

    7. Re:Apple Pay? by DogDude · · Score: 1

      The merchant doesn't see the credit card number with modern POS systems, either.

      --
      I don't respond to AC's.
    8. Re:Apple Pay? by Anonymous Coward · · Score: 0

      From what I have heard from Home Depot, Paypal users are unaffected.

    9. Re:Apple Pay? by gnasher719 · · Score: 2

      The merchant doesn't see the credit card number with modern POS systems, either.

      Unless they are hacked, like in Home Depot :-( Point is that the POS system doesn't see the credit card number either.

    10. Re:Apple Pay? by gnasher719 · · Score: 1

      Great -- now the hackers that got my credit / debit card numbers could, instead, get my PayPal info! We all know how nice PayPal is to customers when their accounts are compromised!

      Excuse me - Apple Pay. Not PayPal. Unless you lived under a stone for the last two weeks I would have expected that you've heard of Apple Pay.

    11. Re: Apple Pay? by Anonymous Coward · · Score: 0

      Actually my paypal was broken into and I've only used it for Home Depot in the past 12 months.

  4. sad by Charliemopps · · Score: 4, Interesting

    I'm currently on the phone with my bank dealing with this.
    Thanks Home Depot!
    After you're done cleaning up this mess, could you clean up the bolt aisle so I can actually find what I'm looking for should I ever decide to return to your store?

    1. Re:sad by i+kan+reed · · Score: 2

      Well, considering the two of them ran all the small local hardware stores out of business, enjoy shopping at Lowes, instead.

    2. Re:sad by Anonymous Coward · · Score: 0

      What makes you think they won't be next?

    3. Re:sad by Charliemopps · · Score: 2

      Well, considering the two of them ran all the small local hardware stores out of business, enjoy shopping at Lowes, instead.

      There are plenty of small hardware stores around me. Dozens actually... I'm always at the hardware stores. They thrive specially because Home Depot doesn't have everything... They only sell things that are of high profit and easy to sell. If you have an account with them you can order pretty much anything you want and have it ready for pickup in a few days. But stop in for some odds and ends? Good luck. Better luck at the local hardware store.

      I, unfortunately, live blocks from a home depot however... so I'm on occasion lured by convenience.

    4. Re:sad by i+kan+reed · · Score: 1

      I have no idea where you might live where there is not only one, but multiple, local hardware stores. I remember when the last non-Bigbox hardware store in the county I grew up in vanished.

      And I don't even like tools.

    5. Re:sad by DogDude · · Score: 1

      That's partially your fault for using a bank. My credit union contacted me last week and already sent me a new card.

      --
      I don't respond to AC's.
    6. Re:sad by gmhowell · · Score: 1

      Try Fastenal. Generally cheaper and a much, much bigger selection. Hours can be a little inconvenient however.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    7. Re:sad by oldmac31310 · · Score: 1

      NYC still has a lot of small hardware stores.

      --
      http://www.acetonestudio.com
    8. Re:sad by Anonymous Coward · · Score: 0

      I can imagine it. Just to name a few possibilities off the top of my head...

      84 Lumber
      Johnson Lumber
      Ace Hardware
      True Value

    9. Re:sad by anonxanon · · Score: 1

      The amount of breaches happening these days is crazy..

  5. Chip&Pin by Anonymous Coward · · Score: 0

    Chip&Pin in 3... What? No? Insurance still costs less than deploying this hippy technology?

  6. What is really surprising by Anonymous Coward · · Score: 0

    Is that more than 10 people got helped and completed a transaction.

    1. Re:What is really surprising by Anrego · · Score: 1

      Obviously varies a lot by location, but I've found the Home Depot here to be one of the best as far as having people in departments that know their stuff. Spend a few minutes looking perplexed while staring at an aisle and someone will ask if they can help. Last time I was there the guy in the plumbing department was ridiculously helpful.

      And we have Chip & Pin here (Canada).

    2. Re:What is really surprising by maliqua · · Score: 1

      every home depot in my city is basically 1 staff at each entrance and exit

      30 check out lanes all closed, 4 self check out lanes guarded by one person who's too busy texting to do anything useful

      i'm glad home depot went to shit in my city before the data breach i used to shop there but since they turned into big self service warehouses i haven't been back.

  7. The Airline Method by Anonymous Coward · · Score: 0

    Wait until they start falling out of the skies, then we act!

  8. More details: by Anonymous Coward · · Score: 1

    What did they do?

    How did you recognize it?

    Was it a $10,000 charge with no details or did it show up as a $1,457.24 Home Depot purchase? Or what?

  9. Official Home Depot statement by eclectro · · Score: 4, Interesting

    From their website. This is the official Home Depot statement.

    Really, this symbolizes the lackadaisical attitude people have when it comes to security - that a breach is not going to happen to them. You'd think after Target major companies like Home Depot would have audited their own security processes.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
    1. Re:Official Home Depot statement by antdude · · Score: 1

      I am pretty sure there will be many more and bigger ones. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  10. Home Depot Breach = Apple Pay Adoption by Anonymous Coward · · Score: 0

    Where I live, I must do business with Home Depot. My iPhone 6 arrives today. I would be stupid not to use Apple Pay (if Home Depot will accept it). Surely Home Depot is rushing to adopt?

    1. Re:Home Depot Breach = Apple Pay Adoption by Anonymous Coward · · Score: 0

      some would argue you'd be stupid to use apple pay.

      but you did buy a new toy therefore anything it does is the best solution at least until the new wears off right?

      bahhhh baaaahh
      (i'm making sheep noises)

      if you really want another layer of middle men taking money from you sounds great i guess.. if you didn't live in a 3rd world shithole like the united states you'd already have chip cards which essentially solve the same problem.

  11. Canadians already using chip & pin... by Anonymous Coward · · Score: 2, Interesting

    Whenever this story pops up, it's always "US and Canadian stores affected..." followed by a bunch of frustrated comments about how the US isn't using chip and pin yet. Well Canada *is* using chip and pin, and I can never find any details about whether or not Canadian customers should actually be worried (unless they had to fallback to the old magstripe stuff, of course), because if chip and pin was breached too then it's not going to do the US a lot of good to upgrade to it. Anyone know the details?

    1. Re:Canadians already using chip & pin... by Reece400 · · Score: 1

      My understanding is that with chip + pin you're safer because even if they have your card details they can't use it as readily - however they can still be used in identity theft, etc. While they may be less of a risk than Visa or MC, the Home Depot credit cards used in Canada are all still magstripe.

  12. Court Testimony described HD's developers workdays by McGruber · · Score: 2

    When I watched Justin Ross Harris' Preliminary Hearing, I was stunned by how little work Home Depot's developers seem to do.

    Harris worked for Home Depot's ".com business" per a quote from the Home Depot Corporate Communications Manager in this CNN article. The Preliminary Hearing did an amazing job of describing his typical workday: After watching cartoons with his child, then taking him out for breakfast, Harris eventually arrived at his office at about 10 AM. About 90 minutes later, he went out for a long lunch, with a carload of coworkers. After eating, the group stopped at a store to purchase some items. After lunch, Harris is at his desk for a few hours, but then he was out the door at 4 PM, off to watch a movie with some of his coworkers.

    The hearing documented that he put in, at most, about five hours of work. During those five hours, he was IMing women on dating sites and also IMing a couple coworkers about a small startup/consulting business they had.

  13. the real story by slashmydots · · Score: 1

    56 million people shop there? What the hell is wrong with people? Do they only have Home Depot in their community? Their lack of any customer service of any kind, confusing aisles, and inability to carry anything anyone needs makes me wonder why anyone would still shop there.

  14. Maybe if they'd cared more about quality by Anonymous Coward · · Score: 0

    If companies cared more about their software's quality maybe this wouldn't be so rampant a problem. But software quality - things like robustness and security of that software - too often is secondary to features and schedules and the CIOs CTOs and CEOs are ultimately to blame for this.

  15. So much for the cashless society by Wansu · · Score: 1

    This cat and mouse game will go on indefinitely.

    --
    Wansu, th' chinese sailor
  16. Paranoia? by TomRC · · Score: 1

    It sounds like this sort of thing takes a scale of resources to accomplish that wouldn't be used idly.

    So why are we hearing about a lot of cracks lately that get huge amounts of payment information, but apparently don't lead to massive numbers and dollars of thefts from accounts?

    Is someone testing experimental weapons for a future cyber war that would aim to create enough financial chaos to crash our economy?
    Or conversely, is there a secret government project to deliberately crack corporate financial systems, to scare them into getting more secure?

    1. Re:Paranoia? by Anrego · · Score: 1

      I think it's more that Visa and MasterCard have partially fixed the problem from the other end, by making it harder to actually turn stolen numbers into cash in pocket.

      The whole system is still a farce, but I feel slightly better when I buy something online that is outside my usual spending habits and my card is immediately locked followed by a phone call from VISA.

  17. Poor security per news stories by Anonymous Coward · · Score: 0

    For a retailer with 2,266 stores and $79 billion in annual revenue, buying software to protect against hackers is a good idea. Using the software is a better one. In the year before cybercriminals penetrated payment systems of Home Depot (HD) stores in the U.S. and Canada, the retailer suffered at least two smaller hacks, according to internal company e-mails and reports. Afterward, Home Depot security contractors urged the company to strengthen its cyberdefenses by activating a key, unused feature of its security software that the internal documents say would have added a layer of protection to the retail terminals where customers swipe their cards. ...
    Internal Home Depot documents show the Atlanta-based retailer had chosen to keep the extra security measure deactivated even though it was designed specifically to spot the kind of malicious software that attacks systems’ endpoints, like the registers that were hit at Target, Michaels (MIK), Neiman Marcus, and others.

    http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open

    Once again, cost cutting and management inertia are more significant than providing barely adequate security

    1. Re:Poor security per news stories by Anrego · · Score: 1

      And the reason is obvious, people don't care.

      How much money is Home Depot really gonna lose in this case? Maybe some liability? Probably cheaper to accept the risk than spend money on preventative measures which still might not be enough.

      But surely people will be angry and vow to never shop there again? Nope. While it's in the news, sure, but people forget quickly. Remember how big the Sony/PSN thing was. I know people who swore they'd never do business with Sony ever again who currently own a PS4. As a whole, the thing has largely blown over and been forgotten about, as I'm sure this too will be.

      Until there are real penalties to these kinda breaches, we'll keep seeing them.

  18. It Was Windows Fault by rotorbudd · · Score: 1

    "The retailer left its computers vulnerable by switching off Symantec's Network Threat Protection (NTP) firewall in favor of one packaged with Windows. 'It is highly advised and recommended the NTP Firewall component be deployed and that Windows Firewall be discontinued,' the report states."

    See, wasn't that easy?

    --
    A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
  19. Notification Home Depot On Notice by Anonymous Coward · · Score: 0

    Home Depot assuredly better contact every bank and card institution so these financial corporations can notify card account holders their accounts are breached. It is Home Depot's responsibility to notify not our responsibility to ascertain.

  20. It's time these companies get held liable by Anonymous Coward · · Score: 0

    I understand that security breaches happen but I think if it's discovered that companies are running servers on computers that aren't regularly patched or ran on Windows 95/Nt4 then they should be held liable for the cost to the consumer. The customer should not have to suffer because companies are too cheap to keep their servers up to date.