

The Home Depot confirms payment systems breach - manachar
http://ir.homedepot.com/phoenix.zhtml?c=63646&p=irol-SECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP2lwYWdlPTk3OTYwNDImRFNFUT0wJlNFUT0wJlNRREVTQz1TRUNUSU9OX0VOVElSRSZzdWJzaWQ9NTc%3d

======
tdfx
(1) Don't use debit cards. You're much better protected as a consumer when you
use a credit card. [http://www.bbb.org/blog/2013/11/do-debit-cards-and-credit-ca...](http://www.bbb.org/blog/2013/11/do-debit-cards-and-credit-cards-hav-the-same-protection/)

(2) Use BillGuard [https://www.billguard.com/](https://www.billguard.com/)

(3) Review your transactions every week or so via a personal finance tool (I
use [https://www.mint.com/](https://www.mint.com/))

I don't particularly care if my payment credentials are compromised as it's
highly unlikely a fraudulent charge would go unnoticed by me just using the
advice above. It's quick, easy to set up, and stuff you really ought to be
tracking anyway.

~~~
WestCoastJustin
Or use cash and forget about all this other stuff ;)

~~~
snarfy
Oh the irony of how using cash is safer these days. You expose yourself to an
internet full of thieves using plastic, but with cash it's only to the handful
of people you actually cross paths with.

~~~
untothebreach
Only if you get the cash via bank teller though. Skimmers make using ATMs
risky as well.

------
jdong
Love the EMV plug, as if it'd actually have helped. EMV transmits the card
information in the clear, it only makes physical copying of the cards harder
(Which really doesn't matter since credit cards can be used online).

The only thing EMV would achieve is making this data slightly less valuable,
but still worth it for the attacker. Replacing the EMV cards would also be
more expensive by an order of magnitude.

tl;dr: if you use your EMV card on a compromised POS, you'll be as fucked as
you'd be with a magstripe card. Your bank will be ten times as fucked.

~~~
kalleboo
> Which really doesn't matter since credit cards can be used online

Don't you need the printed CVV for that? Which isn't stored on either the
magstripe or the chip.

edit: 3DSecure would also help if banks cared to push it harder (for instance
my bank now disallows all online debit card charges that don't use 3DSecure)

~~~
jdong
No, you really don't need the printed CVV for that. And several cards have
actually had the CVV on the chip.

Also, in many cases the chips actually contain enough information to replicate
the magnetic stripe. (Which is, well, bad.)

~~~
heywire
EMV tag 57 [1] generally contains the "Track 2 Equivalent Data", and 5A the
account number (PAN) [2].

[1] [http://www.emvlab.org/emvtags/show/t57/](http://www.emvlab.org/emvtags/show/t57/)
[2] [http://www.emvlab.org/emvtags/show/t5a/](http://www.emvlab.org/emvtags/show/t5a/)

~~~
JimmaDaRustla
That's not the same CVV.

Edit: Even having the track 2 data won't do you any good in reproducing an EMV
card. The only way reproducing a mag stripe EMV card is useful is if it is
used at a non-EMV terminal and mag stripe is the only option.

I believe Europe has completely banished mag stripe now.

------
mmastrac
I wonder if this will be less of an issue here in Canada with our euro-style
chip & PIN setup. _In theory_ the attackers wouldn't have long-lived access to
any of the payment information. I suppose we'll see.

The attackers probably have my name/email address/mailing information, which
kind of sucks.

~~~
WestCoastJustin
It is not clear to me why they would have your name, email address, and
mailing information. For example, I recently purchased some items from Home
Depot and used my debit card + PIN; other than rolling the PIN, what else
should we be doing?

Do you have a Home Depot CC?

~~~
mmastrac
I don't have a Home Depot CC, but I've used their e-receipts in the last
couple of months and I'm reasonably sure that I've ordered online from them in
the past.

I certainly hope they didn't compromise the PIN pads in the stores. That could
be a Very Bad Thing.

~~~
heywire
From what I've read so far, this was another case of memory scraping
malware [1], most likely running on each POS. The pinpads typically have tamper
protection, though I wouldn't completely discount the possibility that we'll
see malware at the pinpad level at some point in the future.

[1] [http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-ma...](http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-as-target/)

------
snarfy
> The Home Depot is offering free identity protection services, including
> credit monitoring, to any customer who used a payment card at a Home Depot
> store in 2014, from April on.

This is absolutely not acceptable, and I deplore how this has become the
status quo. I reject these services and want nothing less than a full lawsuit.

~~~
jdong
A lawsuit which you would lose. Especially considering you most likely
suffered no damages.

~~~
snarfy
I'm pretty sure the card processors would be on my side of the lawsuit, along
with a few million other home depot customers.

I don't care about damages to me. I want the problem fixed. This laissez-faire
attitude towards online commerce security needs to end. Standards like PCI and
PA-DSS are not enough. Corporations need to be liable for leaking everyone's
information. A year of free credit monitoring is a slap in the face.

~~~
jdong
Card processors might have a case, but the customers really mostly wouldn't.

The PAN that belongs to your credit card company that was assigned to you by
your credit card company was compromised and someone tried to defraud your
credit card company using it. Yet it's you complaining, why?

~~~
snarfy
I've been screwed by identity theft before.

~~~
jdong
Sure, but the only real solution would be not accepting cards. Does that sound
like a good solution to you?

~~~
sitkack
Not sure you are being productive.

~~~
jdong
Not sure about that either, but trying to blame Home Depot for fundamental
flaws of the system isn't productive either. You should blame the card design
for allowing this, not the people that accept cards.

~~~
sitkack
While the card design could be better, those that accept them have a
responsibility. The bigger you are and the more cavalier with card data, the
more likely you will get targeted. I have yet to see one of these data
breaches where the victim (if we call it that) company was doing a very good
OpSec job.

You both have a point, but lean towards more punishment. This isn't something
that should just be 'charged' away.

------
richardowright
It seems to me like the breach may still be ongoing/the vulnerability may
still exist. In the announcement, they use "have been" as in it's actively
occurring. Additionally, in the press release
([http://ir.homedepot.com/phoenix.zhtml?c=63646&p=irol-newsArt...](http://ir.homedepot.com/phoenix.zhtml?c=63646&p=irol-newsArticle&ID=1964976&highlight=)),
they don't indicate that the breach has stopped; they only say they have
taken aggressive action.

It seems unlikely that the attack would continue since the attackers have lost
their cover, but the wording is a bit strange.

~~~
heywire
I also found it strange how they worded things around the identity protection,
"from April on", rather than something like, "From April XX, 2014 until
September XX, 2014". Perhaps they just simplified the wording to make it clear
that they're providing protection, and I'm reading too far into things :)

------
ryanburk
Encouraging that they are using this as a motivator to "roll out EMV 'Chip and
PIN' to all U.S. stores by the end of this year" ahead of the prescribed
deadline.

edit: "Chip and PIN" is taken directly from the SEC filing that is linked.

The described deadline of October 2015 for the liability shift comes from
banks [1] and not a US law or similar.

[1] [http://en.wikipedia.org/wiki/EMV#United_States](http://en.wikipedia.org/wiki/EMV#United_States)

~~~
ufmace
Would it actually have helped, though? I was under the impression that the
Chip and PIN POS terminals don't do anything differently as far as the part
between themselves and the authorizer goes - if somebody hacks one, they can
still get everything they need to charge against the card. If so, it's more of
an issue of firewalling properly at the individual store and corporate level.

~~~
gergles
Your impression is incorrect. Current EMV cards do something called DDA, so
charging the card (as a card-present transaction) requires the card to be
physically present or you to have cloned the application off the card (which
the card is designed to prevent you from doing.)

You can still get the _magstripe_ data if you compromise the terminal, but the
network will (eventually) reject magstripe transactions made by a chip-capable
card in a chip-capable reader. You can get the transaction certificate for one
transaction, but that TC is protected from replay attacks.

~~~
amckenna
Yup, you are correct. The chip acts as a proof of presence and a second factor
of authentication. It is technically possible to export the cert off of the
chip, but it would cost several hundred thousand dollars and a lab with a
Focused Ion Beam :)

------
offmycloud
Official SEC Edgar filing:
[https://www.sec.gov/Archives/edgar/data/354950/0000354950140...](https://www.sec.gov/Archives/edgar/data/354950/000035495014000034/hd_8-kx982014.htm)

------
sjg007
Some Home Depots let you pay with PayPal as well.

~~~
heywire
It will be interesting to see if any PayPal account compromises can be
attributed to this breach. From what I've read, this type of malware typically
scrapes the memory of processes on the POS, looking specifically for what
appears to be track data, and which passes a Luhn check.
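The "track data plus Luhn check" heuristic heywire describes (and the Track 2 / tag 57 layout from the earlier comment) is also what a defender runs over a crash dump or application log during incident response to find card data that should never have been there. The following is an added example, not code from any commenter or from Home Depot; the buffer is constructed, the PANs are standard industry test numbers, and the EMV record is assumed to be already unpacked from BCD into its ASCII hex digits.

```python
import re

# Constructed sample of what a scan of POS process memory or a debug log might
# contain: one magstripe Track 2 record ('=' separator), one EMV tag 57 Track 2
# Equivalent Data record ('D' separator, 'F' padding), and a 16-digit reference
# number that looks like a PAN but fails Luhn.
SAMPLE_BUFFER = (
    b"\x00\x00item=lumber;qty=4\x00"
    b"4111111111111111=2512101123456789\x00"   # magstripe track 2, test PAN
    b"\x00\x00"
    b"5555555555554444D25121011234567F"        # EMV tag 57 layout, test PAN
    b"\x00ref=1234567890123456=2512101\x00"    # matches the layout, fails Luhn
)

# PAN (13-19 digits), separator, YY, MM, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(rb"(\d{13,19})[=D](\d{2})(\d{2})(\d{3})(\d*)F?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digit sums above 9 have 9 subtracted, and the total must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Report Track 2-shaped records whose PAN passes Luhn. The full PAN is
    never returned; only a masked form (first 6, last 4) suitable for a report."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue  # digit run that merely resembles a PAN
        hits.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": "20" + m.group(2).decode() + "-" + m.group(3).decode(),
            "service_code": m.group(4).decode(),
            "offset": m.start(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(hit)
```

Run against a real memory dump, the hit count alone tells you whether cleartext card data is resident in the process, which is the condition the PCI scoping and memory-scraper detections are meant to rule out.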

