

Home Depot Investigates a Possible Data Breach - forgotAgain
http://www.nytimes.com/2014/09/03/technology/home-depot-data-breach.html

======
dminor
Brian Krebs' post which broke the story:
[http://krebsonsecurity.com/2014/09/banks-credit-card-breach-...](http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/)

------
kitcar
One interesting thing I've noticed as a Home Depot customer is they don't
require you to have a receipt for returns, as they can access all previous
transactions based on your credit card number (... and therefore presumably
have a centralized database which maintains a record of any credit card used
at a Home Depot, hopefully in some hashed/encrypted format)

~~~
benburton
> presumably have a centralized database which maintains a record of any
> credit card used at a home depot

That's a bit of a leap. I'd assume they just have a hash of the data.

~~~
MichaelGG
CC numbers are not that large of a space and can be enumerated. They could use
a short hash (like a 26-bit hash) so each hash value has multiple plausible
numbers -- at the risk of having collisions.

~~~
btgeekboy
What does that get you, though? The formula for a valid card number (Mod 10)
is public. If Home Depot uses a 1-way hash for the card number, and ONLY uses
the card number, you gain nothing - you still need the expiration
date/CVV/Name to do much else.

~~~
MichaelGG
That's true whether or not they use a hash function.
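
An added example, not part of the thread, for the hashing exchange above: it contrasts an unkeyed hash of a card number, the 26-bit short hash, and a keyed HMAC as the lookup index for receipt-free returns. It assumes the first six and last four digits are already known (the truncation commonly left in the clear), uses a widely published test number, and all function names and the key are constructed for illustration.

```python
import hashlib
import hmac

def luhn_valid(pan: str) -> bool:
    """Mod 10 (Luhn) check over a string of digits."""
    digits = [int(c) for c in pan]
    doubled = sum(2 * d - 9 if d > 4 else 2 * d for d in digits[-2::-2])
    return (sum(digits[-1::-2]) + doubled) % 10 == 0

def candidates(first6: str, last4: str) -> list[str]:
    """Every Luhn-valid 16-digit number with the given first six and last four digits."""
    pans = (f"{first6}{mid:06d}{last4}" for mid in range(10**6))
    return [p for p in pans if luhn_valid(p)]

def plain_hash(pan: str) -> str:
    """Unkeyed hash, the weak way to index stored card numbers."""
    return hashlib.sha256(pan.encode()).hexdigest()

def short_hash(pan: str, bits: int = 26) -> int:
    """Top `bits` bits of SHA-256, as in the 26-bit idea from the thread."""
    return int.from_bytes(hashlib.sha256(pan.encode()).digest()[:4], "big") >> (32 - bits)

def keyed_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 index: same lookup behaviour, but useless without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def matches(stored, cands, fn):
    """Candidates whose digest under `fn` equals the stored value."""
    return [p for p in cands if fn(p) == stored]

PAN = "4111111111111111"            # widely published test number, not a real card
KEY = b"constructed-demo-key"       # constructed; a real key would live in an HSM/KMS

if __name__ == "__main__":
    cands = candidates(PAN[:6], PAN[-4:])
    print("candidates to try:", len(cands))
    print("plain SHA-256  ->", matches(plain_hash(PAN), cands, plain_hash))
    print("26-bit hash    ->", matches(short_hash(PAN), cands, short_hash))
    print("HMAC, no key   ->", matches(keyed_token(PAN, KEY), cands, plain_hash))
```

Luhn leaves exactly 100,000 candidates for the six unknown digits, so the unkeyed digest identifies the number outright, while the HMAC value matches nothing unless the key is also held.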

------
k2enemy
I don't have anything insightful to say. I'm just really sick of this crap and
wish that US banks and retailers had incentives that would lead to smart-card
adoption.

~~~
MichaelGG
What's the benefit for me, as a consumer? I've gotta remember and enter a PIN
all over the place. If there is a compromise, I've gotta now prove it wasn't
me to a much higher level.

Whereas in the current US system, I rely on my bank/Visa to figure out fraud
detection and sort things out. If there's ever a problem, I dispute it and
move on with life. Now and then, I have to get another card. That's a hassle,
sure.

If _I_ was responsible for the fraud, then sure, I'd want all sorts of
security. But I'm not. Same logic used by my bank: My credit card gets blocked
every couple of months (I'm always traveling). My debit card, which requires
me to take more responsibility, has never been blocked by the bank.

~~~
zippergz
Virtually all of my bills except my mortgage are automatically charged to
credit cards. This means that every time my card gets compromised and replaced
by the bank, I have to go update it 20+ places. And there are always the odd
ones that only charge a few times a year (or once a year) and I forget until
the charge is declined. Yeah, I may not be liable for the fraudulent charges,
but it's still a big pain in the neck when it happens. I'd be more than
willing to memorize a PIN if it solved this problem.

~~~
matthewarkin
Visa/Mastercard/Amex all offer systems that can automatically alert merchants
that you got a new card. I've just got my American Express card replaced and
about half the merchants that I have a subscription with were still able to
charge my card without my intervention.

------
forgotAgain
Further details [http://www.reuters.com/article/2014/09/02/us-home-depot-cust...](http://www.reuters.com/article/2014/09/02/us-home-depot-customer-data-idUSKBN0GX2AQ20140902)

------
GregWatts
Would a chip + pin approach not make it substantially more difficult to pull
off these kinds of attacks? I ask because I don't know the particulars of how
Home Depot (or previously Target) were said to be compromised.

------
coldcode
The list of people not hacked is much shorter than those who have. At least it
seems that way.

