
Nearly All U.S. Home Depot Stores Hit By Credit Card Theft - error54
http://krebsonsecurity.com/2014/09/data-nearly-all-u-s-home-depot-stores-hit/
======
awjr
I'm quite surprised by the blasé attitude the US has to card security.

The lack of chip and pin still surprises me. I'm surprised a lot of the bigger
retail companies haven't put pressure on the banks to bring this in.

~~~
jvm
Chip and PIN is scheduled for 2015.

[http://www.forbes.com/fdc/welcome_mjx.shtml](http://www.forbes.com/fdc/welcome_mjx.shtml)

~~~
js2
My understanding is that almost every US [edit: EMV] card is [edit: going to
be] chip and signature.

[http://www.flyertalk.com/forum/credit-card-programs/1304271-...](http://www.flyertalk.com/forum/credit-card-programs/1304271-usa-emv-cards-available-today-chip-pin-chip-signature.html)

[https://docs.google.com/spreadsheet/lv?key=0Ani-u3tGk5hedGRv...](https://docs.google.com/spreadsheet/lv?key=0Ani-u3tGk5hedGRvcE1ELVg5UmlGZk01SHZvTUMxdUE)

Edit: clarifying - what I meant was that the US EMV cards will be chip and
sig, not chip and pin. Most US cards are obviously still mag stripe. I'm
traveling to Europe later this year so I was looking into the CC issues, and
as a US traveler not being able to get an EMV card with pin priority is
annoying.

Edit 2: jvm, not sure what you meant to link to, but that link just goes to
the Forbes splash advert.

~~~
drzaiusapelord
I have three cards. Only my debit/credit card has a chip and there's no pin. I
can press it against one of the few readers that support this (Walgreens,
Subway) and it'll work. My other two cards don't even have this. Of course, if
these guys are storing my card in a non-encrypted way, it's still the same
issue as using swipe.

On the plus side Google Wallet works at Walgreens. I have yet to see any other
brick and mortar support it. Paying for stuff with your smartphone is such a
no-brainer. Shame Apple won't play ball with Google (or even put NFC in its
phones) and Verizon is doing its own thing with ISIS and not allowing Google
Wallet to be installed on any phones on its network. There's a lot of wrong
here and it's not just limited to credit card number theft.

If we have a more diversified way to pay for things it could limit the damage
when one method is cracked but the others aren't. Sure Target's credit cards
got stolen, but imagine if we were allowed to use Google Wallet. We'd be
immune to it.

~~~
chiph
I think the card you have is RFID enabled. They've been around for a while,
and have some weaknesses (replay attacks [1], notably), against the ID they
broadcast when inside an EM field.

The newer cards have a microprocessor inside them, with exposed contacts about
10mm from the left edge. With chip + pin transactions, the pin "unlocks" the
payment authorization [2].

[1]
[https://www.chicagofed.org/digital_assets/publications/econo...](https://www.chicagofed.org/digital_assets/publications/economic_perspectives/2009/ep_1qtr2009_part8_heydt_benjamin_etal.pdf)

[2]
[http://en.wikipedia.org/wiki/Chip_and_PIN](http://en.wikipedia.org/wiki/Chip_and_PIN)
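To make the difference between a broadcast/swiped identifier and a chip transaction concrete, here is a simplified illustration (added here, not code from the thread or from the EMV specification) of why per-transaction cryptograms resist the replay attacks cited in [1]. The card keeps a secret key and a transaction counter, MACs the counter, amount and a terminal-supplied nonce, and the issuer rejects any cryptogram whose counter does not advance. The key, the HMAC-SHA256 construction, the 8-byte truncation and the field layout are assumptions for the example; real EMV uses different primitives and message formats.

```python
import hmac
import hashlib

# Assumption: a shared card/issuer key; real issuers derive per-card keys.
CARD_KEY = b"constructed-example-key-not-real"


def _cryptogram_input(atc, amount_cents, unpredictable_number):
    # Fields MACed by the card: transaction counter, amount, terminal nonce.
    return f"{atc}|{amount_cents}|{unpredictable_number}".encode()


class Card:
    """Chip: produces a fresh cryptogram for every authorization request."""

    def __init__(self, key):
        self.key = key
        self.atc = 0  # application transaction counter, increments per use

    def authorize(self, amount_cents, unpredictable_number):
        self.atc += 1
        mac = hmac.new(self.key,
                       _cryptogram_input(self.atc, amount_cents, unpredictable_number),
                       hashlib.sha256).digest()[:8]  # truncated for the example
        return {"atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "mac": mac.hex()}


class Issuer:
    """Issuer host: verifies the MAC and refuses counters that do not advance."""

    def __init__(self, key):
        self.key = key
        self.last_atc = 0

    def verify(self, c):
        expected = hmac.new(self.key,
                            _cryptogram_input(c["atc"], c["amount"], c["un"]),
                            hashlib.sha256).digest()[:8].hex()
        if not hmac.compare_digest(expected, c["mac"]):
            return "declined: bad cryptogram"
        if c["atc"] <= self.last_atc:
            return "declined: counter replay"
        self.last_atc = c["atc"]
        return "approved"


def chip_replay_outcomes():
    """Genuine transaction, then two replay attempts of the captured cryptogram."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    captured = card.authorize(4999, "a1b2c3d4")          # skimmed at the terminal
    first = issuer.verify(captured)                      # genuine: approved
    same_nonce = issuer.verify(dict(captured))           # replay verbatim
    new_nonce = issuer.verify(dict(captured, un="ffee0011"))  # new terminal nonce
    return first, same_nonce, new_nonce


def magstripe_replay_outcomes():
    """Stripe/static RFID: the 'credential' is the same bytes every time,
    so an issuer that only checks the number accepts the copy too."""
    track = "4111111111111111=1512101"  # constructed, not a real account
    known_tracks = {track}
    return track in known_tracks, track in known_tracks  # genuine, then cloned
```

Running `chip_replay_outcomes()` gives `('approved', 'declined: counter replay', 'declined: bad cryptogram')`: the verbatim copy fails the counter check and a copy submitted under a fresh terminal nonce fails the MAC, whereas the static credential in `magstripe_replay_outcomes()` is accepted both times. The counter check is also why a stolen chip card can still be used once per capture at a terminal that does not go online; PIN entry, as [2] describes, is what gates that first use.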

------
nodesocket
How is [http://rescator.cc/](http://rescator.cc/) still online and
facilitating the transactions when they are clearly selling stolen goods? I
assume they are in Russia or similar. Are they using bitcoin, or do they
actually use PayPal?

Their forum is also utterly amazing, and downright scary:
[https://lampeduza.so/](https://lampeduza.so/)

Would be interesting if payment processors such as Stripe, Braintree, Amazon
Payments, and Balanced periodically got CC dumps, and proactively blacklisted
cards before the issuing banks notice and decline.

~~~
MichaelApproved
In my experience, Stripe won't do anything like that. I manage a website that
accepts donations. This tends to be a target that fraudsters like to utilize.
They'll "donate" small amounts to the non-profit in order to check if the
transaction went through. If the transaction was approved, they know the card
is still valid. Meanwhile, we're stuck with the fraudulent transaction and
have to refund the charge.

Now, these charges are clearly fraudulent. Without going into details, we can
100% detect the fraudulent transactions from real ones. I've suggested to
Stripe that this could be a honey-pot setup to identify stolen cards but
they've told me that their card processing doesn't have that type of
infrastructure. Even if I know a credit card number has been compromised,
there is no way to alert the card holder.

It's a shame really. It's not the fault of Stripe that we can't alert the card
holder but it's important to know that there is no mechanism to protect card
holders, even if you know their card has been compromised.

~~~
GFK_of_xmaspast
If you can "100% detect the fraudulent transactions from real ones" why don't
you refuse to send the details to Stripe.

~~~
MichaelApproved
Time. I can eyeball the charges and know 100%. I need to add code that'll do
the same and I don't have the time right now. For the few charges we get, it's
easier to quickly refund than to write the code. It's something I will
eventually write code to automate.
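The card-testing pattern described in this subthread (many small "donations" in quick succession, each on a different card, to see which ones still authorize) is simple enough to flag automatically. The following is an added example, not MichaelApproved's code or anything Stripe offers; the log lines are constructed, and the window, amount threshold and card-count threshold are assumptions a site would tune against its own donor traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (txn id, timestamp, source IP, card token, amount USD, outcome).
# The first IP runs five cards in under a minute for $1-$2 each; the rest are real donors.
SAMPLE_LOG = [
    ("t1", "2014-09-02T10:00:00", "198.51.100.7", "tok_a1", 1.00, "approved"),
    ("t2", "2014-09-02T10:00:09", "198.51.100.7", "tok_b2", 1.00, "declined"),
    ("t3", "2014-09-02T10:00:21", "198.51.100.7", "tok_c3", 1.00, "approved"),
    ("t4", "2014-09-02T10:00:35", "198.51.100.7", "tok_d4", 2.00, "declined"),
    ("t5", "2014-09-02T10:00:48", "198.51.100.7", "tok_e5", 1.00, "approved"),
    ("t6", "2014-09-02T10:05:00", "203.0.113.4", "tok_f6", 50.00, "approved"),
    ("t7", "2014-09-02T10:40:00", "203.0.113.9", "tok_g7", 25.00, "approved"),
]


def detect_card_testing(log, window=timedelta(minutes=5), small_amount=5.00, min_cards=3):
    """Return the ids of transactions belonging to a card-testing burst: within
    `window`, one source IP submits at least `min_cards` distinct cards, every
    attempt for a small amount. Genuine donors reuse one card and give more."""
    by_ip = defaultdict(list)
    for tid, ts, ip, tok, amount, _outcome in log:
        by_ip[ip].append((datetime.fromisoformat(ts), tid, tok, amount))

    flagged = set()
    for events in by_ip.values():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            distinct_cards = {e[2] for e in in_window}
            if len(distinct_cards) >= min_cards and all(e[3] <= small_amount for e in in_window):
                flagged.update(e[1] for e in in_window)
    return flagged


def compromised_cards(log, flagged):
    """Cards whose test charge was approved: the fraudster now knows these are
    live, which is exactly the list a card holder or issuer would want to see."""
    return sorted(tok for tid, _, _, tok, _, outcome in log
                  if tid in flagged and outcome == "approved")
```

On the constructed log, `detect_card_testing(SAMPLE_LOG)` flags `t1` through `t5` and leaves the two genuine donations alone, and `compromised_cards` returns the three tokens that authorized. Declined attempts are still worth keeping: they show the burst and the IP even when no live card was found.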

------
TallGuyShort
99% correlation sounds high, but I wonder what the correlation is with other
stores, and with what statistical confidence you can actually conclude that
Home Depot was the victim here...

~~~
dfc
It was a 99.4% overlap in zip codes listed for sale and zip codes listed as
having a HD storefront. I think you might want to reread that section.

~~~
TallGuyShort
Yes but what's the correlation like for other common stores? I've lived in a
lot of different towns in the US and every single one of them has had a Home
Depot in town. They've also all had a Target. I'd be curious to know what that
correlation looked like.
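The question raised here, whether a high zip-code overlap means much when a chain is in nearly every town, can be answered by comparing the observed overlap against random zip sets of the same size. The following is an added example with constructed zip sets and made-up store footprints, not Krebs's data: chain A covers 30 of 40 zips, chain B covers 25, and the "dump" lists 30 zips. A permutation test gives the fraction of random zip sets that match a chain at least as well as the dump does.

```python
import random


def zips(rng):
    # Constructed five-digit zip codes; nothing here is a real postal area.
    return {f"{i:05d}" for i in rng}


UNIVERSE = zips(range(1, 41))                       # every zip in the toy country
CHAIN_A = zips(range(1, 31))                        # assumed footprint: 30 of 40 zips
CHAIN_B = zips(range(1, 21)) | zips(range(31, 36))  # assumed footprint: 25 of 40 zips
DUMP = zips(range(1, 30)) | zips(range(36, 37))     # zips attached to cards for sale


def overlap(dump, store):
    """Share of dump zips that also contain a store of this chain."""
    return len(dump & store) / len(dump)


def permutation_pvalue(dump, store, universe, trials=2000, seed=1):
    """Fraction of random zip sets (same size as the dump) whose overlap with
    `store` is at least the observed one. Small means the match is unlikely to
    be an accident of the chain simply being everywhere."""
    rng = random.Random(seed)
    observed = overlap(dump, store)
    pool = sorted(universe)
    hits = sum(overlap(set(rng.sample(pool, len(dump))), store) >= observed
               for _ in range(trials))
    return hits / trials


def compare_chains(dump, chains, universe):
    """Overlap and permutation p-value for each candidate chain."""
    return {name: (overlap(dump, store), permutation_pvalue(dump, store, universe))
            for name, store in chains.items()}
```

With these constructed sets, `overlap(DUMP, CHAIN_A)` is 29/30 and `overlap(DUMP, CHAIN_B)` is 20/30. The permutation p-value for chain A comes out near zero (a random 30-of-40 set lands in 29 of chain A's zips almost never), while chain B's sits well above 0.05 even though it too covers most of the dump. That second number is the baseline TallGuyShort is asking about: a chain present in most towns will always show a high raw overlap, so the overlap has to be read against the chain's footprint, which the real comparison would need store-location data for Target and the other candidates.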

------
kazinator
You should be able to easily dispute charges at a "big box store" that were
not chip-and-pin transactions, and that did not use the three-digit security
extension to the number.

I've had a chip card for, what, some seven or eight years in Canada.

Here is a July 2007 story about how RBC (Royal Bank of Canada) logged 10
million chip transactions:

[http://www.newswire.ca/en/story/14243/rbc-marks-10-million-w...](http://www.newswire.ca/en/story/14243/rbc-marks-10-million-world-wide-chip-card-transactions-with-rbc-platinum-avion-visa-card)

 _"RBC today announced it recently surpassed over 10 million successful chip
transactions at compatible merchant locations in Canada and worldwide. This
milestone comes four years after RBC became the first Canadian financial
institution to begin issuing chip cards nationally to its Platinum Avion Visa
cardholders in 2003."_

------
bluedino
Aren't debit cards part of the problem? I only use my credit card and then
just pay that as I go. Much easier to dispute charges on a credit card.

Also, if the card is stolen and my bank account is emptied, with a credit card
all that would happen is that my credit limit on one of my cards is
temporarily reduced.

~~~
crpatino
The card attached to my main account (where my employer sends my salary) is
private. My main credit card is from the same bank and I pay it directly from
there. Credit card gets used at places that I trust. Dispute charges can be a
time consuming process, and you have to pay some token amount to avoid
punitive rates anyways.

I have another account in a different bank, where I send small electronic
deposits periodically. I retire about 1/2 of that in cash at ATM, to pay
either at places that do not accept cards or I do not trust (i.e. gas
stations). I have to keep a small balance in the account, and it is not always
practical to use cash, so I use the corresponding debit card at places I
neither trust nor distrust.

------
GabrielF00
I was at a home depot on September 1st and my credit card was declined for
security reasons. I just moved to a different state, but I had no problem
using the card at other stores that same day, including to make a larger
purchase at the same mall as the home depot.

~~~
willvarfar
So you may have been lucky and avoided your card getting breached, if that's
the only time you went to home depot that is.

~~~
ceejayoz
To get a decline the POS would have had to take the card number, so probably
not.

------
aioprisan
This is supposed to be much bigger than the Target breach. If this doesn't
give the move to the more secure EMV chip and pin method in the US, nothing
will.

~~~
mzuvella
Having chipped cards would not prevent this. It would slow down criminals
cloning cards but the numbers can still easily be used fraudulently online.

~~~
kaared
In Norway, the most common type of card is a debit card that can also be used
as a Visa or MasterCard credit card. The card has a smart chip on the front,
and on the back you have your national id number/date of birth, photo and
signature, etc. The card is frequently used as an id card.

When you pay using the debit card, you have to insert the part of the card
with the chip into a reader and enter your pin. Typically you can not do this
until the cash register has transferred the amount to pay to the terminal.

You can also use it as a credit card when abroad or even in Norway. However,
I'm not sure if the card will actually allow you credit (i.e. borrow money)
per se -- I believe the account must have a sufficient positive balance, and I
believe the domestic terminals are able to check that in real time (i.e. in a
few seconds) and decline the sale if not funded.

As for online purchases, every time I use it as a credit card, I get re-routed
to a card verification process. This means I get taken to some third party
site (typically Visa or MasterCard) where I have to authenticate using my
password and generate a one-time password (pin) on my phone. You can also use
a FOB, but I find a phone more practical. After the verification is done, you
get taken back to the merchant site. This is the same verification process
that is used for online banking.

After living 15 years in the states I found this to be a bit annoying at
first, but that had more to do with the speed of the implementation and the
fact that it's applet-based (Java and Chrome -- have to switch browsers and
hope that you don't lose your session).

If I had to authenticate every time I bought something on Amazon it would get
old pretty fast. However, one could simply authenticate once to indicate that
this merchant is trusted. A new merchant would trigger the authentication
before the transaction can be accepted.

~~~
radmuzom
That is exactly what happens in India too, except that most banks issue debit
and credit cards which are typically separate and not combined into a single
card. It also does not serve as a national id. Is this not the case in US?

~~~
mitchty
Basically the same here. Both my debit and credit cards are from the same
bank. National id is a bit more contentious here but generally the two cards
are about the same. With the caveat of much lower daily withdrawal limits on
the debit (think 300).

