
Home Depot breach bigger than Target at 56M cards - anigbrowl
http://www.reuters.com/article/2014/09/18/home-depot-dataprotection-idUSL3N0RJ5VJ20140918
======
bronbron
Part of me wonders if security will ever be something people actually care
about, and value.

Home Depot had a huge, huge security breach. Their stock price? Up 12 points
from last year.

I'm not sure what it would take for people to really value a major security
breach. The tech guy inside me is screaming, "why wouldn't you care about
this?", but the regular guy inside me thinks, "who cares? the banks will
handle any stolen credit card info."

~~~
tacoman
I don't really know much about this sort of thing. I assume that to the
retailer that gets pwned, they get a few weeks or months of bad press then
pass the cost of that breach on to future customers.

The "regular guy" in me thinks, "Meh, I'll probably end up paying 5 cents
more for light bulbs because of this. Oh well."

I feel bad for the sysadmin/security guys at these companies, probably
screaming for budget and not getting it. What do you think they're doing now?
Helping some high paid IR consultant restore logs from backups. Good times!

------
mrweasel
Could someone please explain to me why Home Depot and Target would even have
the information of 56M cards?

Is this a result of not using chip and PIN, relying on offline transaction
processing or some weird subscription plan?

I understand that there would be a cost involved in implementing chip and PIN
across the entire US and it may not solve the issue if they insist on having
the card on file. Online credit card processing has been pretty much standard
for the last ten years here in Denmark. Terminals connect to the credit
card processor via an ISDN/ADSL/phone/GSM connection, everything is
encrypted and the store never has anything except the card mask.

So why do companies like Target have the card information of their customers?

~~~
opium_tea
From this link: [http://krebsonsecurity.com/2014/09/in-home-depot-breach-inve...](http://krebsonsecurity.com/2014/09/in-home-depot-breach-investigation-focuses-on-self-checkout-lanes/)

"The malicious software that unknown thieves used to steal credit and debit
card numbers in the data breach at Home Depot this year was installed mainly
on payment systems in the self-checkout lanes at retail stores, according to
sources close to the investigation."

So it's not that Home Depot (I'm not sure this applies to Target) had the
credit card info stolen from their servers. It's more that it was skimmed from
their self-checkout machines, though by software rather than hardware.

~~~
mtbcoder
Skimming would imply that someone physically altered the self-checkout lanes
to capture credit cards in the same way an ATM skimmer works. Since this was
installed malware, it would mean access to Home Depot's network. I wouldn't be
surprised to learn that credit card data was stored in plaintext somewhere in
their system.

~~~
jgillette
I will say, one time a few years back I needed to get a receipt from a
purchase more than 60 days old. I called the local store, and she said "just
give me your credit card number and I can lookup your transactions". With just
my card number she was able to see every transaction I made with that card
(and find my purchase I needed the receipt for). So (at least 3-4 years ago)
it was being stored somewhere searchable by people in the back office.

~~~
HeyLaughingBoy
Or at least a hash generated from it was stored.

------
coldcode
The sad thing is we will probably never learn the exact problem and that means
we the industry will never learn from their stupidity.

------
Sami_Lehtinen
If they would have followed Payment Application Data Security Standard as many
others do, they wouldn't have had this problem.

~~~
wyager
PADSS is a CYA tool, little else.

You can't checklist your way to good security.

~~~
Sami_Lehtinen
Well, it's not only that. Technically it's helping a lot. Because often there
is dedicated hardware with its own certified software which deals with all
card data. So the POS PC doesn't get anything other than the transaction
identifier and confirmation of the payment. Therefore, whatever malware is
running on the PC can't access the card data at all. Without this
arrangement, I'm sure we would have seen a lot more credit card data
thefts. Especially from smaller stores which do not care about security at
all. You can ask your local non-chain random el cheapo Pizza Kebab about their
IT department and the security standards they're utilizing. ;) Actually I've been
planning this for a while, it would be fun. Even stores which rent videos
should have documentation (by law) about how their customer register data is
stored, protected and used etc. I'm quite sure there are many stores which do
not have that.
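The arrangement Sami_Lehtinen describes (a dedicated, certified payment device holds the card number; the POS PC only ever sees a transaction identifier and an approval) is the same thing mrweasel calls the store "never having anything except the card mask", and it also answers jgillette's back-office lookup: the store can still find transactions by card without keeping the PAN. The sketch below is an added example, not code from the thread or from Home Depot's or any vendor's system. The `PaymentTerminal`/`PointOfSale` classes, the `Authorisation` record and the key `TERMINAL_TOKEN_KEY` are all hypothetical and constructed for the demo; the card number is the well-known test PAN 4111 1111 1111 1111. Note the lookup token is a keyed HMAC rather than the plain hash HeyLaughingBoy mentions: the PAN keyspace is small enough that an unkeyed hash of it can be enumerated, so a bare hash protects little more than the PAN itself.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo key. In a real deployment this lives inside the certified
# payment device (or an HSM behind it), never on the POS PC.
TERMINAL_TOKEN_KEY = b"constructed-demo-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, run inside the terminal before any use."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four: the 'card mask' a merchant may keep."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def card_token(pan: str, key: bytes = TERMINAL_TOKEN_KEY) -> str:
    """Keyed token of the PAN. Same card -> same token, so the store can
    search by card, but without the key the token reveals nothing about
    the PAN. An unkeyed SHA-256 would be brute-forceable over the PAN space."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Authorisation:
    """The complete set of fields the POS PC ever receives from the terminal."""
    transaction_id: str
    approved: bool
    masked_pan: str
    card_token: str


class PaymentTerminal:
    """Stands in for the dedicated, certified payment device. The card is
    presented here (dip/swipe/tap) and the PAN never leaves this object."""

    def __init__(self, key: bytes = TERMINAL_TOKEN_KEY):
        self._key = key
        self._pending_pan = None

    def present_card(self, pan: str) -> None:
        if not luhn_valid(pan):
            raise ValueError("card number fails Luhn check")
        self._pending_pan = pan

    def authorise(self, amount_cents: int) -> Authorisation:
        pan, self._pending_pan = self._pending_pan, None
        if pan is None:
            raise RuntimeError("no card presented")
        # Stand-in for the encrypted exchange with the card processor.
        approved = amount_cents > 0
        return Authorisation(
            transaction_id=secrets.token_hex(8),
            approved=approved,
            masked_pan=mask_pan(pan),
            card_token=card_token(pan, self._key),
        )


class PointOfSale:
    """The general-purpose PC. It keeps a searchable journal, but only of
    what the terminal handed back; it has no code path that touches a PAN."""

    def __init__(self, terminal: PaymentTerminal):
        self.terminal = terminal
        self.journal: list[Authorisation] = []

    def sell(self, amount_cents: int) -> Authorisation:
        auth = self.terminal.authorise(amount_cents)
        self.journal.append(auth)
        return auth

    def receipts_for_token(self, token: str) -> list[Authorisation]:
        """Back-office lookup: find every sale made with the card that
        produced this token (the token comes from re-presenting the card
        at a terminal, or from an earlier receipt)."""
        return [a for a in self.journal if a.card_token == token]


def pan_in_pos_journal(pos: PointOfSale, pan: str) -> bool:
    """What a scrape of the POS-side journal would find: is the full PAN
    present anywhere in the data the POS holds?"""
    return any(pan in repr(a) for a in pos.journal)
```

Running it through: present the card at the terminal, call `pos.sell(...)` twice, and `receipts_for_token(auth.card_token)` returns both sales while `pan_in_pos_journal(pos, "4111111111111111")` stays `False`. The point of the design is in `PointOfSale.sell`: it takes an amount and nothing else, so a compromise of that machine yields masked PANs and opaque tokens, not card numbers.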

------
mrfusion
Any idea why the market punished Target stock so thoroughly but doesn't seem
to care about Home Depot?

~~~
smackfu
Target stock was fine until they put out this press release that updated
guidance lower due to reduced sales after the announcement:
[http://investors.target.com/phoenix.zhtml?c=65828&p=irol-new...](http://investors.target.com/phoenix.zhtml?c=65828&p=irol-newsArticle&ID=1889763&highlight=)

------
programminggeek
So, I assume Apple Pay will solve some of these kinds of problems? Otherwise,
what's the point?

~~~
pyre
> Otherwise, what's the point?

Funneling more cash to Apple?

~~~
kondro
And where exactly does Apple make money from their NFC payments?

~~~
MaysonL
By siphoning a small portion of the swipe fee. (Estimated at 0.15% of
transaction value).

~~~
josephlord
From the bank's cut apparently although I hadn't seen the amount before.

------
post_break
After having my card cancelled from the Target theft, and now this, I'm done
with Home Depot.

~~~
eli
I kinda feel like having to replace a lost/stolen card number is just part of
the cost of doing business by credit card.

~~~
post_break
Yeah but I don't want to support a company that has millions of credit cards
stolen from malware.

~~~
Hytosys
As consumers, we really don't have many ways to make an impact, so I can
understand why you would be so exacting. With that being said, a particularly
skilled engineer could find his or her way into just about any closed system.
Check out CVE Details[1] to get an idea of how many security exploits are
reported for software that surely you use daily.

For most companies, the mess that Home Depot is facing never occurs. Not
because they were so successful at anticipating security holes, but because
they were never targeted by a successful attacker.

Details have not been released (and may never be fully released) regarding the
attack; but this is just food for thought.

[1] [http://www.cvedetails.com/](http://www.cvedetails.com/)

~~~
InclinedPlane
Pay cash at retail establishments. Use PayPal at as many online stores as
possible. Use prepaid debit cards elsewhere, don't keep much money on them
normally, drain them and switch to another card every month.

~~~
tdfx
> Pay cash at retail establishments.

Your cash can be stolen, lost, misplaced. No recourse. If you lose a credit
card, you just call and get a new one mailed to you.

> Use paypal at as many online stores as possible.

I can't believe someone just recommended using PayPal on HN.

> Use prepaid debit cards elsewhere, don't keep much money on them normally,
> drain them and switch to another card every month.

Don't use debit cards to pay for things. Ever. Credit cards give you
substantial consumer protections that you don't get from debit cards.

Bottom line: use credit cards everywhere you can. Find the best rewards
program for you and rack up points. Check your account activity once a week.
Report anything you don't recognize. If you're part of the social class to
which credit cards are actually available, it's quite foolish not to use them.

~~~
InclinedPlane
> Don't use debit cards to pay for things. Ever. Credit cards give you
> substantial consumer protections that you don't get from debit cards.

A: This is simply not true any more. Most banks offer essentially the same
level of protection for debit cards as for credit cards, the only issue with
debit cards is that potentially you could have a period of time while still
missing funds, but I've never seen that be an issue with any reputable bank
within the last several years.

B: You must have missed the part where I talked about using "prepaid debit
cards". If you are extremely paranoid you can only add money to them just
prior to use, leaving them with a low balance most of the time.

C: The problem isn't just fraud and potentially having a period of time
without funds available to you that should otherwise be there, it's also the
enormous hassle of replacing a card (and updating everywhere you use that as a
payment instrument such as Amazon, your bills, etc.) That problem isn't
improved at all by using a credit card vs a debit card.

------
JDDunn9
Home Depot? I'm good. Tell me when Amazon gets breached.

~~~
phaemon
What's your robot butler thing? That sounds interesting.

------
clubhi
I could never decide if I preferred Home Depot or Lowes. This makes the
decision easy for me.

~~~
cordite
They've kept things cleaner and have more people to answer questions in my
experience.

~~~
IbJacked
Which one is "they" to you?

~~~
cordite
Home Depot.

------
marincounty
This stuff goes on while my picture is taken at least three times if I want to
buy a nut at that ridiculous store.

By the way, HD does not necessarily have the lowest price anymore--shop
around.

Oh yeah, your employees hate your company more than your customers do. If
there's a shortage--it's probably internal?

Hey Chantel--a manager asked if I wanted to have you written up. I figured
working there was punishment enough. (Bad customer service experience--really
bad.)

