Another large payment card breach: This time Home Depot (1 Viewer)

[Juxtatarot]

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.

http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/

The severity and frequency of these are getting ridiculous.

 

[3C's]

You forgot to add: Breaking News!

 

[Juxtatarot]

You forgot to add: Breaking News!

Honda? I must have missed it.

 

[3C's]

You forgot to add: Breaking News!

Honda? I must have missed it.

Nah, not really. Mentioned in another thread but this is probably the first thread specifically about it. Just seems like old news to me at this point (even though it's a new one). Just felt like a CNN "Breaking News" thing.

 

[Fat Nick]

Oh man...I'm f-ed. I buy something at HD or Lowes nearly every few days...

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

 

[pollardsvision]

#### it. I'm out. Cash only. Going off the grid. Ron Swanson style.

 

[Leroy Hoard]

"More saving. More breeching."

 

[Juxtatarot]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

 

[mquinnjr]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

 

[lod01]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

Dude, you are cutting into profits.

 

[Cliff Clavin]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

 

[3C's]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

You think Lowes is immune?

 

[mquinnjr]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

You think Lowes is immune?

Well, until they have a breach I guess.

 

[Cliff Clavin]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

Good luck with that. Hackers >>>> Security.

 

[3C's]

Oh, forgot to mention. Not sure if it was data breach related or just blind (bad) luck but my daughters check card was used recently (in the past week) to make a large purchase. Not fun. Still working on getting that squared. Fortunately they have a zero liability policy at her bank.

 

[3C's]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

You think Lowes is immune?

Well, until they have a breach I guess.

Possibility they already have.

 

[Juxtatarot]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in the U.S.

 

[mquinnjr]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

Good luck with that. Hackers >>>> Security.

It's a fair point, but do we just go back to a cash basis society because our basement-dwelling overlords can compromise our financial life at any time?

Got to be a solution out there.

 

[3C's]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in the U.S.

My Visa card has the chip but nowhere in the US is it used.

 

[Cliff Clavin]

I'm done blaming the hackers for this.

WTF? What are companies this big thinking leaving their customers' financial information vulnerable like this? Spend the money and hire qualified network security folks to make sure cyber criminals can't steal customer card data.

Lowe's it is from now on.

Good luck with that. Hackers >>>> Security.

It's a fair point, but do we just go back to a cash basis society because our basement-dwelling overlords can compromise our financial life at any time?

Got to be a solution out there.

Be diligent checking your finances/credit and hope it doesn't happen to you but be prepared when it does. Deal strictly in cash if you're that worried about it. I'll take the minuet risk that my information gets comprised for the convenience and rewards of credit cards.

 

[lod01]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in the U.S.

My Visa card has the chip but nowhere in the US is it used.

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

 

[Cliff Clavin]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in the U.S.

My Visa card has the chip but nowhere in the US is it used.

This is surprising. I can only think of one place (shady beer vendor that I frequent) in the past few years where I haven't been able to use the chip on my Visa/MC or debit card. The majority of places in Canada you don't even need to enter a pin, just tap the card if the purchase is under $X (maybe $100? not exactly sure).

 

[GoFishTN]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in NA. It should gain traction soon, but some card issuers are still going chip and signature instead of chip and pin.

 

[3C's]

I have been asking myself why they don't just require a pin for CC usage, similar to how they do for ATM cards...if you don't know the Pin, the CC won't approve the charge.

EMV cards are coming which will help.

Coming? Thought these had been standard for a few years now.

Not in the U.S.

My Visa card has the chip but nowhere in the US is it used.

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Tell me something I don't know.

 

[Slapdash]

Good thing the hackers can't get to our medical data or anything important.

Maybe the government making companies build backdoors into stuff is not a good idea after all.

 

[Slapdash]

Nobody really cares about these breaches. The SC government let every taxpayer's SSN get stolen and they're going to elect the same clowns over again.

 

[Cliff Clavin]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

 

[Slapdash]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

 

[Evilgrin 72]

I can hardly wait to have to change my payment information in 26 different places online to make sure my bills all get paid in a timely fashion. Which naturally, a couple of them won't because there will be a delay in changing over the information. This is getting absurd.

 

[Cliff Clavin]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

 

[Slapdash]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

Bank CEOs are more interest in perpetrating fraud against their customers than protecting them from it.

 

[McGarnicle]

$1659.92 charge this morning. Meh, my wife probably bought a riding mower or a fridge. I'll ask her tonight if I think of it.

 

[avoiding injuries]

It's only been 2 months since I had to replace my capital one card (for the 3rd time this year). Hopefully this happened before I switched so I don't have to change the 15 things on auto-pay again.

 

[SacramentoBob]

Hopefully they starting offering 5% cash back like Target did after their breach.

 

[Juxtatarot]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

Mostly, no. Some Americans have them who are expected to be worldwide travelers.

EMV cards are certainly much more expensive to issue. The only merchant I've seen with EMV readers is Target. At this point it makes little sense to issue them if they will virtually exclusively be used the same way as the traditional magnetic strip cards.

 

[GoFishTN]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

Mostly, no. Some Americans have them who are expected to be worldwide travelers.

EMV cards are certainly much more expensive to issue. The only merchant I've seen with EMV readers is Target. At this point it makes little sense to issue them if they will virtually exclusively be used the same way as the traditional magnetic strip cards.

Visa is currently planning to shift liability for fraud to merchants, if they are using non-EMV compliant devices, in October 2015. Unless they push it back (again), things are changing.

 

[Juxtatarot]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

Mostly, no. Some Americans have them who are expected to be worldwide travelers.

EMV cards are certainly much more expensive to issue. The only merchant I've seen with EMV readers is Target. At this point it makes little sense to issue them if they will virtually exclusively be used the same way as the traditional magnetic strip cards.

Visa is currently planning to shift liability for fraud to merchants, if they are using non-EMV compliant devices, in October 2015. Unless they push it back (again), things are changing.

Right. Most large merchants will certainly get the new readers by the shift and the issuers will make the switch.

 

[3C's]

Will EMV cards help with fraudulent online purchases? Seems to me this could "force" the bad guys to focus more effort on online fraud.

This is sad:

Is this technology unique to the United States?
No. The chip technology standard for payment was first used in France in 1992. Today, there are more than 1 billion chip cards used around the world. The U.S. is one of the few industrialized nations that have not fully transitioned to this technology standard.

 

[3C's]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

 

[avoiding injuries]

Welp, everyone else has it:

4552 0925 5777 8128

09/17

386

 

[Drifter]

Will EMV cards help with fraudulent online purchases? Seems to me this could "force" the bad guys to focus more effort on online fraud.

This is sad:

Is this technology unique to the United States?

No. The chip technology standard for payment was first used in France in 1992. Today, there are more than 1 billion chip cards used around the world. The U.S. is one of the few industrialized nations that have not fully transitioned to this technology standard.

In Canada, they hardly even know what to do with a magnetic strip any more. A lot of place can't even read them and have to enter the number manually if you don't have a chip.

 

[Juxtatarot]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

Who would pay for the NFC equipment?

 

[lod01]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

For merchants and financial institutions, the switch to EMV means adding new in-store technology and internal processing systems, and complying with new liability rules.

The CEO of Target was the one who said it wasn't done because it was to expensive after Target got its ### kicked by hackers.

http://www.americanbanker.com/issues/179_14/why-targets-ceo-changed-his-mind-about-emv-1065067-1.html

From 2001 to 2004, Target worked with Visa to push for smart-card use in its stores.

The momentum halted because of factors that continue to plague EMV to this day — concerns about cost, speed and the learning curve for clerks and consumers.

it took getting his ### kicked to change his mind. ####### moron.

 

[FreeBaGeL]

Can we just start executing these douchebags already?

 

[3C's]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

Who would pay for the NFC equipment?

Crap, hit the wrong button and deleted my post.

Said: the article says NFC would be used with smart phones and that many phones have it built in. Mine has it built in.

For extra security, I would pay for a device that offers an extra layer like a usb reader that could read cards with a chip... If the price was reasonable.

 

[Juxtatarot]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

Who would pay for the NFC equipment?

The article is talking about using NFC built into smart phones. Mine has it built in.

OK. Then the problem I see is on-line merchants are unlikely to require that any time soon. They won't want to inconvenience customers. It reminds me of the failure of Verified by Visa.

 

[3C's]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

Who would pay for the NFC equipment?

The article is talking about using NFC built into smart phones. Mine has it built in.

OK. Then the problem I see is on-line merchants are unlikely to require that any time soon. They won't want to inconvenience customers. It reminds me of the failure of Verified by Visa.

I'm OK with not required but would definitely consider it if offered.

 

[Poke_4_Life]

Welp, everyone else has it:

4552 0925 5777 8128

09/17

386

Can I get your zip code, mother's maiden name, and Social Security number also?

Purely for research purposes and to be sure you get your lottery winnings from your jailed cousin in Nigeria.

 

[East Coast Bias]

Once again, profits come first. Implementing this is very costly and the CEOs wants their big bonuses.

Care to explain the cost? AFAIK, the only expense is on the card issuer side. The card readers themselves are typically free.

Pretty sure the card issuers have CEOs too.

They also have fraud to protect against. Do people still get cards issued with the chips in them?

Mostly, no. Some Americans have them who are expected to be worldwide travelers.

EMV cards are certainly much more expensive to issue. The only merchant I've seen with EMV readers is Target. At this point it makes little sense to issue them if they will virtually exclusively be used the same way as the traditional magnetic strip cards.

I can't swipe my Visa at Walmart anymore. It makes me insert the chip into the reader.

 

[Juxtatarot]

This touches on online fraud and what I asked above. And methods that could be used to hinder fraudulent use with CNP. I thought of the USB option but the NFC sounds like a good idea.

http://www.csoonline.com/article/2134340/malware-cybercrime/shift-to-emv-cards-expected-to-increase-online-fraud.html

Who would pay for the NFC equipment?

The article is talking about using NFC built into smart phones. Mine has it built in.

OK. Then the problem I see is on-line merchants are unlikely to require that any time soon. They won't want to inconvenience customers. It reminds me of the failure of Verified by Visa.

I'm OK with not required but would definitely consider it if offered.

But if it's not required, it won't help stop fraud.