The world’s largest home improvement chain store, Home Depot, recently confirmed a data breach affecting Home Depot credit cards and debit cards used in stores on the American mainland, which may have continued since April.
Reports by security reporter Brian Krebs and others have said that the malware used in the attack was the same used in the Target breach, and that large-scale fraud is being perpetrated with stolen debit cards, with $300,000 withdrawn from one bank in under two hours, using what appeared to be debit card numbers used in Home Depot.
In an official release, the company said that anyone who used a payment card at a Home Depot store since April 2014 may have been affected, and the chain is to offer free identity protection and credit monitoring to customers who used Home Depot credit cards or debit card in-store. Customers who shopped online or in Mexico have not been affected, the chain said in an official release.
Home Depot credit cards: Who is at risk?
Veteran security reporter Brian Krebs said that the news had been accompanied by a spike in debit card fraud, after a vast haul of Home Depot credit card and debit card numbers were sold on an underground forum last week.
Krebs said, “multiple financial institutions contacted by this publication are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.”
Home Depot said that there was no evidence PIN numbers had been compromised during the breach, and that, “Home Depot’s investigation is focused on April forward, and the company has taken aggressive steps to address the malware.”
Technology site GigaOm reports that the malware involved in the breach has been reported as being BlackPOS, the same used in the Target breach earlier this year.
“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
How criminals withdraw cash without needing PINs
GigaOm reports that the chain is to roll out EMV chip-and-PIN technology by the end of the year, offering a secure chip rather than a magnetic stripe which is more easily copied by malware such as BlackPOS.
Krebs said that the current glut of fraud relies on working out a customer’s ZIP code using criminal services which sell such information, starting from the ZIP code of the Home Depot they shopped at.
Krebs writes, “Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card; the card’s expiration date; the customer’s date of birth; the last four digits of the customer’s Social Security number.”
Krebs said that this authentication process was weak enough that one large bank told him that a single West Coast bank had lost $300,000 in less than two hours due to debit and credit card fraud perpetrated with cards stolen in the breach.
ESET researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”