Home Depot Hack Could Be Biggest Card Breach Ever
Source: ABCNews
The huge hacking attack against Home Depot's payment systems could turn out to be the biggest breach of any retailer's data so far. The company confirmed the data break-in but did not say how many credit and data cards are affected. The total could be as much as 60 million, according to several experts. That would be far more than the total number of cardholders impacted by the breach at Target stores.
Home Depot said that it strongly encourages its customers to review your payment card statements carefully and call your bank or card issuer if you see any suspicious transactions. Card information for sale on criminal sites that was stolen from Home Depot shoppers allows thieves to create counterfeit copies of debit and credit cards that can be used to purchase merchandise in big box stores, Krebs said.
Read more: http://abcnews.go.com/blogs/business/2014/09/home-depot-hd-hack-could-be-biggest-card-breach-ever/
Home Depot said malware was used in the hack. I can imagine many folks who make purchases at Home Depot have high credit limits for large appliances and other purchases. Hopefully these folks are keeping a watchful eye on recent credit purchases.
Kalidurga
(14,177 posts)
for someone to say the victims shouldn't have posted their credit card info online.
tomm2thumbs
(13,297 posts)
and probably a pretty huge hit --
Target's hit due to their hack was crazy -- $235 million dollars!
http://www.mprnews.org/story/2014/08/05/target-data-breach
Skittles
(152,967 posts)
it was like they had no plan of action should a breach occur
Journeyman
(15,001 posts)
sufficient to cover the expense of notifying all customers of any potential breach, as well as large enough to cover the expenses their customers will incur correcting this situation and replacing their compromised cards.
Do this, and the switch to the more secure, European-style "chip and pin" card system will be swiftly accomplished, no matter what the present complaints from store owners about their supposed "additional costs."
Right now, the only ass on the line is yours and mine, so the banks and stores have little to no interest in resolving this situation. So hit 'em in the same place we're getting whacked -- the pocketbook -- then stand aside to avoid being trampled as they move swiftly to protect their own asses (and we'll gain protection too, even though it be by default).
dixiegrrrrl
(60,010 posts)
which is one of the reasons I use credit cards, esp. for online purchases.
I always pay them off when the bill comes.
And, my local community bank just informed me that they will hold debit card customers harmless if a theft is promptly reported.
Promptly defined as within 30 days or so.
They did this because hackers are so prevalent now.
whereisjustice
(2,941 posts)
prepared for this. At what point do we stop calling this an "attack" and start calling it what it is, gross negligence by company management.
If you are a bank and you keep money in the open, with no safe, because you are trying to cut costs, or you outsource your security to India, you should be open to civil lawsuits by customers when their money gets stolen.
Management must have known their systems were not secure, to claim that there was no sign of a breach until after a hundred million card numbers were stolen defies any sense of reason.
Understand that retailers have no incentive to prevent theft like this because they believe it is still cheaper to deal with the theft than to hire the people and change the technology that would eliminate this problem once and for all.
In a well-functioning society, the CEO would be immediately fired. But here in Idiotville, USA, he'll probably get a massive bonus.
jeff47
(26,549 posts)
Everything is hackable. It is not possible to create a 100% secure system and have that system do useful work.
All you can do is make it so that the data stored in the system is useless. Such as using one-time codes instead of an unchanging credit card number. That way when the data is stolen, it is not useful to the hacker.
And yes, that's "when" the data is stolen. Not "if".
whereisjustice
(2,941 posts)
This data is coming from POS terminals. With everything known from these exploits, starting with the Olympics in Russia to Target, Marriott, etc., it isn't that hard to figure out if your system is sending data outside the network sourced from your terminals. Heads should roll.
Not only that, we are spending 10s (100s?) of billions of dollars a year on MASSIVE cyber warfare center and NSA etc. who is monitoring all the tiers and NSA is trading naked pictures they find on the internet. So, even if dumb ass executives are outsourcing their IT security to India or Brazil or wherever, the fact that this wasn't nipped in the bud by external monitoring tells us all that goddamn money is being wasted on bullshit.
Making things worse, the US is practically the last place on Earth still using the swipe system. There is simply no excuse for this.
Perhaps dumb ass insurance companies are paying against the claims of dumbass executives too cheap to properly secure and monitor their networks because there is ZERO incentive for these corporations to safeguard our data. Ultimately it's the people who can least afford it who will be paying the price to make up for the losses of these banks and insurance companies, not to mention the literal hell and incalculable costs as people are forced to resolve bad charges and fight to clean up their identity.
You can't stop the hacks, but you sure as hell can make the damage relatively negligible. Putting the CEO in front of a grand jury would be a good place to start finding out what the hell went wrong.
Of course, that will be just as soon as we are done prosecuting all the bankers who fucked us over for trillions of dollars during the last economic meltdown which is a long way of saying never.
Further making my point - Apple was hacked by pw retry!!!! Holy Jesus, what kind of software system isn't tested against the most primal attacks like this?
It's the same reason our stock bubble is going to crash again in the near future, there is ZERO risk of prosecution for corporate malfeasance and deliberate negligence.
jeff47
(26,549 posts)
How do you detect the data is flowing the wrong way?
Systems that are themselves exploitable.
Think about how the Iranian nuclear program was hacked. The centrifuges were programmed to spin too fast to cause them to break. To disguise this, they slowed down other centrifuges to hide the extra power consumption. And they had the monitoring software hide the speed changes.
Plus, you're assuming the terminals are on an actual separate network. A whole lot of them are on VPNs, so it looks like Internet traffic.
whereisjustice
(2,941 posts)
I am familiar with coms/network industry, we aren't talking James Bond, more like Barney Fife. Except Fife was harmless. These goddamn CEOs are a threat. The fucker should be charged and/or put in front of a grand jury. Class action civil suit at a minimum.
From the PuppyBismark link farther down this thread.
In the name of profit Target and Home Depot refused to protect customers; now customers' credit cards are stolen
In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.
What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.
I. Windows XPe -- The OS Behind Retail's Credit Card Breaches
This week Brian Krebs, a top security researcher affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.
Historic NY
(37,449 posts)
PuppyBismark
(593 posts)
Once more American Corporations look to quick profits at the cost of customer satisfaction and possibly long term expense. The Home Depot hack is based on the same problem that Target had and Home Depot did not want to make the investment in the changes needed to protect their customers and their reputation.
http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm
Cha
(295,929 posts)
whereisjustice
(2,941 posts)
PuppyBismark
(593 posts)
I know that Discover and Amex (including Costco) have alerts you can set.
Amex: you can get an email and/or text message every time someone charges your account and does not have the card in their possession. This is typical of all internet charges and those made by people who possess stolen card numbers (but not all).
Both Amex and Discover allow you to set alarms for charges above a limit you set.
Not sure about Visa and MC. Also, Visa and MC cards are not centrally managed like Discover and Amex. The alarms are at the discretion of your bank or card processor.
Earth_First
(14,910 posts)
...on a SATURDAY (not normal operating hours) to ask us if we were traveling due to out-of-state transactions posting to the account while we were on vacation.
90% of this issue lies with the corporation and the banks and their gross negligence - as was pointed out upthread.
However, as a consumer there are options available to us to refuse the banking status quo and look into credit union options available to you.
I realize that this may not be possible in every consumer situation, however for tens upon tens of thousands...it is an option.
Buck the trend of 'banking' and become a member of your community credit union...
O-Town Blue
(12 posts)
Someone racked up $215 worth of purchases at a Walmart 4 hours away from me. I check my balances obsessively, so I caught the charges minutes after they went through and was able to get them removed in relatively short order. I shop at Home Depot pretty regularly and figure this is how my information got hacked.
Be careful, everyone, and check your bank activity regularly, even if you haven't shopped there.
Sunlei
(22,651 posts)
A couple years ago my credit card number was taken. I changed the card right away and so never had a problem.
However, what was funny/weird is I got a few phone calls, where the caller said they were from a company I made orders from (years ago) and were offering great deals for product reorders. Was not a Sony company. Somehow when my card info was hacked, the scammers got lists of old transactions I made with that card.
Anyway, I recommend people do not allow any business to hold your card numbers. If you do, have the bank alert you by email every time there is a transaction over say, $300. That way you will quickly know your card is being used.