As a precaution, Barclays Bank seems to be sending replacement cards to people who recently used their Visa card at Home Depot. I got a notification to that effect. Called them to inquire why, and they said the card's in the mail, even though my card hasn't been misused yet. An expensive thing for the banks, isn't it?
https://krebsonsecurity.com/2014/09/home-depot-56m-cards-impacted-malware-contained/ In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes — Krebs on Security
I have used a credit card at the self checkout terminals at Home Depot several times over the past 6 months. I have a chip card but these terminals do not have the tap function so a PIN has to be entered. I am not sure if the tap function would have thwarted the malware used on these terminals or not. I assumed that the tap function captured the encrypted PIN at the handshake and did not reveal it at the terminal level. So, no keystroke, no capture. If you go through the service checkout at Home Depot, the card devices there do not have the tap function either. I changed my PIN last week even though Mastercard told me that it was not necessary. http://www.zdnet.com/au/banks-say-no-security-flaw-in-tap-and-go-cards-7000023672/ Getting to not trust this tap technology after having read the above link. I do not use the cell phone app from Google Play. My bank issues tap and go on the credit card I use.
Credit Card companies also need to revamp their security requirements set out for retail stores. Home Depot claim that they met PCI standards. Scanning for malware once per quarter strikes me as naive. Hackers can grab a lot of data over a 3 month period, especially from a large retailer. Boycotting one store would not be an effective response because the standard covers all stores. "Credit card industry security rules require large retailers like Home Depot to conduct such scans at least once a quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs." PCI comes across as a wet noodle. A legal blind to exempt the credit card company and retailer from liability. Home Depot, having met the minimum requirements set out by this group is a perfect example of its credibility.
I think the sooner these retailers and banks bite the bullet and adopt the digital chip cards that Europe has been using for years the better. At this point, if I was a major retailer I would race to be the first to begin using them. It would generate a huge jump in new card users for me.
Yep, just received my new American Express Credit Card with a digital chip in it last week. I didn't know it was coming. They changed some numbers on the card also which I'm glad. Now let's see what Bank of America does, still using the old type card. I'm not holding my breath on them.
Home Depot’s former security architect had history of techno-sabotage http://arstechnica.com/security/201...ity-architect-had-history-of-techno-sabotage/
I wonder if the police are investigating the Senior Architect for IT Security at Home Depot, Ricky Joe Mitchell. Home Depot do sell hammers. Bang bang Maxwell Silver hammer ... Edit: I see that Home Depot was using XP. Seems that the security department did not consider security a high priority. If Mr Mitchell advised management that all was good on the security front then he was 'the problem'. However, if he did put forward the appropriate security upgrades highlighting the actual cost of not implementing them and HD executives turned down the recommendation, then upper management is as much to blame.
Are companies breaking the law if they ignore these types of warnings? I know of none other than tort law. We can all understand that undetected malware is just that, however when there are warnings with recommended action you would expect some accountability. Evidence is coming forth now that customers have had their bank accounts wiped out and others are dealing with identity theft. When this happens the victims do not deal with Home Depot to recover their losses, they have to deal with their bank and the credit card company. The burden of proof, the inconvenience and the real cost is on the customer.
OT post removed. This thread is about the many people who may have been compromised by this criminal act. Nothing more.
Windows vulnerability identified as root cause in Home Depot breach http://www.scmagazine.com/home-depot-breach-caused-by-windows-vulnerability/article/382450/
Home Depot reaches $17.5 million settlement over 2014 data breach November 24, 2020 https://finance.yahoo.com/news/home-depot-reaches-17-5-184131343.html