The New York Times reports that the number of customers affected by the Home Depot leak could be higher than 60 million.
The breach apparently started in April and was fixed only in the past few weeks, according to a company spokesperson. About 2,000 Home Depot stores across the US and Canada were affected, but not online shoppers.
Well-known security blogger Brian Krebs, who has broken news of several other high-profile data breaches, was apparently the first to report this one. He wrote that a “massive new batch of stolen credit and debit cards” went on sale the morning of September 2 in the “cybercrime underground.”
He said that it appeared that the gang responsible for the Home Depot theft was the same group responsible for data breaches at Target, Sally Beauty, P.F. Chang’s, and other companies.
How Thieves Can Change PINs and Steal Cash
Krebs also said that many financial institutions had reported a steep increase in the number of fraudulent ATM withdrawals since the stolen credit and debit card numbers hit the market.
Home Depot said that debit-card PINs weren’t stolen. However, thieves may still be able to reset the PINs on the stolen debit cards.
According to Krebs, the thieves “also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards.”
He reported that:
The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen (presumably by malware installed on some part of the retailer’s network, and probably on each point-of-sale device).
Knowing the ZIP codes for the stores helps criminals more quickly and accurately locate the Social Security numbers and birthdates for the cardholders.
Many banks let consumers change their PINs via phone, using an automated system, with information like the cardholder’s birthdate and the last four digits of his or her Social Security number.
Some criminals were even able to convince the banks to raise the withdrawal limits for the stolen card numbers, saying that they were traveling – and letting them withdraw $300,000 from Italian ATMs in less than two hours.
The Problem with Multi-Factor Authentication
This shows that so-called “multi-factor” authentication (presenting two or more independent verification factors to prove identity) isn’t nearly good enough to protect consumer credit/debit card data when the factors used (card CVV code, card expiration date, customer’s date of birth, last four digits of the customer’s SSN) are all static “something you know” data that thieves can pull from the card dump and from public records. Several pieces of easily discovered knowledge are not independent factors: an attacker who holds the dump already holds every one of them, so the check is single-factor in everything but name.
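As an added illustration of the weak phone-reset flow Krebs describes and of the point about factors above (example code written for this page, not anything from Krebs, Home Depot, any bank or PACid), the following Python models an automated PIN-reset line two ways. The account, the dump record, the “public records” lookup and the phone inbox are all constructed for the example; the WeakIVR policy checks only static data the attacker already holds, while HardenedIVR adds a one-time code sent to the phone number the bank already has on file.

```python
"""
Toy model of a bank's automated PIN-reset line (added example, not from
the article). WeakIVR authenticates the caller with static data that a
card dump plus a public-records lookup already give the attacker;
HardenedIVR additionally demands a single-use code delivered to the phone
number on file, a possession factor the attacker does not hold. Every
account, card record, phone inbox and "public records" entry below is
constructed for the example.
"""
from dataclasses import dataclass
from hmac import compare_digest
import secrets

# What kind of factor each verification item really is. Everything except
# the OTP is "something you know" that whoever holds the dump also knows.
FACTOR_TYPE = {
    "pan": "knowledge", "expiry": "knowledge", "cvv": "knowledge",
    "dob": "knowledge", "ssn_last4": "knowledge",
    "otp": "possession",
}


def effective_factor_count(required):
    """Number of independent factor *types* a policy actually checks."""
    return len({FACTOR_TYPE[item] for item in required})


@dataclass
class Account:
    pan: str
    expiry: str
    cvv: str
    dob: str
    ssn_last4: str
    phone_on_file: str
    pin: str


# Constructed bank records and a constructed SMS inbox keyed by phone number.
BANK = {
    "4111111111111111": Account("4111111111111111", "0916", "123", "1970-04-12",
                                "6789", "+15555550100", "1234"),
}
PHONE_INBOX = {}

# What the attacker holds: one dump record (track data plus cardholder name and
# store ZIP) and a public-records lookup that turns name + ZIP into DOB and SSN.
DUMP_RECORD = {"pan": "4111111111111111", "expiry": "0916", "cvv": "123",
               "name": "Jane Q. Cardholder", "store_zip": "30339"}
PUBLIC_RECORDS = {("Jane Q. Cardholder", "30339"): {"dob": "1970-04-12",
                                                     "ssn_last4": "6789"}}


def attacker_claims():
    """Everything the IVR might ask for, assembled from dump + public records."""
    extra = PUBLIC_RECORDS[(DUMP_RECORD["name"], DUMP_RECORD["store_zip"])]
    return {**{k: DUMP_RECORD[k] for k in ("pan", "expiry", "cvv")}, **extra}


class WeakIVR:
    """Knowledge-based authentication only: every item is static data."""
    static = ("pan", "expiry", "cvv", "dob", "ssn_last4")
    required = static

    def _verify(self, acct, claims):
        # Constant-time comparison of every static item the policy asks for.
        return all(compare_digest(claims.get(item, ""), getattr(acct, item))
                   for item in self.static)

    def reset_pin(self, claims, new_pin):
        acct = BANK.get(claims.get("pan", ""))
        if acct is None or not self._verify(acct, claims):
            return False
        acct.pin = new_pin
        return True


class HardenedIVR(WeakIVR):
    """Same questions plus a single-use code sent to the phone on file."""
    required = WeakIVR.static + ("otp",)

    def __init__(self):
        self._pending = {}

    def start_reset(self, pan):
        """Caller gives the PAN; the code goes to the number the bank already has."""
        acct = BANK.get(pan)
        if acct is not None:
            code = str(secrets.randbelow(900000) + 100000)  # six digits, never 000000
            self._pending[pan] = code
            PHONE_INBOX.setdefault(acct.phone_on_file, []).append(code)

    def _verify(self, acct, claims):
        expected = self._pending.pop(acct.pan, None)  # single use, right or wrong
        if expected is None or not compare_digest(claims.get("otp", ""), expected):
            return False
        return super()._verify(acct, claims)


def demo():
    """Attacker against both lines, then the real owner against the hardened one."""
    weak, hard = WeakIVR(), HardenedIVR()
    claims = attacker_claims()
    results = {"weak_attacker": weak.reset_pin(claims, "9999")}

    # The attacker knows the PAN and can trigger a code, but it lands on the owner's phone.
    hard.start_reset(claims["pan"])
    results["hardened_attacker"] = hard.reset_pin({**claims, "otp": "000000"}, "9999")

    # The legitimate owner answers the same questions and reads the code off her phone.
    owner = BANK[claims["pan"]]
    hard.start_reset(owner.pan)
    code = PHONE_INBOX[owner.phone_on_file][-1]
    results["hardened_owner"] = hard.reset_pin({**claims, "otp": code}, "4321")
    return results


if __name__ == "__main__":
    for policy in (WeakIVR, HardenedIVR):
        print(policy.__name__, "independent factors:", effective_factor_count(policy.required))
    print(demo())
```

Run it and the weak line changes the PIN from the dump alone, the hardened line refuses because the code went to the owner’s phone, and the owner’s own reset succeeds. effective_factor_count makes the underlying point explicit: five pieces of static knowledge collapse to one factor type, so the weak policy is single-factor in everything but name. A real deployment would also rate-limit attempts, expire the code, and refuse to send it to a phone number that was itself changed recently through the same weak channel.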
Sandy Kennedy, president of the Retail Industry Leaders Association, said in the Times earlier this year that data crime was a concern for the group’s members and that they were “looking at how we can deal with this long term.”
Here’s an idea: stop relying on data “security” that’s failed over and over and make PACid’s dynamic security the industry standard.