Home improvement giant Home Depot officially confirmed yesterday that hackers breached its payment data systems earlier this year. The company insists that “no debit card PIN data was compromised,” but Krebs on Security is reporting a “steep increase” in fraudulent ATM withdrawals connected with the compromised accounts.
A lot of the details surrounding the Home Depot hack are still murky. We know that Home Depot was made aware of the compromise on September 2, though it appears the company's systems have been vulnerable since April 2014. We also know that the criminals used the same point-of-sale malware in this compromise as was used in last year’s breach of Target’s payment data. An estimated 70 million card accounts were stolen in that particular attack. No numbers have been released on the number of people affected by the Home Depot breach.
PIN data was not taken from Home Depot. But as Krebs on Security notes, there are other roundabout ways thieves can obtain a valid PIN. The criminals buying account data on the black market can trick some banks’ automated systems into resetting card PINs by cross-referencing other stolen data. In short: If you shopped at Home Depot, your card is likely more vulnerable than you think it is.
Home Depot is offering those who have used a credit or debit card as payment at its stores during the compromise free credit monitoring. It’s a good idea to take advantage if you can, but you may want to go a few steps further. We suggest contacting your bank to request a new card and cancel the old one – it could save you a lot of hassle. Consider changing your PIN too, just in case.
Immediately report any suspicious activity on your cards to your bank. You will not be held legally responsible for any unauthorized charges made to your accounts.
You can learn more about the Home Depot payment systems compromise and the company’s free credit monitoring offer by visiting homedepot.com.
[Cut credit card via Shutterstock]
From Jeffrey Deutsch on September 11, 2014 :: 10:32 am
“You will not be held legally responsible for any unauthorized charges made to your accounts…”
...as long as it’s a consumer card (or a card for a sufficiently small business—check with your issuer).
And for any fraudulent activity against a business account (eg, hacking the online account), Zero Liability doesn’t apply no matter how small the business.
Too bad, too sad.
And, unlike with Target, guess who makes up a significant portion of Home Depot’s customer base?
Oh yeah, and precisely for that reason banks, in my admittedly limited experience, provide more protections for consumer accounts (eg, two-factor authentication, permitting more complex passwords) than business ones.
I can see lots of building and home improvement contractors having raced to their phones and computers. And over the next few weeks and months, I can see the screams coming loud and long in ways that go beyond the Target breach.
Reply
From Josh Kirschner on September 12, 2014 :: 8:21 am
We hadn’t thought about the business angle. And, as a small business ourselves, that’s definitely a cause for concern. There have been some cases recently of small businesses suing their banks for lax security policies leading to electronic fraud but, to my knowledge, most of those suits have not been successful to date.
Reply