Sounds of silence from the mainstream media and the scumbags at the mega-retailer. The Target breach was over 40 million credit cards. This breach looks much larger.
Via Brian Krebs
Data: Nearly All U.S. Home Depot Stores Hit
New data gathered from the cybercrime underground suggests that the apparent credit and debit card breach at Home Depot involves nearly all of the company’s stores across the nation.
Evidence that a major U.S. retailer had been hacked and was leaking card data first surfaced Monday on the cybercrime store rescator[dot]cc, the shop that was principally responsible for selling cards stolen in the Target, Sally Beauty, P.F. Chang’s and Harbor Freight credit card breaches.
As with cards put up for sale in the wake of those breaches, Rescator’s shop lists each card according to the city, state and ZIP code of the store from which each card was stolen. See this story for examples of this dynamic in the case of Sally Beauty, and this piece that features the same analysis on the stolen card data from the Target breach.
The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).
Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.
This morning, KrebsOnSecurity pulled down all of the unique ZIP codes in the card data currently for sale from the two batches of cards that at least four banks have now mapped back to previous transactions at Home Depot. KrebsOnSecurity also obtained a commercial marketing list showing the location and ZIP code of every Home Depot store across the country.
Here’s the kicker:
A comparison of the ZIP code data between the unique ZIPs represented on Rescator’s site, and those of the Home Depot stores shows a staggering 99.4 percent overlap.
Home Depot has not yet said for certain whether it has in fact experienced a store-wide card breach; rather, the most that the company is saying so far is that it is investigating “unusual activity” and that it is working with law enforcement on an investigation. Here is the page that Home Depot has set up for further notices about this investigation.
I double checked the data with several sources, including with Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley. Weaver said the data suggests a very strong correlation.
“A 99+ percent overlap in ZIP codes strongly suggests that this source is from Home Depot,” Weaver said.
Here is a list of all unique ZIP codes represented in more than 3,000 debit and credit cards currently for sale on Rescator’s site (Rescator limits the number of cards one can view to the first 33 pages of results, 50 cards per page). Here is a list of all unique Home Depot ZIP codes, in case anyone wants to double check my work.
In all, there were 1,822 ZIP codes represented in the card data for sale on Rescator’s site, and 1,939 unique ZIPs corresponding to Home Depot store locations (while Home Depot says it has ~2,200 stores, it is safe to assume that some ZIP codes have more than one Home Depot store). Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores.
Finally, there were 127 ZIP codes for Home Depot stores that were not in the list of ZIPs represented in Rescator’s card data. However, it’s important to note that the data pulled from Rescator’s site is almost certainly a tiny fraction of the cards that his shop will put up for sale in the coming days and weeks.
What does all this mean? Well, assuming Home Depot does confirm a breach, it could give us one way to determine the likely size of this breach. The banks I spoke with in reporting this story say the data they’re looking at suggests that the breach probably started in late April or early May. To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers. If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.
How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.
How’s a guy supposed to tell the difference between a credit card thief run amuck and a wife?
Big box retailers, proving once again they work tirelessly to keep your private information safe with their trusty Tandy TRS80’s.
Iska Waran says:
“How’s a guy supposed to tell the difference between a credit card thief run amuck and a wife?”
Simple! Marry a woman with integrity and intelligence instead of some shallow bitch that is only good at removing chrome from trailer hitches and wonders how a Thermos “knows” how to keep something hot or cold.
Weefknhah! We are number one!!
How’s a guy supposed to tell the difference between a credit card thief run amuck and a wife? -IW
Simple. You didn't meet the wifey on a catwalk in a place called “Hot Patooty”
The password into Home Depot’s databases was probably “password” or “Home Depot”.
Then there’s this late-breaking story about fake cell phone towers intercepting your communications.
http://finance.yahoo.com/news/mysterious-fake-cellphone-towers-intercepting-162645809.html
They don’t even know who is doing it (presumably it isn’t Uncle Sam, since he’s already tapping your online activities at the source.) I’m getting tired of this shit.
How’s a guy supposed to tell the difference between a credit card thief run amuck and a wife? -IW
God it is a fucking joke. Some of you need to lighten the fuck up.
Winston says:
“How’s a guy supposed to tell the difference between a credit card thief run amuck and a wife? -IW”
“God it is a fucking joke.”
No shit Sherlock……I mean Winston. Some of us get it and responded in kind although, my response was serious as well!
So..17 customized Android devices hacked stores across the country Steve Hogan? As far as I know the range of a Cell phone tower is some 8-12 miles. An Android much less.
And some 40 million plus people are using a credit card to buy shit from Home Depot??
God it is a fucking joke. Some of you need to lighten the fuck up. -Winston
I was joking about a stripper bar called Hot Patooty though one might exist…
I throw down the brown bullshit card. Sure there are people that sit around, in their cars or in such magnificent places as McSucks with their pineapples.
WiFi Pineapple
But Android uses a Linux/Unix type OS, open source software, but to say Android, the phone is at fault is just BS.
Why, by the link you have posted IS, the military is to be using Android type devices to hack Home Depot, or are we speaking about the celebrity nudie selfies
Sorry, that was Hogan, not IS
My Bad
I can’t believe this story isn’t getting more traction. Can’t find but a couple of mentions of it on Reddit, a search turned up only a few mainstream media stories, the WSJ has it paywalled.
And isn’t this just a week following the news of the big 4 banks hacked for user accounts and passwords?
Welcome to unfolding world of techno-money, just keep your bitcoins in your e-wallet and pay for everything with plastic! Bingo, you’re broke, it’s all been stolen out of the internet cloud. Enjoy your digital slavery.
We’ve been paying for almost everything with cash for the last 10 years. I saw this coming a long time ago.
Justify your credit card statement monthly. You are not liable for any fraudulent charges – but you have to catch them and report them. You get instant rebate on charges you cannot verify when you turn them in.
Phone in a “lost credit card” to your bank annually and have them issue you a new credit card (with a new number and new expiration and new “security code”). Then notify everyone that charges that card with your new number, etc.
Presto – problem gone unless you are VERY unlucky.
MA
The ones that will be hit the hardest by this are all the illegals that hang out in front of Home Depot looking for day work. Watch for turf wars to break out in front of Lowes now.
Towers?? Jeebus in a Camaro, you don't need towers, you need a laptop with a hotel password while driving amongst the cocaine fueled celebrities taking nekkid selfies in Holyweird.
1. Getting a letter from my CC company telling me my card has been compromised is a yearly event and a pain in the ass. The best part is them telling me I can continue to use my card until the new ones arrive. That’s along with them letting recurring charges continue as much as a year later, on the old card.
2. I don’t care who listens to my phone conversations. All they’re going to hear is “fuck off” to people who want to sell me solar panels.
Saker, is the current conflict in Ukraine about Judaism?
Hacker breached HealthCare.gov insurance site
By Danny Yadron
Published: Sept 4, 2014 4:18 p.m. ET
A hacker broke into part of the HealthCare.gov insurance enrollment website in July and uploaded malicious software, according to federal officials.
Investigators found no evidence that consumers’ personal data was taken in the breach, federal officials said. The hacker appears only to have accessed a server used to test code for HealthCare.gov. The Department of Health and Human Services discovered the attack last week.
An HHS official said the attack appears to mark the first successful intrusion into the website, where millions of Americans bought insurance starting last year under the Affordable Care Act. It raised concerns among federal officials because of how easily the intruder gained access and how much damage could have occurred.
“Our review indicates that the server did not contain consumer personal information; data was not transmitted outside the agency, and the website was not specifically targeted,” the Department of Health and Human Services said in a written statement. “We have taken measures to further strengthen security.”
The attack comes as the federal government and insurance companies prepare for open enrollment, which begins Nov. 15. It is likely to be seized on by Republican lawmakers, who oppose the law, in fall campaigns as another sign of the health law’s flaws. HealthCare.gov suffered from crippling technology problems when it launched in October, though the government has since improved the site.
Taken with recent data thefts from J.P. Morgan Chase & Co., Home Depot Inc., and celebrities’ iPhones, the HealthCare.gov hack further underscores that large organizations haven’t yet mastered how to secure the troves of data they collect from consumers.
A couple of years ago someone hacked Burger King’s Twitter feed or some such BS.
Want to take fuckin’ guess what the password was?
It was Burger King or Whopper or something any person, but maybe not bb, could guess.
Went to the bank today to cxl my debit card for fear it had been compromised as I bought a couple of items at Home Depot with it, to find that my bank had cxl’d the card already, this very day. They culled all the cards that had been used at HD and cancelled them as a precaution, sending new cards to affected customers.
If retailers cannot assure the safety of their data, people will simply back away from electronic transactions and go straight cash. Henceforth, I am dealing in cash as much as possible, for fear of who’s next. Macy’s? Jewell? Walgreen’s?
Not only do retailers need to upgrade their data security substantially, but protocols for customer identification need to be improved. It is too easy for someone to empty your bank account with your debit card, even without a PIN no. You see, most debit transactions can be run as “signature” credit transactions. Retail clerks scarcely ever even glance at signatures, and stores not only do not ask for I.D. when credit or debit cards are used, but approve purchases under a certain amount of money, with no signature. Perhaps a verification protocol that requires either “biometric” identification such as a thumbprint, or an identification process with multiple means of verification, should be used.