Home Depot Breach - zip codes revealed

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
EagertoLearnMore
Posts: 773
Joined: Wed Jun 30, 2010 4:05 pm

Home Depot Breach - zip codes revealed

Post by EagertoLearnMore »

I have used several credit cards at Home Depot, but yesterday everyone in line was paying with cash.
Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt

And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
barnaclebob
Posts: 5586
Joined: Thu Aug 09, 2012 10:54 am

Re: Home Depot Breach - zip codes revealed

Post by barnaclebob »

When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
carolinaman
Posts: 5463
Joined: Wed Dec 28, 2011 8:56 am
Location: North Carolina

Re: Home Depot Breach - zip codes revealed

Post by carolinaman »

Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
tigermilk
Posts: 870
Joined: Thu Aug 15, 2013 9:32 am

Re: Home Depot Breach - zip codes revealed

Post by tigermilk »

barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.
Grt2bOutdoors
Posts: 25625
Joined: Thu Apr 05, 2007 8:20 pm
Location: New York

Re: Home Depot Breach - zip codes revealed

Post by Grt2bOutdoors »

I've had about enough of this nonsense, first Target, now Home Depot. If they can spend hundreds of millions on dividends and executive compensation, they can take that money and protect their bread and butter - their customers first. When the customers start leaving, it's the beginning of the end.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions
Grt2bOutdoors
Posts: 25625
Joined: Thu Apr 05, 2007 8:20 pm
Location: New York

Re: Home Depot Breach - zip codes revealed

Post by Grt2bOutdoors »

johnep wrote:Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
97% of all Home Depot stores were infiltrated by the hackers....that's just about everyone in America. :shock:
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions
crg11
Posts: 535
Joined: Sat Jan 04, 2014 7:16 am

Re: Home Depot Breach - zip codes revealed

Post by crg11 »

Hope this makes the migration to Chip+PIN faster.
Faith20879
Posts: 1242
Joined: Fri Mar 02, 2007 9:16 am

Re: Home Depot Breach - zip codes revealed

Post by Faith20879 »

Hope this makes the migration to Chip+PIN faster.
I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?

Thanks!
Glenn
Posts: 163
Joined: Mon Feb 19, 2007 5:06 pm

Re: Home Depot Breach - zip codes revealed

Post by Glenn »

I have a chip and pin card, but it didn't help because Home Depot just uses it like any old magnetic stripe card.
User avatar
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Home Depot Breach - zip codes revealed

Post by telemark »

The code to check is the one for the store you go to, this may be different than your home zip code (it is in my case).
User avatar
fungus_amungus
Posts: 63
Joined: Sun Sep 29, 2013 7:37 am
Location: Tennessee

Re: Home Depot Breach - zip codes revealed

Post by fungus_amungus »

tigermilk wrote:
barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.
This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
crg11
Posts: 535
Joined: Sat Jan 04, 2014 7:16 am

Re: Home Depot Breach - zip codes revealed

Post by crg11 »

Faith20879 wrote:
Hope this makes the migration to Chip+PIN faster.
I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?

Thanks!
My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Home Depot Breach - zip codes revealed

Post by jchef »

fungus_amungus wrote: Believe me, banks want to stop this more than anything else right now.

Most of the rest of world switch to EMV many years ago. While switching the US is more complicated than any other country, they still could have done it. They put it off because they felt the cost of fraud was manageable.

They are the ones that eat the charges after all, not the merchant.

Starting in October 2015 that will no longer be true. Merchants that swipe a chip card will eat the charges if the card was fraudulent.

Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
If the liability shift was in October 2012 instead of October 2015, nearly all merchants would have upgraded to chip terminals. It's the liability shift which is the huge incentive for merchants to upgrade to chip terminals.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV.

The rest of the world has been using EMV for many years. Upgrading to EMV is not a new process, it's been done many times. US banks and the banking infrastructure should be able to handle it.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Home Depot Breach - zip codes revealed

Post by jchef »

crg11 wrote:
Faith20879 wrote:
Hope this makes the migration to Chip+PIN faster.
I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?

Thanks!
My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.
To be precise, it's not the card readers that has been hacked into at Target, Home Depot and many others. It's the software running on cash register.

Your correct that the magnetic strip isn't encrypted. So the information from the magnetic strip is processed by the cash register software, encrypted and sent to the financial institution. However before the cash register software encrypts the data, it is copied and stolen.

Chip cards encrypt the communication with the financial institution. The cash register software doesn't get to listen in to this communication. So the financial institution will provide the cash register software with some information, so that they can track customers, etc. But the financial institution doesn't provide the store or cash register software with enough information to create a fraudulent card or transaction.

So even if you hack into the cash register software, you don't get anything of use if a chip card is used.
agent13x
Posts: 91
Joined: Sat Mar 22, 2014 1:35 pm
Location: Iowa

Re: Home Depot Breach - zip codes revealed

Post by agent13x »

barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Chip and pin only adds extra protection for an in-person transaction. Most of these credit card breaches are related to online credit card transactions, where the chip and pin are of no use. The best fraud protection we have is our legal system and the fact that the credit card companies are liable for fraud in the US. In other countries the cardholder is liable for fraud. I'd much rather have the US system.
barnaclebob
Posts: 5586
Joined: Thu Aug 09, 2012 10:54 am

Re: Home Depot Breach - zip codes revealed

Post by barnaclebob »

fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Home Depot Breach - zip codes revealed

Post by jchef »

agent13x wrote:
barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Chip and pin only adds extra protection for an in-person transaction. Most of these credit card breaches are related to online credit card transactions, where the chip and pin are of no use. The best fraud protection we have is our legal system and the fact that the credit card companies are liable for fraud in the US. In other countries the cardholder is liable for fraud. I'd much rather have the US system.
Most (all?) of the big breaches in the news recently (Target, Home Depot and others) deal with in store purchases, not online.

And are you sure consumers in other countries are responsible for online fraud? I know in some countries they can be for in store purchases if the bank believes you gave away your PIN. But I've never heard of a consumers being responsible if someone breaks into an online store and steals info from there.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Home Depot Breach - zip codes revealed

Post by Mudpuppy »

crg11 wrote:
Faith20879 wrote:
Hope this makes the migration to Chip+PIN faster.
I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?

Thanks!
My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.
Just a slight correction, in addition to what jchef already posted. The information on the magnetic stripe of a chip (EMV) card is not encrypted. The magnetic stripe is "backwards compatible" with current technology, so it's just as open as it currently is. Anyone could swipe a chip+pin or chip+signature card and get the information on the magnetic stripe, same as they do today. They could still make a clone of that magnetic stripe, like they do today. Magnetic stripe transactions are not changing at all. What EMV cards do is enable EMV transactions to take place (see jchef's response for a description of EMV transactions).

However, the liability shift is the key thing here. Right now, merchants and the card issuer split liability costs for fraud, regardless of the transaction type. After the liability shift (next year for point-of-sale devices, a few years down the road for gas station terminals), merchants will bear full liability costs for fraudulent transactions under certain circumstances. The exact circumstances vary by card issuer (e.g. VISA, MC, AmEx, Discover), but the basic idea is if the merchant processes more than x% of EMV cards with magnetic stripe transactions instead of EMV transactions, the merchant is fully liable for any resulting fraud.

So merchants have a very strong incentive to require EMV transactions for EMV cards and to reject any attempt to run a magnetic stripe transaction for an EMV card. A thief could still clone the magnetic stripe of an EMV card, but they'd have to be rather sophisticated to trick a merchant into using a magnetic stripe transaction. And as already pointed out, they could also still use the magnetic stripe information to do card-not-present frauds, particularly at online merchants that do not ask for the 3-/4-digit number on the card.

This is all simplified of course, but that's the basic idea.
User avatar
fungus_amungus
Posts: 63
Joined: Sun Sep 29, 2013 7:37 am
Location: Tennessee

Re: Home Depot Breach - zip codes revealed

Post by fungus_amungus »

barnaclebob wrote:
fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.
That is a gross generalization. The only banks that have enough sway to even make that change are the big guys. If you want to make an argument that specific big players are holding us back by accepting fraud losses as an acceptable cost, fine. However, that doesn't scratch the surface of the word "banks." Nearly 97% of banks in the United States are defined as community banks that depend on third party vendors to operate. An overwhelming majority of those don't have in-house programmers or card production. They can't just flip a switch and make EMV work. I know for a fact that the largest bank core processor in the country (2 out of every 5 banks) doesn't support EMV and won't until "quarter 1 2015." Two out five banks in the country simply cannot issue EMV at this time.
User avatar
TheTimeLord
Posts: 12130
Joined: Fri Jul 26, 2013 2:05 pm

Re: Home Depot Breach - zip codes revealed

Post by TheTimeLord »

tigermilk wrote:
barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.
How is it the credit card companies fault the your retailer mishandled the data?
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]
User avatar
fungus_amungus
Posts: 63
Joined: Sun Sep 29, 2013 7:37 am
Location: Tennessee

Re: Home Depot Breach - zip codes revealed

Post by fungus_amungus »

jchef wrote:
fungus_amungus wrote: Believe me, banks want to stop this more than anything else right now.

Most of the rest of world switch to EMV many years ago. While switching the US is more complicated than any other country, they still could have done it. They put it off because they felt the cost of fraud was manageable.

They are the ones that eat the charges after all, not the merchant.

Starting in October 2015 that will no longer be true. Merchants that swipe a chip card will eat the charges if the card was fraudulent.

Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
If the liability shift was in October 2012 instead of October 2015, nearly all merchants would have upgraded to chip terminals. It's the liability shift which is the huge incentive for merchants to upgrade to chip terminals.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV.

The rest of the world has been using EMV for many years. Upgrading to EMV is not a new process, it's been done many times. US banks and the banking infrastructure should be able to handle it.
They can absolutely handle it and that's why it's being done now that there is a mandate and liability shift, but don't underestimate the difficulty of doing so due to the fragmentary nature of banking in the USA. There are huge technical hurdles that people are skimming over by equating US "banks" with Chase, BofA, etc that have the congressional sway, capital, thousands of IT staff/programmers, and in-house card production. Even some of the huge regional banks that are too big to be considered "community banks" (97/100 in the country) don't have dedicated programming staff and depend on a third party like Jack Henry or Fiserv as their core processor.

This isn't about making one set of programming changes in some universal banking program. This is about thousands and thousands of unique banks making the switch by depending on third parties. Most banks simply do not have a choice at this time whether they issue EMV or not. If they could, believe me that they would. Fraud losses may not be a big deal to Chase who would write off a few million in fraud losses like it was nothing, but that's not the situation for most banks whose fraud loss "budget" is razor thin.
User avatar
Rainier
Posts: 1733
Joined: Thu Jun 14, 2012 5:59 am

Re: Home Depot Breach - zip codes revealed

Post by Rainier »

I'm not sure HD has the situation under control yet. My coworker went to the store on Wednesday night to buy something. Last night she got a call from her cc company that there was suspicious activity on he her card. They were right, somebody had already cloned the card and were making fraudulent purchases.

Could be coincidence this happened right after she went to HD, but it seems like a good connection.
rjm_cali
Posts: 152
Joined: Thu Apr 10, 2014 1:52 pm

Re: Home Depot Breach - zip codes revealed

Post by rjm_cali »

I can only speak from my UK experience as both customer and retailer. Customers are not generally liable for fraudulent transaction unless the card issuer thinks there is good reason to believe the car holder has done something dumb but that's generally rare ime. The issuers were generally very hot on spotting fraudulent card use based on a whole range of parameters e.g location , amount, frequency and even type of purchase. General pattern of fraudulent use was a blitz several months after the card/card details got stolen,

As a retailer I *had* to switch to C&P terminals and liability moved to me so although I did the occasional "card holder not present" transaction I tried to avoid them wherever possible. I don't know how mail order only businesses managed the fraud issue. Cheques,sorry, checks were a non-issue as most places don't accept them anymore and the banks don't issue check guarantee cards anymore.

C&P is not a panacea for card fraud but it's a step that's not been made here yet for reasons that have nothing to do with customer security and everything to do with corporate profits imho.

<A Home Depot customer>
Grasshopper
Posts: 1209
Joined: Sat Oct 09, 2010 3:52 pm

Re: Home Depot Breach - zip codes revealed

Post by Grasshopper »

My only HD purchase was online, any clue if I was hacked. I download into Quicken daily, I logged into Discover and they made a statement about the HD attack. :oops:
User avatar
fungus_amungus
Posts: 63
Joined: Sun Sep 29, 2013 7:37 am
Location: Tennessee

Re: Home Depot Breach - zip codes revealed

Post by fungus_amungus »

rjm_cali wrote:I can only speak from my UK experience as both customer and retailer. Customers are not generally liable for fraudulent transaction unless the card issuer thinks there is good reason to believe the car holder has done something dumb but that's generally rare ime. The issuers were generally very hot on spotting fraudulent card use based on a whole range of parameters e.g location , amount, frequency and even type of purchase. General pattern of fraudulent use was a blitz several months after the card/card details got stolen,

As a retailer I *had* to switch to C&P terminals and liability moved to me so although I did the occasional "card holder not present" transaction I tried to avoid them wherever possible. I don't know how mail order only businesses managed the fraud issue. Cheques,sorry, checks were a non-issue as most places don't accept them anymore and the banks don't issue check guarantee cards anymore.

C&P is not a panacea for card fraud but it's a step that's not been made here yet for reasons that have nothing to do with customer security and everything to do with corporate profits imho.

<A Home Depot customer>
The same applies in the USA. It's called Reg E, and it guarantees consumer cardholders that they aren't liable for fraudulent usage of their card unless their usage is irresponsible in some fashion. The switch you described as what the previous poster was talking about with regards to the liability shift. That is supposedly going to happen late next year. After that, liability is as follows:

1. Bank doesn't offer EMV, but merchant does, bank eats it
2. Bank offers EMV, but merchant doesn't, merchant eats it
3. Bank offers EMV, merchant offers EMV, bank eats it
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Home Depot Breach - zip codes revealed

Post by jchef »

Grasshopper wrote:My only HD purchase was online, any clue if I was hacked. I download into Quicken daily, I logged into Discover and they made a statement about the HD attack. :oops:
The known hack deals with the software on physical cash registers. Target was quite clear that their online store wasn't affected.

It would be unusual for Home Depot, or any other store, to use the same software on their physical cash machines and their website. So it's unlikely to be a problem.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Home Depot Breach - zip codes revealed

Post by Mudpuppy »

Rainier wrote:I'm not sure HD has the situation under control yet. My coworker went to the store on Wednesday night to buy something. Last night she got a call from her cc company that there was suspicious activity on he her card. They were right, somebody had already cloned the card and were making fraudulent purchases.

Could be coincidence this happened right after she went to HD, but it seems like a good connection.
It probably was coincidence, as the turnover time to get the numbers to the black market would make it happening in 24 hours a little unlikely. If the crime ring were using cash mules themselves, they might get that quick of a turnaround time, but the indications are that this theft ring is sending numbers to the black market rather than using cash mules themselves.

Considering that Home Depot is just the latest in a string of such announcements over the last 6 months, it could have been stolen in many places. Just off the top of my head, the following places have announced card compromises this year: Albertsons, Sallys Beauty, Harbor Freight, UPS Store, Michaels, Aaron Brothers, PF Chang's, Goodwill, and Neiman Marcus. Possibly Dairy Queen and Jimmy Johns too, although they have not confirmed a data breach. And those are just the stores that we've heard about.

It can take months (the more pessimistic security folks say 9 months to a year) for a company to detect a breach on its own, and several of these breaches were first discovered by law enforcement tracking patterns in fraudulent charges. If you use a credit card, just get used to the idea it's going to be stolen and cloned. Keep an eye on your transactions and alert the issuer if anything seems amiss.
User avatar
mojave
Posts: 393
Joined: Mon Aug 20, 2012 8:59 am

Re: Home Depot Breach - zip codes revealed

Post by mojave »

:?

I never thought I would say this but, I'm glad we switched back to Chase. It's easy to get a new debit card, many of their locations will let you do it right there, no waiting for a new one to come through the mail. We had to do this for the Target breach and now this one. And quite frankly, it may be worth doing every 6 months because this seems to be an escalating problem that no one wants do address, or they do bandaid fixes.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Home Depot Breach - zip codes revealed

Post by jchef »

mojave wrote: And quite frankly, it may be worth doing every 6 months because this seems to be an escalating problem that no one wants do address, or they do bandaid fixes.
Every country that implemented EMV had a significant reduction in credit card fraud. As well, given that the US is the only major country that hasn't implemented EMV, that makes it the easiest target in the world.

EMV certainly isn't going to eliminate fraud, but it almost certainly cause a significant reduction.
User avatar
grabiner
Advisory Board
Posts: 35307
Joined: Tue Feb 20, 2007 10:58 pm
Location: Columbia, MD

Re: Home Depot Breach - zip codes revealed

Post by grabiner »

EagertoLearnMore wrote:Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt

And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
This correlation doesn't make sense, because zip codes don't correspond to shopping areas. For example, Columbia, MD, where I live, has one Home Depot, but three zip codes (and two non-Columbia post offices covering parts of the town). The Home Depot in zip code 21046 is across the street from 21045 and three miles from 21044. I would expect that just as many people from 21044 and 21045 shop at the same Home Depot, but only 21046 is on the list of the top zips for stolen cards.
Wiki David Grabiner
Startled Cat
Posts: 709
Joined: Thu Apr 03, 2008 8:54 pm

Re: Home Depot Breach - zip codes revealed

Post by Startled Cat »

grabiner wrote:
EagertoLearnMore wrote:Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt

And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
This correlation doesn't make sense, because zip codes don't correspond to shopping areas. For example, Columbia, MD, where I live, has one Home Depot, but three zip codes (and two non-Columbia post offices covering parts of the town). The Home Depot in zip code 21046 is across the street from 21045 and three miles from 21044. I would expect that just as many people from 21044 and 21045 shop at the same Home Depot, but only 21046 is on the list of the top zips for stolen cards.
I believe the zip codes associated with the card numbers are zip codes of retail locations where the card numbers were stolen, not customer addresses. I don't know how the people collecting the card numbers would be able to get address information for each card.

People usually shop close to home, so for people buying card numbers on the black market, this is good enough. They want to avoid generating fraudulent charges thousands of miles away from the cardholder's address. This is more likely to get the account shut down quickly.
jcman01
Posts: 48
Joined: Tue Feb 12, 2013 12:45 pm

Re: Home Depot Breach - zip codes revealed

Post by jcman01 »

barnaclebob wrote:
fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.

Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.


+1
User avatar
grabiner
Advisory Board
Posts: 35307
Joined: Tue Feb 20, 2007 10:58 pm
Location: Columbia, MD

Re: Home Depot Breach - zip codes revealed

Post by grabiner »

aaronl wrote:I believe the zip codes associated with the card numbers are zip codes of retail locations where the card numbers were stolen, not customer addresses. I don't know how the people collecting the card numbers would be able to get address information for each card.

People usually shop close to home, so for people buying card numbers on the black market, this is good enough. They want to avoid generating fraudulent charges thousands of miles away from the cardholder's address. This is more likely to get the account shut down quickly.
I confirmed this from a more clearly-written article; the zip codes advertised are associated with the stores.
Wiki David Grabiner
thenameishersch
Posts: 29
Joined: Thu May 23, 2013 10:33 am

Re: Home Depot Breach - zip codes revealed

Post by thenameishersch »

Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.

I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID

Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?

EDIT: Just found this.
4strings
Posts: 161
Joined: Fri Feb 19, 2010 3:49 pm

Re: Home Depot Breach - zip codes revealed

Post by 4strings »

thenameishersch wrote:Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.

I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID

Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?

EDIT: Just found this.

i just stumbled upon the free identify theft monitoring service home depot is offering.

what do you guys think? is it worth it? has anyone ever done this with with a previous merchant's breach? thanks.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Home Depot Breach - zip codes revealed

Post by Mudpuppy »

I'm personally not a fan of identity monitoring services over a credit card number breach. Unless you have a Home Depot card (and the hackers got into that particular database), there's not enough information on the magnetic stripe alone for successful identity theft. They could cross-tabulate it with other data, but if you're concerned about that, it's just better to freeze your credit.
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: Home Depot Breach - zip codes revealed

Post by stan1 »

thenameishersch wrote:Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.

I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID

Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?

EDIT: Just found this.
I used my card at Target last year. I only monitored for fraudulent transactions which I do every day anyways (there were none). In March or April B of A sent me a new credit cardon their own initiative. Remember you are not liable for fraudulent charges on a credit card. There isn't enough information on a swiped card to apply for credit so I would continue to monitor credit reports annually.

I know there's a feeling that you need to "do something" in this situation, but with the frequency of attacks you could find yourself in a continuous state of stress if you worry about protection rather than detection. I use the Mint Mac OS X desktop app to look at what charges are hitting my credit card several times per day. Charges hit within minutes to hours most of the time. Takes about 3 seconds every time I put the cursor over the Mint icon and click.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Home Depot Breach - zip codes revealed

Post by Ged »

stan1 wrote:Remember you are not liable for fraudulent charges on a credit card.
I have two concerns with the card I used at HD.

1. Possible cancellation of the card at an inconvenient time. For example if I'm travelling somewhere.

2. Annoyance factor with respect to dealing with fraudulent charges. I had to do this once before and it was excruciating thanks to atrocious customer service from CitiBank. :x :x

So I've told my card issuer I want a new one. They were quite accommodating.

As far as identity theft I'm far more worried about incidents reported involving the Federal OPM.
Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: Home Depot Breach - zip codes revealed

Post by Browser »

I recently activated alerts on my credit card, which was used in April at HD. Gives me an immediate message on my smartphone when the card is used. Did this before I learned about the HD breach, but glad I did so I can catch any misuse of the card immediately if it occurs. Recommend that you check your bank to see if you can activate these alerts as well.
We don't know where we are, or where we're going -- but we're making good time.
Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: Home Depot Breach - zip codes revealed

Post by Browser »

Just heard on the evening news that 56 Million! credit card numbers have been stolen in the HD breach. That's a bunch, eh? Let's make it easy for the hackers and just go ahead an publish our numbers on the web. :shock:
We don't know where we are, or where we're going -- but we're making good time.
ilisira
Posts: 130
Joined: Tue Mar 11, 2008 3:04 pm

Re: Home Depot Breach - zip codes revealed

Post by ilisira »

Grt2bOutdoors wrote:
johnep wrote:Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
97% of all Home Depot stores were infiltrated by the hackers....that's just about everyone in America. :shock:
This proves I'm living in the middle of nowhere :).

I had separated my online, and offline credit cards long time ago. Offline cards are only used when card is present, and if they need to be replaced, I do not need to change credit card info for many only retailers that have my credit card.
JW-Retired
Posts: 7189
Joined: Sun Dec 16, 2007 11:25 am

Re: Home Depot Breach - zip codes revealed

Post by JW-Retired »

I have 2 credit cards where I charged something in the last few months at one of the zip code listed Home Depots. Guess I will give the 800 numbers a call and see about changing the credit card numbers. Do you think anyone will answer or are they totally swamped? I'll let you know tomorrow.
JW
Retired at Last
Browser
Posts: 4857
Joined: Wed Sep 05, 2012 4:54 pm

Re: Home Depot Breach - zip codes revealed

Post by Browser »

JW Nearly Retired wrote:I have 2 credit cards where I charged something in the last few months at one of the zip code listed Home Depots. Guess I will give the 800 numbers a call and see about changing the credit card numbers. Do you think anyone will answer or are they totally swamped? I'll let you know tomorrow.
JW
I'm with U.S. Bank and they posted something on their website about the breach. Basically they said they always monitor transactions for fraud and to just keep using the card; if they detect a problem they'll contact customers and issue new cards as required. You might check the websites of your banks to see if they have anything posted before calling.
We don't know where we are, or where we're going -- but we're making good time.
SimonJester
Posts: 2500
Joined: Tue Aug 16, 2011 12:39 pm

Re: Home Depot Breach - zip codes revealed

Post by SimonJester »

Browser wrote:Just heard on the evening news that 56 Million! credit card numbers have been stolen in the HD breach. That's a bunch, eh? Let's make it easy for the hackers and just go ahead an publish our numbers on the web. :shock:
The Target breach was 100+ million so this number was much lower then they initially thought. It looks like the thieves targeted the self checkout machines.

Looks like my card is in the bowel for the reaping some 12+ times :(
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
Post Reply