Home Depot Breach - zip codes revealed
-
- Posts: 773
- Joined: Wed Jun 30, 2010 4:05 pm
Home Depot Breach - zip codes revealed
I have used several credit cards at Home Depot, but yesterday everyone in line was paying with cash.
Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt
And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt
And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
-
- Posts: 5586
- Joined: Thu Aug 09, 2012 10:54 am
Re: Home Depot Breach - zip codes revealed
When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
-
- Posts: 5463
- Joined: Wed Dec 28, 2011 8:56 am
- Location: North Carolina
Re: Home Depot Breach - zip codes revealed
Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
Re: Home Depot Breach - zip codes revealed
Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
-
- Posts: 25625
- Joined: Thu Apr 05, 2007 8:20 pm
- Location: New York
Re: Home Depot Breach - zip codes revealed
I've had about enough of this nonsense, first Target, now Home Depot. If they can spend hundreds of millions on dividends and executive compensation, they can take that money and protect their bread and butter - their customers first. When the customers start leaving, it's the beginning of the end.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions
-
- Posts: 25625
- Joined: Thu Apr 05, 2007 8:20 pm
- Location: New York
Re: Home Depot Breach - zip codes revealed
97% of all Home Depot stores were infiltrated by the hackers....that's just about everyone in America.johnep wrote:Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
"One should invest based on their need, ability and willingness to take risk - Larry Swedroe" Asking Portfolio Questions
Re: Home Depot Breach - zip codes revealed
Hope this makes the migration to Chip+PIN faster.
-
- Posts: 1242
- Joined: Fri Mar 02, 2007 9:16 am
Re: Home Depot Breach - zip codes revealed
I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?Hope this makes the migration to Chip+PIN faster.
Thanks!
Re: Home Depot Breach - zip codes revealed
I have a chip and pin card, but it didn't help because Home Depot just uses it like any old magnetic stripe card.
Re: Home Depot Breach - zip codes revealed
The code to check is the one for the store you go to, this may be different than your home zip code (it is in my case).
- fungus_amungus
- Posts: 63
- Joined: Sun Sep 29, 2013 7:37 am
- Location: Tennessee
Re: Home Depot Breach - zip codes revealed
This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.tigermilk wrote:Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
Re: Home Depot Breach - zip codes revealed
My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.Faith20879 wrote:I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?Hope this makes the migration to Chip+PIN faster.
Thanks!
Re: Home Depot Breach - zip codes revealed
fungus_amungus wrote: Believe me, banks want to stop this more than anything else right now.
Most of the rest of world switch to EMV many years ago. While switching the US is more complicated than any other country, they still could have done it. They put it off because they felt the cost of fraud was manageable.
They are the ones that eat the charges after all, not the merchant.
Starting in October 2015 that will no longer be true. Merchants that swipe a chip card will eat the charges if the card was fraudulent.
If the liability shift was in October 2012 instead of October 2015, nearly all merchants would have upgraded to chip terminals. It's the liability shift which is the huge incentive for merchants to upgrade to chip terminals.Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV.
The rest of the world has been using EMV for many years. Upgrading to EMV is not a new process, it's been done many times. US banks and the banking infrastructure should be able to handle it.
Re: Home Depot Breach - zip codes revealed
To be precise, it's not the card readers that has been hacked into at Target, Home Depot and many others. It's the software running on cash register.crg11 wrote:My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.Faith20879 wrote:I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?Hope this makes the migration to Chip+PIN faster.
Thanks!
Your correct that the magnetic strip isn't encrypted. So the information from the magnetic strip is processed by the cash register software, encrypted and sent to the financial institution. However before the cash register software encrypts the data, it is copied and stolen.
Chip cards encrypt the communication with the financial institution. The cash register software doesn't get to listen in to this communication. So the financial institution will provide the cash register software with some information, so that they can track customers, etc. But the financial institution doesn't provide the store or cash register software with enough information to create a fraudulent card or transaction.
So even if you hack into the cash register software, you don't get anything of use if a chip card is used.
Re: Home Depot Breach - zip codes revealed
Chip and pin only adds extra protection for an in-person transaction. Most of these credit card breaches are related to online credit card transactions, where the chip and pin are of no use. The best fraud protection we have is our legal system and the fact that the credit card companies are liable for fraud in the US. In other countries the cardholder is liable for fraud. I'd much rather have the US system.barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
-
- Posts: 5586
- Joined: Thu Aug 09, 2012 10:54 am
Re: Home Depot Breach - zip codes revealed
BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
Re: Home Depot Breach - zip codes revealed
Most (all?) of the big breaches in the news recently (Target, Home Depot and others) deal with in store purchases, not online.agent13x wrote:Chip and pin only adds extra protection for an in-person transaction. Most of these credit card breaches are related to online credit card transactions, where the chip and pin are of no use. The best fraud protection we have is our legal system and the fact that the credit card companies are liable for fraud in the US. In other countries the cardholder is liable for fraud. I'd much rather have the US system.barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
And are you sure consumers in other countries are responsible for online fraud? I know in some countries they can be for in store purchases if the bank believes you gave away your PIN. But I've never heard of a consumers being responsible if someone breaks into an online store and steals info from there.
Re: Home Depot Breach - zip codes revealed
Just a slight correction, in addition to what jchef already posted. The information on the magnetic stripe of a chip (EMV) card is not encrypted. The magnetic stripe is "backwards compatible" with current technology, so it's just as open as it currently is. Anyone could swipe a chip+pin or chip+signature card and get the information on the magnetic stripe, same as they do today. They could still make a clone of that magnetic stripe, like they do today. Magnetic stripe transactions are not changing at all. What EMV cards do is enable EMV transactions to take place (see jchef's response for a description of EMV transactions).crg11 wrote:My understanding is that today, the actual data on the magnetic strip on the credit card is not encrypted. This makes it fairly trivial for a hacked card reader in stores to steal all of the information stored in the magnetic strip, which is what happened with Target last year (and probably Home Depot in this case). Cards with a chip store that information with encryption, which vastly improves the security of this. Additional if a PIN is used, that PIN is required for authentication vs. a signature today.Faith20879 wrote:I am not well-versed in the credit card technologies. From what I read, Chip+PIN would still require some info be stored somewhere (server or not), no? If so, won't hackers still be able to get to it?Hope this makes the migration to Chip+PIN faster.
Thanks!
However, the liability shift is the key thing here. Right now, merchants and the card issuer split liability costs for fraud, regardless of the transaction type. After the liability shift (next year for point-of-sale devices, a few years down the road for gas station terminals), merchants will bear full liability costs for fraudulent transactions under certain circumstances. The exact circumstances vary by card issuer (e.g. VISA, MC, AmEx, Discover), but the basic idea is if the merchant processes more than x% of EMV cards with magnetic stripe transactions instead of EMV transactions, the merchant is fully liable for any resulting fraud.
So merchants have a very strong incentive to require EMV transactions for EMV cards and to reject any attempt to run a magnetic stripe transaction for an EMV card. A thief could still clone the magnetic stripe of an EMV card, but they'd have to be rather sophisticated to trick a merchant into using a magnetic stripe transaction. And as already pointed out, they could also still use the magnetic stripe information to do card-not-present frauds, particularly at online merchants that do not ask for the 3-/4-digit number on the card.
This is all simplified of course, but that's the basic idea.
- fungus_amungus
- Posts: 63
- Joined: Sun Sep 29, 2013 7:37 am
- Location: Tennessee
Re: Home Depot Breach - zip codes revealed
That is a gross generalization. The only banks that have enough sway to even make that change are the big guys. If you want to make an argument that specific big players are holding us back by accepting fraud losses as an acceptable cost, fine. However, that doesn't scratch the surface of the word "banks." Nearly 97% of banks in the United States are defined as community banks that depend on third party vendors to operate. An overwhelming majority of those don't have in-house programmers or card production. They can't just flip a switch and make EMV work. I know for a fact that the largest bank core processor in the country (2 out of every 5 banks) doesn't support EMV and won't until "quarter 1 2015." Two out five banks in the country simply cannot issue EMV at this time.barnaclebob wrote:BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
- TheTimeLord
- Posts: 12130
- Joined: Fri Jul 26, 2013 2:05 pm
Re: Home Depot Breach - zip codes revealed
How is it the credit card companies fault the your retailer mishandled the data?tigermilk wrote:Since any fraudulent charges aren't my responsibility, I honestly am hoping for more of these breaches to put a fire under the CC companies. They really need to get their act together. I've got a Chase United card that has been replaced at least 6 times in the last 3 years. Already on my 3rd this year alone.barnaclebob wrote:When will US credit card companies learn and start requiring PIN numbers? It so stupid that consumers eventually end up paying for this nonsense.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. |
Run, You Clever Boy! [9085]
- fungus_amungus
- Posts: 63
- Joined: Sun Sep 29, 2013 7:37 am
- Location: Tennessee
Re: Home Depot Breach - zip codes revealed
They can absolutely handle it and that's why it's being done now that there is a mandate and liability shift, but don't underestimate the difficulty of doing so due to the fragmentary nature of banking in the USA. There are huge technical hurdles that people are skimming over by equating US "banks" with Chase, BofA, etc that have the congressional sway, capital, thousands of IT staff/programmers, and in-house card production. Even some of the huge regional banks that are too big to be considered "community banks" (97/100 in the country) don't have dedicated programming staff and depend on a third party like Jack Henry or Fiserv as their core processor.jchef wrote:fungus_amungus wrote: Believe me, banks want to stop this more than anything else right now.
Most of the rest of world switch to EMV many years ago. While switching the US is more complicated than any other country, they still could have done it. They put it off because they felt the cost of fraud was manageable.
They are the ones that eat the charges after all, not the merchant.
Starting in October 2015 that will no longer be true. Merchants that swipe a chip card will eat the charges if the card was fraudulent.
If the liability shift was in October 2012 instead of October 2015, nearly all merchants would have upgraded to chip terminals. It's the liability shift which is the huge incentive for merchants to upgrade to chip terminals.Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV.
The rest of the world has been using EMV for many years. Upgrading to EMV is not a new process, it's been done many times. US banks and the banking infrastructure should be able to handle it.
This isn't about making one set of programming changes in some universal banking program. This is about thousands and thousands of unique banks making the switch by depending on third parties. Most banks simply do not have a choice at this time whether they issue EMV or not. If they could, believe me that they would. Fraud losses may not be a big deal to Chase who would write off a few million in fraud losses like it was nothing, but that's not the situation for most banks whose fraud loss "budget" is razor thin.
Re: Home Depot Breach - zip codes revealed
I'm not sure HD has the situation under control yet. My coworker went to the store on Wednesday night to buy something. Last night she got a call from her cc company that there was suspicious activity on he her card. They were right, somebody had already cloned the card and were making fraudulent purchases.
Could be coincidence this happened right after she went to HD, but it seems like a good connection.
Could be coincidence this happened right after she went to HD, but it seems like a good connection.
Re: Home Depot Breach - zip codes revealed
I can only speak from my UK experience as both customer and retailer. Customers are not generally liable for fraudulent transaction unless the card issuer thinks there is good reason to believe the car holder has done something dumb but that's generally rare ime. The issuers were generally very hot on spotting fraudulent card use based on a whole range of parameters e.g location , amount, frequency and even type of purchase. General pattern of fraudulent use was a blitz several months after the card/card details got stolen,
As a retailer I *had* to switch to C&P terminals and liability moved to me so although I did the occasional "card holder not present" transaction I tried to avoid them wherever possible. I don't know how mail order only businesses managed the fraud issue. Cheques,sorry, checks were a non-issue as most places don't accept them anymore and the banks don't issue check guarantee cards anymore.
C&P is not a panacea for card fraud but it's a step that's not been made here yet for reasons that have nothing to do with customer security and everything to do with corporate profits imho.
<A Home Depot customer>
As a retailer I *had* to switch to C&P terminals and liability moved to me so although I did the occasional "card holder not present" transaction I tried to avoid them wherever possible. I don't know how mail order only businesses managed the fraud issue. Cheques,sorry, checks were a non-issue as most places don't accept them anymore and the banks don't issue check guarantee cards anymore.
C&P is not a panacea for card fraud but it's a step that's not been made here yet for reasons that have nothing to do with customer security and everything to do with corporate profits imho.
<A Home Depot customer>
-
- Posts: 1209
- Joined: Sat Oct 09, 2010 3:52 pm
Re: Home Depot Breach - zip codes revealed
My only HD purchase was online, any clue if I was hacked. I download into Quicken daily, I logged into Discover and they made a statement about the HD attack.
- fungus_amungus
- Posts: 63
- Joined: Sun Sep 29, 2013 7:37 am
- Location: Tennessee
Re: Home Depot Breach - zip codes revealed
The same applies in the USA. It's called Reg E, and it guarantees consumer cardholders that they aren't liable for fraudulent usage of their card unless their usage is irresponsible in some fashion. The switch you described as what the previous poster was talking about with regards to the liability shift. That is supposedly going to happen late next year. After that, liability is as follows:rjm_cali wrote:I can only speak from my UK experience as both customer and retailer. Customers are not generally liable for fraudulent transaction unless the card issuer thinks there is good reason to believe the car holder has done something dumb but that's generally rare ime. The issuers were generally very hot on spotting fraudulent card use based on a whole range of parameters e.g location , amount, frequency and even type of purchase. General pattern of fraudulent use was a blitz several months after the card/card details got stolen,
As a retailer I *had* to switch to C&P terminals and liability moved to me so although I did the occasional "card holder not present" transaction I tried to avoid them wherever possible. I don't know how mail order only businesses managed the fraud issue. Cheques,sorry, checks were a non-issue as most places don't accept them anymore and the banks don't issue check guarantee cards anymore.
C&P is not a panacea for card fraud but it's a step that's not been made here yet for reasons that have nothing to do with customer security and everything to do with corporate profits imho.
<A Home Depot customer>
1. Bank doesn't offer EMV, but merchant does, bank eats it
2. Bank offers EMV, but merchant doesn't, merchant eats it
3. Bank offers EMV, merchant offers EMV, bank eats it
Re: Home Depot Breach - zip codes revealed
The known hack deals with the software on physical cash registers. Target was quite clear that their online store wasn't affected.Grasshopper wrote:My only HD purchase was online, any clue if I was hacked. I download into Quicken daily, I logged into Discover and they made a statement about the HD attack.
It would be unusual for Home Depot, or any other store, to use the same software on their physical cash machines and their website. So it's unlikely to be a problem.
Re: Home Depot Breach - zip codes revealed
It probably was coincidence, as the turnover time to get the numbers to the black market would make it happening in 24 hours a little unlikely. If the crime ring were using cash mules themselves, they might get that quick of a turnaround time, but the indications are that this theft ring is sending numbers to the black market rather than using cash mules themselves.Rainier wrote:I'm not sure HD has the situation under control yet. My coworker went to the store on Wednesday night to buy something. Last night she got a call from her cc company that there was suspicious activity on he her card. They were right, somebody had already cloned the card and were making fraudulent purchases.
Could be coincidence this happened right after she went to HD, but it seems like a good connection.
Considering that Home Depot is just the latest in a string of such announcements over the last 6 months, it could have been stolen in many places. Just off the top of my head, the following places have announced card compromises this year: Albertsons, Sallys Beauty, Harbor Freight, UPS Store, Michaels, Aaron Brothers, PF Chang's, Goodwill, and Neiman Marcus. Possibly Dairy Queen and Jimmy Johns too, although they have not confirmed a data breach. And those are just the stores that we've heard about.
It can take months (the more pessimistic security folks say 9 months to a year) for a company to detect a breach on its own, and several of these breaches were first discovered by law enforcement tracking patterns in fraudulent charges. If you use a credit card, just get used to the idea it's going to be stolen and cloned. Keep an eye on your transactions and alert the issuer if anything seems amiss.
Re: Home Depot Breach - zip codes revealed
I never thought I would say this but, I'm glad we switched back to Chase. It's easy to get a new debit card, many of their locations will let you do it right there, no waiting for a new one to come through the mail. We had to do this for the Target breach and now this one. And quite frankly, it may be worth doing every 6 months because this seems to be an escalating problem that no one wants do address, or they do bandaid fixes.
Re: Home Depot Breach - zip codes revealed
Every country that implemented EMV had a significant reduction in credit card fraud. As well, given that the US is the only major country that hasn't implemented EMV, that makes it the easiest target in the world.mojave wrote: And quite frankly, it may be worth doing every 6 months because this seems to be an escalating problem that no one wants do address, or they do bandaid fixes.
EMV certainly isn't going to eliminate fraud, but it almost certainly cause a significant reduction.
Re: Home Depot Breach - zip codes revealed
This correlation doesn't make sense, because zip codes don't correspond to shopping areas. For example, Columbia, MD, where I live, has one Home Depot, but three zip codes (and two non-Columbia post offices covering parts of the town). The Home Depot in zip code 21046 is across the street from 21045 and three miles from 21044. I would expect that just as many people from 21044 and 21045 shop at the same Home Depot, but only 21046 is on the list of the top zips for stolen cards.EagertoLearnMore wrote:Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt
And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
-
- Posts: 709
- Joined: Thu Apr 03, 2008 8:54 pm
Re: Home Depot Breach - zip codes revealed
I believe the zip codes associated with the card numbers are zip codes of retail locations where the card numbers were stolen, not customer addresses. I don't know how the people collecting the card numbers would be able to get address information for each card.grabiner wrote:This correlation doesn't make sense, because zip codes don't correspond to shopping areas. For example, Columbia, MD, where I live, has one Home Depot, but three zip codes (and two non-Columbia post offices covering parts of the town). The Home Depot in zip code 21046 is across the street from 21045 and three miles from 21044. I would expect that just as many people from 21044 and 21045 shop at the same Home Depot, but only 21046 is on the list of the top zips for stolen cards.EagertoLearnMore wrote:Krebs has reported a 99% correlation between credit cards for sale online and the zip codes of HD stores. Here is a link to the zip codes: http://krebsonsecurity.com/wp-content/u ... d_zips.txt
And if you would like to read Krebs' article, here is the link to it. It is much more definitive than statement from HD: http://krebsonsecurity.com/2014/09/data ... more-27685
People usually shop close to home, so for people buying card numbers on the black market, this is good enough. They want to avoid generating fraudulent charges thousands of miles away from the cardholder's address. This is more likely to get the account shut down quickly.
Re: Home Depot Breach - zip codes revealed
barnaclebob wrote:BS, this is absolutely the fault of the CC companies and the banks. They are the ones that don't think the fraud costs justify the switch. Maybe when more CEO's have to resign due to data breaches they will start pushing on their bank CEO buddies.fungus_amungus wrote: This really isn't the fault of the CC companies or banks. They aren't the ones responsible for your card data being stolen and are actively trying to prevent you from being inconvenienced by fraudulent charges. Believe me, banks want to stop this more than anything else right now. They are the ones that eat the charges after all, not the merchant. Even if every credit and debit card in the country had an EMV chip today, very few merchants have the POS terminals to accept chip & pin or chip & signature. Your data would have been stolen at Home Depot even if you had one of the newer EMV cards.
Furthermore, there are giant hurdles that most banks are unable to deal with at the time being for issuing EMV. This includes certification from Visa/Mastercard on every type card they offer, production issues with the company that prints the cards, core processing solutions that aren't able to generate debit card orders for EMV chips, etc. Only the largest of financial institutions were even able to start issuing EMV chip cards in the past year. Remember that your average card issuer isn't a mega-bank like Chase, BofA, American Express, etc. Most are small community banks and credit unions that are at the mercy of their core processor.
+1
Re: Home Depot Breach - zip codes revealed
I confirmed this from a more clearly-written article; the zip codes advertised are associated with the stores.aaronl wrote:I believe the zip codes associated with the card numbers are zip codes of retail locations where the card numbers were stolen, not customer addresses. I don't know how the people collecting the card numbers would be able to get address information for each card.
People usually shop close to home, so for people buying card numbers on the black market, this is good enough. They want to avoid generating fraudulent charges thousands of miles away from the cardholder's address. This is more likely to get the account shut down quickly.
-
- Posts: 29
- Joined: Thu May 23, 2013 10:33 am
Re: Home Depot Breach - zip codes revealed
Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.
I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID
Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?
EDIT: Just found this.
I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID
Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?
EDIT: Just found this.
Re: Home Depot Breach - zip codes revealed
thenameishersch wrote:Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.
I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID
Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?
EDIT: Just found this.
i just stumbled upon the free identify theft monitoring service home depot is offering.
what do you guys think? is it worth it? has anyone ever done this with with a previous merchant's breach? thanks.
Re: Home Depot Breach - zip codes revealed
I'm personally not a fan of identity monitoring services over a credit card number breach. Unless you have a Home Depot card (and the hackers got into that particular database), there's not enough information on the magnetic stripe alone for successful identity theft. They could cross-tabulate it with other data, but if you're concerned about that, it's just better to freeze your credit.
Re: Home Depot Breach - zip codes revealed
I used my card at Target last year. I only monitored for fraudulent transactions which I do every day anyways (there were none). In March or April B of A sent me a new credit cardon their own initiative. Remember you are not liable for fraudulent charges on a credit card. There isn't enough information on a swiped card to apply for credit so I would continue to monitor credit reports annually.thenameishersch wrote:Apparently the breach might have started as early as April 2014, and Home Depot is providing free identity protection.
I am pretty sure I made at least 10+ purchases at HomeDepot/HomeDepot.com since April 2014 owing to some remodeling.
I plan to do the following:
1. Cancel credit cards and request new ones with new card numbers
2. Monitor transactions
3. Monitor Credit Sesame/Credit Karma
4. Sign up for the AllClearID
Not sure how secure (4) is, since I will be opening up my intimate numbers to someone (HomeDepot) who already lost my information once.
Any other suggestions?
EDIT: Just found this.
I know there's a feeling that you need to "do something" in this situation, but with the frequency of attacks you could find yourself in a continuous state of stress if you worry about protection rather than detection. I use the Mint Mac OS X desktop app to look at what charges are hitting my credit card several times per day. Charges hit within minutes to hours most of the time. Takes about 3 seconds every time I put the cursor over the Mint icon and click.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: Home Depot Breach - zip codes revealed
I have two concerns with the card I used at HD.stan1 wrote:Remember you are not liable for fraudulent charges on a credit card.
1. Possible cancellation of the card at an inconvenient time. For example if I'm travelling somewhere.
2. Annoyance factor with respect to dealing with fraudulent charges. I had to do this once before and it was excruciating thanks to atrocious customer service from CitiBank.
So I've told my card issuer I want a new one. They were quite accommodating.
As far as identity theft I'm far more worried about incidents reported involving the Federal OPM.
Re: Home Depot Breach - zip codes revealed
I recently activated alerts on my credit card, which was used in April at HD. Gives me an immediate message on my smartphone when the card is used. Did this before I learned about the HD breach, but glad I did so I can catch any misuse of the card immediately if it occurs. Recommend that you check your bank to see if you can activate these alerts as well.
We don't know where we are, or where we're going -- but we're making good time.
Re: Home Depot Breach - zip codes revealed
Just heard on the evening news that 56 Million! credit card numbers have been stolen in the HD breach. That's a bunch, eh? Let's make it easy for the hackers and just go ahead an publish our numbers on the web.
We don't know where we are, or where we're going -- but we're making good time.
Re: Home Depot Breach - zip codes revealed
This proves I'm living in the middle of nowhere .Grt2bOutdoors wrote:97% of all Home Depot stores were infiltrated by the hackers....that's just about everyone in America.johnep wrote:Thanks. My zip code was included. I will have to see if I did any cc transactions in that timeframe.
I had separated my online, and offline credit cards long time ago. Offline cards are only used when card is present, and if they need to be replaced, I do not need to change credit card info for many only retailers that have my credit card.
-
- Posts: 7189
- Joined: Sun Dec 16, 2007 11:25 am
Re: Home Depot Breach - zip codes revealed
I have 2 credit cards where I charged something in the last few months at one of the zip code listed Home Depots. Guess I will give the 800 numbers a call and see about changing the credit card numbers. Do you think anyone will answer or are they totally swamped? I'll let you know tomorrow.
JW
JW
Retired at Last
Re: Home Depot Breach - zip codes revealed
I'm with U.S. Bank and they posted something on their website about the breach. Basically they said they always monitor transactions for fraud and to just keep using the card; if they detect a problem they'll contact customers and issue new cards as required. You might check the websites of your banks to see if they have anything posted before calling.JW Nearly Retired wrote:I have 2 credit cards where I charged something in the last few months at one of the zip code listed Home Depots. Guess I will give the 800 numbers a call and see about changing the credit card numbers. Do you think anyone will answer or are they totally swamped? I'll let you know tomorrow.
JW
We don't know where we are, or where we're going -- but we're making good time.
-
- Posts: 2500
- Joined: Tue Aug 16, 2011 12:39 pm
Re: Home Depot Breach - zip codes revealed
The Target breach was 100+ million so this number was much lower then they initially thought. It looks like the thieves targeted the self checkout machines.Browser wrote:Just heard on the evening news that 56 Million! credit card numbers have been stolen in the HD breach. That's a bunch, eh? Let's make it easy for the hackers and just go ahead an publish our numbers on the web.
Looks like my card is in the bowel for the reaping some 12+ times
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin