This security breach at Home Depot has been traced back to April 2014. Despite Home Depot’s claim that ‘no debit card PIN data was compromised in the break-ins’, banks are reporting a big increase in fraudulent ATM card use and cash withdrawals.
Stolen card data has helped hackers create fake credit and debit cards that can be used to shop anywhere. Thieves have been able to set new PINs and withdraw cash as easily as a genuine cardholder.
“Experts say the thieves perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cyber crime shops online. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards,” says the Krebs blog. If a bank performs several security checks over the phone, it is quite easy for thieves to fool the bank’s voice response unit (VRU).
The stolen card data has given the hackers all the information needed to produce counterfeit cards, such as the cardholder’s name, city, state and ZIP code. The ZIP code is important for finding the cardholders’ Social Security numbers and dates of birth. Hackers using underground services that specialize in this aspect of the crime have been very successful at this as well.
Banks are not completely aware of the different ways hackers fool them, especially when the system is automated, such as the one reached over the phone. Fraud detection experts say that every question should be answered accurately for authentication. Currently, hackers can easily outsmart the system.
Avivah Litan, a fraud analyst with Gartner Inc., says, “We saw this same activity in the wake of the breach at Target, where the thieves would call in and use the VRUs to check balances, remove blocks on cards, get the payment history and of course change PINs. I know of at least two very popular and long-running cyber crime stores that sell this information for a few dollars apiece. One of them even advertises the sale of this information on more than 300 million Americans.”
More information released by Home Depot, including an FAQ about the breach, is available in its “Update from Home Depot on Breach Investigation.”