Q&A: What Home Depot customers can now expect

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

By Byron Acohido

If you’re one of the mil­lions of folks who used a pay­ment card at a Home Depot store this past spring or sum­mer your iden­ti­ty may be at risk. Third­Cer­tain­ty asked Chris Came­jo, direc­tor of assess­ment ser­vices at NTT Com Secu­ri­ty, to out­line the go-for­ward ram­i­fi­ca­tions of the Home Depot breach.

 3C: What should any­one who shopped at Home Depot in the past few months expect next?

 Came­jo: Home Depot’s cus­tomers should be check­ing their cred­it and deb­it card state­ments care­ful­ly to make sure there are no fraud­u­lent pur­chas­es or with­drawals, and they shouldn’t be sur­prised if their card gets shut off and/or replaced with lit­tle or no notice. I’m sure Home Depot and the banks are fran­ti­cal­ly try­ing to iden­ti­fy those accounts so that they can can­cel the stolen cards before they lose any more mon­ey to fraud.

3C: What are the data thieves up to?

The thieves are sell­ing the stolen cards on black mar­ket web­sites right now. At this point it’s basi­cal­ly a race to see how many fraud­u­lent trans­ac­tions the carders can run through before the banks fig­ure out which cards were affect­ed and replace them. I’m sure Home Depot and the banks are fran­ti­cal­ly try­ing to iden­ti­fy those accounts so that they can can­cel the stolen cards before they lose any more mon­ey to fraud.

3C: How use­ful are the free con­sult­ing ser­vices mer­chants offer to cus­tomers when a big breach gets disclosed.

Came­jo: Home Depot is offer­ing the usu­al ‘free iden­ti­ty theft mon­i­tor­ing’ which is point­less in a way. Iden­ti­ty theft mon­i­tor­ing is to check if some­one is open­ing new lines of cred­it in your name which would require a SSN. There’s no need to do that when the attack­er has stolen the line of cred­it you’ve already opened.

3C: Home Depot must now meet data loss dis­clo­sure laws in 47 states. How oner­ous is that going to be?

Came­jo: Most of the laws are fair­ly sim­i­lar so noti­fy­ing peo­ple shouldn’t be too bad once they actu­al­ly iden­ti­fy all of the peo­ple that were affect­ed. One of the loop­holes in the dis­clo­sure laws is that the dis­clo­sure can be delayed if request­ed by law enforce­ment and the Secret Ser­vice typ­i­cal­ly gets involved in these big fraud cas­es. I wouldn’t be sur­prised if much of the infor­ma­tion is kept under wraps so that they can try to nail the perpetrators.

3C: So far Tar­get, PF Chang, UPS, Good­will, P. F. Chang’s, Sal­ly Beau­ty, Michael’s, Neiman Mar­cus and now Home Depot have dis­closed breach­es. What does this sug­gest about the true scope of breach­es of major chains?

Came­jo: It’s not very sur­pris­ing, big com­pa­nies han­dle lots of trans­ac­tions and are there­fore entic­ing tar­gets, it takes much less effort to break into one net­work and steal 40 mil­lion accounts than it does to break into 400 net­works and steal 100,000 accounts each. These large com­pa­nies are also at a dis­ad­van­tage because they’re so big: every sys­tem that is attached to a net­work is anoth­er poten­tial vul­ner­a­bil­i­ty that can be exploit­ed, and these big com­pa­nies like­ly have many more sys­tems than small and medi­um merchants.

3C: Any­thing else?

Came­jo: Home Depot and Tar­get are mov­ing to chip-and-pin pay­ment sys­tems. Unfor­tu­nate­ly this alone won’t solve much. Chip cards send their data to the ter­mi­nal unen­crypt­ed just like magstripe cards and could be cap­tured in near­ly the same way. The cap­tured card data may not be usable at anoth­er chip-and-pin mer­chant, but it can be used to make online pur­chas­es or cloned onto a magstripe card and used at a mer­chant that doesn’t sup­port chip-and-pin.




Posted in Cybersecurity, Data Security, Q&A