Home Depot told its customers today to monitor their bank and credit card accounts for fraud as it continues to investigate the “unusual activity” on its networks that could turn out to be one of the biggest data breaches in U.S. history.

“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate. We know that this news may be concerning and we apologize for the worry this can create,” the company said in a statement posted to its website. “If we confirm a breach has occurred, we will make sure our customers are notified immediately.”

The company promises free credit monitoring and other fraud protection services should it confirm a breach; Home Depot said yesterday that it has brought in law enforcement and its banking partners to investigate.

Two batches of credit card numbers reportedly stolen from Home Depot, according to security website Krebs on Security, appeared on the same underground forum that sold payment card data stolen in the Target data breach during the last holiday shopping season. Dan Ingevaldson, CTO of Easy Solutions, a longtime researcher at Internet Security Systems (ISS) and cofounder of Endgame Solutions, said that the cards are selling for $50 to $100 each, a high price that is not likely to last.

“We believe those prices are likely to come down faster than in the past, as the window of opportunity to profit from stolen cards has shrunk,” Ingevaldson said. “This has happened because financial institutions have become smarter about dealing with these attacks.”

Ingevaldson said banks have amped up fraud detection systems to look for test charges applied to stolen cards before they’re sold in order to prove the number is active and valid. Many underground card dealers, as a result, no longer offer this service, he said.

Large-scale retail data breaches, including the Target breach and recent intrusions at Albertson’s and SUPERVALU supermarkets, United Parcel Service and as many as 1,000 others according to the U.S. Secret Service, involve some manner of point-of-sale malware. Backoff is a PoS malware strain identified by the Secret Service as the culprit in most of the recent attacks. Point-of-sale malware is injected remotely onto a point-of-sale device once an attacker has a foothold on the network through some other weak spot. Once on a device, the malware steals credit card numbers from memory before they’re encrypted on the device and sent to a payment processor.

“There are a large number of these attackers who rely on automated point and click tools to find merchants using insecure remote access software exposed to the internet,” said Lucas Zaichowsky, enterprise defense architect at AccessData. “Once they’re in the POS system, they drop card data theft malware to steal credit card data as it passes through the system. The same tactics have been used for many years.”

Small retailers have been singled out as especially vulnerable because their payment systems are often managed by third parties that are not security specialists. Those consultants and vendors use remote management tools to access payment devices and systems, and often those remote systems are protected with a default or weak password that is easily exploitable. Once an attacker is in, they look like a legitimate, authenticated user.

“Their presence isn’t obvious since they’re accessing the environment just as the real administrator would. Once there, they’ll manually place newly created variants of specialized card data stealing malware, thereby evading anti-malware protection,” Zaichowsky said. “Next-generation malware detection appliances observing Internet traffic will be completely blind to this since it’s being delivered through encrypted command and control channels.”

Zaichowsky spoke at the recent Black Hat conference about the need for point-of-sale vendors to step up and recognize the security dilemma their customers are in.

“Any system or user that has access to the POS network is a likely target for exploitation and account hijacking,” he said. “Once inside the POS network, attackers have multiple choices for pilfering card data as it passes through, many of which involve no malware whatsoever.”


Comments (4)

  1. larry

    Has Home Depot’s Web Site even been Secure?

    Home Depot’s Website Fails Basic Site Security Check
    A leading security verification site [ssllabs.com] issues reviews and ratings of SSL security risks for companies. It is used in over 85 countries and by 40 of the top Fortune global 100 companies.

    HOME DEPOT received an “F” rating for the security of their payment systems before Home Depot demanded they disable the rating for the site. HAHAHA..

    Even the most basic site security can receive a “C” rating.

    LOL, if you go to the site now and try to enter https://secure2.HomeDepot.com for verification and review, the site states verbatim:

    “This site’s (Home Depot’s) owners requested that we do not publish their assessment results.”

    HOME DEPOT is simply trying to obscure the truth

    They will drag this “investigation” out as long as possible and provide the public with the bare minimum information just to save their stock price…

    BOYCOTT HOME DEPOT and prosecute the CEO for Negligence.

  2. Khürt Williams

    So is Home Depot suggesting that I might want to pay for credit monitoring now in case it turns out they were breached? If it turns out they were breached and they offer free credit monitoring what use will that be to me?

    • Campbell Milton

      The Secure site gets an A-. However, go to ssl-labs and run the test for http://www.homedepot.com/, there is a “certificate not valid for domain name” statement for 3 variations of homedepot. There are some other odd issues as well. It appears that the “fix” is slightly odd, IMO.
