Banks Report Credit Card Breach At Home Depot

Soulskill posted about a month and a half ago | from the another-day-another-breach dept.

Security 132

criticalmass24 sends news that multiple banks are indicating Home Depot stores are the source of a new batch of stolen credit cards and debit cards that hit the black market today. "There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store – rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market." Home Depot is aware of the situation, and says they're investigating. The banks say this breach may have begun as early as April or May of this year and may extend to all 2,200 of Home Depot's U.S. stores.

132 comments

Chip and PIN (4, Insightful)

DigiShaman (671371) | about a month and a half ago | (#47810769)

Fuckers! Implement it like yesterday!!!

Tell you what. You want me to continue to shop at the B&M stores, then do this. Otherwise, it's Amazon for me.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47810829)

Why do you think Amazon is immune?

Re:Chip and PIN (2)

ctime (755868) | about a month and a half ago | (#47810901)

The problem is that these data compromises are going to happen and that the current magnetic strip technology is laughably obsolete and insecure. Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements. Current magnetic strip cards are authenticated purely by a string of digits (something you know) and are easily copied and reproduced.

Read all about it here: http://en.wikipedia.org/wiki/E... [wikipedia.org]

Chip + pin WILL be happening in America. http://blogs.wsj.com/corporate... [wsj.com]

NFC-based payment system may have a chance to become popular in the meantime.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47810955)

Current magnetic strip cards are authenticated purely by a string of digits (something you know) and are easily copied and reproduced.

What exactly do you think the chips do?

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47811001)

Exactly. The chip and pin simply protect that string a little bit longer. In the end though, it all needs to be sent over the wire, and as a result, somebody just needs to be in the right place.

Re:Chip and PIN (2)

ASDFnz (472824) | about a month and a half ago | (#47811695)

Bitcoin would be a better solution

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47812451)

cash is better yet.

Re:Chip and PIN (1)

OldCodger (2479044) | about a month and a half ago | (#47812641)

The point is that if Chip&Pin is used then the bank takes the hit (at least in the UK it does) - swipe and you're f**ked.

Re:Chip and PIN (1)

afidel (530433) | about a month and a half ago | (#47811007)

Mutual authentication and off (merchant) device encryption.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47811077)

Why do you think the chip or the information on it can't be duplicated or spoofed?

Re:Chip and PIN (1)

afidel (530433) | about a month and a half ago | (#47811151)

Probably because none of the vulnerabilities listed at Wikipedia [wikipedia.org] involve cloning the card, they all include forcing terminals into offline chip and pin mode which is not going to be supported by most US card issuers. I've been following EMV for many years now and outside of some very controlled lab experiments involving very cold temperatures and long side channel analysis nobody has managed to pull off a duplication attack for online transactions (at least nobody that's published information, and there have been no wide scale attacks that can be traced back to fraudulent duplicates used for online transactions).

Re:Chip and PIN (1)

rickb928 (945187) | about a month and a half ago | (#47811241)

One way to scam that is to put a shim in the terminal, forcing it offline. Look for an extra cable coming from the card reader.

Re:Chip and PIN (1)

geekoid (135745) | about a month and a half ago | (#47811353)

It's already been done and demo'd at DEFCON.
Next.

Re:Chip and PIN (1)

TechyImmigrant (175943) | about a month and a half ago | (#47812287)

Why do you think the chip or the information on it can't be duplicated or spoofed?

To duplicate an EMV card, you would need to take the card to a lab and do some serious meddling.
To duplicate a standard US credit card you need a cell phone and the card for 10 seconds.

The difference is significant.

Of course NFC will screw the pooch before the US catches up.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47810991)

Still doesn't make Amazon safe. In fact, if magnetic stripe is so obsolete, then Amazon's type your number in is even worse. While I agree that Chip & PIN will limit problems, initially anyway, hackers will find a way to exploit its weakness as well.

Re:Chip and PIN (2)

geekoid (135745) | about a month and a half ago | (#47811329)

Yes it will, and then it will be compromised. Chip and Pin* has known defects.
NFC is also broken.

Digital money is a dead end.

*Sounds like a kids cartoon about encryption.

Re:Chip and PIN (1)

nabsltd (1313397) | about a month and a half ago | (#47812433)

Chip + PIN effectively mitigates the weakness in magnetic strip data by embedding a chip (physical, something you have) and a pin (something you know) into the transaction process, plus many other security enhancements.

Since some of the cards stolen were debit cards, which require something you have (card with magnetic strip) and something you know (PIN), I don't see how chip+PIN is the holy grail you think it is.

Although there may be more negotiation/handshake at PoS with chip+PIN, it still comes down to two-factor auth to make that sale. And, if somebody can install software/hardware that grabbed mag strip + PIN, they likely can do the same for chip+PIN.

Re: Chip and PIN (1)

James Buchanan (3571549) | about a month and a half ago | (#47812717)

Sorry, you are wrong. Been busted, there was a proof of concept at the last Black Hat meeting. A west coast college presented it. Read about the hack several weeks ago, you should be able to buy the single by now. Yes it was conceptual, but the prior writeup sounded just like the chip and pin, along with further work on the NFC concept of card. As NFC was being introduced they were showing the weaknesses. The only one not busted so far is the encrypted transmission to the bank. But sure homeland has a backdoor, which will be its downfall sooner than later.

Re:Chip and PIN (2)

Russ1642 (1087959) | about a month and a half ago | (#47810881)

Big deal. You're not on the hook for the fraudulent charges. You just have to check your bill and maybe your CC issuer will give you another card.

Re:Chip and PIN (1)

TechyImmigrant (175943) | about a month and a half ago | (#47810905)

FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

Re:Chip and PIN (2)

Russ1642 (1087959) | about a month and a half ago | (#47810969)

FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

And what property of yours is missing? I'm thinking it's your sanity.

Re:Chip and PIN (1)

rogoshen1 (2922505) | about a month and a half ago | (#47811011)

Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent. But mainly, while everything is pending, your money is gone. It may only be temporary, but you can't pay bills with IOUs.

Re:Chip and PIN (1)

kenai_alpenglow (2709587) | about a month and a half ago | (#47811073)

Plus, if you have a bunch of bills going to the credit card, now you have to update all of them with the new number. Been there-done that...

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47812569)

You have to do this anyways when the expiration date changes. Every 18-24 months, depending on the card, I have to change my billing information. If this is too hard for you, go back to using cash and checks.

Re:Chip and PIN (1)

Anonymous Coward | about a month and a half ago | (#47811589)

Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent.

You would be mistaken [ftc.gov] .

Notice that the timer on reporting doesn't really start until you either 1) learn of the fraud or 2) have an opportunity to review a bank statement.

And if your credit doesn't suck (read: are a responsible adult), most card issuers won't charge you even that $50 limit because they'd rather have customers that don't badmouth them on the internet than people who are disillusioned with the system and hate them. Perhaps that last part is where you have trouble.

Re:Chip and PIN (1)

rogoshen1 (2922505) | about a month and a half ago | (#47811853)

Thanks for pointing that out in a completely non-condescending or stupidly myopic manner! Of course you can call the card issuer, or write a letter.

As stated though, the main problem with these fraud cases is: when a debit card is involved, your bank account is *temporarily* drained. Which can lead to a bit of a headache.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47812443)

Well if it's a debit card, if I'm not mistaken, the onus is on YOU to produce proof that the charges weren't fraudulent.

The onus is very small, you just have to inform the bank as soon as the fraud occurs and cooperate in the subsequent investigation. You're off the hook even if you are the victim of trickery or intimidation. Besides, if you have a lot of money in the bank to begin with, (a) you're dumb, (b) you're rich. Either way, who cares about you! The top poster is simply correct, this is a problem for banks and credit card companies. Fuck these stories.

Re: Chip and PIN (1)

James Buchanan (3571549) | about a month and a half ago | (#47812783)

Sorry about this, but you still owe the "bounced check" charge. Your bank may waive it but any in line company won't. Remember they tally at the end of the day. Your balance doesn't always show correctly till the end of day occurs at the bank. Even on debit cards.

Re:Chip and PIN (2)

jjhall (555562) | about a month and a half ago | (#47811087)

Well, for one I have to spend my time to submit a fraud report to my bank. If using my debit card, the money is gone until the fraud is confirmed. Second, I have to wait for a new card to arrive in the mail, then try to remember who I have set up on automatic payments using my old card. Call each one of them or visit their website to enter in the new numbers. The ones that I forget will possibly result in account suspensions, etc, until after the new number is entered. Fees may be charged, which most of the time will be waived but that again takes more time to deal with.

The credit card companies need to fix this, and chip/pin is not the answer. It should solve retail store card theft, but as online purchasing becomes more and more popular, chip/pin will do nothing to combat it. We need a rotating pin device, similar to what PayPal and World of Warcraft use, and tie that number to the authorization. That number/pin combo would be useless for future transactions other than follow-on transactions to/from the same merchant for subscription or refund purposes. That way when a card number is compromised it is useless since the attacker won't be trying to get more money for the original merchant. Instead the card issuers just tout "$0 fraud liability!!!11!!!1!" to the consumers and pass the buck off to the merchants. Chargeback fees from merchants are a profit center for card issuers, so why would they want to fix the problem?

Re:Chip and PIN (1)

geekoid (135745) | about a month and a half ago | (#47811435)

So it's their fault you have a sloppy financial system?
Lock the info up with encryption if it's such a bother for you.

When it happened to me, I called the bank, 5 minutes later my money had been returned, the was no longer attached to my account directly.
After that, when I got an email from various companies that my CC was no longer valid, I just changed it. Never had any interruption in any service.

On a weird note, after that call, 2 weeks later a reoccurring charge on that account went through. I contacted the bank and they told me not to worry about it and to please change my number on that service. I suspect they were keeping it active to try and get more information.

Re:Chip and PIN (1)

Skynyrd (25155) | about a month and a half ago | (#47811571)

I'm refinancing my house at the moment. Having my card stolen will raise all sorts of flags, and either abort or delay the process.

My property won't be missing if I run up a massive credit card bill, but it would potentially cause me hours and hours of work, a bunch of money, and a shit-load of stress. I'd rather that the problem be fixed instead of ignoring it for another bunch of years.

Re:Chip and PIN (1)

TechyImmigrant (175943) | about a month and a half ago | (#47812023)

FOAD. I'd prefer the banks implemented security so I wouldn't have to go through a bureaucratic mess to get back my property.

And what property of yours is missing? I'm thinking it's your sanity.

No, it would be insane to invite all that hassle by advocating banks continue with ludicrous plaintext credentials on credit cards. Do you work for a bank?

Re:Chip and PIN (2)

msauve (701917) | about a month and a half ago | (#47810987)

"You're not on the hook for the fraudulent charges."

That's not it - you're simply not clear on the concept. Those costs are paid by the consumer, through higher prices and/or fees.

Re:Chip and PIN (1)

geekoid (135745) | about a month and a half ago | (#47811449)

Which is balanced against price point and competition. If the problem was magically fixed tomorrow, your fee would not go down.

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47811691)

The costs of "stronger" security tech would also be paid by the consumer. Anybody have any real data on which is cheaper?

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47812633)

Good thing the bank always eats all those losses and NEVER passes them on to the consumers via fees, surcharges, interest rates, etc....

You are right, who cares if there is fraud, just get another card...

Re:Chip and PIN (1)

slashmydots (2189826) | about a month and a half ago | (#47810915)

Chip and pin does nothing. It's still interceptible and nobody in America has the patience for "card present only" transactions.

Re:Chip and PIN (1)

PopeRatzo (965947) | about a month and a half ago | (#47811403)

nobody in America has the patience for "card present only" transactions.

Me. I have the patience for "card present only" transactions. What's the big hurry?

Re:Chip and PIN (1)

Ralph Wiggam (22354) | about a month and a half ago | (#47810949)

The deadline to switch is in 13 months. That kind of massive national transition is not easy or fast.

After next October, businesses will be able to use the old swipe and sign terminals, but they will be liable for any fraud instead of the credit card company. Obviously nobody wants that liability.

Re: Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47811125)

1 October 2015 is 394 days away, which is over 14 moon periods away.

But yeah, we in the "rest of the world" have been using this stuff for a decade or so.

Re: Chip and PIN (1)

rickb928 (945187) | about a month and a half ago | (#47811287)

And in the UK, the stories of pensioners being shoulder-surfed at the ATM (or worse) while they peck away at the keypad end with them at the bank being informed that their money is gone, and they must have disclosed their PIN to someone. "Sorry, but the system is totally secure. It isn't our fault". Not as if the camera at the ATM wouldn't be showing some hoodie emptying their account, though the banks have no real incentive to investigate.

Yeah, Chip n PIN is a real winner, for the banks.

Re:Chip and PIN (1)

DogDude (805747) | about a month and a half ago | (#47811039)

And how does Amazon get your chip and pin, exactly, Mr. Einstein?

Re:Chip and PIN (1)

rickb928 (945187) | about a month and a half ago | (#47811217)

Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

Re:Chip and PIN (1)

ender- (42944) | about a month and a half ago | (#47811281)

Home Depot has been replacing terminals with dip terms for EMV. But the issuers are waiting for some more traction. Most US merchants don't want to pay for the terminals, since the risk doesn't shift sufficiently for them to pay the money.

And as mentioned above, any card-not-present transactions are unaffected by EMV. Most of these rings sell cards to be used not-present. It's fairly common to place the order on the website for local pickup, grab the loot and fence it. EMV doesn't stop that.

It *could* if the store at least used the Chip + Pin to validate the person picking up the loot.

Granted, I still don't see how it helps stop people buying stuff on Amazon but that one example you provided should be fairly simple to avoid.

Re:Chip and PIN (1)

wkk2 (808881) | about a month and a half ago | (#47812985)

The chip and pin readers at Home Depot are not enabled. I had to swipe a card that had a chip. Maybe they will install the right software.

Re: Chip and PIN (1)

rickb928 (945187) | about a month and a half ago | (#47813161)

That's as easy as it gets.

Re:Chip and PIN (1)

geekoid (135745) | about a month and a half ago | (#47811279)

What do you care? the CC company pays for it, and they send you a new card.

Re:Chip and PIN (2)

PopeRatzo (965947) | about a month and a half ago | (#47811433)

What do you care? the CC company pays for it, and they send you a new card.

As has already been pointed out, no, it's you that pays for it in fees.

The current interest rate on savings is what about 1%? Banks can take that money and charge 18-24%. They've got a license to print money. Do you really think they're just going to eat the loss? They're passing it on to you in dribs and drabs.

Re:Chip and PIN (1)

wiredlogic (135348) | about a month and a half ago | (#47811553)

My grocery store has new Verifone readers with chip and pin slots. The things are so badly made that they reject my card on the mag strip reader until the clerks showed me a trick where you stick a plastic grocery bag between the card and mag head to make it work.

Re:Chip and PIN (1)

GTRacer (234395) | about a month and a half ago | (#47812257)

New trick? I learned that one 5 years ago at a grocery store where some of their old terminals were bad readers. Not entirely sure what the bag-wrapping does, but it worked!

Re:Chip and PIN (0)

Anonymous Coward | about a month and a half ago | (#47811621)

You could use cash, you know. Oh, but then you'd have to earn it somehow before you spend it, unlike the other way around with a credit card.

Re:Chip and PIN (1)

GTRacer (234395) | about a month and a half ago | (#47812361)

No thanks! Once my bank offered me a "Visa check card" - debit card processed through Visa's credit network - I signed up and haven't looked back. For me at least having a card isn't about spending future money, it's about not having a paycheck's worth of cash on me or my wife. It's about convenience in bill payments and purchasing. And these days, it's a wonder when paired with self checkout technology!

Also, I hate having to keep up with receipts. Electronic payments make recordkeeping so much easier.

Re:Chip and PIN (1)

ASDFnz (472824) | about a month and a half ago | (#47811689)

Even better, use bitcoin instead.

Seriously, problem fixed.

Instead of naming stores (1)

Anonymous Coward | about a month and a half ago | (#47810773)

Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!

Re:Instead of naming stores (1)

NevarMore (248971) | about a month and a half ago | (#47810917)

Because your average consumer doesn't know and doesn't care that Home Depot or Target runs an IBM or NCR system. They know that Home Depot and Target screwed up forcing them to watch their statements even more closely than normal and maybe get a new card issued requiring an update of all the auto-payment stuff and made things a pain in the ass.

It's up to Home Depot and Target to then apply leverage to IBM and NCR or jump ship to another vendor. Each vendor responds to their direct customer.

Re:Instead of naming stores (1)

unrtst (777550) | about a month and a half ago | (#47811003)

Fine.
In the slashdot summary, how about naming the actual vendors?

For US - on Slashdot (0)

Anonymous Coward | about a month and a half ago | (#47811015)

Yeah, yeah, yeah, I get that.

But here on Slashdot - NAME the vendors. OK?

When I check out - and I have worked in this industry and I won't name who I developed software but I can say we NEVER considered these threats - ever - I look at the checkout hardware.

Me

I am a GEEK and a NERD - like Slashdot NERDS.

Get it?!

I was just a code monkey but I may be part of this. mKAY?!

Re:Instead of naming stores (2)

rickb928 (945187) | about a month and a half ago | (#47811325)

It's not NCR, IBM, etc. It's Ingenico, Verifone, the other terminal makers, and the acquirers (Paymentech, First Data, etc) that handle the data, but Home Depot needs to secure the transmission of that. And I bet most of this was skimmed off of databases that needed to be another layer away from intruders.

There is no such thing as absolute security.

Re:Instead of naming stores (0)

Anonymous Coward | about a month and a half ago | (#47811149)

"Instead of naming stores, how about naming the actual vendors in the headlines. You know, like IBM, NCR, etc ....?!"

Because unless it is Windows, its one of Apple, Android or Flash ...

Awesome (1)

TubeSteak (669689) | about a month and a half ago | (#47810781)

This will be the second time my credit card gets replaced this year.
The third time in 3 years.

I've tried to order stuff online and been forced to call in because the retailer subscribes to a service that considers me a 10/10 fraud risk.
And not because of anything I've ever done or any charges that have shown up on my bill.

Re:Awesome (1)

rickb928 (945187) | about a month and a half ago | (#47811363)

If they change mine, it will be the second this year, fourth in two years, sixth or seventh in 3 years. Credit unions don't all own their card systems, and these issuers are lazy.

Some card issuers know that 40-60% of their cards in force are 'compromised'. They consider that normal, and perform fraud/risk monitoring as a normal course of business.

chip and pin? (1)

anthony_greer (2623521) | about a month and a half ago | (#47810801)

Why not just go to Chip and PIN... I don't seem to hear these stories in Canada or other places that use it, but I could be missing them...

Stupid banks... US credit cards have no security (1)

mspohr (589790) | about a month and a half ago | (#47810803)

The banks are reaping the rewards of years of sticking their heads in the sand on security. Europe has chip and pin which is much more secure. US credit cards are ridiculously easy to counterfeit. I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

Re:Stupid banks... US credit cards have no securit (1)

khellendros1984 (792761) | about a month and a half ago | (#47810931)

I hear that they are finally, slowly moving to chip and pin since their losses to fraud are increasing.

One of my recently replaced cards is chip and signature, and I think that's what most US-issued smart cards are using. Security-wise, it's kind of a half measure, but at least it's a step forward from complete reliance on the magstripe.

Re:Stupid banks... US credit cards have no securit (0)

Anonymous Coward | about a month and a half ago | (#47811071)

The real problem with using signatures is that the banks don't require any actual matching to be done on signatures to see if they are valid. Any squiggly, X, or line is accepted just as easily as a real signature.

Re:Stupid banks... US credit cards have no securit (1)

Anonymous Coward | about a month and a half ago | (#47811757)

More to the point, the merchant is prohibited from declining any payment via credit card that has been approved by the terminal regardless of whether the signature matches. Further, they cannot request ID as part of the checkout---per their payment processing agreement.

Re:Stupid banks... US credit cards have no securit (1)

stdarg (456557) | about a month and a half ago | (#47811085)

Chip and signature may not help against physical theft of the card, but it will put a stop to these massive breaches by hackers.

Re:Stupid banks... US credit cards have no securit (1)

Firethorn (177587) | about a month and a half ago | (#47810939)

You know, I think it's true that Europe had a much higher rate of fraud, which convinced them to move to chip&pin sooner.

Yes, I've heard that they're working to move to chip&pin, my bank sent out a notice that they're working on it. When I get closer to the expiration of my card I might call them up and ask to be moved over as I actually travel internationally occasionally and it'd be nice to be able to use my card in European stores.

Re:Stupid banks... US credit cards have no securit (1)

anthony_greer (2623521) | about a month and a half ago | (#47810963)

Not any time soon - as it happens, I have an Amazon card from Chase and just got the replacement for an expiring card - no chip and pin, I called and asked about it and they said they MAY have it when my next card comes in 3 years... so don't hold your breath.

I mention Amazon specifically because other commenters seem to think that anything Amazon is immune and safe...not so fast young grasshopper...

Re:Stupid banks... US credit cards have no securit (1)

afidel (530433) | about a month and a half ago | (#47811041)

Nope, they will issue a new card with at least chip and signature by next fall, October 2015 is the deadline from Visa for the card providers to move over as well as the merchants. After that date if the card issuer has issued a chip card and the merchant uses the magstripe then the merchant is liable for the fraud, there is no way in hell any card issuer is going to give up that kind of liability offload for one moment, let alone 2 years. The idiot bots that answer the phone have no idea what's actually going on, but I can all but guarantee you that you will be getting a new card around this time next year with a chip.

Forget the Politics (0)

Anonymous Coward | about a month and a half ago | (#47810807)

.. its a direct result of technical mono-culture. Diversity in security technology is the way forward.

Hire those illegals out front to investigate (1, Funny)

NotDrWho (3543773) | about a month and a half ago | (#47810811)

They work cheap.

Solution: Use Cash? (0)

Anonymous Coward | about a month and a half ago | (#47810831)

Of course, if we pay with cash then it would be assumed we have something to hide.

Re:Solution: Use Cash? (0)

Anonymous Coward | about a month and a half ago | (#47810897)

use dogecoin, then.

Re:Solution: Use Cash? (0)

Anonymous Coward | about a month and a half ago | (#47811651)

Of course, if we pay with cash then it would be assumed we have something to hide.

Yes, we're hiding something -- our credit card info from the hackers.

Store branded credit cards (1)

sandytaru (1158959) | about a month and a half ago | (#47810879)

I am suddenly grateful we've been using a store branded Home Depot credit card for the last few years. Replacing that with a new one won't be painful at all. I think I've paid cash if the amount was under $10, too.

Still going to go through ye old checking account and verify there's no HD charges on there since April.

Re:Store branded credit cards (0)

Anonymous Coward | about a month and a half ago | (#47811009)

checking account? who tf uses debit cards to shop with?

Stupid (1)

Anonymous Coward | about a month and a half ago | (#47810951)

If you don't want your credit card number stolen and displayed all over the Internet, you shouldn't use your credit card! What were these people thinking?!?!

And with that moral justification out of the way, let me go Google for those Jenni.... er credit card photos.

Re:Stupid (0)

Anonymous Coward | about a month and a half ago | (#47811133)

Go fuck yourself.

What if you get two cards? (0)

Anonymous Coward | about a month and a half ago | (#47810983)

One for the card present transactions and one for other phone transactions?

This would at least lower the value of the card present card numbers because the carders would have to physically be present to win.

Are the POS providers total morons? (1)

DigitAl56K (805623) | about a month and a half ago | (#47811013)

How hard is it to run an independent circuit that scrapes your OS and process executable memory and computes a verified hash? Do these systems run any kind of meaningful IDS at all?

Re:Are the POS providers total morons? (0)

Anonymous Coward | about a month and a half ago | (#47811293)

No. They do not.

Why do they keep doing it (1)

skovnymfe (1671822) | about a month and a half ago | (#47811031)

Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?

Re:Why do they keep doing it (0)

Anonymous Coward | about a month and a half ago | (#47811129)

Why do they store it at all?

Re:Why do they keep doing it (1)

PRMan (959735) | about a month and a half ago | (#47811715)

I've worked at several companies and most of them store passwords in plain text. They've been doing it for decades and I ALWAYS make a new task/story/project, etc. that involves implementing proper security. Only once did I get a company to prioritize it to the point where it actually got done.

Re:Why do they keep doing it (1)

NotSanguine (1917456) | about a month and a half ago | (#47811729)

Why do these mega corporations keep storing credit card information insecurely? Are they required by law to be stupid?

No. But they are not required by law to be smart about security. Since they charge back everything to the retailers, they don't care.

Ukrainian and Russian peace (0)

Anonymous Coward | about a month and a half ago | (#47811033)

It's so good to see enemies working together this way. Hacking for peace!

See (RU and UA death match is a good thing) (0)

Anonymous Coward | about a month and a half ago | (#47811051)

What the hell is so bad about RU and UA killing each other off?

Chip and Pin isn't worth it. (1)

gurps_npc (621217) | about a month and a half ago | (#47811057)

The amount of money saved by chip and pin is relatively low. A mere password doesn't cut it. US fraud rate is so low that it is not considered worthwhile.

Give us real security - a Token based system that generates a new single use credit card number for each and every purchase made using the card - both on and off line.

That number should only be reusable if you want to make it a reoccurring, monthly charge.

Re:Chip and Pin isn't worth it. (0)

Anonymous Coward | about a month and a half ago | (#47812329)

Some banks have this (Bank of America for one), at least for online. The interface is a bit tedious so I don't use it everywhere, but it's fantastic when signing up for a free trial of some service that requires a CC.

Re:Chip and Pin isn't worth it. (1)

iONiUM (530420) | about a month and a half ago | (#47812841)

I live in Canada and now almost all debit / cc cards require chip + PIN (if it has a chip, and it's over $50, you must use it).

It didn't appear to cost them much, or even take much time to roll it out (about 2-3 years). What's the problem?

In the meantime.... (1)

Dega704 (1454673) | about a month and a half ago | (#47811105)

I am going to start using cash a lot more often until the system has its act together. All of the crooks are busy robbing people the 21st century way anyhow. The good news is that between this and the NSA's shenanigans, security development efforts are on fire right now. It's long overdue.

Multiple bank stolen credit cards .. (1)

lippydude (3635849) | about a month and a half ago | (#47811127)

And where does Microsoft Windows come into the equation?

We need more talented H1B visa holders. (1)

SimonXXX (3810069) | about a month and a half ago | (#47811171)

We desperately need more talented people in IT. This would never happen if local workers were replaced with overseas talent.

Thank you Mister Gates, Buffett and Adelson for pursuing what is right for this country.

Re:We need more talented H1B visa holders. (1)

WindBourne (631190) | about a month and a half ago | (#47813505)

Actually, we have replaced our talent with cheaper overseas ppl. In fact, everybody that is being cracked employs many overseas coders (along with Windows).
Think that there is a relationship?

Bitcoin (1)

ASDFnz (472824) | about a month and a half ago | (#47811575)

Yeah;-

Bitcoin Bitcoin Bitcoin Bitcoin

Just saying...

Time to go retro ... (1)

CaptainDork (3678879) | about a month and a half ago | (#47811751)

... back to the days of the credit card imprinter [cultureand...cation.org] .

Then back to fax machines and snail mail.

Yes, these all have holes, but we know what they are and we know how to deal with them and foreigners would have the dickens of a time exploiting them and stuff.

They store credit card data with the transaction (5, Informative)

kbahey (102895) | about a month and a half ago | (#47812843)

Home Depot stores credit cards with the transactions.

I know this because when you go to return something I bought, they don't ask you for the credit card, and sort of highlight that this is a convenience that is unique to Home Depot.

I complained more than once to the cashiers about storing credit card numbers (it is not their fault, it is management and IT). The cashiers would say: "Don't worry, we don't have access to it!"

My response was: it is not you whom I am worried about.

Now we know that storing credit cards is a bad idea, and why ...

Big guys, nothing...small guys pay (1)

speedlaw (878924) | about a month and a half ago | (#47813223)

As a merchant who accepts credit cards, a few years back they came up with PCI Compliance. First you had to show some very basic data security. Then, they tried to sell you insurance. Then, they required you to take the data security insurance. If you are "PCI noncompliant" then you get tagged $20.00 per month. I appreciate how they made this too into an opportunity to gouge the small merchant, to no effect at the high end.

Gee, it must be the HVAC again!!!! (1)

WindBourne (631190) | about a month and a half ago | (#47813485)

Some of the stupidest ppl elsewhere and here screamed that Target was caused by having an HVAC key. So, I guess that HVAC everywhere is making it possible to break into these systems?
Or is it far more likely that all of them using Windows, combined with using off-shore admin/coding, specifically India where the 60 rupees to $1 means that their engineers are making less than $10K / year, the far more likely route?

My bet is that the idiots, combined with those who are doing the bribes, continue to push the idea that it was an American inside job.