A sharp uptick in ATM-withdrawal fraud may be linked to the theft of credit and debit cards from Home Depot stores, sources at several banks told independent security reporter Brian Krebs.
Home Depot confirmed the data breach in its payment systems last night (Aug. 8), but said debit-card personal identification numbers (PINs) were not included in the massive trove of stolen card data. Yet Krebs outlined a scenario that would nevertheless let online criminals change PINs on debit cards stolen from Home Depot, allowing fraudulent withdrawal of money from ATMs.
Home Depot has not disclosed how its payment systems were penetrated, or whether any form of malware was implanted. Krebs' sources tell him traces of the BlackPOS RAM scraper, which was behind the Target data breach last fall, were found on some Home Depot systems, but that cannot be confirmed.
What is almost certain is that the "track data" from the magnetic strips of millions of debit and credit cards were copied from Home Depot's systems. Track data includes a card's account number, the cardholder's full name and the card's expiration date. All that information is currently being sold in "carder" markets online.
In at least one carder market called Rescator, each card's track data is being sold with the ZIP code of the store from which it was stolen. That's valuable to a carder, because a card-issuing bank normally won't consider suspicious a transaction that takes place near a cardholder's residence.
Krebs contends that if the legitimate cardholder does indeed live near the store from which his or her card number was stolen, then that might provide criminals with enough location information, when combined with the cardholder's full name, to get started on hunting down the legitimate user's date of birth and Social Security number.
For a fee, legal and illegal online services conduct extensive searches for such personal information on individuals. If a criminal does combine a debit-card holder's full name, date of birth and Social Security number, Krebs explained on his blog, then the criminal may be able use those three data points, along with the card expiration date (included in the track data), to call the card issuer's help line and reset the card's PIN.
Once the criminals have the card's PIN, they encode the stolen data to a blank magnetic-stripe card — a process called card "cloning." With a newly reset PIN, the criminals can fraudulently withdraw cash from ATMs.
Krebs said he spoke last week with someone at a New England bank who said the bank had seen more than $25,000 in fraudulent withdrawals from ATMs in Canada. Callers had used disposable telephone numbers to contact the bank's service center and reset the PINs.
A source at a West Coast bank told Krebs $300,000 had been lost in bogus ATM withdrawals in Italy to fraudsters who called the customer-service line, reset the PINs and convinced service personnel they were traveling in Europe and needed the withdrawal ceilings raised.
To prevent fraudulent PIN resets, Krebs said, bank customer-service personnel need to demand the three- or four-digit card verification code, also known as the card verification value (CVC/CVV), printed on the card. That number is not in the track data, and is what online and telephone retailers ask for to verify that the person conducting the transaction is actually holding the card.
Unfortunately, obtaining a cardholder's personal information also opens the door to full-scale identity theft, a potentially much more serious situation than payment-card fraud. With a legitimate Social Security number, date of birth and full name, a criminal can open new payment-card accounts, take out loans, obtain false documents such as drivers' licenses and even file false tax returns in the cardholder's name.
Home Depot is offering a free year of identity-theft protection and credit monitoring to anyone who used a card at a Home Depot retail store in the United States or Canada after April 1, 2014, and has created a signup page.
- 12 Computer-Security Mistakes You're Probably Making
- 'Don't Take Nude Selfies' Is Not Good Security Advice
- 7 Scariest Security Threats Headed Your Way
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.