In a terse statement and an annoyingly repetitive FAQ, Home Depot has confirmed that it suffered a breach of its payment data systems.
The breach could affect any customer who has used a payment card at the company’s US and Canadian stores from April onward. Customers who shopped online at HomeDepot.com, and those who shopped at the company’s Mexican stores, will likely not be affected.
After reassuring customers that their check information and the PINs tied to their debit cards were not compromised in the breach, the company has nevertheless urged them to review their bank statements for suspicious transactions.
Finally, they made sure to note that potentially affected customers will not be responsible for any fraudulent charges to their accounts, and they will be offered free identity protection and credit monitoring services.
No further details about the breach itself were given, so it remains unconfirmed whether the attackers used a variant of the BlackPOS (also known as Kaptoxa) point-of-sale malware to collect the payment card data, as anonymous sources have reported. That malware was used in the Target breach, and a newer variant has been spotted masquerading as an antivirus service.
But the fact that the attackers did not get their hands on debit card PINs means little, as a number of banks have confirmed that cards cloned from the stolen data are being used around the world to withdraw money from ATMs.
How is that possible?
“The card data stolen from Home Depot customers and now for sale on the crime shop Rescator[dot]cc includes both the information needed to fabricate counterfeit cards as well as the legitimate cardholder’s full name and the city, state and ZIP of the Home Depot store from which the card was stolen,” explains Brian Krebs. “The ZIP code data of the store is important because it allows the bad guys to quickly and more accurately locate the Social Security number and date of birth of cardholders using criminal services in the underground that sell this information.”
The criminals are using all this information to trick banks’ automated call-in systems into changing the PIN associated with the card.
These systems verify the caller’s identity by checking whether the call comes from the phone number the bank has on file, and by asking the caller to enter the card’s 3-digit card verification value, its expiration date, the cardholder’s date of birth, and the last four digits of the cardholder’s Social Security number.
Unfortunately, the change is permitted as long as three of these five checks are passed, and fraudsters holding the stolen card data plus the underground lookups described above can supply three of them.
Some banks have since started requiring all of these checks to be passed before permitting any changes to the account, but.
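The following is an added example, not code from the original article or from any bank, that models the call-in PIN-change check described above: five identity factors, a threshold policy that accepts when only three pass, and the stricter all-factors policy some banks have moved to. Factor names, the classification of which factors an attacker can obtain (expiration date from the stolen card data; date of birth and last four SSN digits from underground lookup services; the caller’s phone number and the printed card verification value assumed unavailable), and all sample values are constructed assumptions for illustration.

```python
"""Model of a bank IVR PIN-change check and the "3 of 5" weakness.

Constructed example. Factor names, the attacker's assumed knowledge, and
the sample customer record are illustrative assumptions, not real data.
"""
from dataclasses import dataclass

# Where each identity factor comes from, and therefore who can supply it.
#   phone_line     - call must originate from the number on file (possession)
#   printed_card   - the 3-digit verification value printed on the physical card
#   stolen_data    - present in the payment card data taken in the breach
#   purchasable    - sold by underground lookup services keyed on name + ZIP
FACTOR_SOURCE = {
    "caller_id_match": "phone_line",
    "cvv": "printed_card",
    "expiry": "stolen_data",
    "dob": "purchasable",
    "ssn_last4": "purchasable",
}

# Assumption: an attacker with the breach data and underground lookups can
# supply these two classes of factor, but not the other two.
ATTACKER_SOURCES = frozenset({"stolen_data", "purchasable"})


@dataclass(frozen=True)
class CustomerRecord:
    phone_on_file: str
    cvv: str
    expiry: str
    dob: str
    ssn_last4: str


@dataclass(frozen=True)
class PinChangeCall:
    caller_phone: str
    cvv: str
    expiry: str
    dob: str
    ssn_last4: str


def matched_factors(record: CustomerRecord, call: PinChangeCall) -> set:
    """Return the names of the identity checks this call passes."""
    matched = set()
    if call.caller_phone == record.phone_on_file:
        matched.add("caller_id_match")
    for name in ("cvv", "expiry", "dob", "ssn_last4"):
        if getattr(call, name) == getattr(record, name):
            matched.add(name)
    return matched


def allow_pin_change(record: CustomerRecord, call: PinChangeCall, required: int) -> bool:
    """Threshold policy: permit the change if at least `required` checks pass.

    required=3 is the weak policy the article describes; required=5 is the
    all-checks policy some banks have moved to.
    """
    return len(matched_factors(record, call)) >= required


def attacker_reachable_factors(sources=ATTACKER_SOURCES) -> set:
    """Factors an attacker can answer correctly using only the given sources."""
    return {name for name, src in FACTOR_SOURCE.items() if src in sources}


def min_threshold_to_block(sources=ATTACKER_SOURCES) -> int:
    """Smallest `required` at which data alone can no longer pass the check."""
    return len(attacker_reachable_factors(sources)) + 1


# Constructed sample data.
CUSTOMER = CustomerRecord(
    phone_on_file="555-0100", cvv="123", expiry="0916",
    dob="1975-03-08", ssn_last4="6789",
)

# Attacker calls from their own line and does not have the printed CVV,
# but has the expiration date from the card data and DOB/SSN4 from lookups.
ATTACKER_CALL = PinChangeCall(
    caller_phone="555-0199", cvv="000", expiry="0916",
    dob="1975-03-08", ssn_last4="6789",
)


if __name__ == "__main__":
    passed = matched_factors(CUSTOMER, ATTACKER_CALL)
    print("attacker passed:", sorted(passed))
    print("3-of-5 policy allows PIN change:", allow_pin_change(CUSTOMER, ATTACKER_CALL, 3))
    print("5-of-5 policy allows PIN change:", allow_pin_change(CUSTOMER, ATTACKER_CALL, 5))
    print("minimum threshold that blocks data-only attacker:", min_threshold_to_block())
```

The point the model makes explicit is that a threshold policy is only as strong as the factors an attacker cannot buy: with three of the five factors reachable from stolen card data and underground lookups, any threshold of three or lower is satisfiable without ever touching the customer’s phone line or physical card, and only raising the requirement above that count (here, to four or all five) forces a possession check into the path.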