Target execs: "We're Number 2 - woohoo!" (Home Depot breach)

Got an email from our credit card issuer this morning. We’re going to be getting a brand-new card in the next couple of weeks, because we’re among the 56 million (beating Target’s 40 or so million) customers who shopped at Home Depot during the time they had a breach - from April to September of this year.

HD repeatedly refused to upgrade their systems to the latest security controls.

They disabled the features of the software they DID have, that might have prevented this or caught it sooner.

They refused to listen to employee warnings of the risks, increasing turnover and decreasing the chances that someone would convince them to fix their systems.

They didn’t bother to adequately vet their security staff (in fairness, I haven’t seen any reports that this guy was involved in HD’s current woes).

I haven’t seen any evidence of any inappropriate transactions on our card, but I’ll be watching it VERY carefully! There’s good reason to believe it’s in the hands of bad people already.

Le sigh.

The communication from Chase is that we are to continue using our card for the time being. I’m tempted to have them terminate it NOW (we have other cards we can use for the moment).

Got the same note from my credit union about a card that I have had since 1986, and the number is like an old friend to me. As a regular Home Depot customer I’m in the same fix.

Oh well. At least I can worry less about who might have stolen the number over the past 28 years.

ETA: I hope the banks are able to charge the cost of replacing a zillion cards back to Home Depot somehow.

The TJX, Target, and Home Depot breaches are just the tip of the iceberg.

I used to work on the store systems side of corporate IT for a different major retailer of a similar size to HD and Target, back in the early days of PCI.

We had a total of two guys on the team responsible for the care and feeding of approximately 75,000 900 MHz, DOS-based handheld scanners that all suddenly needed to be secured to meet PCI requirements.

They, and the security team, advocated loudly for buying all-new devices running real operating systems that could be properly secured.

Problem was, our wholesale rate for newer scanners running real operating systems was $400 a pop. That’s $30,000,000 in hardware to even start properly securing the one component of the in-store infrastructure.

They instead ended up buying 75,000 licenses for a proprietary VPN client for about a tenth of the cost. It secured the network layer just fine, but did nothing for the physical, radio-link layer of the network. Anybody with the right equipment could sit in the parking lot and connect right to the core of the store’s network.

Anyway, most major retailers have margins in the 1-10% range. Operating at a scale of 2000+ stores, with hundreds of network connected devices per location, it may actually be cheaper for the retailer to assume the risk of paying out $50 million every few years to mitigate a breach than to eat the cost of ripping out and replacing decades of legacy stuff.

Seriously, you’d better just get used to changing your credit card number every couple of years. This is going to happen again.

Yeah, I’ve been chatting with people about this and the Target breach, and the consensus seems to be that Home Depot and Target are not flukes or outliers. If you use plastic at a store, you are at risk. Me, I’m going to set up text notifications on all my cards to alert me when purchases are made using the number, and I’m going to make it a point to go over my online statement every week. I may even start carrying a check register around just to jot down every time I swipe, to make sure that my swipe total matches the transactions online. We have to be proactive about our financial security because the retailers cannot or will not.

You have to watch the smaller businesses too. I used to work for Intuit in their merchant service department. It was scary the number of people who would ask, “Can I store a customer’s credit card number on my computer?” Or worse yet, the ones who told me they just keep the numbers written down under their cash register.

Most of these people had no clue about keeping their computers secure, much less PCI compliant. Our security wasn’t that great either. I worked in that section for 9 months, and in that time there were several breaches that resulted in the credit cards our merchants had charged being used for fraudulent charges, all due to a very simple bug in our system.

I haven’t heard anybody say this for a few years, but I used to hear an occasional person say, on a fairly regular basis, how dangerous it was to use a credit card online.

I watched more than one of those people blithely hand their card to a perfect stranger in a restaurant and let him walk out of sight with it.

It seems to me now that using a card online is perhaps the safest way to use it.

Last year one of the kids needed a violin rental for school, and the guy at the music store asked to swipe my credit card, as a security deposit. No prob, said I. He then wrote down the CVV number on the contract. Big problem, said I.

He didn’t care about my arguments about why that number is never supposed to be stored anywhere, and just rolled his eyes, telling me it was store policy.

We left a cash deposit.