Latest hacker target is Home Depot. Apparently every credit card purchase since April has possibly been compromised.
Once I visit their retail store and pay with a credit card, and the transaction is authorized and settled, why does Home Depot need to continue to keep a record in their systems? I don’t see any reason for them to retain this data for more than a couple of days.
I used to manage a payment system for an online merchant, and we kept this information as part of the user’s account to be able to execute future purchases. But Home Depot has no need to do this for brick-and-mortar customers.
Many of these merchant hacks allow the CC numbers to be stolen when they are used. The hackers may have hooks into things like the CC scanner, the backend database, network, etc. They steal the CC #'s as you are making your purchase. When a company says that transactions have been compromised since April, what they usually mean is that they can trace back the hacker intrusion at least that far back.
Pretty much, you should assume that every merchant has been hacked and that your CC info is being stolen all the time. There’s no guarantee that a hacked merchant will discover the hack. A hacker could get into a system, steal CC info for a few months, then clean everything up. Always review your CC statement and check your credit report to look for any accounts which you did not open.
I’m not sure about Home Depot, but I know at Target (another hacked company), if you purchased something at their physical store, you could return it without a receipt if you had the credit card you purchased it with.
This is true, but I’ve never been able to actually get the refund without the actual card. Using some *part* of the card number to identify and track the purchaser (which, I believe, borders on illegal use of the data) is one thing; retaining the complete number and expiration date that could enable further transactions is another.
I seem to recall from prior hacking incidents, companies aren’t supposed to keep credit card numbers around in their systems once the transaction is cleared. But many companies do, and these are the credit card numbers that the hackers are targeting. But maybe that’s a “best practices” thing instead of a regulation/law thing.
They don’t need to, but… knowledge is power, basically. You’ve given the company a very useful piece of information about you - your credit card number and name. With that, they can uniquely identify you, hook into a data warehousing company, and build up an extensive profile about you, which can be used to sell you more stuff. Why would they throw that away?
It is of course possible to hack the numbers from their machines, but I don’t think that was what happened. The reason I say that is that it was mentioned on the news that Canadians needn’t worry because they (mostly) use chip and PIN cards and the card numbers without the PINs were useless. But if they had hacked the machines, they would have gotten the PINs too. Since they didn’t, I assume they hacked the records.
The reason I said mostly is that there are some signature cards. I have a P-card (for making purchases) from my employer (yes, I am retired, but I have a research grant so I can get a card) and it was issued a bit over a year ago and still was not chip and PIN.
I believe it’s illegal to use credit or bank account numbers to ID customers - at least, it was for some good portion of the past few decades, which is why stores started using [del]tracking[/del] loyalty cards and [del]tracking[/del] membership cards and [del]tracking[/del] club cards. (Before that, up until the 1970s, I believe, it was both legal and becoming increasingly common.) It’s also behind store [del]tracking[/del] credit cards, which are not subject to the rules, and possibly store-branded major cards (e.g., a Home Depot Visa), which might permit “inside use” of the customer data.
So much has changed in the last few years, riding the tails of the various consumer credit “reforms,” that I wouldn’t swear this is true any longer.
But it’s all about [del]tracking[/del] [del]tracking[/del] [del]tracking[/del].
All the posts above are basically useless, because the supposition in the OP is wrong. Home Depot (and Target) didn’t have records of the CC# stolen after the fact; they had malware running on the POS capturing the credit card numbers in REAL TIME, and the malware has simply been running on the machines, undetected, since at least April. The particular strains of malware used in the recent attacks take the CC# from RAM before it is encrypted to be sent to be processed.
PINs are often encrypted on the keypad device itself and thus the infection type used in these breaches couldn’t get them in most cases. (Can hackers decrypt Target’s PIN data? – A Few Thoughts on Cryptographic Engineering).
Now, the keypad device itself could probably also be hacked, but it likely is a more difficult and specialized task that the thieves haven’t resorted to yet.
Chip and PIN wouldn’t have stopped this attack at all given a similar POS system, but chip and PIN (or chip and signature) would have made the cloned cards you could make useless for fraud at any merchant that has chip turned on. And the lack of the CVV2 value printed on the back (which is not on the stripe or chip) makes the numbers not all that useful for online fraud with most merchants.
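To make the data flow in the post above concrete, here is an added example (written for this thread, not code from any poster, Home Depot, Target or a payment vendor). It models a keypad (PIN entry device, PED) that builds an ISO 9564 format 0 PIN block and encrypts it under a key the register software never holds, while the card number is handed to the register either in the clear (the legacy path) or encrypted at the keypad as well (point-to-point encryption). An audit of what the register process holds in memory then shows why malware on the POS gets the PAN but not the PIN, and what P2PE changes. The HMAC-SHA256 keystream is a stand-in for the hardware cipher real devices use (TDES/AES under DUKPT keys), and the key values, nonce, PAN and PIN are all constructed.

```python
import hashlib
import hmac
import os
from typing import Optional


def iso9564_format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear ISO 9564-1 format 0 PIN block: PIN field XOR PAN field (8 bytes)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    # PAN field: 0000 + the 12 rightmost PAN digits, Luhn check digit excluded
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def recover_pin(clear_block: bytes, pan: str) -> str:
    """Reverse of iso9564_format0_pin_block; what the issuer/acquirer HSM does."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(clear_block, pan_field)).hex().upper()
    return pin_field[2:2 + int(pin_field[1], 16)]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the PED's hardware cipher: HMAC-SHA256 in counter mode used as a
    keystream (assumption for the demo; real PEDs use TDES/AES under DUKPT keys).
    XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class PinEntryDevice:
    """Tamper-resistant keypad: the only in-store component holding the PIN key."""

    def __init__(self, pin_key: bytes, p2pe_key: Optional[bytes] = None):
        self._pin_key = pin_key
        self._p2pe_key = p2pe_key  # set only when the PAN is also encrypted at the keypad (P2PE)

    def swipe_and_enter_pin(self, pan: str, pin: str, nonce: Optional[bytes] = None) -> dict:
        nonce = nonce or os.urandom(8)
        pin_block = keystream_xor(self._pin_key, nonce, iso9564_format0_pin_block(pin, pan))
        msg = {"nonce": nonce.hex(), "pin_block": pin_block.hex()}
        if self._p2pe_key is None:
            msg["pan"] = pan  # legacy path: PAN handed to the register in the clear
        else:
            msg["pan_enc"] = keystream_xor(self._p2pe_key, nonce, pan.encode()).hex()
        return msg


class PosTerminal:
    """The register application; its process memory is what the POS malware in the post read."""

    def __init__(self):
        self.memory = {}  # stands in for the process heap

    def authorize(self, ped_msg: dict, amount_cents: int) -> dict:
        request = {"amount": amount_cents, **ped_msg}
        self.memory["last_request"] = request  # held in plaintext while the request is built and sent
        return request


def run_transaction(pan: str, pin: str, p2pe: bool, nonce: Optional[bytes] = None) -> dict:
    """One purchase, then an audit of what a dump of the register's memory would expose."""
    pin_key = b"demo-pin-key-only-in-ped-and-hsm"  # constructed; never present on the POS
    p2pe_key = b"demo-p2pe-key" if p2pe else None  # constructed
    ped = PinEntryDevice(pin_key, p2pe_key)
    pos = PosTerminal()
    request = pos.authorize(ped.swipe_and_enter_pin(pan, pin, nonce), 4999)

    dump = repr(pos.memory)
    clear_block = iso9564_format0_pin_block(pin, pan)
    # Back-end check: the party that does hold the PIN key still recovers the PIN
    acquirer_block = keystream_xor(pin_key, bytes.fromhex(request["nonce"]),
                                   bytes.fromhex(request["pin_block"]))
    return {
        "pan_in_pos_memory": pan in dump,
        "clear_pin_block_in_pos_memory": clear_block.hex() in dump,
        "acquirer_recovers_pin": recover_pin(acquirer_block, pan) == pin,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("P2PE" if mode else "legacy", run_transaction("4111111111111111", "1234", p2pe=mode))
```

The audit looks for the clear PIN block rather than the four PIN digits, because short digit strings turn up in amounts and hex fields by chance; the 16-hex-character clear block does not. In legacy mode the register holds the PAN in plaintext and only ciphertext for the PIN, which matches the breach pattern the post describes; with the PAN also encrypted at the keypad, a compromise of the register software yields neither.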