In Wake of Confirmed Breach at Home Depot, Banks See Spike in PIN Debit Card Fraud

by Ron Mazursky 0

Home Depot has confirmed it has suffered a credit and debitcard data breach involving nearly all of its US and Canadian stores – similarto the Target breach reported in early 2014. Apparently this breach dates backto April 2014.

These account numbers canthen be used to create counterfeit credit and debit cards and used at POS.

Home Depot has claimed that no debit card PIN data wascompromised – yet several financial institutions have reported an increase inthe last few days in fraudulent ATM withdrawals on customer accounts. This raises some concerns that if PIN numberscan be changed on the counterfeit debit cards, then cash can be withdrawn fromATMs using those customers’ accounts at will. It seems that these counterfeiters are taking advantage of weakauthentication methods via some automated bank phone systems that allowcustomers to reset their PINs for their debit cards.

The bad news: the same site that has posted the Home Depotcard data for sale also has the legitimate cardholders full name and city,state and zip of the Home Depot store from which the card data was stolen. The store location information is likely inclose proximity to the cardholder’s home address. With this information, the counterfeiters canthen locate the social security number and date of birth of the cardholder(using criminal services that sell this information). This information can help payment datathieves use a bank’s voice response unit to change their PIN as long as theypass 3 of 5 security checks.

Accordingto Krebs on Security:

“A large number of theseVRU systems allow the caller to change their PIN provided they pass threeout of five security checks. One is that the system checks to see if the callis coming from a phone number on file for that customer. It also requests thefollowing four pieces of information:

the 3-digit code (card verification value)printed on the back of the debit card;

the card’s expiration date;

the customer’s date of birth;

the last four digits of the customer’s SocialSecurity number.”

The good news: Some of the largestbanks have begun moving away from Knowledge-based Authentication for their VRUsystems given how easily they can be tricked. More of the industry needs to do so. Biometrics will also need to be introduced in the near term, unlessother authentication tools will eventually be used.

Banks need to update their VRUcapability and merchants will need to improve their data protectionservices. Together they need toimplement tools to better protect the payment data. This could includetokenization and end-to-end encryption.

Overview by Ron Mazursky, Director, Debit Advisory Service

Read Full Story at Krebs on Security