Debit-Card Fraud Spikes Following Home Depot Breach

Credit: The Home Depot

(Image credit: The Home Depot)

A sharp uptick in ATM-withdrawal fraud may be linked to the theft of credit and debit cards from Home Depot stores, sources at several banks told independent security reporter Brian Krebs.

Home Depot confirmed the data breach in its payment systems last night (Aug. 8), but said debit-card personal identification numbers (PINs) were not included in the massive trove of stolen card data. Yet Krebs outlined a scenario that would nevertheless let online criminals change PINs on debit cards stolen from Home Depot, allowing fraudulent withdrawal of money from ATMs.

MORE: How to Survive a Data Breach

Home Depot has not disclosed how its payment systems were penetrated, or whether any form of malware was implanted. Krebs' sources tell him traces of the BlackPOS RAM scraper, which was behind the Target data breach last fall, were found on some Home Depot systems, but that cannot be confirmed.

What is almost certain is that the "track data" from the magnetic strips of millions of debit and credit cards were copied from Home Depot's systems. Track data includes a card's account number, the cardholder's full name and the card's expiration date. All that information is currently being sold in "carder" markets online.

In at least one carder market called Rescator, each card's track data is being sold with the ZIP code of the store from which it was stolen. That's valuable to a carder, because a card-issuing bank normally won't consider suspicious a transaction that takes place near a cardholder's residence.

Krebs contends that if the legitimate cardholder does indeed live near the store from which his or her card number was stolen, then that might provide criminals with enough location information, when combined with the cardholder's full name, to get started on hunting down the legitimate user's date of birth and Social Security number.

For a fee, legal and illegal online services conduct extensive searches for such personal information on individuals. If a criminal does combine a debit-card holder's full name, date of birth and Social Security number, Krebs explained on his blog, then the criminal may be able use those three data points, along with the card expiration date (included in the track data), to call the card issuer's help line and reset the card's PIN.

Once the criminals have the card's PIN, they encode the stolen data to a blank magnetic-stripe card — a process called card "cloning." With a newly reset PIN, the criminals can fraudulently withdraw cash from ATMs.

Krebs said he spoke last week with someone at a New England bank who said the bank had seen more than $25,000 in fraudulent withdrawals from ATMs in Canada. Callers had used disposable telephone numbers to contact the bank's service center and reset the PINs.

A source at a West Coast bank told Krebs $300,000 had been lost in bogus ATM withdrawals in Italy to fraudsters who called the customer-service line, reset the PINs and convinced service personnel they were traveling in Europe and needed the withdrawal ceilings raised.

To prevent fraudulent PIN resets, Krebs said, bank customer-service personnel need to demand the three- or four-digit card verification code, also known as the card verification value (CVC/CVV), printed on the card. That number is not in the track data, and is what online and telephone retailers ask for to verify that the person conducting the transaction is actually holding the card.

Unfortunately, obtaining a cardholder's personal information also opens the door to full-scale identity theft, a potentially much more serious situation than payment-card fraud. With a legitimate Social Security number, date of birth and full name, a criminal can open new payment-card accounts, take out loans, obtain false documents such as drivers' licenses and even file false tax returns in the cardholder's name.

Home Depot is offering a free year of identity-theft protection and credit monitoring to anyone who used a card at a Home Depot retail store in the United States or Canada after April 1, 2014, and has created a signup page.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

TOPICS

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

Latest in Online Security
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
Green skull on smartphone screen.
Over 1 million Android devices infected with password-stealing, pre-installed botnet malware — how to stay safe
Android 12
Google March Android Security Update fixes two high severity vulnerabilities — update now
An Android bot next to an Android TV remote
Millions of Android TVs hijacked in massive botnet — how to see if yours is at risk
Poster of Elon Musk saying "I am stealing from you"
Elon Musk's DOGE blocked from accessing your data – and 3 in 4 Americans agree
A fake text message on a smartphone being held by both hands.
Toll road scams are worse than ever — what to look for and how to stay safe
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Sunday, March 9 (#637)
Prime Gaming's selection of free games for March 2025
Amazon Prime is giving away these 20 games in March — get Fallout, Saints Row 3, and more free games now
Hugh Grant as Mr. Reed in "Heretic"
Max top 10 movies — here’s the 3 worth watching right now
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #371 (Sunday, March 9 2025)
Nintendo Switch 2
Nintendo Switch 2 price rumors and predictions — everything we've heard so far
Samsung Galaxy S25 Edge back
Samsung Galaxy S25 Edge latest leak hints at good news for pricing
  • ap3x
    Looks like a pretty refined product. Will be interesting to see how it works in real life.

    Not sure what happened with my post getting submitted twice. My apologies guys.
    Reply