Newsroom

September 09, 2014

Krebs: PIN debit card fraud up after Home Depot breach

KrebsOnSecurity said financial institutions are seeing a "steep increase" in PIN debit card fraud after the retailer breach, which The New York Times said could be the largest yet. The report conflicts with Home Depot's statement Monday.
NAFCU President and CEO Dan Berger responded, "This breach is more evidence that retailers are not doing enough to protect consumers, and that Congress must hold them to a national standard. Consumers and their financial institutions are paying the price for retailers' mistakes - the retailers need to take responsibility and be held to account."
This week, Home Depot confirmed its systems were breached and advised any customer who shopped in one of its stores from April 2014 on to watch their accounts. It said there "is no evidence" that debit PIN numbers were compromised.
KrebsOnSecurity on Tuesday casts doubt about that. "If the crooks who buy stolen debit cards also are able to change the PIN on those accounts, the fabricated debit cards can then be used to withdraw cash from ATMs. Experts say the thieves are who perpetrating the debit card fraud are capitalizing on a glut of card information stolen from Home Depot customers and being sold in cybercrime shops online. Those same crooks also are taking advantage of weak authentication methods in the automated phone systems that many banks use to allow customers to reset the PINs on their cards."
Home Depot said customers will not be held liable for fraudulent charges. The breach reportedly may have involved the a "reworked" version of the malware used in last year's Target breach.
The New York Times cited a person briefed on the investigation as saying the Home Depot breach could affect more than 60 million cardholders - compared to 40 million affected by the massive Target breach last year.
NAFCU was the first financial trade organization to call for national data security standards for retailers following the Target breach. The association is also a member of the Payments Security Task Force, a diverse group of participants in the payments industry focused on EMV chip implementation, including ways to help reduce testing and implementation time.