Home Depot Breach Exposes Vulnerabilities with EMV Roll-out
Back on September 2nd, KrebsOnSecurity (Krebs) reported that Home Depot had a data breach that affected an estimated 56 million debit and credit cards. While this is certainly alarming, it appears that it has had little impact on Home Depot’s sales. This is in stark contrast to what happened when the Target breach was reported last December: sales plummeted, senior executives were fired and consumers were angry. Now just nine short months later, we have moved from outrage and fear to “whatever.” We have become immune to the formerly alarming news on data breaches and have come to accept that these breaches are going to happen. While this may be true, we had better wake up soon or it is only going to get worse.
These fraudsters are getting much more sophisticated and evolving faster than ever. And as always, they are looking to exploit vulnerabilities in the system. When we look back at the Home Depot breach, we are now seeing new tactics that we had not seen before. On September 14th, Krebs further reported that issuers were seeing a spike in PIN-based debit card fraud attributed to the Home Depot breach.
Whoa!! While the stolen information was enough to produce counterfeit cards, it was not enough to commit PIN-based fraud, since the hackers did not get the PINs from the data stolen in the breach.
So how did they do it? It is scary when you realize the simplicity of their scheme. Krebs describes how the thieves take the cardholder name from the card data and combine it with the ZIP code of the store, which the thieves also received. With name and ZIP code in hand, it is relatively easy to find that person’s address and phone number. The fraudsters then simply append the Social Security number and date of birth from black market databases that are readily accessible. With this information, the thieves can open new accounts, change account profiles or even reset PINs and extract the cash.
In some respects, it sounds like a lot of work, but it is not. The criminal organizations and businesses spawning these breaches have actual business plans, objectives and P&Ls. When they get up in the morning and before they have their first cup of coffee, they are already planning their next attack.
So what can this tell us about fraud threats and the EMV roll-out? First of all, it tells us that these criminal organizations are already planning their strategies. They are looking at how EMV will roll out and where and how they can jump in the middle. They are seasoned experts based on the experience they gained with the roll-out of EMV in Europe and Asia.
What we do know is that when EMV rolls out in the U.S., we will see a decline in counterfeit fraud and a corresponding increase in Card Not Present (CNP) fraud. If history repeats itself, we will also see increases in New Account Fraud and Account Takeover Fraud. However, with so many breaches in the market and so much personal information at the ready, we are anticipating a new and increased threat with respect to Account Takeover.
A typical account takeover scheme involves changing the address on an account from the victim’s address to an address the fraudster controls. Once the address change has been completed, the fraudster will then request a replacement card. With card in hand, the fraudster can cash out. Because of this known scheme, Section 114(b) of the FACT Act states that financial services companies need to screen these address changes for potential fraud.
However, with EMV and the re-issuance of cards, the fraudsters only have to work half as hard. Rather than change the address and request a replacement card, they now just have to change the address and wait for that new secure EMV card to be re-issued. The fraudsters don’t have to request the replacement card because they know it is coming. Once they have the card in hand, all that is left to complete the takeover is to activate the card by either spoofing their phone number or having the last four digits of the Social Security number (which we just learned is relatively easy). It should go without saying, but I’ll say it anyway: issuers need to be prepared to counter this evolving threat.
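The screening gap described above can be shown as a small detection rule. This is an added example, not code from the original article: the event names, account IDs, sample events and the 30-day window are all assumptions made for illustration. It holds any card mailing that follows a recent address change, and shows that a rule watching only customer-requested replacements misses the issuer-initiated EMV re-issue.

```python
from datetime import date

# Constructed sample events (not real data): (date, account, event type).
# Event type names are hypothetical, chosen for this example.
EVENTS = [
    (date(2014, 10, 1), "A-1001", "ADDRESS_CHANGE"),
    (date(2014, 10, 6), "A-1001", "REPLACEMENT_REQUEST"),  # classic takeover pattern
    (date(2014, 10, 3), "A-2002", "ADDRESS_CHANGE"),
    (date(2014, 10, 20), "A-2002", "EMV_REISSUE"),         # nobody requested this card
    (date(2014, 6, 1), "A-3003", "ADDRESS_CHANGE"),
    (date(2014, 10, 20), "A-3003", "EMV_REISSUE"),         # address change is old
    (date(2014, 10, 20), "A-4004", "EMV_REISSUE"),         # no address change on file
]

CUSTOMER_REQUESTED = {"REPLACEMENT_REQUEST"}
ISSUER_INITIATED = {"EMV_REISSUE"}


def cards_to_hold(events, window_days=30, include_issuer_reissue=True):
    """Return (account, event, days_since_change) for each card mailing that
    falls within window_days after an address change on the same account.

    window_days=30 is an assumed review window, not a value from the article.
    """
    watched = set(CUSTOMER_REQUESTED)
    if include_issuer_reissue:
        watched |= ISSUER_INITIATED

    last_change = {}  # account -> date of most recent address change
    holds = []
    for when, account, kind in sorted(events):  # process in date order
        if kind == "ADDRESS_CHANGE":
            last_change[account] = when
        elif kind in watched and account in last_change:
            age = (when - last_change[account]).days
            if age <= window_days:
                holds.append((account, kind, age))
    return holds


if __name__ == "__main__":
    print("request-only rule:", cards_to_hold(EVENTS, include_issuer_reissue=False))
    print("with EMV re-issue:", cards_to_hold(EVENTS))
```

A held mailing would go to whatever address verification step the issuer already uses for address changes before the card is sent.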