Hackers Bypass Home Depot Debit Card PINs

This post was published on the now-closed HuffPost Contributor platform. Contributors control their own work and posted freely to our site.

By Neal O'Farrell, Security and Identity Theft Expert for CreditSesame.com

Home Depot hasn't really told us much about their data breach so far, and for that, I say shame on them. One of the few things they did share though, and quite categorically, is that no debit card PINs were exposed in the breach.

That's important, because that might not be good news either. If thieves steal your credit card number in a breach like Home Depot's, and then use it to commit fraud, they're stealing the bank's money. Or the merchant's. But at least it's someone else's money. If, on the other hand, the crooks get their hands on your debit card and your PIN, they get direct access to your bank account and everything that's in it.

And while you're not supposed to be liable for more than $50 in fraudulent losses, whether it's a debit card or a credit card, it's not that simple. For starters, many banks will use stalling tactics if more than a few hundred dollars is removed from a bank account through fraud. Not very helpful if you have urgent bills to pay.

Some banks will simply deny any responsibility, hoping the customer doesn't know their rights. And if the debit card is connected to a business account, forget about it. Zero liability doesn't extend to business accounts. So if you lose every dime in your account, there's a good chance you won't be getting any of it back.

So what's that got to do with Home Depot? Well, Brian Krebs, the super cyber sleuth who uncovered both the Home Depot and Target breaches, is reporting that the thieves have figured out a way to reset the PINs for those stolen debit cards. Even if they don't have the original PIN.

Many banks use automated phone systems to allow their customers to reset their debit card PINs. To complete the process, you'll typically need at least three of the following five things for the bank to believe it's really you on the phone:

• A phone number recognized by the bank.

• The three- or four-digit CVV number, or card verification value, on your card.

• The card expiration date.

• Your date of birth.

• The last four digits of your Social Security number.

Well, guess what? Thieves may be using their obviously extensive networks to fill in enough missing pieces so they can answer enough questions to reset those PINs.

They're using Go Phones or VoIP to fake the customer's phone number. They have the customer's name, address and ZIP code from the Home Depot breach, and they're apparently able to buy the matching last four digits of victim Social Security numbers. That's enough to reset a PIN and start going crazy on the stolen cards. Some banks are reporting thefts of up to $300,000 using this tactic, according to Krebs.

So if this is true and this attack works, does that mean we've now exposed yet another massive weakness and vulnerability in our banking system that the banks might take forever to change? Remember, banks want to make banking convenient, and security is the enemy of convenience. They're unlikely to rush to make it any harder for legitimate customers to change a PIN.

And this tactic raises an even bigger issue. There are thousands of hackers in possession of billions of stolen records, but not all the records are complete enough to be useful. What if those hackers could join the dots by finding a way to connect with other hackers who might have the missing pieces -- like the last four digits of a Social Security number?

If we can use technologies like data analytics to make sense of billions of tiny pieces of data, why can't crooks?

If you used a debit card at Home Depot, change the PIN now. Hackers might still change it back, but you still have to try to stay ahead of them. Talk to your bank, monitor your accounts, use a secret code if your bank or credit union offers it. And if you have a small business account, think about separating it into two or three accounts, each with different PINs and passwords.

Welcome to your future, your new normal, an Internet of Very Insecure Things.

This post originally appeared on CreditSesame.com. Neal O'Farrell, Credit Sesame's Security and Identity Theft Expert, is one of the most experienced consumer security experts on the planet. Over the last 30 years he has advised governments, intelligence agencies, Fortune 500 companies and millions of consumers on identity protection, cybersecurity and privacy. As Executive Director of the Identity Theft Council, Neal has personally counseled thousands of identity theft victims, taken on cases referred to him by the FBI and Secret Service, and interviewed some of the nation's most notorious identity thieves.
