co-authored by Dr. Stephen Bryen, Founder & CEO ZiklagSystems
Something is wrong with Home Depot's explanation of the hack on the point of their cash registers, which apparently were infected with malware. Some 60 million credit cards have been compromised, according to Home Depot's admission.
The curious thing is the fact that the hack apparently started last April but was not reported until September 3rd. So for six months every credit card transaction was picked up by some malware that somehow allegedly got into their cash registers?
Who makes the cash registers? What security is built into them? Why did it take six months to figure it out? Why aren't all customer transactions that go through Home Depot's network automatically encrypted?
The good news, according to Home Depot, is that the user's pin numbers were not compromised. Of course they weren't, because when you pay for something at Home Depot, you just scan your card or the attendant does it for you. Home Depot stores have two means of check out. Option A - the customer scans the items and bags them. When the scanning is done, the customer goes to a separate credit card device, the same one you see in countless retail outlets, and swipes the card. The transaction processes and a receipt is printed.
Option B - which nowadays is being discouraged, the customer allows the clerk to scan and bag items and swipe the credit card for the customer.
In both cases, a pin number is not used, so the so-called "good news" from Home Depot is, in fact, non-news, or shall we say manufactured news?
The fact of the matter is that we think the malware living in Home Depot's system is not in their cash registers at all; it is in their network and the compromise is on Home Depot's network servers. The news from Home Depot is, again, possibly misleading. Most people use the automatic check out and the credit card scanner (which is separate from the item scanner but obviously connected to it in some way). So the cash registers could not account for 60 million cards.
It is nice that Home Depot says it will cover any fraudulent card use, but what this means exactly is unclear. Cover fraudulent use just in their stores or anywhere else? No details are yet available, but at best it means a big headache for consumers.
Indeed it is very strange that many banks and stores are pressing ahead to move to mobile payments. Are they assuming mobile payments are safer than credit cards in stores? The jury is out of that one, but chances are that if it took Home Depot six months to figure out that all its credit card and transaction information was flying out the back door, how long will it take stores and banks with your mobile payment to figure it out?
The real truth is that American companies are very sloppy about computer and network security, and so customers can easily be victimized. While no commercial establishment likes bad publicity, maybe they don't care and figure they are protected by insurance and by the credit card companies. But if I were AMEX, VISA or MasterCard, I would be smoking mad, because fielding 60 million plus possible frauds or more is not a cost free activity. Will Home Depot pay for all the bad charges absorbed by the credit card companies?
Americans are quickly losing patience with how their credit cards and bank accounts are increasingly being plundered by hackers and thieves, few of whom are ever caught. There is a point where the entire commercial credit system will implode, and where that tipping point is we don't know. The chance that our economy could go into a tailspin is not a far-fetched notion if payment systems and trust in transactions collapses.
At the end of the day, the explanations we have got from the likes of Home Depot and Target are unsatisfactory and deeply worrisome. If they have risky networks, they should say so. Otherwise the game is over.