Security experts tell eWEEK that if an ongoing investigation confirms there has been a data breach at Home Depot, it was likely caused by the rapidly spreading Backoff malware.
So far, all the company is saying is that it may have been attacked but is still investigating whether a data breach actually took place.
“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate,” the Home Depot officials said in a statement released to the media.
“We know that this news may be concerning and we apologize for the worry this can create. If we confirm a breach has occurred, we will make sure our customers are notified immediately,” the statement said.
The company also said that it would offer free identity protection services to any affected customers and that it would make an announcement once it determines whether a breach actually occurred. One security expert told eWEEK that apparently hackers have published lists of fresh credit card numbers lately, and that when those numbers were checked, they led to Home Depot.
But there’s still a big leap from a potential breach tied to credit card numbers offered for sale and confirming that Home Depot has sustained a breach. In addition, Home Depot has already begun outfitting its point-of-sale terminals with chip and PIN readers, which means that at least some customers may not be at risk if the breach took place.
Security response teams at some of the card-issuing banks have already started buying back credit card numbers believed stolen in the suspected breach at Home Depot, according to John Zurawski, vice president of marketing for Authentify.
However, he said that much of the risk could be avoided if the credit cards supported two-factor authentication. One means of providing such authentication is by issuing cards with an EMV chip that requires a PIN to make purchases.
Zurawski said that credit card companies can also implement phone-based two-factor authentication now, using customers’ smartphones or even their landline phones, to make sure that customers are aware of suspicious purchases. Such an authentication process, which already exists at some card companies, happens when a consumer gets a phone call to confirm a purchase in progress.
The way this works is that when a credit card, or a credit card number, is presented for a purchase, the customer receives a call asking whether they’re really making that purchase and, if they are, to either confirm it verbally or press a number key on the phone. If the purchase can’t be authenticated, then it’s not approved.
Backoff Malware Likely Cause of Suspected Home Depot Data Breach
I’ve experienced such authentication calls from American Express when I’ve made purchases where something is unusual, such as when I’m in a country where I haven’t used a credit card before. They’re usually brief, but they’re effective.
The problem is, calling every customer about every transaction is impossible. There are simply too many credit card transactions happening, which is why card issuers target card use where something looks unusual, such as the same card being used in two places at about the same time.
There’s little question that widespread EMV use in the U.S. would reduce the severity of such breaches, but it wouldn’t eliminate them. “EMV technology, if used widespread, could potentially reduce the amount of damage by denying criminals the ability to use copied cards at POS terminals,” said Adam Kujawa, head of malware intelligence at Malwarebytes Labs, in an e-mail to eWEEK, “as long as those terminals were set up to use EMV technology.”
“If EMV technology was required and utilized by the whole of the population and traditional mag-stripe cards were no longer accepted, then it would put a serious wrench in the gears of the cyber-criminals’ plans,” Kujawa noted.
In fact, it may be the success of such secure payment cards elsewhere that’s contributing to the flurry of attacks in the U.S., Zurawski said. “Chip and pin in Europe may be why you see so many attacks in U.S.,” he said.
While the use of chip and PIN technology in Europe and Asia has dramatically reduced the levels of credit card fraud where cards are physically present, fraud in other areas, such as online and telephone purchases, has not diminished.
Unfortunately, even in situations where secure payments are proven to work, banks are slow to implement any improvements. “The banks still worry about putting friction in front of transactions,” Zurawski said. But he doesn’t think this should slow down a move to better authentication. “I think the average consumer is getting tired of worrying about the breaches,” he said.
Zurawski said that right now, following the announcement by the Department of Homeland Security that as many as 1,000 U.S. businesses may have been compromised by malware, security executives should be concerned. “If I were the CISO or CEI or CIO, I would be all over my people right now to make sure we’re not breached,” he said.
So now we’re back to Home Depot and whether the company suffered a breach. The good news is that apparently managers were on top of events and got the word out early. Hopefully, the bad news won’t get much worse.