NEWS ANALYSIS: Home Depot is accelerating the deployment of EMV chip-and-PIN cards, but that's little consolation to holders of 56 million payment cards exposed in a massive cyber-attack.
As a result of the massive cyber-attack on its point-of-sale (POS) systems, Home Depot is accelerating its move to EMV chip and PIN cards. The company said all stores will be equipped with such terminals by the end of 2014.
The imposition of chip-and-PIN terminals will reduce Home Depot's exposure in the future, but is unlikely to do anything in the short term to protect customers holding the 56 million payment card numbers that were compromised in the cyber-attack.
The Home Depot data breach, first disclosed by the retailer in early September, affected purchases at stores in the United States and Canada between April and September 2014. According to Home Depot's announcement, the breach did not affect stores in Mexico, and did not expose PIN numbers.
Canadian Home Depot stores are already equipped with EMV card readers. However, cards from those stores were also compromised and could still be used for fraudulent remote purchases.
Although counterfeit cards bearing account numbers exposed in the breach now can't be used at Home Depot, they could still be used at stores that haven't upgraded beyond magnetic-strip readers. In addition, those cards would remain vulnerable to "card not present" transactions such as phone and Internet purchases.
In its most recent statement, Home Depot said it learned of the breach from law enforcement and banking partners who were able to correlate payment card numbers offered for sale on a Russian cyber-crime site with Home Depot store locations.
According to several security researchers reached by eWEEK, such lists of credit and debit cards frequently provide location information so that criminals can use the cards where they will be the least likely to raise suspicion.
The company said that the malware that was used to steal the payment card information was custom-written for Home Depot's POS system. According to security blogger Brian Krebs, the malware was apparently installed on self-checkout POS terminals.
Krebs reported that the number of compromised cards actually being used was smaller than most banks expect, which may be related to the fact that the malware only existed on those self-service terminals.
Perhaps more important, Home Depot has also completed a project that encrypts all card data. "The company's new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and effectively useless to hackers.
Home Depot's new encryption technology, provided by Voltage Security, has been tested and validated by two independent IT security firms," the company said in its statement. Voltage Security provides a range of enterprise security products and services, including POS encryption.
While Home Depot is saying that the malware eluded its existing security systems, a number of security researchers have told eWEEK that the cyber-attack was likely based on the Backoff malware, which is frequently customized for specific retailers.
Security information for the Backoff exploit has only recently been made available by law enforcement. Had Home Depot had its POS encryption system in place prior to April, the cyber-criminals would not have been able to read or use the payment card information even if they were able to steal it.
Unfortunately, while the encryption project has been completed for stores in the U.S., stores elsewhere will not have encryption in place until early 2015.
Home Depot has not provided any details about how the breach was carried out, nor has the company responded to requests from eWEEK seeking information beyond the press release. However, the indications are that the malware was apparently introduced through the self-checkout POS terminals, and affected only those. Because the Backoff malware and its variants require some sort of direct access to the POS terminals, it's unlikely that Home Depot was penetrated through some sort of phishing attack.
But because neither Home Depot nor Voltage are commenting on the solution to the breach or the manner in which it came about, other retailers won't be able to benefit directly from their experience.
At this point, it appears that the POS system was attacked through a brute-force attack or through some sort of back door.
However, because the malware seems to have affected all of Home Depot's self-service POS terminals, it would appear that, one way or another, their POS system was accessed remotely and the malware installed that way.
This is one situation where the company could really benefit other retailers by helping them determine where to look for weak spots. When Target found that its breach happened because of access using a vendor's log-in, it gave the rest of the industry the information it needed to limit access to third parties. It's hard to know what to learn from Home Depot.
The sad part is that the company is probably worried that the cyber-criminals will then know where their system was weak, but quite frankly, that's misplaced concern. The criminals already know.
What's really important is that customers know what to avoid, other retailers know how to secure their systems and Home Depot stockholders really know that the problem was solved. Unfortunately, Home Depot's efforts to handle damage control don't accomplish any of those things and they don't even control the damage.