Suspicions about a possible data breach at Home Depot arose, as in past breaches, after a big batch of stolen payment cards surfaced on an underground marketplace, selling for about $50 each.
Dan Ingevaldson, chief technology officer at fraud prevention firm Easy Solutions, tells me that the latest dump of stolen cards "looks like it was massive - basically every BIN that you search for, every city is included, every state is included." He's referring to bank information numbers, which appear as the first six digits of a card number and are unique to every bank. BIN numbers almost never get retired as a result of the industry's nonstop mergers and acquisitions. That's why some banks now issue cards with dozens of different BINs.
The 'spot a flood of card data onto cybercrime sites, then react' model is far from perfect.
The emergence of easily accessible underground marketplaces, such as the Rescator site where the most recent card dump occurred, has allowed card issuers and fraud analysts to spot breaches much more quickly by tracing back stolen card numbers being offered for sale. That's good news for the issuers, who have to cover any resulting losses, as well as consumers, who have to watch for related fraud.
Model Remains Reactive
But this "spot a flood of card data onto cybercrime sites, then react" model is far from perfect. Notably, the Rescator site has been inaccessible for long periods of time in recent days, Ingevaldson says. One possible explanation is anti-fraud activists have been targeting it with a distributed-denial-of-service attack. But because the site is protected by DDoS defense firm CloudFlare, it's much more likely that so many would-be buyers are using the site that it can't keep up with demand.
"When cards that are this hot hit the market, they are virtually guaranteed to be valid - before the banks and card companies put up their defenses - and it's just a crush [by buyers] to get as many cards as possible and see which ones are valid," Ingevaldson says. Many sites trafficking in stolen card data - Rescator included - even offer built-in tools prospective buyers can use to test batches of cards and determine if they're still valid, which often involves attempting to make a pre-authorization charge, or charging a small amount, such as two cents, and seeing if it goes through.
But some BINs listed on Rescator carry warnings that under no circumstances should they be tested, because doing so would likely trip fraud alarms at the bank behind the BIN. "Those are patterns that can be detected on the back end, if banks are looking for them," Ingevaldson says. "Some banks have deployed these controls, some haven't. ... so if you're a bad guy, you want to find banks that are protected by poor controls."
Consumers, obviously, might also like to know which banks have poor controls, so they can take their business elsewhere. But pending a Consumer Reports investigation, there's scant related information in the public domain.
Life After Target
Since the Target breach came to light in December 2013 - after stolen cards began flooding Rescator - the amount of time between when stolen cards surface for sale, and when banks disable the cards and issue new ones to consumers, thus invalidating stolen card numbers, has continued to decrease. "The banks have gotten much better between the initial disclosure time and when they're increasing their controls," Ingevaldson says. Of course, that's great news for potential breach victims. But the reactive model isn't stopping the breaches themselves.
For that to happen, says Gartner analyst Avivah Litan, the payment card industry must overhaul its "faulty and antiquated payment system" - adding end-to-end encryption would help - and require all cards to carry EMV chips, which can require a PIN code to authorize in-person transactions.
"The unfortunate thing is that nothing fundamentally has changed since December of last year when Target was breached," Ingevaldson says.
When Will Card Industry Catch Up?
But changes are afoot. Data breach poster child Target, for one, has been demanding the payment card industry adopt EMV, and there's now an October 2015 deadline for restaurants and merchants to deploy compatible POS terminals. Still, EMV likely wouldn't have stopped the Target breach, which apparently involved POS malware.
Home Depot, prior to the suspected breach, invested in EMV-compatible POS terminals. "All of our terminals [have] EMV PIN and chip hardware," Home Depot CEO Frank Blake told the Goldman Sachs Global Retailing Conference on Sept. 4. "We will have all of our terminals fully enabled for credit card EMV PIN and chip by the end of this year ... well in advance of the October 2015 deadline."
Historically, countries that have adopted EMV have seen card-related fraud decline, but only once they block the use of all non-EMV cards. Litan says the transition to EMV in the United States may take until 2020.
But will those changes be enough to stop the unending data breach du jour?