back to article Home Depot: 56 million bank cards pwned by malware in our tills

Home Depot today admitted 56 million bank cards are at risk after they were used in malware-infected tills. The DIY giant on Thursday revealed that a software nasty infiltrated its PC-powered registers between April and September in the US and Canada. Cards swiped through the compromised machines could be accessed by the …

  1. Destroy All Monsters Silver badge
    Coat

    ...Till Malware Shall Part Us Forever

    It's a sad story...

  2. ecofeco Silver badge

    XP based self checkouts

    I know for a fact those self checkouts were XP based.

    Just like millions of others.

    1. Phil O'Sophical Silver badge

      Re: XP based self checkouts

      And probably hadn't had an update or security fix applied since they day they were installed. Which is much more likely to be a problem than the simple fact that they're running XP, which was still a supported OS at the time the malware was alleged to be introduced.

    2. ecofeco Silver badge

      Re: XP based self checkouts

      I see I hit a nerve.

      And you would be right Phil because security updates can and would break the software.

      Now, want to guess the most popular retail checkout software being used? Rhymes with Tomb Raider Lara. Goes by the initials RMS.

      Bar and restaurants use a different kind, but they have the same underlying problem. XP. Thank god staff aren't bright enough to pull the hack required.

      1. Anonymous Coward
        Anonymous Coward

        Re: XP based self checkouts

        If you run a 10 year old verision of Linux, chances are that's going to be pretty easy to nail as well.

        It's not he OS that is the issue, it's the installation, maintenance and policies.

  3. Eddy Ito

    There needs to be a fine of something like 10% of market cap for shit like this. In this instance that breaks down to only about $220 per card. Oh, that's on top of paying for all the resulting fraudulent charges. It sounds harsh but it's the only way these folks are going to take security seriously.

    1. Elmer Phud

      Not really fine

      They'd find some way of making the users pay .

    2. Tom 13

      Re: There needs to be a fine of something

      I have to agree with Elmer, not a fine. The heart of the problem here is that the current form of incorporation protects those who are intentionally making bad decisions from the responsibility of those decisions. If you fine the company, they just jack their prices which only hurts the consumers a second time. Instead, for cases like this were it is obvious that simple precautions could have limited or prevented the breach, each and every person involved in implementing those decisions should be liable for damages to the consumer. And yes, that means from the CEO all the way down to the IT coalface guys like me. Their resources to be exhausted first and only after that do the shareholders start picking up the tab. Even holding the employees accountable first, I think shareholders are still likely to pickup 80% or more of the tab. Also, at some management level responsibility needs to translate to jail time. Definitely for the CEO, CFO, and CIO. Maybe everybody from Program Manager up, maybe it picks up the rung below that.

      1. Eddy Ito

        Re: There needs to be a fine of something

        They can't really jack the prices since they still have to compete with other shops like Lowes. Otherwise we'll see a return of local hardware and lumber stores where breaches of this magnitude are likely to be impossible.

        I hesitate to say "when this was all fields" but I grew up being able to go to the local lumber yard and tell Mr. Duncan that my dad needed so many two by four studs and a few pounds of ten penny nails for the barn and while I'll take the nails now would he be kind enough to deliver the studs, oh and please put it on our bill. That doesn't happen in many places today.

        1. ecofeco Silver badge

          Re: There needs to be a fine of something

          Can't jack the prices? What fairy world are you living in?

          Target raised prices across the board months ago to cover their disaster. In many instance by 25%.

          1. Eddy Ito

            Re: There needs to be a fine of something

            What kind of idiot still shops at Target? Moreover what kind of idiot still shops at Target and pays an additional 25% for the privilege?

  4. razorfishsl

    I was recently in Shenzhen in one of the 'dark' buildings

    Sat in a room were a bunch of guys around the biggest pile of 'POS' card readers I've seen in a long time ,stripping off the cases and re-programming the firmware

    They also had new packaging materials for them

    The problem is most MIS departments buy hardware, but have no policy for auditing it, after all how many 'tech' guys actually have the ability to reverse engineer and check such equipment

    1. ecofeco Silver badge

      How many tech guys have the ability?

      Certainly not the ones they are hiring for bottom dollar.

  5. Anonymous Coward
    Anonymous Coward

    And this is why the problem will never be resolved:

    From Home Depot's press release (https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf):

    "The company also has completed a major payment security project that provides enhanced encryption of payment data at point of sale in the company’s U.S. stores, offering significant new protection for customers."

    You shouldn't be rolling out encryption after the hack, you should be enhancing your security from the get-go, you should be having regular security testing that results in "Hey idiots, you need to enhance your security in X,Y, and Z " Honestly, there should never be a single review that comes back as "Everything checks out"

    What a load of rubbish. I hope every major company gets hacked. Maybe then they will start taking security seriously, or consumers will demand better security

    1. Anonymous Coward
      Anonymous Coward

      Re: And this is why the problem will never be resolved:

      Encryption is expensive.... or at least it's not something that can be rolled out to hundreds or thousands of retail stores across a large geographical location with the snap of your fingers. While many larger retails probably try to do business with a single payment processor, it wouldn't surprise me at all to learn that regulations across various states end up requiring a multi-state retailer to enter into multiple relationships.

      And then there is the age-old problem in business: If it's broken, only replace it if fixing it daily becomes more expensive than the teardown and start-over approach. The devil you know and all that. I work at a company with a very substantial online presence, and the back-end is such a nightmare that we've put as much red-tape around it as possible to limit tinkering. However, those entities who were implemented under the "legacy" (most broken) process are going to stay there until the heat death of the sun or someone literally takes a match and gasoline into the datacenter this particular software is running out of. The reason? Because a lot of money was spent to shoehorn some folks into a box even a contortionist would shy away from. The entire thing is balancing on a knife's edge, so no one wants to even breath the word "migration" lest the whole thing topple over and some Very Important People get phone calls.

      The encryption thing is no different. Today, payments get processed in a timely manner. The retailer gets their money, the banks get their fees, and the consumer (usually) gets a hassle-free experience to get that new washer and dryer set. Upset that apple cart too much, and the lost revenue from sales may dwarf the hit caused by a PR blackeye.

  6. Eric Olson

    At this rate..

    I'll never have to pay for identity protection services again. However, could we try to space these out a bit more so I can get the most out of each individual subscription?

  7. etabeta
    FAIL

    Use a VSAT connected intranet to connect these POS units to central server. With no physical connection to the internet, they can put as many trojans as the want in the POS firmware, but with no physical connection to the internet they won't be able to break in, and data can't get out.

    1. P. Lee

      > with no physical connection ... they won't be able to break in, and data can't get out.

      If they can get the malware onto the tills, they might have had physical access - embed a small phone or wifi device somewhere in the case (data out by sms if required) or just compromise the network at the store level.

      1. Anonymous Coward
        Anonymous Coward

        Re: > with no physical connection ... they won't be able to break in, and data can't get out.

        Don't agree,

        If stores like Home Depot had anything approaching a clue, the segmented network approach you describe would have been implemented from day one.

        POS terminals with hardened encrypted cable connections routed through secure, heavily isolated, regularly audited data centers and no local storage of CC numbers, pins, IDs or anything else remotely compromising would also be a good start. But try to explain all that to Target shareholders and executives.

        Unfortunately, the real world is full of businesses handling confidential financial information on unaudited hardware. Often that hardware is connected to wifi and/or open public networks where it will just be hacked over and over again. To make you feel better, some of these hacked businesses will buy you free identity theft insurance for a year after your bank account has been cleaned out and your credit rating ruined.

        It's sad really.

        After reading some of the comments here, I too wonder if jailing the clueless CEOS and IT staff that let it happen wouldn't improve things, but I don't actually think so.

        Their very cluelessness makes them like a drunk who has been rolled, he shares partial responsibility for his situation, but in the end he was just overpowered by smarter, stronger people.

        What might actually work though is this:

        Make it illegal for any store to electronically process CC information unless it submits to regular security audits and is certified to use mandated best security practices and architecture.

        Liability claims eventually made automobiles much safer, why can't we do the same with frickin' cash registers?

        And if stores are still too clueless or poor to manage that, then they would need to pay someone to do if for them or else work with non-electronic means of payment only.

        It sounds harsh, but by hitting everyone's bottom line (particularly the credit card companies) we might actually get some results.

        1. ecofeco Silver badge

          Re: > with no physical connection ... they won't be able to break in, and data can't get out.

          <"After reading some of the comments here, I too wonder if jailing the clueless CEOS and IT staff that let it happen wouldn't improve things, but I don't actually think so."

          Wanna bet? And it's not the tech staffs' fault. These disasters are the direct fault of the CXOs. It is they and they alone that set budgets and make policy.

      2. pig

        Re: > with no physical connection ... they won't be able to break in, and data can't get out.

        The large 24 hour ASDA near me has 16 self service tills.

        They leave them unlocked. If you push the handle with the lock on, it clicks and the screen of the machine lifts up, revealing the PC (yes, these are XP based too) and 4 usb slots.

        The usb slots are enabled as this is how they reimage them if something goes wrong.

        Sadly getting physical acces is nothing like as hard as it should be.

        I was discussing this with a friend who fixes cash machines, and he reminded me that almost all the threats he deals with are physical.

    2. Phil O'Sophical Silver badge

      Why VSAT? These sort of systems used to work just fine on X.25, many still do (look at how many till and ATM reciepts have unmistakable X.121 addresses printed somewhere). Not an internet connection in sight.

      1. roman iwasjuk

        The problem with x.25 is that the telcos don't want to support or provide it anymore - just like they're doing away with dvacs for the alarm side - all these systems are being forced to move to ip based communications - along with alarm systems! I'm really starting to get a bad feeling about this direction, as we're moving all our communications into 1 basket - and when it crashes EVERYTHING will go down....

    3. Anonymous Coward
      Anonymous Coward

      "....with no physical connection to the internet..."

      There are some problems with this:

      1. The need to connect credit/debit card readers to third-party validation systems

      2. The need to link checkout data to third part logistics providers

      3. ....and so on.

      AIr-gapping is fine if you have a COMPLETE vertically integrated business which does everything.....and there isn't a retail organization in the world which is like that!

      1. Tom 13

        Re: "....with no physical connection to the internet..."

        I'm sure there are better solutions, but the simplest solution is the one everybody used before Al Gore invented the internet: POTS line to every cash register to process the credit card via modem.

  8. Anonymous Coward
    IT Angle

    PC-powered registers?

    What Operating System did these 'PC-powered registers' run on?

    1. The Man Who Fell To Earth Silver badge

      Re: PC-powered registers?

      It's almost a 100% certainty it is Windows Embedded for Point of Service V1 or Windows Embedded POSReady 2009, both of which are types of Windows XP.

      1. ecofeco Silver badge

        Re: PC-powered registers?

        ...or just plain XP.

        Seriously.

  9. gregthecanuck
    Trollface

    Owned Depot

    Evil pill kills tills, HD wills ill to shills.

  10. Tezfair
    Coat

    Malware proteced payment device....

    Cash

    1. Elmer Phud

      Re: Malware proteced payment device....

      Funny that, I seem to be paying more by cash these days.

      Not a conscious decision - and often a lot quicker.

      You do get some odd looks now and then if it's anything more than about £30.

      (at least most DIY tills now don't care which way round the note is presented)

    2. paulf

      Re: Malware proteced payment device....

      Upvoted, but not entirely true. Counterfeit notes/coins would be the equivalent of malware in the EFTPOS machine.

      I found a fake £1 coin in the reject slot of a parking machine the other day. It was clearly a fake but not easy to spot if you're in a shop accepting a handful of change from someone and the queue behind them means you don't have time to check each coin carefully.

      1. Phil O'Sophical Silver badge

        Re: Malware proteced payment device....

        Counterfeits aren't quite the same, since it's often possible to pass them on to a person or machine that isn't so picky. Of course that raises an interesting moral question, since people who wouldn't dream of knowingly passing on malware often show no reluctance to circulate a dodgy coin. Plausible deniability, maybe? There's probably a psychology PhD thesis in there somewhere...

        1. paulf

          Re: Malware proteced payment device....

          Not quite the same but close enough that I can see since a direct comparison isn't entirely possible.

          If someone gets a counterfeit note/coin they take a direct loss if they keep it and don't pass it on. Perhaps that explains the lack of reluctance to circulate counterfeits? Malware on the other hand people have no direct benefit/loss in circulating (unless they're the author!) so morals get a louder voice in its propagation. I don't know - but yes it would make for an interesting PhD!

          For the avoidance of doubt, the falsie I found was permanently taken out of circulation!

          1. Phil O'Sophical Silver badge

            Re: Malware proteced payment device....

            For the avoidance of doubt, the falsie I found was permanently taken out of circulation!

            Yes, after I posted I realised it could have been seen as a slur on your morals. Not my intention, sorry!

    3. Eric Olson

      Re: Malware proteced payment device....

      I would say that counterfeited bank notes are a much older form of malware. While they might work for the customer, or even a retailer, they either will eventually be noticed and no credit will be given for the note, or the inflationary impact of those bank notes will hit all of us in the wallet.

      There is already concern that state-sponsored (read N. Korea) counterfeiting is sophisticated enough to pass all but the most advanced detection systems. Not too much different from state-sponsored malware, I suppose.

  11. Daedalus Silver badge

    Its not the replacement credit cards...

    ... It's having to change all my online accounts that's th real pain.

  12. Anonymous Coward
    Anonymous Coward

    Did this happen on SCO, I wonder?

    Used to be that SCO UNIX was the POS operating system of choice. There's still a lot of UNIX POS stuff out there. Aren't these targets as well? That is, it's not just XP or the MS family.

  13. Tree

    Are your privates with the illegals?

    Whenever I go to the local Home Depot, there are always a crowd of illegal aliens standing around outside in the shadows there. It is a crime to hire them. Inside there are these crminal terminals trying to steal our money. Is it possible that these are in any way connected? Is Home Depot profiting in any way from these criminal enterprises?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022