Hacking Home Depot

Hacking Home Depot

    Attention Home Depot shoppers.  You've likely heard a similar phrase in many stores, broadcast over the speaker system, its sound so common that you barely notice or even pause from what you've been doing.  But the hacking that occurred in Home Depot (and earlier, Target, Michaels and Neiman Marcus) is now out there, the credit and debit card numbers selling in batches for $50 to $100 per number (although that figure is dropping as more and more cards prove invalid) and being carefully released by specific city.  A quick word of advice...if you haven't already done so, go to the Home Depot website and sign up for your year of credit protection (free for the basic and you can upgrade to the higher version...if you did this with Target, your annual protection from them is expired).

   In an article from Bloomberg Businessweek, the cards are coming in large batches, 80,000 or more in the Minneapolis-St. Paul area alone (stolen card resellers release them in batches related to the city where they were issued to avoid fraud detection software that flags transactions occurring far from your place of residence). The main reselling dealer is a site called Rescator which not only lists cards by zip codes, but provides a validity rate (how much of a guarantee that the card is still good) as well as a return policy with another valid card issued in exchange (ironically, debit cards --which can drain your checking account and have little protection if more than 60 days pass-- go for a far cheaper price than actual credit cards).  One recent example cited was a 50% validity rate on the card numbers stolen in June from the P.F. Chang's China Bistro (selling for $8-20 per card number, according to Bloomberg Businessweek).

   The breaches that hit Target and Home Depot appear to be using different coding leading investigators to suspect that there may be several different operations;  but what IS the same is that both the breaches occurred at the point-of-sale terminal, the brief pause from when you swipe your card to when the terminal says "approved."  What's also the same is that both Target and Home Depot had prevention systems in place (but not on), and both were warned several times by their respective security firms that a breach seemed likely and to turn their end point security on (both firms ignored the advice due to expected costs involved, and were breached; Home Depot's software was so outdated that it no longer was supported at the start of the year).  Ironically, Home Depot just posted a small profit, but Target --only now, over a year later,  saying the majority of law suits from the breach are behind them-- posted an expected 15% loss for the year.  The suits for Home Depot, with close to 2300 stores, are just beginning...

   Target has announced a gradual switch to EV cards, digital cards with a much higher layer of encryption and scrambled security, similar to cards already in use throughout Europe (Costco business already offers merchants EV processing).  The resistance by both merchants and banks to this higher level of security on credit and debit cards has been the cost to change all the terminals and issue the new cards with embedded chips...a cost that will likely seem smaller in retrospect after consumers are reimbursed for the stolen data.  But hackers are already on the move (although Britain reports credit card fraud down 67% since switching to the EV card).  So the next step?  Quantum computing which jumps past 1s and 0s to a combination that might signal "maybe" instead of just "on" or "off," (conveniently labeled "qubits").  Microsoft, Google, IBM and yes, China, are pouring money into funding quantum computing  Should a quantum computer recognize an intruder getting close to decoding an encryption key, it can immediately scramble the coding thereby shutting out the hacker...or so it is thought.

   One company, Exodus, specializes in hacking into servers' software, and is paid well to do it.  Microsoft, Mozilla, Google and other companies all pay "good" hackers to spot vulnerabilities in their coding.  Top prize at Microsoft is $100,000 for finding a large flaw.  Facebook pays an average of $2200.  But according to one article in Time, one security strategist said this about black market prices, "I've seen pricing models where a six-figure payout will go out as a lump sum, and then a monthly recurring fee will be paid to the researcher to encourage them to keep quiet and not use it and not double-sell it."  One example comes from Exodus itself who hacked Google's Chrome software and then refused to tell Google what the flaw was (despite an offer of $120,000).

   So bottom line, what can you do about all this?  And since you have your anti-virus system on and have changed your passwords so many times that you're getting dizzy and have been sending everything into the "cloud" anyway (Apple won't confirm or deny that their "cloud" was hacked), why should you be worried?  You're covered, right?   A recent special by NOVA shows that our worries might actually be far beyond that of tapping into our bank accounts and social media files.  Rise of the Hackers shows that new targets for hackers are now electrical grids, satellite systems, water supplies, and possibly military command centers.  And as we slowly turn over our homes to smart appliances and smart televisions (the latter is considered by a tech friend of mine to be THE most vulnerable piece of hardware in your house;  the second? your phone...Android users, best check out the Heartbleed patch, especially if you're doing any banking or checking of accounts on your phone), imagine entire systems locking you out...no gasoline at the station, no water coming to your home, and gasp, no internet!  A report by Symantec (a security firm and maker of security software) said that 553 million identities were exposed in 2013 (birthdays, names, even identification numbers) and 1 in every 196 emails contained a virus.

   As the Time piece summarized:  We've been so successful in building a connected paradise where information flows freely, and so eager to move our lives into it, that we've gotten ahead of our ability to keep information flowing when we don't want it to.  The result is a new kind of war--yet another one, in a millennium that seems to specialize in them.  It's unobtrusive but constant and pervasive.  It makes little distinction between military and civilian, private and public, politics and business.  Its victims bleed personal data and intellectual property, and by the time they figure out they've been hit, it's already much too late.

   With infrared and RFD (radio frequency tags), public WiFi spots and unlocked cell phones, online contests and your local store's 5%-off credit card, streaming and now hacking, your information is out there.  What you might consider no big deal (as in, "who'd want my stuff"), might in the aggregate, prove a bigger loss than you might imagine...photos, addresses, account numbers, gone in an instant.  And you telling the Customs officer, really, it's me...one hates to add to the growing world of paranoia, but the cyber world is indeed a new "world."  And perhaps, at the very least, we should enter it with a bit of caution, a bit on guard, and a bit of skepticism.