Claimed Home Depot credit card hack could be biggest retail breach yet

One of the US's largest home improvement chains is investigating whether its systems have been cracked by hackers, as one security researcher has claimed. "I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," the company told El Reg in a …

  1. Anonymous Coward

    The U.S. should move to chip-and-PIN anyway...

    If nothing else, so that U.S. travelers can use their credit and bank accounts while overseas.

    As for point-of-sale, it's really becoming a nightmare. The store personnel who work with them directly don't understand them well and are not highly educated in IT and security, and it's the one piece of "store equipment" that retailers are happy to have customers/pretend customers fiddle with, because usually that means they are about to buy something. And the terminals are balky enough that you can walk in off the street and do unusual things to the terminal as long as you are making/pretending to make a purchase and passing off your actions as "Wait, your card swiper doesn't seem to be working. Here, let me try doing this. There, that's got it/Eh, I'll just pay cash/Never mind, I don't want the item anymore."

    1. kain preacher

      Re: The U.S. should move to chip-and-PIN anyway...

      Have you been to the USA? We do have readers that do chip and PIN. It's credit card companies that refuse to issue chip and PIN. It's mostly the small mom and pop stores that don't have chip and PIN readers.

      1. elDog

        Re: The U.S. should move to chip-and-PIN anyway...

        This is such a big load of "duh" that I refuse to comment upon it.

      2. Anonymous Coward

        Re: The U.S. should move to chip-and-PIN anyway...

        @Kain Preacher,

        I am an American, and I live in the USA. And yes, credit card companies make more money if they don't use chip-and-PIN, which is why the rollout has been slight in the U.S.

        As far as overseas trips, I know a couple friends and myself have had some problems not having chip-and-PIN cards in the U.S., and one of my friends ran into problems paying for stuff in Canada.

        1. Anonymous Coward

          Re: The U.S. should move to chip-and-PIN anyway...

          My last post should have read "not having chip-and-PIN cards in EUROPE"

          (Problem is between chair and keyboard!)

      3. Sven Coenye

        Re: The U.S. should move to chip-and-PIN anyway...

        It is fun to try too. I once used a European C&P card in a US store that did not realize they had a C&P capable reader. So: swipe card, reader complains: try the other slot. Total pandemonium ensued. No matter what, they were not going to use C&P and ended up rolling out the paper clack-clack machine to complete the transaction :-/

        1. Alain

          Re: The U.S. should move to chip-and-PIN anyway...

          Yes, chip-and-PIN cards can cause a lot of confusion, even in unexpected places.

          I had to teach Budget staff at Suvarnabhumi airport, Bangkok, Thailand a couple of months ago how the thing worked. They were extremely confused and about to tell me "sorry sir, transaction rejected" when their machine asked for a PIN code. Fortunately, Thai people usually are friendly and open, so they happily accepted my telling them how European cards work :-)

          And yes, that was unexpected at the counter of a multinational car rental company in a major S-E Asia airport! But hey, this is Thailand :-)

    2. Neil McAllister

      Re: The U.S. should move to chip-and-PIN anyway...

      I've never had a problem using a US-issued credit or debit card overseas. Except in Japan, where with the exception of 7-Eleven pretty much no ATMs accept debit cards that weren't issued in Japan, and that goes for European chip-and-PIN cards, too.

      One of my credit card companies just issued me a new card with a chip in it. That's the first time I've seen one from a US bank. The trouble is, it's "chip-and-signature." As in, the retailer can authenticate the chip somehow, but it needs no PIN to validate the transaction -- a signature will do. Based on what I've seen, proper chip-and-PIN in the US is still a long way off.

      1. Tom 35

        Re: The U.S. should move to chip-and-PIN anyway...

        "The trouble is, it's "chip-and-signature." As in, the retailer can authenticate the chip somehow, but it needs no PIN to validate the transaction"

        It has some use. If you try to swipe it on a terminal that supports chip it will tell you to insert the chip. So if anyone skims the mag strip they will only be able to use it on a terminal without chip support.

    3. Triggerfish

      Re: The U.S. should move to chip-and-PIN anyway...

      I have been given the impression that there are some more fundamental security problems than that at the meat end. Someone who has just emigrated over there has told me he has been asked in many stores and restaurants if he is actually a legal immigrant.

      However they have been quite happily accepting his wife's card without checking, at one place even going so far as to call an ex 6'3'' rugby player Mrs XXXX during the transaction.

      1. Anonymous Coward

        Re: The U.S. should move to chip-and-PIN anyway...

        Been across here seven years and still have my perfect BBC accent. Never been asked, by anyone, about my residency and, since 2012, my citizenship status. Nobody in retail gives a shit and not one of them is entitled to ask (it's actually illegal to ask in many states - even cops!). Everyone who is legal has, I guarantee it, a state driver's license and, if like mine, my credit cards say "See ID" then that license is proffered as ID when asked. Of course, one issue is that they only actually care enough to ask about one time in 10 at places I'm not known.

  4. ecofeco

      Re: The U.S. should move to chip-and-PIN anyway...

      They will one day. That day will be when they also have high speed trains.

      In other words, not in our lifetimes.

      Meanwhile the pwnage of the arrogant will continue.

  2. Anonymous Coward

    oh great...

    My girlfriend got a new card after the Target breach...I guess she's going to get another one.

    Me, I just have to go to the bank every two weeks to withdraw cash...

  3. tempemeaty

    What's the retail value of an eternal life...that second chance?

    Some don't like the subject but many Americans believe the RFID or any other "Chip-in-card" solution is too close to that "Mark Of The Beast" issue. The question here is if the new sudden increase in point of sale data breaches is enough to sell the new "Chip-in-card" as the solution.

    1. Gene Cash

      Re: What's the retail value of an eternal life...that second chance?

      Well it's not the mark-of-the-beast, it's just we've seen the shit you guys have taken over the banks saying "oh chip&pin is completely invulnerable, it can repel bullets with its eyeballs, you must have told people your pin, therefore it's your fault and we're not refunding anything"

      1. Anonymous Coward

        Re: What's the retail value of an eternal life...that second chance?

        They tried that early on, but after ample revelations of the existence of doctored C&P terminals have now been slapped down by the regulator

        1. Tom 13

          Re: have now been slapped down by the regulator

          Yes, but we would still prefer to avoid that 3 to 5 year period before it gets slapped down on this side of the pond. Besides which, since the banks have been slapped down on your side of the pond, are they really that much more secure than swipe and sign? It strikes me that if you can't trust the POS terminal, the rest of the chain really doesn't matter. And essentially, the POS terminal has been the movie star in all these big data harvest stories.

  4. Anonymous Coward

    Press coverage.

    Let's see if we get 3+ months of coverage on this story, as this is bigger than the PSN hack in every way imaginable (more consumers, 70m in this case) and actual credit card details.

    I think we know that it's going to be a different story this time, as Microsoft aren't behind the scenes manipulating things....

  5. This post has been deleted by its author

    1. Anonymous Coward

      Re: Horse is already through the gate.

      Yeah, similar sentiments here. I could only LOL @ "Protecting our customers' information is something we take extremely seriously" because all that really means is "Protecting our customers' information is something we take extremely seriously IF AND ONLY WHEN we are uncovered to be a bunch of incompetent fools".

      I do also find that enforcing slightly more complex usernames does help a lot... especially since our implementation prohibits users from changing their usernames. So even if they have hopeless passwords chances are their username won't appear in a dictionary. It does help deter simpler bruteforce attempts on common account names.

      The reality is though that it's actually not very complex to maintain a very decent level of security which would thwart the vast majority of random probes and script kiddies... if you run solo and are thus in full control of your kit. With larger organizations and larger IT teams it really does become a lot more difficult and a lot costlier to maintain an airtight network since weakest link etc etc etc.

  6. channel extended

    Back to DOS.

    Since I doubt anyone is doing photo editing on a POS terminal let's all go back to a DOS or Linux terminal. That will make it easy to protect and program for.

    BASH/BATCH scripts for everyone

  7. frank ly

    Translation

    "we are aggressively gathering facts at this point while working to protect customers."

    That's " ... frantically gathering facts while working to cover our backsides."

    1. Fungus Bob

      Re: Translation

      "... frantically working to cover our backsides."

      There, FTFY

  8. Anonymous Coward

    Chip and Dip

    I pay cash

  9. Anonymous Coward

    "I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,"

    They forgot to mention that the PR dept is cranking up the Reality Distortion Generator to "She'll nae take any more cap'n", just in case.

  10. NP-Hardass

    I hope this leads to change...

    Disallow all third-party storage of credit card details. They clearly aren't doing a very good job with it.

  11. Version 1.0

    "and they run old or outdated operating systems"

    That would be Windows Embedded for Point of Service - i.e. XP?

    1. Anonymous Coward

      Re: "and they run old or outdated operating systems"

      "That would be Windows Embedded for Point of Service - i.e. XP?"

      Probably. But ignoring the OS, what about the EPOS system? A few large European retailers use EPOS systems written entirely in Java which is bad enough. When you then learn that the individuals who designed and coded it have only recently been released from Her Majesty's hospitality for fraud then you might conclude that the retailers have not bought wisely.

      Then again, with the slightly whiffy nature of many EPOS suppliers, often involving accounting standards that are a flexible friend, and sales/purchasing practices amongst both software vendors and the retailers that would make an Afghan drug dealer blush, things can only get worse.

  12. The Grump

    Oh boy...

    This issue is so ripe for a BOFH story.

    The boss walks into mission control, and asks how we can harden up our POS terminals against hacker attacks...

  13. Panjok2

    At what point do we realize that right now...cash is our best friend?
