Home Depot data breach may have been used for debit fraud

Home Depot’s massive data breach is at least partly to blame for a spike in debit card fraud, according to cybersecurity expert Brian Krebs.

Home Depot said Monday that the thieves had not managed to obtain personal identification numbers – PINs – for debit cards, but it looks like that didn’t stop the cyberbandits: They may have used other stolen information to deceive the banks into letting them change those PINs.

And with new, valid PINs, thieves could take money from bank accounts.

“Multiple financial institutions contacted … are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts,” Krebs wrote on his blog, Krebs on Security.

He said that a West Coast bank “lost more than $300,000 in two hours today to PIN fraud on multiple debit cards that had all been used recently at Home Depot.”

The breach at Home Depot, which the company said dated back to April, was uncovered Sept. 2 and Krebs was the first to report it.

The thieves who hacked into the Home Depot systems used software similar to that which unlocked an estimated 40 million customer accounts at Target last year. Pilfered data flows directly into a huge global black market and can be sold on websites, like the one that started bulging with Home Depot customer information last week.

The data for sale lets buyers set up counterfeit cards that can be used to make purchases.

It seemed at first, from Home Depot’s announcement Monday, that debit card holders would have nothing to fear after its breach, since PINs were not stolen.

Unfortunately, some banks let a caller reset a PIN if the caller knows some basic information, like a birth date, Social Security number and the stolen card’s expiration date, Krebs wrote. This “suggests that most banks remain clueless or willfully blind to the sophistication of identity theft services offered in the cybercrime underground.”

It is easy and cheap for a thief to buy that information, he said. One cybercrime store “even advertises the sale of this information on more than 300 million Americans.”