Fraud Tied to Home Depot Breach MountingRamp Up Called 'Greater Than Target'
(This story has been updated.)
See Also: The Global State of Online Digital Trust
Fraudulent transactions stemming from the massive Home Depot payment card breach have been occurring since early September, security experts say, forcing many financial institutions to reissue cards for affected customers.
One executive with a large card issuer on the West Coast, who asked not to be named, tells Information Security Media Group that fraud losses have been "significant" following the breach. "The ramp up of fraud in the first three weeks has been much greater than what we saw from Target Corp., Michaels and Neiman Marcus," the executive says. "The fraud we are currently seeing is occurring on cards specifically related to Home Depot, and not cross-contaminated by the other big breaches."
Fraudsters have used counterfeit cards, using information apparently stolen in the Home Depot breach, at a variety of merchant locations, including gas stations and ladies' apparel stores, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service.
"The amounts of the individual fraudulent purchases mimicked typical purchase amounts that a legitimate consumer might spend," he says. "Obviously, the criminals who purchased the card dumps on the Internet wanted to blend into the transactional landscape to evade detection for as long as possible."
What is making the breach scenario worse for consumers is the level of detailed information that was sold on online hacker forums, Buzzard says. "It has enabled criminals to have a more powerful set of parameters to work with, like first and last name, cities and states close to where the legitimate cardholder may live, ZIP codes - anything that can make social-engineering attacks more convincing is always a bad scenario for consumers."
Malware Heavily Customized
The Department of Homeland Security has issued a new warning to retailers, saying that the malware - now dubbed Mozart - used in the Home Depot breach appears to have been heavily customized for that retailer's environment, The Wall Street Journal reports.
Commenting on the Mozart malware, Home Depot spokesman Stephen Holmes tells Information Security Media Group: "The first place our outside security experts have seen it used was in our attack. There is no evidence that Mozart belongs to BlackPOS, Backoff, Framework POS or other commonly known card-stealing malware families."
Holmes says the malware was designed to hide in Home Depot's specific environment. "The malware uses a service name that blends in with other legitimate services running our systems. The file names it uses blend in with other file names unique to our environment."
Air Academy Federal Credit Union in Colorado Springs, Colo., has caught roughly $20,000 worth of attempted fraudulent transactions tied to cards that were exposed in the Home Depot breach, Brad Barnes, chief financial officer, told Information Security Media Group.
Of the 25,000 debit cards AAFCU has issued, just over 5,800 were part of the compromise. "That's almost 25 percent of our debit cards," Barnes says.
AAFCU is reissuing cards to impacted customers. At a cost of about $5 per card, the credit union will spend roughly $30,000, plus staff time, to reissue the cards, Barnes says.
"I would like to see some sort of national data security and merchant breach notification standards created," Barnes says. "Merchants don't seem to be held to the same security standards financial institutions are. We end up footing the bill for compromises of a similar nature at multiple merchants. It's incredibly frustrating and expensive."
First Choice Federal Credit Union in New Castle, Penn., has filed a class action lawsuit on behalf of credit unions, banks and other financial institutions to recover fraud losses stemming from the breach.
The suit, which was filed in the U.S. District Court for the Northern District of Georgia and includes more than 100 class members, is seeking more than $5 million in damages to cover costs, such as canceling and reissuing cards; closing and reopening accounts; and refunding or crediting any cardholder to cover the cost of any unauthorized transaction relating to the breach.
In its suit, First Choice says the Home Depot breach could result in $2 billion to $3 billion in fraudulent charges, citing research from BillGuard, a security firm.
Responding to the Breach
Card issuers have been proactive in managing the breach aftermath, Buzzard says. "Some issuers have opted to reissue a great deal of their exposed cards simply to err on the side of caution, even if they have not experienced an overwhelming degree of [fraud] loss."
So far, several large banks are being tight-lipped about the impact of the Home Depot breach.
"We wouldn't have anything to add specific to Home Depot, but I can tell you that we always proactively monitor customers' accounts for fraud," says Betty Riess, a spokesperson at Bank of America. "If we believe a customer's account is at risk for fraud, we will notify a customer and reissue the card."
In addition, Bank of America issued a statement online to customers regarding the breach.
"At this time, you do not need to call Bank of America to learn if you're impacted," the financial institution said. "You can continue using your Bank of America debit or credit card while knowing that we are always working to help protect your financial information."
JPMorgan Chase last week started notifying customers that the bank was reissuing cards due to the Home Depot breach, says spokesperson Edward Kozmor.
Likewise, TD Bank is reissuing cards for customers believed to have been impacted by the breach and is evaluating further action, says Judith Schmidt, a spokesperson.
Extent of the Fraud Losses
The potential size of fraud losses tied to the breach is tough to predict, says Doug Johnson, senior vice president of risk management policy for the American Bankers Association. "But what we do know is this is just a different event than what we saw with Target," a breach that impacted 40 million credit and debit card numbers (see: Target Breach: By The Numbers).
"Target was a fairly short window of opportunity for the criminals," Johnson says. "Then the banks shut it down pretty quickly because they reissued cards so swiftly. In this case, the breach went on for months so there's much greater potential for fraud to occur and unauthorized transactions to be successful against accounts."
Home Depot says payment card purchases from April to early September may be at risk, meaning the payment cards may have been vulnerable for a period of about five months. In the Target compromise, payment cards were exposed for only about three weeks (see: Infographic: How Large is Home Depot Breach?).
(Executive Editor Tracy Kitten contributed to this story.)