© Jess Yu -
The news about the Home Depot customer-database hacking keeps getting worse: in addition to countless credit- and debit-card numbers, it looks like the hackers are managing to get people's personal identification numbers (PIN), too.

From an identity thief's perspective, this is a huge advantage, because a stolen credit-card number generally is only useful for buying merchandise, whereas a stolen debit card and PIN is sufficient to make actual cash withdrawals.

Meanwhile, from the perspective of an ordinary Home Depot customer whose data was compromised in the breach, this is fantastically bad news because you're at greatly increased risk of being personally liable for any money fraudulently withdrawn from your account — if your bank thinks “That withdrawal was made with your PIN, and you're the only person who knows it, so it must have been you who withdrew all that money.”

Security expert Brian Krebs, who first broke word of the hacking almost a week before Home Depot formally admitted it, reported yesterday that his sources at “multiple financial institutions” have noticed a steep increase in fraudulent withdrawals from customer accounts.

Changing PINs

For what it's worth, Home Depot says that no debit-card PINs were stolen in the data breach, and they're probably correct in saying this. The problem is that, while the thieves didn't get the actual PINs, they did get enough other customer data to call various banks and change them:

Countless banks in the United States let customers change their PINs with a simple telephone call, using an automated call-in system known as a Voice Response Unit (VRU). A large number of these VRU systems allow the caller to change their PIN provided they pass three out of five security checks. One is that the system checks to see if the call is coming from a phone number on file for that customer. It also requests the following four pieces of information:

- the 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card;
- the card’s expiration date;
- the customer’s date of birth;
- the last four digits of the customer’s Social Security number.

But apparently, at least some thieves had had success in changing PINs without calling from the customer's actual phone number. Krebs mentioned an unidentified bank in New England that lost more than $25,000 to PIN fraud at ATMs in Canada: “In this attack, the fraudsters were calling from disposable, prepaid Magic Jack telephone numbers, and they did not have the Cv2 for each card. But they were able to supply the other three data points.”

Another bank, this one on the West Coast, lost more than $300,000 in only two hours on Monday afternoon:

the bad guys called the customer service folks at the bank and provided the last four of each cardholder’s Social Security number, date of birth, and the expiration date on the card. And, as with the bank in New England, that was enough information for the bank to reset the customer’s PIN.

The fraud manager said the scammers in this case also told the customer service people they were traveling in Italy, which made two things possible: It raised the withdrawal limits on the debit cards and allowed thieves to withdraw $300,000 in cash from Italian ATMs in the span of less than 120 minutes.

The good news is that, obviously, such frauds would be easy to stop by simply requiring all five of the authentication points before allowing a PIN reset — as many banks have already hurriedly done in the past two days.

Of course, there is an inevitable downside: a legitimate customer who actually is visiting Italy (or some other country) may legitimately need to reset their PIN and be unable to do so, perhaps because they're not calling from their regular phone. With current limits on both technology and human nature, it probably isn't possible to create any security system that's 100% failproof, let alone a security system that never, ever keeps people “out” who should be allowed “in.”
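To make the 3-of-5 policy and its fix concrete, here is a small policy model added for this article; it is not code from the article, from Krebs, or from any bank's VRU. The five checks are the ones the passage above lists; the field names, the account record and the two callers are constructed. It evaluates a reset request under the weak threshold (3 of 5) and under the fix (all 5), and it also shows the downside just described: a genuine cardholder phoning from abroad fails the caller-ID check and is refused under the stricter rule.

```python
"""Policy model for the telephone (VRU) PIN-reset checks described in the article.

Added illustration, not code from the article or from any bank.  The five
checks are the ones the article lists; the field names, the account record
and the two callers are constructed sample data.
"""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

CHECKS = ("caller_id", "cvv", "expiry", "dob", "ssn_last4")


@dataclass(frozen=True)
class AccountOnFile:
    """What the bank holds for the cardholder (constructed sample values)."""
    phone: str
    cvv: str        # 3-digit code printed on the back of the card (CVV/CV2)
    expiry: str     # card expiration date, "MM/YY"
    dob: str        # customer's date of birth, "YYYY-MM-DD"
    ssn_last4: str  # last four digits of the Social Security number


@dataclass(frozen=True)
class ResetRequest:
    """What a caller presents; None means the caller could not supply it."""
    caller_id: Optional[str]
    cvv: Optional[str]
    expiry: Optional[str]
    dob: Optional[str]
    ssn_last4: Optional[str]


def _matches(presented: Optional[str], on_file: str) -> bool:
    # Constant-time comparison; a value the caller could not supply never matches.
    return presented is not None and compare_digest(presented, on_file)


def run_checks(account: AccountOnFile, request: ResetRequest) -> dict:
    """Evaluate all five checks and report each result by name."""
    return {
        "caller_id": _matches(request.caller_id, account.phone),
        "cvv": _matches(request.cvv, account.cvv),
        "expiry": _matches(request.expiry, account.expiry),
        "dob": _matches(request.dob, account.dob),
        "ssn_last4": _matches(request.ssn_last4, account.ssn_last4),
    }


def failed_checks(account: AccountOnFile, request: ResetRequest) -> list:
    """Names of the checks that did not pass, in CHECKS order (what an audit log should record)."""
    results = run_checks(account, request)
    return [name for name in CHECKS if not results[name]]


def allow_reset(account: AccountOnFile, request: ResetRequest, required: int) -> bool:
    """Decide a PIN reset.

    required=3 models the weak 3-of-5 policy the article describes;
    required=5 models the fix of demanding every check.
    """
    passed = len(CHECKS) - len(failed_checks(account, request))
    return passed >= required


# Constructed sample data; none of it is real cardholder information.
ACCOUNT = AccountOnFile(phone="555-0100", cvv="123", expiry="09/17",
                        dob="1980-01-15", ssn_last4="6789")

# A caller like those in the New England case: a prepaid number the bank has
# never seen, no CVV, but the other three data points.
FRAUD_CALL = ResetRequest(caller_id="555-0199", cvv=None, expiry="09/17",
                          dob="1980-01-15", ssn_last4="6789")

# The legitimate cardholder phoning from a hotel abroad with the card in hand:
# everything matches except the number they are calling from.
TRAVELER_CALL = ResetRequest(caller_id="+39-06-555-0123", cvv="123", expiry="09/17",
                             dob="1980-01-15", ssn_last4="6789")

if __name__ == "__main__":
    for label, call in (("fraud", FRAUD_CALL), ("traveler", TRAVELER_CALL)):
        print(label, "failed:", failed_checks(ACCOUNT, call),
              "3-of-5:", allow_reset(ACCOUNT, call, 3),
              "all-5:", allow_reset(ACCOUNT, call, 5))
```

Under the 3-of-5 threshold the fraudulent call is approved with only expiration date, date of birth and SSN digits; under the all-5 rule it is refused, but so is the traveler, which is exactly the trade-off the article points out. Recording which checks failed, rather than only a pass/fail result, is what lets a fraud team spot a burst of resets that all lack the caller-ID and CVV checks.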

Tokenization to the rescue?

More security changes are sure to be on the horizon, though. Credit card companies this week announced plans to adopt a process called “tokenization:” instead of every card-accepting merchant (such as Home Depot) being entrusted with the security of all their customers' credit-card data, the credit card company keeps all this information, and the merchant merely sees a “token” good only for confirming your identity with the credit card company.

But even tokenization is still a form of what's called “knowledge-based authentication” which, as the name says, is authentication requiring certain knowledge (such as your birth date, Social Security and other account numbers, and so forth).

The downside of knowledge-based authentication is obvious to anyone who's noticed the near-constant stream of recent “hackers break into database” news stories: even presumably confidential knowledge can be stolen, and the past few years have made it equally obvious that the world's financial institutions can't afford to continue relying on security systems that assume you are the only person on Earth who could possibly know your middle name, SSN and DOB.

But it doesn't look like they'll continue relying on this much longer. Krebs also spoke to security experts who said that banks are starting to move away from VRUs requiring knowledge-based authentication to VRUs with more “robust” security strategies: most likely biometric identifiers including “voice printing.”

Living fingers

On the other side of the Atlantic Ocean, Barclays Bank in the United Kingdom is taking biometric identifiers a step further: last week, Barclays announced a new anti-fraud initiative wherein clients can access their bank accounts by sticking their fingers into a special scanner that identifies — not even a person's fingerprints, but the pattern of the veins inside the fingertip. (The scanner is only supposed to work with fingers still attached to living human bodies.)

The Barclays finger-scanners are currently limited to corporate clients, not everyday account holders; certainly, such technology (at least for now) is far more expensive than the voice-printing and phone-testing which, according to Krebs' sources, might soon be standard security features on American payment cards.

Meanwhile, if you're an ordinary credit- or debit-card holder who's used it to buy something from any American or Canadian Home Depot store since last April, you might want to contact your bank and make doubly sure nobody can change your PIN except you.
