Home Depot hack leading to ATM cash thefts; the case against debit cards
Visit KrebsonSecurity.com
Credit or debit? The answer is credit. Always, whenever possible. And by credit, I mean put away that piece of plastic you can use to get money at the ATM and pull out your credit card. We're about to find out why this is so important. Criminals are using debit card data stolen from Home Depot, printing up fake ATM cards, changing account-holders' PINs, and stealing piles of cash.
Brian Krebs, the security experts who first exposed the Home Depot data theft, has an important nugget in today's report. Many folks ignore the advice above and use debit cards to buy things at retail stores. That means whenever a big pile of credit card data is stolen, it includes a haul of debit cards.
But it's just the card number, right? There's no way to use the stolen data to withdraw cash from an ATM, right? Because the criminals don't have the PIN, right? WRONG.
Because consumers forget passwords, PINs, and other account secrets, large organizations like banks always need an alternative method for unlocking account access. On your computer, you know this as the "Forgot Your Password?" routine. It's a little annoying, but often surprisingly easy, to pick a new password. It often requires answering a few Facebook-friendly questions, such as, "What is your pet's name?"
Banks have a similar process for consumers who forget their PIN code. They call in, and as long as they provide data such as the last four digits of their Social Security number and a few other pieces of information, are given the opportunity to create a new PIN. Naturally, some of the required answers are in the stolen database, such as phone numbers. Others, like SSN digits, can be easly purchased online. Then, armed with imitation plastic and a new PIN code, they can steal your money from half-way around the world.
In short, when the answers are worth $400 per withdrawal, the criminals find a way to get them.
Krebs today reports that this isn't merely a theoretical possibility -- one that's been discussed for years. He's heard from bank fraud managers who say stolen Home Depot debit card data has already been turned into hundreds of thousands of dollars at ATMs.
Avivah Litan, a fraud expert at consultancy Gartner, told me in a quick, ominous note: "This is becoming common."
So, there you have it. Home Depot shoppers, check now to see if any money is missing from your checking account. Of course, consumers are entitled to refunds after such fraud, but I can't stress this enough: The hassle of losing money out of your account, and having to get it back from the bank, can dwarf the hassle of challenging a fraudulent credit card purchase. With debit card/ATM fraud, your money is gone. There's a delay in making you whole. That can lead to bounced checks and numerous other headaches.
Going forward, unless you must, put that debit card back in your wallet. Only use it to withdraw cash. When a clerk gives you the chance to run your debit card as a credit transaction, don't be fooled -- running a debit card through the credit network still means your debit account will be in their database, waiting for the next hacker to take.
And we all know there will be a next hacker. And a next. And a next.