The Home Depot confirms payment systems breach (homedepot.com)
95 points by manachar on Sept 8, 2014 | 108 comments



(1) Don't use debit cards. You're much better protected as a consumer when you use a credit card. http://www.bbb.org/blog/2013/11/do-debit-cards-and-credit-ca...

(2) Use BillGuard https://www.billguard.com/

(3) Review your transactions every week or so via a personal finance tool (I use https://www.mint.com/)

I don't particularly care if my payment credentials are compromised as it's highly unlikely a fraudulent charge would go unnoticed by me just using the advice above. It's quick, easy to set up, and stuff you really ought to be tracking anyway.


Or use cash and forget about all this other stuff ;)


Oh the irony of how using cash is safer these days. You expose yourself to an internet full of thieves using plastic, but with cash it's only to the handful of people you actually cross paths with.


Only if you get the cash via bank teller though. Skimmers make using ATMs risky as well.


It's safer than Bitcoin, but still many times less safe than any sane credit card with a no fraud liability policy.


Unless your job pays you in cold hard cash, you have to go to the ATM. And you expose yourself to getting mugged, or have the debit card skimmed. You could physically walk into the bank and get whatever-you-spend-per-month-in-stores in cash. So that might be an approach. But now you have to carry a fat wallet with you and manage lots of pocket change. Also not purchase much online.


Except I really like the free trips I get every year from accumulating travel reward points. Not to mention in my experience (personal and through acquaintances) Visa refunds fraudulent transactions immediately and with little to no hassle.


Depends on where you shop, but some places will give you cash discounts of 3-5%, which is more than most CC rewards pay. Admittedly it's not as widespread.


Most merchant agreements forbid this, IIRC. Credit card companies have a vested interest in the goods being the same price whether cash or credit.


It was more complicated, I believe. The marked and advertised price had to be what credit card users would pay, but they could have a cash discount at the register or checkout.

Starting in early 2013, as a result of a settlement of a class action by merchants, they no longer have to charge credit card users the advertised and marked price. They can advertise and mark the cash price, and charge a credit card surcharge of up to 4% or the processing fees for that transaction (whichever is smaller).

Some states have laws that limit surcharging. There is a list in this Visa article about the post settlement rules: http://usa.visa.com/personal/get-help/checkout-fees.jsp


They used to - it used to be enough for a merchant to lose 'rights' to process credit cards - but the federal regulations of a couple years ago put a stop to it.


Some states previously used to also restrict the ability of merchant agreements to do that, though usually only in specific industries. E.g. in Texas, liquor stores (but nobody else) have been able to offer cash discounts for ages. Now anyone can.


Not saying that's untrue, but when you think of it, it's pretty amazing that card companies can legally do this. Testament to the efficacy of K Street I suppose.


From what I remember, you can charge a single flat fee for using a credit card, but no percentages. At the time, I thought that 'sliding scale' flat fees (e.g. < $100 is $0.15, > $100 is $1.50) were too close to percentages per the agreement.


Or understand that your card most likely has a zero fraud liability policy, meaning that if it gets stolen, the fraudulent charges simply go away.

If you use cash and it gets stolen, your money is just gone.


But don't forget about it in your pocket and then do the laundry ...

Losing or having a credit card compromised is pretty low on my list of real hassles.


Agreed on debit cards. Another way to vet charges is to use something that notifies your phone whenever you make a purchase. Simple bank does this, maybe others too.


Bump for Simple. Anytime an auth occurs, I get a push notification on my phone. It's so simple from a UX standpoint, not sure why other financial services firms (Discover, Amex, etc) don't push something like it out.


I can confirm that Amex has this. If you login on the website, you can also get emails / text for each transaction, set thresholds, etc. I've been using this feature for a while now. They also send you weekly statements on your transactions and how much your account has changed from the previous week, etc.


The Amex app on iPhone sends push notifications for changes.


Chase also supports this via SMS, email, or push notification.


Thanks! I was unaware of this feature!


As others pointed out, AMEX has supported this for a while - I get texted almost instantly with any transactions on my card. I believe their mobile app also supports notifications, but I prefer SMS for this.

I only wish my bank (Wells Fargo) supported SMS alerts for transactions - if there's one thing I don't mind getting frequent notifications about, it would be this.


Billguard asks for my online bank username and password, it's a deal breaker for me. Do you really trust them? https://medium.com/@hyphenated/mint-com-and-billguard-are-ly...


Billguard uses Yodlee as a backend, so at the very least I do trust that Billguard only has read-only access. I'm less certain how Yodlee functions -- whether they just scrape data and have full access, or whether they get some sort of read-only token from the financial institution.


I am not familiar with Yodlee, but I recently discovered that many banks support OFX [1], which is a format for exchanging financial information.

GnuCash has a list of OFX credentials for major banks. [2] In fact, there are tons of OFX open source libraries out there - I had luck with this one recently in Python. [3]

[1] http://en.wikipedia.org/wiki/Open_Financial_Exchange

[2] http://wiki.gnucash.org/wiki/OFX_Direct_Connect_Bank_Setting...

[3] https://github.com/captin411/ofxclient


Thanks for the references. After some research, I decided to go with YNAB http://www.youneedabudget.com/ it has desktop and mobile apps and uses your Dropbox for syncing data.


BillGuard indeed has only access to data in a read-only fashion. Yodlee does have a mix of web scrapers as well as data feeds for certain financial institutions. They power different features for banks such as bill payment and others, but companies like BillGuard don't have access to these APIs.

On its end, Yodlee is heavily regulated. Like a bank and sometimes even more: http://www.yodlee.com/yodlee-security/


Stealing the key should be impossible, it should be on an HSM (which performs the cryptographic operations for you instead of giving you a key)

That's only one part of the article though.


And for those that can't get credit cards...? I mean, I agree with you that that's definitely the safest way, but let's not forget that there is a significant portion of the population that have bad or no credit and are stuck with debit cards at best. What of them?


While I don't know as much about it as perhaps I should, the reloadable-prepaid market is very large. American Express offers a popular card in this model.


I wonder if they have the same fraud protections as a proper credit card. I doubt it, but I'd gladly be proven wrong!


Love the EMV plug, as if it'd actually have helped. EMV transmits the card information in the clear, it only makes physical copying of the cards harder (Which really doesn't matter since credit cards can be used online).

The only thing EMV would achieve is making this data slightly less valuable, but still worth it for the attacker. Replacing the EMV cards would also be more expensive by an order of magnitude.

tl;dr: if you use your EMV card on a compromised POS, you'll be as fucked as you'd be with a magstripe card. Your bank will be ten times as fucked.


I think you are forgetting that EMV cards introduce the concept of digitally signing a transaction. That signature is then checked by the payment card processor and if it matches then the charge goes through. The signatures are performed by the chip on the card using a non-exportable certificate. This provides the "proof of presence" for the card and makes duplicating the EMV portion virtually impossible. This doesn't stop the other portions of the card from being stolen, but if merchants force EMV only transactions, stolen credentials cannot be used. It's a step in the right direction.


It's a step in the right direction, but the current implementations of EMV cards wouldn't have been of any help here.


EMV terminal certification must meet certain PCI standards for one thing. Not sure it would apply in this scenario, it does mention Canadian cards affected, but I'm not sure if that's because it was on American machines.

Secondly, if EMV was adopted in the USA, the stolen information would become useless because they wouldn't be able to use the data to produce fraudulent cards.


> Which really doesn't matter since credit cards can be used online

Don't you need the printed CVV for that? Which isn't stored on either the magstripe or the chip.

edit: 3DSecure would also help if banks cared to push it harder (for instance my bank now disallows all online debit card charges that don't use 3DSecure)


No, you really don't need the printed CVV for that. And several cards have actually had the CVV on the chip.

Also, in many cases the chips actually contain enough information to replicate the magnetic stripe. (Which is well, bad.)


EMV tag 57 [1] generally contains the "Track 2 Equivalent Data", and 5A the account number (PAN) [2]

[1] http://www.emvlab.org/emvtags/show/t57/ [2] http://www.emvlab.org/emvtags/show/t5a/


That's not the same CVV.

Edit: Even having the track 2 data won't do you any good in reproducing an EMV card. The only way reproducing the mag stripe of an EMV card is useful is if it is used at a non-EMV terminal and mag stripe is the only option.

I believe Europe has completely banished mag stripe now.


CVV2/CVC2 (visa/mastercard) generation on the back of the card is COMPLETELY different than the CVV on the chip.

http://en.wikipedia.org/wiki/Card_security_code Skip down to Types of Codes


Yes, you need the CVV printed on the back of the credit card to make an online purchase.

And the CVV on the back, is different than the CVV stored on the magstripe/chip.


EMV isn't about securing information, it's about customer/card validation - validating that the person using the card is who they say they are. Therefore you are secure from fraud - as you said, cards are hard to reproduce.

You still need the CVV code to use the card number in a card not present transaction. So not to your point, it is rather secure...

EMV would have helped immensely here, especially considering EMV compliant machines are held to PCI standards as well.


I wonder if this will be less of an issue here in Canada with our euro-style chip & PIN setup. In theory the attackers wouldn't have long-lived access to any of the payment information. I suppose we'll see.

The attackers probably have my name/email address/mailing information, which kind of sucks.


Chip&PIN is a red herring here, your data is just as compromised as it'd be with a magstripe card. EMV does not protect your card information.


It doesn't protect the information but it does protect a user from the re-use of the information because the physical card is needed to perform an EMV transaction.

Banks are switching to the EMV system because they can place the liability on the merchant if a fraudulent transaction is performed through them when they could have required an EMV transaction (thereby preventing the fraud).


Except that information can be used online...


Except they don't have the CVV, so, no...no it can't.


It is not clear to me why they would have your name, email address, and mailing information? For example, I recently purchased some items from home depot and used my debit card + pin, other than rolling the pin, what else should we be doing?

Do you have a home depot CC?


A lot of people make online purchases and pick up in store. When you make a return, you have to supply them a drivers license and that goes into the system as well. I'm wondering how much of this information was compromised. They use a third party company called Retail Equation for tracking returns. This company basically makes a profile / tracks your return patterns.


I don't have a Home Depot CC, but I've used their e-receipts in the last couple of months and I'm reasonably sure that I've ordered online from them in the past.

I certainly hope they didn't compromise the PIN pads in the stores. That could be a Very Bad Thing.


From what I've read so far, this was another case of memory scraping malware[1], most likely running on each POS. The pinpads typically have tamper protection, though I wouldn't completely discount the possibility that we'll see malware at the pinpad level at some point in the future.

[1] http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-ma...


Home Depot likes to collect email addresses for sending receipts (and spam). Along with that, older style mag stripes will give out the name. Not sure about mailing info or how they'd get that.

The thing to do is to actually get stores to stop storing CC info at all. They should be able to process the payment and then forget the info entirely, so it never has to be stored and can't be stolen. EMV is actually a move to force this as they'll no longer be able to get the number, just verify a transaction in theory.


I've made a lot of Home Depot purchases in the last month (yay, new credit cards for me!), and I don't recall ever being asked for an email address either by a cashier or the self-check kiosk. Maybe it's just my local stores don't do it, though.


Just for another point of data, all of my purchases during the timeframe in question were on the Self-Checkout units, and I was given the option for eReceipt, which I took advantage of. What I noticed was that upon returning with the same card, my email address was remembered, which tells me that they must store some information to cross reference (hopefully just name + last 4 or similar). Typing this reminds me that I actually did use both of my cards at Home Depot, because I now remember being prompted again when I had used another card. Guess that means two new cards for me...


> The Home Depot is offering free identity protection services, including credit monitoring, to any customer who used a payment card at a Home Depot store in 2014, from April on.

This is absolutely not acceptable, and I deplore how this has become the status quo. I reject these services and want nothing less than a full lawsuit.


I wonder if I can add this year of identity protection services on to the year I got from the Target breach not too long ago. At the rate these companies are losing my credit card number I'll have free identity theft protection services for life!


A lawsuit which you would lose. Especially considering you most likely suffered no damages.


No damages?

- Go through your entire credit history over a six month period looking for illegitimate charges. (Many people, such as myself, use a single credit card for most of their payments -- that's thousands of transactions.)

- Wait a week for a new credit card to arrive in the mail, and hope none of your automatic payments try to charge the old card while you wait for the new one.

- Update all of your automatic payments. Doing it once would be one thing, but every time one of these breaches happens?

None of these are the end of the world, but they're certainly not "no damages".


You'd have a really hard time arguing those as damages in court. And then you'd have an even harder time arguing that it was in fact Home Depot that was responsible.


I'm pretty sure the card processors would be on my side of the lawsuit, along with a few million other Home Depot customers.

I don't care about damages to me. I want the problem fixed. This laissez-faire attitude towards online commerce security needs to end. Standards like PCI and PA-DSS are not enough. Corporations need to be liable for leaking everyone's information. A year of free credit monitoring is a slap in the face.


Card processors might have a case, but the customers really mostly wouldn't.

The PAN that belongs to your credit card company that was assigned to you by your credit card company was compromised and someone tried to defraud your credit card company using it. Yet it's you complaining, why?


I've been screwed by identity theft before.


Sure, but the only real solution would be not accepting cards. Does that sound like a good solution to you?


Not sure you are being productive.


Not sure about that either, but trying to blame Home Depot for fundamental flaws of the system isn't productive either. You should blame the card design for allowing this, not the people that accept cards.


While the card design could be better, those that accept them have a responsibility. The bigger you are and the more cavalier with card data, the more likely you will get targeted. I have yet to see one of these data breaches where the victim (if we call it that) company was doing a very good OpSec job.

You both have a point, but lean towards more punishment. This isn't something that should just be 'charged' away.


This isn't how the legal system works. You can't proceed with a lawsuit without some kind of defined damages. Unless you can point to something bad that has happened to you, how can Home Depot argue in their defense? How can a jury judge their defense? How can a fair penalty be agreed upon?

Possibly having your data leaked isn't enough of a harm for the courts to hear the lawsuit. If you can force a company to respond to a lawsuit based on the potential that they lost your data, what stops larger companies from suing smaller competitors constantly forcing them to prove they haven't leaked any data? They always could have leaked data.


Typically the financial institute is responsible for any fraudulent charges on their customers' credit cards. The cardholders of the affected cards would probably have a hard time justifying that they were negatively affected by the breach.


It seems to me like the breach may still be ongoing/the vulnerability may still exist. In the announcement, they use "have been" as in it's actively occurring. Additionally, in the press release (http://ir.homedepot.com/phoenix.zhtml?c=63646&p=irol-newsArt...), they don't indicate that the breach has stopped; they only say they have taken aggressive action.

It seems unlikely that the attack would continue since the attackers have lost their cover, but the wording is a bit strange.


I also found it strange how they worded things around the identity protection, "from April on", rather than something like, "From April XX, 2014 until September XX, 2014". Perhaps they just simplified the wording to make it clear that they're providing protection, and I'm reading too far into things :)


Encouraging that they are using this as a motivator to "roll out EMV "Chip and PIN" to all U.S. stores by the end of this year" ahead of the prescribed deadline.

edit: "Chip and PIN" is taken directly from the SEC filing that is linked.

The described deadline of October 2015 for the liability shift comes from banks[1] and not a US law or similar.

[1] http://en.wikipedia.org/wiki/EMV#United_States


Would it actually have helped, though? I was under the impression that the Chip and PIN POS terminals don't do anything differently as far as the part between themselves and the authorizer goes - if somebody hacks one, they can still get everything they need to charge against the card. If so, it's more of an issue of firewalling properly at the individual store and corporate level.


Your impression is incorrect. Current EMV cards do something called DDA, so charging the card (as a card-present transaction) requires the card to be physically present or you to have cloned the application off the card (which the card is designed to prevent you from doing.)

You can still get the magstripe data if you compromise the terminal, but the network will (eventually) reject magstripe transactions made by a chip-capable card in a chip-capable reader. You can get the transaction certificate for one transaction, but that TC is protected from replay attacks.


Yup you are correct. The chip acts as a proof of presence and a second factor of authentication. It is technically possible to export the cert off of the chip but it would cost several hundred thousand dollars and a lab with a Focused Ion Beam :)


You're supposed to say CDA now - combined data authentication.


I got into an argument about that with the guy at the Home Depot paint counter today. I blamed the hack on Home Depot probably running XP on their POS machines and he blamed the banks not doing something that they do in Europe, I'm assuming it's this EMV chip because it sounded like he was repeating something he was told.


Why on earth would you argue this issue with the guy at the paint counter? He clearly has nothing to do with either the cause or any remedy they might decide to offer.


All the computers for the paint mixing machines in every Home Depot were screwed up today, which brought up the topic of the hack and he got excited when I suggested it was probably outdated software on the point of sales machines that was to blame.

The interesting part to me was it sounded like the managers explained to them that it was all the bank's fault. Not that Home Depot was too cheap and lazy to update their software. And ya got to talk about something while the paint's shakin


Do you have reason to believe that Windows 7 instead of Windows XP would have prevented this attack? It sounds like weak credentials and overall lax security are more to blame.

edit: Also, keep in mind that some retailers are running POSReady 2009 / POSReady 7, which may look just like Windows XP at first glance.


No kidding. Until now, I'd have been hard-pressed to imagine any sentence that started with "I got into an argument with the guy at the Home Depot paint counter", but didn't end with "because my paint color didn't match".


Is there actually a timetable for "chip and pin" in the US? I'm only aware of banks issuing chip + signature style EMV cards.


PCI deadline for US retailers to implement chip + pin is October 2015. Mentioned in the Home Depot link above


When will banks actually start issuing chip + pin cards in the US? It doesn't help US consumers much if the retailers accept them, but the banks don't issue them. I have credit cards with four banks (probably the biggest 4 in the US, but I don't know exactly how they stack up). One is chip+signature, and the rest don't have chips at all. Including a brand new one I got from a huge bank less than a month ago.


After the EMV liability shift date (October 2015), the fraud liability for a card-present, non-EMV transaction falls on the party which was noncompliant, the issuer or the merchant. Hopefully this will be a significant driver of EMV adoption by both issuers and merchants.


Both cards that I recently received have a chip. One of them is a debit card so it already has a pin, and presumably at some point I'll at least have the option to get a pin for my credit card.


My understanding (and it's entirely possible I'm mistaken) is that chip+pin and chip+signature cards are not interchangeable. In other words, I don't think you can just take a chip+signature card and "get a pin" for it. And the one card I've received with a chip (from Bank of America) is definitely chip+signature.

I'd love to be told I'm wrong, and that this can be made into a chip+pin card without physically swapping the card.


I had no idea that it wasn't possible to get a pin, but now having done some research it looks like I was wrong. I wonder if it has something to do with them using the existing pin infrastructure for ATM cash advances.


Do you have a source for this? I distinctly remember my Canadian credit card starting off as chip and signature and sometime later start asking me for my PIN.



After a quick skim that article doesn't say they can't be remotely upgraded to ask for a PIN which is what happened to me.


I think I saw an option on the Bank of America website to get chip & pin, though they were advertising it as for use internationally.


It's not clear if the US is going to be Chip+PIN or Chip+Signature. This is going to add some confusion come next year.


I had an AMEX Blue Business card with an RF chip in it, transaction receipts had a completely different last 4 digits using RF vs magnetic. I called to see if I could get a chip+pin and they said yes except it's chip+signature. So at least U.S. AMEX is chip+signature. However, the card's chip "pin out" area is shaped smaller and differently arranged than the one on my bank issued card. So we apparently have two different "chip" standards and I don't know which one is actually going to get used.


Most US banks are going for chip and signature.

I've received two new cards in the last month with a chip in them - both were chip and signature.


When I enquired with my bank about my EMV card, they informed me that it preferred Chip+Signature, but that it also supported online (aka "realtime") Chip+PIN authorization. It is not configured to support offline Chip+PIN like many European cards.


PIN verification is performed against the chip first, not online. Although Chip+Signature is possible, it really doesn't make sense.

Edit: Chip cards provide a Cardholder Verification Method List (CVML) to the terminal. The terminal then decides what method it'd like to use. Options are PIN online, PIN offline plain text, PIN offline enciphered, Signature, or No Authentication.
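The CVM List processing sketched in the comment above, as an added example that is not from any comment in this thread: decode a tag 8E CVM List (amounts X and Y followed by two-byte rules) and run the terminal's rule selection as EMV Book 3, section 10.5 describes it. The three lists and the two terminal capability sets are constructed for illustration, not copied from any real issuer's personalisation, and the amounts are in minor units of the application currency.

```python
"""Decode an EMV CVM List (tag 8E) and apply the terminal-side selection
rules from EMV Book 3, section 10.5. The lists and terminal capabilities
below are constructed examples, not real issuer personalisation."""

# Lower six bits of the CVM code byte (Book 3, Table 39).
CVM_METHODS = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified offline by the chip",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext offline PIN and paper signature",
    0x04: "enciphered PIN verified offline by the chip",
    0x05: "enciphered offline PIN and paper signature",
    0x1E: "paper signature",
    0x1F: "no CVM required",
}
FALLBACK_BIT = 0x40   # set: apply the next rule if this one is unsupported or fails

# Condition code byte (Book 3, Table 40); X and Y are the two 4-byte
# amounts at the start of the list, in the application currency.
COND_ALWAYS, COND_UNATTENDED_CASH, COND_NOT_CASH, COND_IF_SUPPORTED = 0, 1, 2, 3
COND_MANUAL_CASH, COND_CASHBACK = 4, 5
COND_UNDER_X, COND_OVER_X, COND_UNDER_Y, COND_OVER_Y = 6, 7, 8, 9


def parse_cvm_list(data: bytes) -> dict:
    """Split tag 8E into amounts X, Y and an ordered list of CV rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("CVM List is 8 amount bytes plus 2-byte rules")
    rules = [{"method": data[i] & 0x3F,
              "fallback": bool(data[i] & FALLBACK_BIT),
              "condition": data[i + 1]}
             for i in range(8, len(data), 2)]
    return {"x": int.from_bytes(data[0:4], "big"),
            "y": int.from_bytes(data[4:8], "big"),
            "rules": rules}


def condition_met(cond: int, amount: int, x: int, y: int, txn: dict) -> bool:
    """Evaluate one rule's condition against the transaction context."""
    cash = txn.get("unattended_cash") or txn.get("manual_cash")
    in_app_currency = txn.get("app_currency", True)
    return {
        COND_ALWAYS: True,
        COND_UNATTENDED_CASH: bool(txn.get("unattended_cash")),
        COND_NOT_CASH: not (cash or txn.get("cashback")),
        COND_IF_SUPPORTED: True,          # terminal support is checked by the caller
        COND_MANUAL_CASH: bool(txn.get("manual_cash")),
        COND_CASHBACK: bool(txn.get("cashback")),
        COND_UNDER_X: in_app_currency and amount < x,
        COND_OVER_X: in_app_currency and amount > x,
        COND_UNDER_Y: in_app_currency and amount < y,
        COND_OVER_Y: in_app_currency and amount > y,
    }.get(cond, False)                    # RFU/proprietary codes: treat as not met


def select_cvm(cvm_list: dict, terminal_supports: set, amount: int, txn: dict = None):
    """Walk the rules in the card's order and return the method code the
    terminal would perform, or None when cardholder verification fails
    (the terminal then sets the TVR 'cardholder verification was not
    successful' bit and the issuer decides what to do with that)."""
    txn = txn or {}
    for rule in cvm_list["rules"]:
        if not condition_met(rule["condition"], amount, cvm_list["x"], cvm_list["y"], txn):
            continue
        if rule["condition"] == COND_IF_SUPPORTED and rule["method"] not in terminal_supports:
            continue                      # the condition itself is not satisfied
        if rule["method"] in terminal_supports:
            return rule["method"]
        if not rule["fallback"]:
            return None
    return None


# Constructed terminal capability sets.
PIN_PAD_TERMINAL = {0x01, 0x02, 0x04, 0x1E, 0x1F}
SIGNATURE_ONLY_TERMINAL = {0x1E, 0x1F}

# Constructed CVM Lists.
# Online PIN if supported, else signature if supported, else no CVM.
CHIP_AND_PIN = bytes.fromhex("0000000000000000" "4203" "5E03" "1F03")
# No CVM under X = 5000 minor units; otherwise online PIN, falling back to signature.
LOW_VALUE_LIST = bytes.fromhex("00001388" "00000000" "1F06" "4200" "1E00")
# Online PIN always, no fallback bit: fails on a terminal without a PIN pad.
STRICT_PIN = bytes.fromhex("0000000000000000" "0200")

if __name__ == "__main__":
    for name, raw in [("chip+PIN", CHIP_AND_PIN), ("low value", LOW_VALUE_LIST), ("strict PIN", STRICT_PIN)]:
        lst = parse_cvm_list(raw)
        for term_name, caps in [("PIN pad", PIN_PAD_TERMINAL), ("signature only", SIGNATURE_ONLY_TERMINAL)]:
            for amount in (4217, 9000):
                m = select_cvm(lst, caps, amount)
                print(f"{name:10} {term_name:15} {amount:5}: {CVM_METHODS.get(m, 'CVM FAILED')}")
```

The point the walk-through makes is that "chip and PIN" versus "chip and signature" is decided by the rules the issuer personalised onto the card and by what the terminal declares it supports, not by the merchant's hardware alone: the same card asks for a PIN at a PIN-pad terminal and settles for a signature at one without, and a card whose PIN rule carries no fallback bit simply fails verification on a signature-only terminal.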


Many don't read the article and just start commenting.


In all fairness, SEC filings are a rather incomprehensible format to read, even one this short.


"Responding to the increasing threat of cyber-attacks on the retail industry, The Home Depot previously confirmed it will roll out EMV "Chip and PIN" to all U.S. stores by the end of this year, well in advance of the October 2015 deadline established by the payments industry."

Don't excuse laziness.


Yes, they may say that. However, Home Depot is not the one that is determining what technology the issuers use. Most issuers are using Chip&Signature. Home Depot may support Chip and Pin, but if your bank doesn't use Chip&Pin, the fact that Home Depot supports it is worthless to you.


I'm pretty sure the merchant equipment is going to support either chip&signature or chip&pin, seeing as we already have signatures for credit card, and PINs for debit card transactions. The difference will be up to the card issuers. And I for one hate digital "esignatures" talk about all kinds of fraud waiting to happen with that bullcrap. I want to use either PIN or ink on paper signature. Make me use a screen to sign my name, and I'm signing it mickey mouse.


While I don't condone blind commenting like you described, I have encountered threads with titles such that they conveyed the entire article accurately enough to comment on from just the title alone, so I can understand that with certain topics.


I took that straight from the article / filing, and have been impressed by the downvotes!



Some Home Depots let you pay with PayPal as well.


It will be interesting to see if any Paypal account compromises can be attributed to this breach. From what I've read, this type of malware typically scrapes the memory of processes on the POS, looking specifically for what appears to be track data, and which passes a Luhn check.
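The scraping behaviour described in the comment above (find strings shaped like track data, keep the ones whose PAN passes a Luhn check), and the EMV tag 57 "Track 2 Equivalent Data" mentioned earlier in the thread, as an added example that is not from any comment here. The memory buffer and the EMV record are constructed; 4111111111111111 is a widely used Luhn-valid test number, not a real card. The same regex-plus-Luhn filter is what a defender's PCI/DLP scan of a POS memory dump would use, so it is worth seeing both sides of it.

```python
"""Scan a buffer for track-2-shaped card data the way the POS memory scrapers
discussed in the thread do, keep only Luhn-valid PANs, and decode the same
fields from an EMV tag 57 'Track 2 Equivalent Data' record.

Everything below is constructed: the buffer, the EMV record and the PANs
(4111111111111111 is a well-known Luhn-valid test number, not a real card).
"""
import re

# Magstripe track 2 as it sits in process memory: ;PAN=YYMMSSSdiscretionary?
# (start sentinel ';', field separator '=', end sentinel '?'). The 'D'
# alternative covers the hex form of EMV tag 57 if it has been stringified.
TRACK2_RE = re.compile(rb";?(\d{13,19})[=D](\d{4})(\d{3})(\d*)\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(mem: bytes) -> list:
    """Return decoded track-2 candidates whose PAN passes Luhn. The Luhn
    filter is what separates card data from order numbers and timestamps."""
    hits = []
    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": pan,
            "expiry": m.group(2).decode(),        # YYMM
            "service_code": m.group(3).decode(),  # ISO 7813 three-digit code
            "discretionary": m.group(4).decode(),
            # Service code first digit 2 or 6 marks a chip-capable card; a
            # chip-capable terminal is expected to refuse a swipe of such a card.
            "chip_capable": m.group(3)[:1] in b"26",
        })
    return hits


def parse_tlv(buf: bytes) -> dict:
    """Minimal BER-TLV walker for a flat EMV record: one- or two-byte tags,
    short or 0x81 long-form lengths. Nested templates are not descended."""
    out, i = {}, 0
    while i < len(buf):
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:              # two-byte tag such as 9F26
            tag = (tag << 8) | buf[i]
            i += 1
        length = buf[i]
        i += 1
        if length == 0x81:
            length = buf[i]
            i += 1
        elif length & 0x80:
            raise ValueError("length form not supported in this example")
        out[f"{tag:02X}"] = buf[i:i + length]
        i += length
    return out


def decode_track2_equivalent(value: bytes) -> dict:
    """Tag 57 is BCD: PAN, 'D' separator, YYMM, service code, discretionary
    data, padded with an 'F' nibble to a whole byte."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7],
            "discretionary": rest[7:], "luhn_ok": luhn_ok(pan)}


# Constructed process-memory snapshot: one Luhn-valid track, one that fails,
# and a 16-digit order number that must not be reported.
SAMPLE_MEMORY = (
    b"POS v3.2 txn=000412 ORDER#1234567890123456 "
    b";4111111111111111=2512101123456789?"
    b"\x00\x00;4111111111111112=2512101000000000? total=42.17\x00"
)

# Constructed EMV read-record response: tag 5A (PAN) and tag 57 (Track 2 Equivalent Data).
SAMPLE_EMV_RECORD = bytes.fromhex(
    "5A08" "4111111111111111"
    "5711" "4111111111111111" "D2512101" "123456789F"
)

if __name__ == "__main__":
    for hit in scrape_track2(SAMPLE_MEMORY):
        print("track2 hit:", hit)
    rec = parse_tlv(SAMPLE_EMV_RECORD)
    print("tag 5A PAN:", rec["5A"].hex())
    print("tag 57   :", decode_track2_equivalent(rec["57"]))
```

Running it reports one track-2 hit from the buffer (the Luhn-invalid PAN and the order number are dropped) and shows that tag 57 carries the same PAN, expiry and service code as the magstripe; what differs between the two is the discretionary data, which is where the thread's CVV-versus-iCVV point lives.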


Yep, I was thinking the same thing. While I've never used PayPal at Home Depot, I wonder what the fallout from that would be.

https://www.paypal.com/webapps/mpp/ent-instore-payments



