So it’s starting to look like Home Depot got breached. Nobody knows yet how bad it is. I decided to be proactive and call my credit card company because I shop at Home Depot a lot, and they just read me a canned script. OK, they don’t want to know if I think my card was among those breached.
Here’s what I’m doing in the meantime.
This morning I bought half a tank of gas using that card. I bought it close to home. If I remember, I’ll buy another half a tank or so on Friday. This establishes that I’m not traveling right now. It’s also not terribly unusual–I rarely buy full tanks of gas if I’m not traveling–so it helps establish normal. We’re in the data age, so the more normal data I can produce about myself, the more abnormal data–someone using a breached card–sticks out.
Someone using a breached card will look very different. Initially it’s likely to be for a small amount, and it will be online. If that transaction goes through, then they’ll buy something big. But my big purchases tend to be in person, and if you’ve been reading me long enough, you can probably guess what kind of stuff I buy. It’s generally not the kind of stuff a crook is going to buy with a stolen card. That will stick out too.
The other thing I’m doing is gathering together the contact information for my automatic payments, because I’m going to be changing those yet again soon. Those companies are used to it and probably would be understanding if I were late for a payment, but I don’t want to be late for a payment.
Home Depot will be offering identity protection if the breach is confirmed; if you’ve shopped there and used a credit card, take them up on the offer.
Large companies are playing a cat and mouse game with hackers, and the problem is that it doesn’t matter how often the hackers lose. A passing grade for the hackers is anything higher than 0%, and a passing score for companies is 100%.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
Dave,
Are the chip based smart cards worth the cost? Will they be hackable by the average criminal?
The answer to the first question is debatable, which is part of the reason we haven’t even talked about them prior to last December. Yes, they will reduce crime, but it’s impossible to know by how much and for how long, and that’s what makes it hard to say if the savings will outweigh the cost. In Europe the results of implementing them were dramatic, but then crept back up over time. We can only hope to fall to the level Europe is at now, because at least some of what the crooks learned by hacking Europe will apply here.
So the answer to the second question is yes, they will be hackable, most likely by attacking the card readers or cash registers themselves. That will mean shoring up the readers and the registers and the connection between them. The question is finding the equilibrium where there’s enough security to make it more expensive to steal a card than the card is worth.