ID Thieves Don’t Need PINs To Withdraw Cash From Debit Cards Stolen From Home Depot

When Home Depot confirmed the potentially massive data breach of its in-store payment systems in the U.S. and Canada, it tried to quell some concerns by saying there was no evidence that PIN info for debit cards had been compromised in the attack. But it looks like enough other information was stolen in the hack that a clever ID thief wouldn’t need that PIN to drain the cash from a victim’s bank account.

According to KrebsOnSecurity.com, which has been a few steps ahead of Home Depot on this entire story, the stolen Home Depot info currently on sale on the black market includes the information you’d expect — the card number, cardholder’s name — and it also contains the ZIP code for the store from which the information was stolen.

With some 2,200 stores in the U.S. alone, most people don’t have to travel far to find a Home Depot. That means there is a good chance that many Home Depot shoppers live in the same ZIP code as their store. Having that information, an ID thief versed in black market information can illegally purchase additional info like Social Security numbers and dates of birth.

So with all that information at their fingertips, an ID thief can try changing a card’s PIN using the automated customer service phone lines that many banks operate.

If a customer calls up and can provide almost all of the requested data about the account, he or she can change the PIN rather easily.

Automated systems generally check for four things:
1. The card’s expiration date;
2. The customer’s date of birth;
3. The last four digits of the customer’s Social Security number
4. The 3-digit code (known as a card verification value or CVV/CV2) printed on the back of the debit card.

This last item is the only piece of information not readily available to data thieves willing to spend a little money to potentially reap a lot of money from victims.

And Krebs says he’s been hearing about spikes in PIN-related ID theft since the Home Depot hack.

Like the New England bank that has seen $25,000 in PIN debit fraud at ATMs in Canada. Krebs’s source claims that the ID thieves were able to change the PINs on the cards using the bank’s automated system, which only required that they provide three of the four requested data points.

Then there is the bank on the West Coast that Krebs reports was hit with $300,000 in PIN fraud in just two hours, all from multiple debit card accounts that had been used recently at Home Depot.

Like the New England banks, having the customer’s SSN, DOB, and the card’s expiration date was enough to change the PIN.

Additionally, the callers told bank customer service reps that they were traveling abroad, which allowed them to take out more money from the ATMs than they would have been able to stateside. It presumably also turned off any red flags when those withdrawals were made from ATMs in Italy.

Home Depot has reassured customers that any fraudulent charges to credit or debit card users will be absorbed by either the customer’s bank or by the retailer. However, PIN-related fraud is always the hardest to prove, as it requires information that only the customer is supposed to have. Hopefully, banks will be looking with a wary eye at people who wish to change their PIN without all of the requested information about the account.