by opium_tea 4288 days ago
From this link: http://krebsonsecurity.com/2014/09/in-home-depot-breach-inve...

"The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation."

So it's not that Home Depot (I'm not sure this applies to Target) had the credit card info stolen from their servers. It's more that it was skimmed from their self-checkout machines, though by software rather than hardware.

2 comments

Assuming that Home Depot is correct and skimming is involved, and also assuming that the 56M cards figure is correct: that just seems too unlikely, even with malware pushed to the POS systems, that 56M cards could be stolen.

I mean there are "only" 350M people in the US. One in seven would have to have used a card at Home Depot (I know, people have multiple cards). Still seems unlikely to have 56M cards skimmed in any reasonable timeframe.

Skimming would imply that someone physically altered the self-checkout lanes to capture credit cards in the same way an ATM skimmer works. Since this was installed malware, it would mean access to Home Depot's network. I wouldn't be surprised to learn that credit card data was stored in plaintext somewhere in their system.
I will say, one time a few years back I needed to get a receipt from a purchase more than 60 days old. I called the local store, and she said "just give me your credit card number and I can look up your transactions". With just my card number she was able to see every transaction I made with that card (and find my purchase I needed the receipt for). So (at least 3-4 years ago) it was being stored somewhere searchable by people in the back office.
Or at least a hash generated from it was stored.
But why would they store them and why would they have access to the card number?

The credit card processing is normally completely separate from the rest of the POS. The credit card "machine" communicates directly with the credit card processing company and just informs the POS that the transaction was completed.

You would need to break into the encrypted data sent from the credit card terminal to the processing company to get the card number.

Maybe I'm just completely ignorant about how this stuff works.

Target and Home Depot are doing something that they don't need to be doing to process payments, unless skimming is involved.

If skimming is involved: start moving to chip cards and drop the magnetic strip.
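Two points in the thread above fit together: the terminal, not the POS, is what talks to the processor, and at most a hash of the card number should ever sit in the store's own systems. Below is an added example, not code from this thread or from Home Depot's systems, of a back-office design in Python that can still search receipts by card (the scenario the earlier commenter described) without holding card numbers. The terminal is the only component that sees the PAN; it hands the POS a keyed index and the last four digits. The index key, the two test card numbers and the receipt records are all constructed for the example.

```python
"""Added example: receipt lookup by card without storing card numbers.

Not code from the thread or from any retailer's POS. The key, card
numbers and receipts below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation; used only to reject mistyped numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def terminal_capture(pan: str, index_key: bytes) -> tuple[str, str]:
    """Runs on the payment terminal, the only place the PAN exists in clear.

    Returns the only two things the POS is given: a keyed lookup index and
    the last four digits. The key lives on the payment side; an unkeyed hash
    would not do, because card numbers occupy a small, structured space and a
    table of plain hashes is as good as a table of card numbers.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    digits = "".join(c for c in pan if c.isdigit())
    index = hmac.new(index_key, digits.encode(), hashlib.sha256).hexdigest()
    return index, digits[-4:]


@dataclass
class Receipt:
    receipt_id: str
    amount_cents: int
    card_index: str   # HMAC of the PAN, never the PAN itself
    last4: str


class BackOffice:
    """The store-side database: holds receipts, indices and last4 only."""

    def __init__(self) -> None:
        self._receipts: list[Receipt] = []

    def record(self, receipt_id: str, amount_cents: int, index: str, last4: str) -> None:
        self._receipts.append(Receipt(receipt_id, amount_cents, index, last4))

    def lookup(self, index: str) -> list[Receipt]:
        """Find receipts for a card. The caller must present the card to a
        terminal to obtain the index; typing a PAN into the back office is
        exactly what this design removes."""
        return [r for r in self._receipts if hmac.compare_digest(r.card_index, index)]

    def dump(self) -> str:
        """What an attacker with database access would see."""
        return "\n".join(
            f"{r.receipt_id},{r.amount_cents},{r.card_index},{r.last4}"
            for r in self._receipts
        )


INDEX_KEY = b"constructed-demo-key-held-on-the-payment-side"   # constructed
DEMO_PAN = "4111 1111 1111 1111"       # constructed, Luhn-valid test number
OTHER_PAN = "5555 5555 5555 4444"      # constructed, Luhn-valid test number


def demo() -> tuple[list[str], bool]:
    """Records three receipts, looks up one card's history, and checks that
    the database contents never contain the card number."""
    office = BackOffice()
    idx, last4 = terminal_capture(DEMO_PAN, INDEX_KEY)
    office.record("R-1001", 4599, idx, last4)
    office.record("R-1002", 12900, idx, last4)
    other_idx, other_last4 = terminal_capture(OTHER_PAN, INDEX_KEY)
    office.record("R-1003", 800, other_idx, other_last4)

    # Customer returns for a receipt: card is read by a terminal again, and
    # the back office searches by the resulting index.
    idx_again, _ = terminal_capture(DEMO_PAN, INDEX_KEY)
    found = [r.receipt_id for r in office.lookup(idx_again)]
    leaked = DEMO_PAN.replace(" ", "") in office.dump().replace(" ", "")
    return found, leaked


if __name__ == "__main__":
    print(demo())   # (['R-1001', 'R-1002'], False)
```

The design choice to note is where the key sits: if the HMAC key were available to the POS or the back office, anyone who compromised those systems could index arbitrary card numbers and confirm matches, so it belongs with the terminal or the processor, alongside the encryption the terminal already uses for the transaction itself.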