Counterfeit credit cards were seized by federal law enforcement officials from the site Fakeplastic.net in Charlotte. (Photo: U.S. Attorney’s Office)

The end of the road for the 56 million credit card numbers stolen a month ago from Home Depot turns out, often as not, to be a cheap meal at McDonald’s or a gallon of milk at Walmart.

“We’re generally not seeing $1,000 transactions where they’re buying wide-screen TVs,” said Rob Miller, chief operations officer with San Diego-based Mission Federal Credit Union.

The story of how a massive international data breach ended up at a fast food store in California’s Central Valley began last April.

That was when someone inserted malicious software — malware — into point-of-sale machines at Home Depot stores in the USA and Canada.

Many in the security community suspect the attackers were in Russia or Eastern Europe, but there’s no way to know for sure. What is known is that malware skimmed off credit and debit card information, undetected, for six months.

As many as 56 million cards were compromised, according to Home Depot.

The news broke in September, when someone put a batch of cards for sale on a criminal Internet site that trafficked in stolen financial information.

Banks and credit unions began to see bogus charges appear almost immediately. Despite the far-reaching criminal networks that create these massive computer security breaches, the people who end up buying things with the stolen cards appear to be “just using them for day-to-day living,” Miller said.

For Air Academy Federal Credit Union in Colorado Springs, the first indication something was wrong was when members started seeing charges on their cards from Indonesia.

“Our people travel, many of them are Air Force, but we don’t have a whole lot of customers who go to Indonesia,” said Brad Barnes, chief financial officer for the non-profit organization.

It was easy to cut off cards whose owners were buying gas in Colorado Springs the same day a charge suddenly popped up in Jakarta. It got a whole lot harder when the charges began appearing in Denver, an hour to the north, Barnes said.

“The financial institution is going to reimburse the customer for any fraudulent transaction on the account,” said Doug Johnson, vice president for risk management policy with the American Bankers Association.

Computer security writer Brian Krebs reported that banks have taken big losses from cards compromised in the breach.

Mission Federal has dealt with more than $100,000 in fraud claims that might be linked to cards compromised in the Home Depot breach in the past month, Miller said.

Credit unions are not-for-profit, he said, so “when we take $100,000 in credit card losses, that’s $100,000 that we could have used to give our customers higher interest rates or lower loan rates.”

Another cost financial institutions face is replacing compromised cards. Mission Federal Credit has gotten about 10 lists of compromised cards from MasterCard in the past two weeks. They total 28,000 cards.

“That’s about 15% of the credit cards we issue,” Miller said. It costs the credit union about $2.60 to replace each card, so “that’s $72,800 so far. It’s another hit.”

The trajectory, from a continent away to a few ZIP copes away, isn’t any surprise to security experts.

“The thing to remember about this whole process is that it’s an industry,” said Geoff Webb, director of strategy for NetIQ, a Houston-based computer security company.

Click here to continue reading…

SOURCE: Elizabeth Weise
USA TODAY