The Home Depot hacking, which could well end up to be the largest commercial data breach in history continues to evolve. The latest developments involve those people who unwisely used their debit cards for making purchases at Home Depot stores. Although Home Depot attempted to comfort those people who used debit cards at their stores by telling them that no PINs were among the data stolen, banks are already reporting a large increase in fraudulent ATM withdrawals using those compromised debit cards. So how could this happen? Unfortunately, armed with the debit card number, the full name of the card holder, the city, state and zip code where the card was used, enterprising identity thieves are able to gain access to the Social Security numbers and birth dates of those customers. They are then able to call automated systems at the banks issuing the cards and change the PIN. Most of these systems will allow the caller to be able to change PINs if the caller passes three of five security checks including the customer’s date of birth and the last four digits of the customer’s Social Security number and the card’s expiration date. These can be obtained by identity thieves and we are now seeing hundreds of thousands of dollars already emptied from the bank accounts of people who used their debit cards to shop at Home Depot. This same problem occurred following the Target data breach last Fall.
First and foremost, DO NOT USE DEBIT CARDS FOR RETAIL PURCHASES. I can’t say this too often or too loudly. The risk to your financial well being is just too great, particularly with more and more retailers being hit with the same data breaches that have happened at Target, Home Depot and many other stores. This will continue to happen as cyber security experts still have not come up with a viable solution to the threat posed by the hackers behind these data breaches. When making purchases, use your credit card where the risk is only one of inconvenience in having to get a new card if your card is part of a data breach. Meanwhile banks have got to recognize that their present system of allowing people to change PINs by phone with information easily obtained by identity thieves is not effective and the system must change.