Today, I received a new credit card from The Home Depot. (In the picture, the top one is my old one and the bottom is, obviously, the new one.) The first thing I noticed was the new card was attractive and that they added a chip. I thought it was fantastic that a store card would go through the work. I then dug a bit further, and was less happy.
Behind the card, there is a magstripe still. The Home Depot (“Home Depot”) cards are not valid at other stores (like a Visa, MasterCard, etc.). This means that they control the entire payment ecosystem. My local Home Depot has chip technology, as have a few other locations I’ve been to. This means that they could have issued strictly chip cards and done away with the magstripe entirely. This would make them a clear leader in payment technology and I would have really been impressed. Sadly, they didn’t. Oh well, most companies don’t even have chips, and the big banks universally issue mag+chip cards.
The next issue I noticed (honestly, it is kind of a nice feature even if it is incredibly insecure) was that the card comes activated, ready to start using. I don’t need to call from my home phone, I don’t need to activate online. Just go and start buying lumber, screws, or even a garage kit… Oh, and look — the credit limit is printed right on the paperwork!
The next issue is that the entire card number is printed on the flyer attached to the card. You might believe that this is a bit pedantic because, after all, the card is attached. If somebody stole the mail, they’d surely have the card #.
Sadly, this makes it much easier to shine a light through the envelope and see the entire card number unmolested. Likewise, after disposing of the document (if unshredded), now your entire card number is in the bin somewhere.
The final issue is that this was an unsolicited bulk card reissue. I didn’t lose my old card, I didn’t know a new card was on its way. The issue with all of these vulnerabilities is magnified when an event like this happens. Somebody like me can receive a card, realize these issues, and then start grabbing these documents out of the mail. Postal workers can bring a flashlight and a cellphone to work and start capturing these numbers en masse. The chip was a nice addition, and the new card looks great. The security, however, leaves much to be desired.