Home Depot Hacks

by DKN

Yesterday, Apple announced its Apple Pay platform.

I turned to my friend, a head cashier at Home Depot, to ask about their credit card breach and support for Near-Field Communication (NFC).  I'll call this person Shanayna.

Regarding the payment card breach, Shanayna described to me how, for "lots of weeks" before its discovery, she would need to close a register for several days because a payment card reader failed to work.  As soon as Home Depot got a card reader to work again, another card reader would fail.  The failures, to her recollection, happened in incremental succession down the register line.  Reader failures would start at Returns, then proceed through the second Returns device, then customer service, then Register 1, and so on.  Since the failures and their fixes were spread over several days, nobody in the store noticed any patterns or correlations.

Regarding NFC, Shanayna described how, for a short time, her store had payment card readers that supported NFC.  While the cashiers knew about the device support, it never worked.  "It was never hooked up," she said.  Some months after the NFC payment card readers were installed, Home Depot came back to replace them again with NFC-free readers.  The NFC-free card readers are supposedly the ones her store had during the window of the payment card breach.

When she went to work today, "tons" of people came into the store to ask if they would be able to pay with their new iPhone.  Home Depot had not prepared for this event, so in addition to having no NFC readers in the store, many of the cashiers didn't even know what Apple Pay, NFC, or tap-to-pay were.

Remember, I'm asking this of a head cashier with several years' experience at the same location - a person you might expect to know if their registers support NFC payment or not.

Her story didn't stop there, though.  She also described how the anti-theft devices can be hacked for petty theft.

Home Depot has been expanding its use of self-checkout.  When there's a shortage of cashiers, the preference is to open self-checkout with four registers instead of a single, traditional register.  Stores that still have traditional registers are then completely unattended by a cashier, though Home Depot has a compensating control: cameras.  Cameras are only reviewed as part of specific suspicious events, however.

Higher-value items in the store have an RFID chip that should be deactivated during checkout.  A zone on the counter of each traditional register is designated for RFID deactivation - and the deactivation zone works even when the register is unattended.  Moreover, the deactivation field is not unidirectional.  Thieves who pocket high-value, RFID-tagged items can apparently bump into the side of the register counter to deactivate a pocketed item, then continue to walk out the door without even slowing down.

Shanayna described a store near hers which went completely self-checkout, disposing of traditional cashier stations altogether.  As part of the experiment, they saddled a single person with monitoring eight or more self-checkout stations at once, in addition to watching people exit the store.

The self-checkout solution compensates for flaws in the RFID field for traditional registers because the RFID deactivation field only activates when an item is passed over the barcode scanner.  In the case of the overwhelmed self-checkout monitor, thieves can scan a $2 screwdriver at the same time they pass an expensive drill over the scanner without being noticed.  They let the scanner read the screwdriver UPC, but cover the UPC for the drill.  While the $2 screwdriver is logged for payment, the register activates the RFID field and the drill's RFID is deactivated.

For either the traditional register or self-checkout, the thieves walk out the door, then right back in to Returns and claim they lost their receipt.  Home Depot gives store credit for the pocketed item and drill.  You can guess what happens next, but if you get caught, they'll absolutely have the whole thing on camera.

It seems Home Depot is betting that the losses from stolen items won't cost as much as the wages of the employees who could have prevented the theft in the first place.
