In what appears to be the first public fallout of the recent Home Depot mega-hack, Redbox Instant, the Verizon/Redbox partnership that competes with Netflix, has temporarily closed signups to new users, saying that "criminals were misusing our new customer registration process to validate credit card numbers illegally obtained from some other sources.”
The drastic move is in response to a practice known as “carding,” where cybercriminals test small transactions on credit cards, to check whether they are still valid, before making larger fraudulent orders.
The CTO of Trustev, Chris Kennedy, observed the temporary block at 9pm EST on Tuesday, September 16, and it continues today.
The reasoning behind such a dramatic counter-measure is likely that merchants are responsible for fraudulent charges to credit cards, in the form of chargebacks — when charges are reversed because they were not genuine. Not only do merchants have to pay back the amount of the charge, but they must also pay penalties, often of $15 or more per transaction. So with a flood of new fraud on the internet, there is a much higher risk of fake charges and losses for merchants selling online.
Although full details have not yet emerged, it looks likely that the Home Depot payment card data leak was the biggest ever, even larger than the recent hack of Target. The home improvement chain disclosed that malicious software had been found in point of sale systems and that the malware had been in place since April, leaking data over several months on potentially tens of millions of customers.
Estimates of fraud expected to result from the Home Depot hack are in the range of 2 to 3 billion dollars, costs which will be borne by merchants, and not by consumers.
With a record number of Americans’ credit card numbers and personal data currently up for sale on the black market, the disruption to Redbox looks like the first of many hurdles for retailers and services selling online.