Encrypted PIN Data Taken In Target Breach - Slashdot

Slashdot

Encrypted PIN Data Taken In Target Breach 213

Posted by Soulskill on Friday December 27, 2013 @07:40PM
from the now-you're-all-targets dept.

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.

This discussion has been archived. No new comments can be posted.

Encrypted PIN Data Taken In Target Breach

Search 213 Comments Log In/Create an Account

Comments Filter:

Why are they storing this data anyway? (Score:3, Interesting)

by Anonymous Coward writes: on Friday December 27, 2013 @07:45PM (#45801549)

Is there a good reason for keeping this that I'm not seeing?

Share
twitter facebook linkedin
Can encyption experts chime in? (Score:4, Interesting)

by postmortem (906676) writes: on Friday December 27, 2013 @07:47PM (#45801573) Journal

How hard it would be to decrypt, knowing that each pin is exactly 4 digits?
I would think if salting was not using, it is just a matter of the time.

Share
twitter facebook linkedin
sigh, lamestream press strikes again (Score:5, Interesting)

by sribe (304414) writes: on Friday December 27, 2013 @07:50PM (#45801589)

The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?

Share
twitter facebook linkedin
Re:inside job? (Score:5, Interesting)

by Rhyas (100444) writes: on Friday December 27, 2013 @08:14PM (#45801801) Journal

They didn't get anything onto the card readers from all that's been published publicly so far. Most card readers these days will encrypt the pin *before* sending the data to the terminal. Thus, only getting encrypted pins.
Given that the terminals run windows, it's not that difficult to get some malware to spread to them from a central source. Could still be an inside job for sure, but none of the details published yet can confirm that for fact.

Parent Share
twitter facebook linkedin
Re:3des (Score:4, Interesting)

by Proudrooster (580120) writes: on Friday December 27, 2013 @09:10PM (#45802173) Homepage

How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? As it firmware in the POS registers? How did this happen?

Parent Share
twitter facebook linkedin
Re: Why are they storing this data anyway? (Score:2, Interesting)

by khanta (820056) writes: on Friday December 27, 2013 @09:14PM (#45802193)

Terminals encrypt PIN data inside the device. The terminals they use are PED certified. DUKPT is used, and the data should be safe. The PIN block should stay encrypted all the way to the processor. If it is decrypted it should be done in an HSM. The malware was most likely scraping memory on the POS and grabbing track data as it was passed from terminal to the POS. Then they somehow exfiltrated it out. Obviously they weren't using encrypted terminals. I don't think target stored this data centrally. Most likely just infected POS stations. My bet is at the source and they all booted up infected stations. Sorry for the terse responses.

Parent Share
twitter facebook linkedin
Re:Time to ask the bank a new debit card and P (Score:5, Interesting)

by Jah-Wren Ryel (80510) writes: on Friday December 27, 2013 @10:16PM (#45802531)

Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.
It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.
There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

833 commentsMicrosoft's Attempt To Convert Users From Windows XP Backfires
564 commentsAsk Slashdot: Does Your Employer Perform HTTPS MITM Attacks On Employees?
384 commentsAsk Slashdot: How Do You To Tell Your Client That His "Expert" Is an Idiot?
264 commentsRouters Pose Biggest Security Threat To Home Networks
261 commentsEdward Snowden's Lawyer Claims Harassment From Heathrow Border Agent

Alexander Graham Bell is alive and well in New York, and still waiting for a dial tone.