Encrypted PIN Data Taken In Target Breach

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.

  • by Anonymous Coward on Friday December 27, 2013 @07:45PM (#45801549)

    Is there a good reason for keeping this that I'm not seeing?

  • by postmortem ( 906676 ) on Friday December 27, 2013 @07:47PM (#45801573) Journal

    How hard would it be to decrypt, knowing that each PIN is exactly 4 digits?

    I would think if salting was not used, it is just a matter of time.

  • by sribe ( 304414 ) on Friday December 27, 2013 @07:50PM (#45801589)

    The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?

  • Re:inside job? (Score:5, Interesting)

    by Rhyas ( 100444 ) on Friday December 27, 2013 @08:14PM (#45801801) Journal

    They didn't get anything onto the card readers from all that's been published publicly so far. Most card readers these days will encrypt the pin *before* sending the data to the terminal. Thus, only getting encrypted pins.

    Given that the terminals run windows, it's not that difficult to get some malware to spread to them from a central source. Could still be an inside job for sure, but none of the details published yet can confirm that for fact.

  • Re:3des (Score:4, Interesting)

    by Proudrooster ( 580120 ) on Friday December 27, 2013 @09:10PM (#45802173) Homepage

    How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? Was it firmware in the POS registers? How did this happen?

  • by khanta ( 820056 ) on Friday December 27, 2013 @09:14PM (#45802193)

    Terminals encrypt PIN data inside the device. The terminals they use are PED certified. DUKPT is used, and the data should be safe. The PIN block should stay encrypted all the way to the processor. If it is decrypted it should be done in an HSM. The malware was most likely scraping memory on the POS and grabbing track data as it was passed from terminal to the POS. Then they somehow exfiltrated it out. Obviously they weren't using encrypted terminals. I don't think Target stored this data centrally. Most likely just infected POS stations. My bet is at the source and they all booted up infected stations. Sorry for the terse responses.

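As an added example (not code from this thread, from Target or from any PED vendor), here is the PED side of what khanta and sribe describe, in Go: an ISO 9564-1 Format 0 PIN block bound to the card's PAN and encrypted under 3DES. The key, PIN and PAN values are constructed; DUKPT, which would derive a fresh key per transaction, is not shown.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// pinBlockFormat0 builds an ISO 9564-1 Format 0 PIN block: the PIN field
// (control nibble 0, PIN length, PIN digits, 'F' padding) XORed with the
// PAN field (0000 plus the 12 rightmost PAN digits, check digit excluded).
// Binding the PAN means the same PIN gives a different block on every card.
func pinBlockFormat0(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 || len(pan) < 13 || strings.Trim(pin+pan, "0123456789") != "" {
		return block, fmt.Errorf("PIN must be 4-12 decimal digits and PAN at least 13 decimal digits")
	}
	pinField := fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin)))
	p, _ := hex.DecodeString(pinField) // cannot fail: decimal digits and 'F' only
	q, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// encryptPinBlock is what the PED does before the block leaves the device;
// the HSM at the processor reverses it. When the key never sits on the
// compromised host, the 8-byte ciphertext alone gives no way to test a PIN
// guess, so the 10^4 PIN space cannot simply be enumerated offline.
func encryptPinBlock(key []byte, block [8]byte) ([]byte, error) {
	if len(key) == 16 { // 2-key 3DES: crypto/des wants K1|K2|K1
		key = append(append([]byte{}, key...), key[:8]...)
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block[:])
	return out, nil
}
```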
  • by Jah-Wren Ryel ( 80510 ) on Friday December 27, 2013 @10:16PM (#45802531)

    Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.

    It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.

    There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.
