Encrypted PIN Data Taken In Target Breach
New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be decrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them."
Another article at Time takes Target to task for its PR doublespeak about the breach.
Time to ask the bank for a new debit card and PIN (Score:2, Informative)
Subject line says it all :)
Re:Time to ask the bank for a new debit card and P (Score:5, Insightful)
That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.
Re:Time to ask the bank a new debit card and P (Score:5, Interesting)
Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.
It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.
There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.
Re: (Score:2)
I apologize. I didn't read Todd Knar's entire post. You were addressing his point about hotels, and what you wrote was a reasonable response to that. But being at the mercy of a customer service person's feelings about my attitude when I am under a lot of stress is not appealing.
Re: (Score:2)
US consumer law seems pretty weak. In the UK the bank is entirely liable unless they can prove that the fraud was your fault. That includes things like charges incurred from other companies, interest, fines etc.
Re: (Score:2)
Superior, how? Superior as in just about anybody is able to easily find out about all your credit cards, and plenty of purchase details? Is that the kinds of "superior" you were talking about?
Re: (Score:3)
Credit cards are in fact better than a debit card in one way: the money doesn't actually come out of your pocket until you pay your bill. With a debit card the money's gone and you're trying to get it back (and the fact that the bank tends to be cooperative doesn't change this dynamic). And the old adage about possession being 9/10ths of the law does ring true here: it's much easier to keep what you have than to get back what you don't.
Re: (Score:2)
Information about debit cards is NOT shared with anyone outside of the issuing bank. They are every bit as private as writing a check, doing a wire transfer, or similar. Credit cards are the polar opposite, with all your financial information being reported, and being easy for anyone on the planet to access.
Re: (Score:3)
Information about debit cards is NOT shared with anyone outside of the issuing bank.
I find that impossible to believe when the exact same processing system is used for both credit and debit cards.
Hell, there are even "rewards" programs for visa and mastercard branded debit cards. I think you would be hard pressed to explain how visa can do that without knowing your spending.
http://usa.visa.com/personal/cards/debit/visa_extras.html [visa.com]
Re: (Score:2)
Information about debit cards is NOT shared with anyone outside of the issuing bank.
LOLWUT? Who cares about the cards, they are meaningless by themselves, the information about underlying accounts (whether credit, checking, etc.) is what counts, and it is most certainly shared! By changing the amount of average monthly balance on the checking account I can select what kind of spam I get via USPS. Seriously. The running joke around here is that if you keep the average above $10K, you are bougie since all your firestarter paper comes by mail!
Re: (Score:2)
The problem is that you're away from home, you don't have access to everything you normally would, and you can't deal with the bank in person. It's easy to get the charge handled when you're in the branch and can fill out the paperwork. It's less easy when you're in a different time zone and can't just fork over a driver's license as proof of identity. I could probably handle it, but that's because I'm paranoid and travel with at least one portable device set up for access to everything. But most people are
Re: (Score:2)
No, they won't. I've disputed fraudulent charges on my debit card before, and the bank didn't freeze my account. What they did do was invalidate the compromised card and issue me a new one, but that happened right there while I was filling out the paperwork so it didn't really impact me. The only time it impacted me was the one time it came from the bank's end rather than me reporting the charge, and I got a phone call from the security department saying the bank'd been notified and I'd need to stop in ASAP
Re:Time to ask the bank for a new debit card and P (Score:5, Informative)
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.
Re: (Score:2)
It depends on where you live and what bank you have. Where I live in Ontario, the same rights are afforded to me on my debit card that my credit card has. Including a lock limit on the RFID of no more than $50.
Re:Time to ask the bank for a new debit card and P (Score:5, Funny)
I think you can safely assume that when a Slashdot poster talks about a legal problem, a problem with consumer protection or issues with the health care system, they are either talking about the USA or, perhaps, North Korea.
Re: (Score:2)
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards.
In recent years, things have gotten better for debit card holders, you are right that it used to be all promises. Now there are some federal regulations, but they still aren't anywhere near as strong as the federal laws protecting credit card holders.
http://www.fdic.gov/consumers/consumer/news/cnfall09/debit_vs_credit.html [fdic.gov]
Why are they storing this data anyway? (Score:3, Interesting)
Is there a good reason for keeping this that I'm not seeing?
Re: (Score:2)
They don't (necessarily) have to; if the attack was ongoing (which it sounds like it very much was), then the attackers could have retrieved the PINs in transit.
Re: (Score:2)
As I said above, why are the chip & pin machines not designed to avoid this? Surely the keypad should operate without firmware, and be responsible only for sending the key presses to the card. The card's chip can then generate a response from a hash of the challenge and the PIN, and only then send the data off the card/key pad, and into the system controlled by firmware.
Re: (Score:2)
In the US they generally don't use chip & PIN. The stolen PINs involved are for bank ATM cards without chips, not PINs for credit cards with chips.
Re:Why are they storing this data anyway? (Score:5, Insightful)
Nope, horse-puckey. This would be the same PIN data that their PCI compliance *cough* would disallow from storing after authorization for a transaction, just like the CVV codes which I think also got nabbed. Now, it is possible that they were all captured "in-flight" and not being stored against the rules, but it is very much verboten to keep even with encryption.
Re: (Score:2)
I don't work in PCI compliance, but I've been reading up on it. This is, as I've understood it, a violation of PCI. Adding to parent comment, that it was taken "in-flight" is probably as much a rule breaker .... and one has to wonder how if this data was not being stored just how long it was being taken "in-flight". There's several million cards been taken from the news release. This might represent several hours worth of transactions (given the busy time of the year) so if this info was tapped for a few h
plenty of ways to confirm PIN without sending it (Score:2)
You could confirm whether a PIN is correct without sending it.
For example, send sha1(card number + pin + time of day)
The machine at bank's end does the same calculation with the correct pin and returns whether or not it matches.
Mod parent up! (Score:2)
Or even use the PIN as part of the encryption key used to encrypt a random string sent from the bank once authentication is requested.
And the connection between the PoS and the bank should also be encrypted.
And that connection should be 100% private. ISDN or whatever. Nothing going across the Internet. Not even with a VPN.
Re: (Score:2)
"Time of day" would seem to be the weak link there. How does the bank-end machine know that exact value so as to replicate the sha1 calculation?
Re: (Score:2)
It's even worse. They don't have to guess at all. They can all just use one arbitrary combination, and keep trying it on each card. They've got enough cards to get tens of thousands of hits.
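Added example, written for this page and not code from any poster above, from Target or from a payment vendor: the sha1(card number + pin + time of day) scheme proposed in this subthread, run from both the terminal's and the attacker's side. The card number and the time travel in clear alongside the token, so a captured record gives up the PIN in at most 10,000 unkeyed hash calls, and one popular PIN can be tried against every record in a dump. The card numbers, PINs and timestamp are constructed sample data (8374 is the joke PIN from the post below).

```python
"""Added example, not from any poster in this thread: the sha1(card number + PIN +
time of day) scheme, and why it fails against an attacker who captures the records.
Card numbers, PINs and the timestamp are constructed sample data."""
import hashlib
import hmac
from itertools import product
from typing import List, Optional, Tuple

Record = Tuple[str, int, str]  # (PAN, timestamp, token) as seen on the wire


def pin_token(pan: str, pin: str, timestamp: int) -> str:
    """Terminal side of the proposal: an unkeyed SHA-1 over values the attacker also sees."""
    return hashlib.sha1(f"{pan}|{pin}|{timestamp}".encode()).hexdigest()


def bank_verify(pan: str, pin_on_file: str, timestamp: int, token: str) -> bool:
    """Bank side: recompute with the PIN on file and compare in constant time."""
    return hmac.compare_digest(pin_token(pan, pin_on_file, timestamp), token)


def capture(cardholders: List[Tuple[str, str]], timestamp: int) -> List[Record]:
    """What a packet monitor on the POS network collects: PAN and timestamp are sent
    in clear next to the token, so the 'salt' (the time of day) is public."""
    return [(pan, timestamp, pin_token(pan, pin, timestamp)) for pan, pin in cardholders]


def brute_force_pin(pan: str, timestamp: int, token: str) -> Optional[str]:
    """Offline attack on one record: at most 10,000 SHA-1 calls, no key needed."""
    for digits in product("0123456789", repeat=4):
        guess = "".join(digits)
        if pin_token(pan, guess, timestamp) == token:
            return guess
    return None


def hits_for_popular_pin(records: List[Record], candidate: str = "1234") -> List[str]:
    """The 'one arbitrary combination' attack from the reply above: a single guess per
    record, which on a dump of millions of cards yields every holder of that PIN."""
    return [pan for pan, ts, tok in records if pin_token(pan, candidate, ts) == tok]


# Constructed sample data: test-style PANs and made-up PINs.
SAMPLE_CARDHOLDERS = [
    ("4000000000000002", "1234"),
    ("5105105105105100", "8374"),
    ("4111111111111111", "1234"),
]
SAMPLE_TIMESTAMP = 1387843200  # 2013-12-24 00:00:00 UTC, constructed

if __name__ == "__main__":
    records = capture(SAMPLE_CARDHOLDERS, SAMPLE_TIMESTAMP)
    for pan, ts, tok in records:
        print(pan, "->", brute_force_pin(pan, ts, tok))
    print("holders of 1234:", hits_for_popular_pin(records))
```

Nothing in the scheme is secret from the attacker except the four digits, which is the same reason a salt helps a password hash only when the password itself has far more than 10^4 possibilities; what the real terminals do instead is encrypt under a key the attacker does not hold, which is what the DUKPT posts further down describe.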
Re:Why are they storing this data anyway? (Score:5, Insightful)
As for Target, here's my take: This is the only information in the press release:
The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.
If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.
That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.
I find it odd that they say that pins have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the pin table/columns. A list of pin numbers though, of course, is completely useless (8374 - Here's a free one) on its own. Decrypting them should be trivial, given the limited number of possible pin numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.
As for the 3des part, It just doesn't make any sense. As other people have already said, 3des is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3des key). If that is the case, then each session key would be unique, and target would never have "access" to it as it would only exist in RAM.
To my knowledge. I'd be happy/interested if someone could prove me wrong here.
Re: (Score:2)
[*ThereShouldBeAnAsteriskHere*]To my knowledge. I'd be happy/interested if someone could prove me wrong here.
Re: (Score:2)
Don't confuse hashing of PINs with encryption of PINs.
If the PINs were stored / sniffed in a hashed form where the hash algorithm is known *and* the salt is known, then yes it is trivial to figure out what PIN number appears in each record.
OTOH, if the PINs are encrypted and the key is not known by the attackers, then the attackers have to break that key. Which might be 56 bit or it mig
Re: (Score:2)
I don't understand why any part of the PIN machine with firmware has access to the PIN at all. The key pad could easily simply route the inputs to the chip on the card, and generate a response from the PIN input, and a challenge there. Only then would the data leave the card/keypad, and be accessible by the firmware.
Re: (Score:2)
You didn't seriously expect there to be a parallel decimal interface between the terminal and the chip on the card, did you? That stuff was en vogue in instrumentation in the 70s, when you could buy digital voltmeters of various kinds with parallel digital output, sometimes binary, sometimes BCD, sometimes even 1-of-10 decimal. Chip cards use a standardized serial protocol.
Re: (Score:2)
Uh-huh, since, obviously, using a hash of the CC number for that purpose is out of the question. What a doofus of an AC.
Re: (Score:2)
Yes but if that's the case they don't even have to crack the encryption, they've already got the PIN for 50% of the cards!
50% of 4 million cards (or whatever the number was) ought to be more than enough for anybody.
Re: (Score:2, Insightful)
I hate to reply to my own post, but I appear to be modded "Insightful". The correct mod selection was "Funny".
*sigh*
Re: (Score:3)
Except that they were almost certainly using ANSI PIN blocks which XOR the card number into the
You're assuming competence here when every aspect of this breach has demonstrated incompetence. I happen to know what Target considers "encrypted" PINs, and it's nothing so elaborate. They are referring to the drive-level encryption mandated by Sarbanes-Oxley. They are correct in that the keys to decrypt the drive are tied to the hardware and that the only copies are stored on a remote server. However, what they aren't telling you is that this breach didn't consist of someone walking into a server closet and
Can encyption experts chime in? (Score:4, Interesting)
How hard would it be to decrypt, knowing that each PIN is exactly 4 digits?
I would think if salting was not used, it is just a matter of time.
Re: (Score:3, Informative)
They are encrypted using 3DES using the following algorithm.
http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction [wikipedia.org]
Re: (Score:2)
How hard would it be to decrypt, knowing that each PIN is exactly 4 digits?
It would not be difficult. But what is the point? The PIN is only useful if you physically swipe the card. You don't use a PIN during a "card not present" transaction, such as an online purchase.
Re:Can encyption experts chime in? (Score:4, Insightful)
You're assuming the PIN was in any way related to the 3DES key. That's almost certainly not the case. More likely, Target requests a transaction key from the bank which is then used to encrypt the PIN and sends the encrypted PIN to the bank. The bank then decrypts the PIN using the 3DES key and verifies the PIN.
They probably should switch to RSA or some other public key algorithm. With 3DES, both parties need to share the key. With RSA, there is a public key and a matched private key. If the public key is compromised, it's no big deal. Since the bank retains the private key and doesn't share it, it's at least theoretically more secure for this kind of transaction.
Re: (Score:2)
I don't understand why any one would use encryption here at all. Why would they not use challenge/response, so that the PIN never leaves the card/keypad (encrypted or not).
Re: (Score:2)
Right, because you know, the ISO standard appeared out of thin air, no one ever sat there and thought "should we use encryption or hashing for this?"
Re:Can encyption experts chime in? (Score:5, Informative)
Because parts of the system are still asynchronous. There is no real-time communication in a lot of parts of the banking system. And it was much worse 10-15 years ago when a lot of these systems were designed.
sigh, lamestream press strikes again (Score:5, Interesting)
The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?
Re:sigh, lamestream press strikes again (Score:5, Informative)
It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.
(Earlier reports claimed the pads had been compromised, but that smelled like bullshit then, and even more like it now.)
Re: (Score:2)
It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.
Ah, thanks for the clarification.
Re: (Score:2)
It doesn't matter if they used Triple Double-Dog Secret Patent Pending NSA-Certified ROT13, a large collection of four-digit PINs is about the best known plaintext short of the Pledge of Allegiance. If they aren't salted, it's open season on those cardholders.
inside job? (Score:2)
The number of people with knowledge of how to change the firmware is probably a pretty short list. When crossed against the list
Re:inside job? (Score:5, Interesting)
They didn't get anything onto the card readers from all that's been published publicly so far. Most card readers these days will encrypt the pin *before* sending the data to the terminal. Thus, only getting encrypted pins.
Given that the terminals run windows, it's not that difficult to get some malware to spread to them from a central source. Could still be an inside job for sure, but none of the details published yet can confirm that for fact.
Re: (Score:3)
Windows corporate networks almost always operate on the idea of protecting the perimeter, and leaving the inside horrendously insecure... For something like a retail store, where the general public have physical access to the building that idea breaks down very quickly... You only need to have momentary access to a network socket/cable, and these will often be available at random points on the shop floor or at the very least at the back (i.e. facing the customer) of the pos terminals...
Once you're on, chanc
Re: (Score:2)
I've heard from a Target insider that they do believe it involved an insider.
What I don't understand is even if it was, don't PCI standards, Sarbanes-Oxley, internal financial controls and the sheer IT scale of a company of Target's size mean that any random insider would not have broad enough administrative access to compromise enough systems to pull this off?
In other words, someone with high level data network access (network engineer) wouldn't have access to databases, applications, and operating systems,
PIN?? is it useful (Score:2)
OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.
Re:PIN?? is it useful (Score:5, Informative)
OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.
The trip a card purchase takes from your physical card to the merchant bank is actually pretty convoluted -- the simplified explanation is that a card purchase with PIN has a lot fewer safeguards and security checks than an online purchase with card, address and CV only. For card purchases where only the number is used, the vendor assumes a HUGE amount of liability. It often makes sense for fast food vendors and such, where the transaction values are small and they get a significant uptick in sales for shorter transaction times, but for purchasing big ticket items, you either do chip+pin or track 1 data plus second factor (usually stored by the vendor).
So the even shorter answer is: PIN codes mean relative anonymity. Without the PIN, you need to provide other PII at some point in the transaction.
Why are pins stored? (Score:2)
Why combine something you know with something you have? I thought only banks stored pins?
Re: (Score:2)
I know for a fact that one of the items on the PCI list for CC transactions is 'no storage of CVV data.' If Target was indeed storing the PIN numbers, I feel like they have some real 'splainin to do about that one. However, based on the fact that they're obsessive about data mining, I wouldn't put it past them. "Why do we need to keep the PIN numbers?" "I dunno, but we can." "Okay, let's do it."
However, if the data was stolen 'in flight' as EvilSS suggests and it *is* encrypted (and based on the prevar
Re: (Score:3)
From my experience working with PCI compliant companies, the CC info is usually kept on a completely separate network from the normal corporate network. It usually routes back to a central office or branch office before making its way to the payment processor in large companies (small mom & pop it probably dials/VPNs di
Re: (Score:2)
Why are you claiming that the PINs were stored?
Salt (Score:2)
Hope Target's systems used a salt when creating the 3DES.
If the Triple DES used a salt, then good, it will make it much more likely the PINs are secure, because then the hackers would have to brute-force trying a salt value, then all possible PINs for 1 of the Triple DES encrypted PINs, which would take longer.
If the salt was unique for each PIN, then that would be the most secure ( but I do not know how a little machine where people give their pins could do that )
If no salt was used, then might be another
Re: (Score:2)
Given advances in both ASIC and GPU design, I wonder how long it would take to brute force a card these days - or brute force the top 20% of all numbers for instance. GPUs have massively parallel execution which could be brought to bear on the problem.
That said, over here in Aus, transactions under $100 can be performed just by waving your card near a terminal - no pin or CCV required. If they can clone the card details onto those sorts of cards, then they can use 'smurfs' to run around hitting 1,000s of sh
Re: (Score:2)
Hashing relies on salt for security. Encryption does not.
Passwords are hashed instead of encrypted because you want to make it near impossible to reverse the process and discover the original password. In fact, you hash, because you are simply not interested in being able to reverse the process. You then use custom salt along with the hash step to make pre-generated rainbow attack tables useless. And to prevent the breaking of one account to instantly grant access t
DUKPT (Score:3, Informative)
PINs are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived unique key per transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).
So no, the PINs are safe unless the card terminals have been hacked too.
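Added example, written for this page and not code from any poster, from Target or from a terminal vendor, of what the DUKPT post above, the earlier mention of ANSI PIN blocks, and the "key is embedded in the pin pad and held by the processor" explanation lower down refer to: an ISO 9564-1 format 0 PIN block, which XORs the card number into the PIN before encryption, and a per-transaction key that only a holder of the base derivation key (the processor) can reconstruct. The block cipher here is a toy HMAC-based Feistel network standing in for Triple DES, transaction_key() is a simplified stand-in for the real DUKPT derivation (which chains Triple DES operations and keeps a future-key table on the pad), and the PANs, PINs, KSN and BDK are constructed sample values.

```python
"""Added example, not code from the original thread, from Target or from any vendor:
ISO 9564-1 format 0 PIN block plus a per-transaction key in the spirit of DUKPT.
toy_encrypt/toy_decrypt stand in for Triple DES and transaction_key() for the real
DUKPT derivation; all key material, PANs and PINs are constructed sample values."""
import hashlib
import hmac
from itertools import product
from typing import Optional


def _pan_field(pan: str) -> bytes:
    """Four zero nibbles, then the 12 PAN digits immediately left of the check digit."""
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: (0, PIN length, PIN digits, F padding) XOR PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):x}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_from_block(block: bytes, pan: str) -> str:
    """Processor side: undo the XOR, then read the length nibble and the digits."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex()
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    return pin_field[2:2 + int(pin_field[1], 16)]


def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """8-byte, 8-round Feistel network: a placeholder for 3DES, not a real cipher."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, i)))
    return r + l


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, i)))
    return r + l


def transaction_key(bdk: bytes, ksn: bytes) -> bytes:
    """Unique key per Key Serial Number, reconstructible only with the BDK (processor
    side). The pad is injected with keys for its own counter values and never holds
    the BDK; the POS register behind the pad holds neither. Simplified stand-in."""
    return hmac.new(bdk, ksn, hashlib.sha256).digest()[:16]


def terminal_encrypt_pin(txn_key: bytes, pin: str, pan: str) -> bytes:
    """What the PIN pad emits. The PAN and KSN travel in clear with the ciphertext."""
    return toy_encrypt(txn_key, format0_pin_block(pin, pan))


def processor_recover_pin(bdk: bytes, ksn: bytes, pan: str, ciphertext: bytes) -> str:
    return pin_from_block(toy_decrypt(transaction_key(bdk, ksn), ciphertext), pan)


def guess_pin_with_key(txn_key: bytes, pan: str, ciphertext: bytes) -> Optional[str]:
    """The plaintext space is only 10^4, so anyone holding the transaction key recovers
    the PIN in at most 10,000 trial encryptions. Without the key there is no shortcut:
    the PAN binding does not shrink the key space, it only stops equal PINs on
    different cards from producing equal ciphertexts under one key."""
    for digits in product("0123456789", repeat=4):
        guess = "".join(digits)
        if terminal_encrypt_pin(txn_key, guess, pan) == ciphertext:
            return guess
    return None


# Constructed sample values (never reuse real key material from an example).
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
KSN = bytes.fromhex("FFFF9876543210E00001")

if __name__ == "__main__":
    for pan in ("4000000000000002", "5105105105105100"):
        ct = terminal_encrypt_pin(transaction_key(BDK, KSN), "1234", pan)
        print(pan, format0_pin_block("1234", pan).hex(), ct.hex(),
              processor_recover_pin(BDK, KSN, pan, ct))
```

Two things the run makes visible: the same PIN on two cards gives two different plaintext blocks, so counting identical ciphertexts does not reveal the most common PIN, and a compromised POS register that sees only ciphertext, PAN and KSN is no better off than one that sees nothing, unless the pad itself or the processor's BDK is compromised.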
Re: (Score:2)
The same way that you protect any other plain text of nearly any length at all. You generate an encryption key (56bit DES, 112bit 3DES, 128bit AES or 256bit AES) and encrypt the plain text with that key.
The only way to get the plain text back is to brute-force the key (assuming that the algorithm is well designed, properly implemented, and that the key can't be leaked in some other fashion).
Here is an example for you: Please
What was Target collecting all that data for? (Score:3)
I already suffered identity theft and credit card theft in the past and I'm not at all anxious to go through that again. I'm taking my business elsewhere. In fact I may avoid large national chains for this very reason.
Software that Target uses (Score:3)
Can anyone tell me what operating system and software that Target uses?
I'd really like to know what exploits this software has and if any other store uses them so I can avoid shopping there.
I think retailers and wholesale clubs ought to be transparent in what operating systems and software they use for their POS system and then list the vulnerabilities they found with an code audit and how they plan to fix them.
This ought to be a law, so consumers can be protected from retailers and wholesale clubs who don't care about their privacy and credit card and debit card data and just use operating systems and software with exploits in them that they never tested nor figured out how to fix.
I think the same should be done with websites as well.
Am I right here or wrong?
Re: (Score:3)
If they're like virtually every other retail chain in the world (short of maybe Amazon, but do they even count?), it's probably not an issue with the particular software they use, but that they use old, outdated, or poorly configured versions.
These companies run -countless- systems, for their ERP, CRM, CMS, a bunch of other 3 letter acronyms, stuff to integrate all of them, stuff to integrate the stuff that integrates them, all those things use different operating systems, need to be in sync to be "supported
Re: (Score:2)
I'd really like to know what exploits this software has and if any other store uses them so I can avoid shopping there.
People. That's the exploit. You shouldn't shop anywhere with people, they are incredibly fallible and sometimes quite evil bags of mostly water.
Sorry but if you're looking for perfect security you won't find it anywhere. The NSA couldn't keep control of its own people, how is some dumb chain store?
Re: (Score:2)
The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.
Re: (Score:2)
They said that the keys weren't on the "compromised" systems
Re: (Score:2)
From the first article linked:
The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
Re: (Score:2)
The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.
The way the system works, the 3DES key is embedded in the pin pad which is sealed against tampering. It is also held by the processor (who owns the pad). In this way, the merchant never knows the key, and so only holds the encrypted PINs.
What I'm waiting for is the moment when some criminally minded individual realizes that "targeting" vendors isn't the way to go, and instead starts APT attacks against the processors -- suddenly, you can pick and choose what data you take, and have access to all the proce
Re: (Score:2)
Perhaps the vendors are targeted because they have weaker security than the banks - both the issuers and acquirers.
The banks are already being targeted, continually. Eventually someone will succeed, but banks and card providers spend an awfully large amount of time, money and effort in making sure they aren't the first one.
Anyway, why go for a card company? Sure Visa or Mastercard would be the motherlode? Of course, they too have data security at the top of their requirements list for any new systems.
Re: (Score:2)
How hard can it be to brute force the key when you know there are only 10000 possible plaintexts?
Re: (Score:3)
Provided it is CPA and KPA secure (chosen plaintext attack, known plaintext attack) then it's as hard as brute forcing the keys.
However the ANSI X9 series crypto specs and the PCI-DSS stuff, the banks and card processors use are hardly the best available. They might be secure, but without specifics of what crypto profiles the devices were using, you cannot be sure.
Re:3des (Score:4, Interesting)
How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? Was it firmware in the POS registers? How did this happen?
Re: (Score:2)
the usual. an excel spreadsheet on a computer running bittorrent in the background.
at least they put a password on the spreadsheet.
Re: (Score:2)
triple rot26
Re: (Score:2)
http://en.wikipedia.org/wiki/Maestro_(debit_card) [wikipedia.org]
Your country may have a marketing backend, a store or other loyalty points system, at the checkout you may be asked for your postcode... that's a lot of unique data with your card use in many countries.
Re: (Score:2)
If all you have to do is "sign" then that's even worse, a random pen mark is useless for any form of security...
The PIN will be used to withdraw cash from an ATM using a cloned card, if they have a cloned card they can already make purchases without knowing the PIN if only a signature is required.