Target PINs stolen, too — what does that mean to you? And why the fun begins now for crypto geeks

by Bob Sullivan on December 27, 2013

Click for Target's announcement

We’re about to find out how effective a major implementation of encryption really is. Target’s quite tardy admission that it’s lost encrypted PIN codes along with millions of credit card numbers might be one of the largest public tests of encryption we’ve ever seen.

Remember, a person with a debit card number and its associated PIN can basically print money. Now we know the Target hackers have both pieces of data, and they know it’s worth a lot of money — if they can solve the cryptographic puzzle which protects the PINs. Even if the criminals who stole it aren’t cryptologists, you can imagine evil-doer code-breakers are lining up to offer help.  

Theoretically, the triple DES encryption employed by Target and its payment processor means the stolen data is scrambled well enough that it’s functionally useless to the criminals or anyone who might help them. For this reason, consumers who used their debit cards, and entered a PIN instead of offering a signature at the checkout counter, still have no reason to panic.  Change your PIN as soon as possible, and watch carefully for fraud.  Until you actually experience fraud, there is no need to do anything more.

But that all assumes one important thing: the encryption was implemented correctly. Generally, when encryption fails, it’s not the math that fails — it’s the human beings. PINs are supposed to be scrambled from the moment you enter them into a point-of-sale terminal that’s been loaded with a “key” used to scramble the digits. At that point the PIN is converted into a “PIN block,” which is then transmitted along with your account number to the payment processor. The processor unscrambles the PIN block with another key. But if those keys were loaded incorrectly at either end, a criminal could more easily figure out what the PINs are. Or, often more likely, an employee with access to the technology could intentionally screw things up, making theft easier. Keys can be stolen, for example.

The standards for protecting PINs, part of the so-called PCI standards issued by the Security Standards Council, are exacting and clear. Target says it was PCI compliant, and there’s no reason not to believe that. That means Target didn’t keep PIN blocks lying around, for example — they stored them only as part of a “store and forward” system which allowed stores to batch process blocks of credit card accounts. (Just a guess: Theft of the PIN blocks does suggest the data was stolen en route to payment processing, as opposed to at rest on Target servers. We’ve heard precious little from Target’s processor so far.)

If Target followed the rules, there is no additional reason to worry today.

However, Target already has waffled on the PIN theft issue. That’s common after a hack like this: It’s not always clear right away to investigators what the bad guys stole.  When a burglar breaks into your car or home, you often don’t realize all that’s been taken, either.  Expect more disclosures as time passes.

Again, today’s news only impacts that subset of Target shoppers who used PINs at the checkout counter.  Those consumers should change their PINs and watch their checking accounts very carefully.


Comments

  1. 4UrEyezOnly says:

    …presume all of the standards were fully met on the PIN encryption. And then let’s presume that all of the public key information was on the machine(s) involved and was extracted as well. Also presume that the data that was stolen also references the origination device.

    That, IMHO, would/should likely provide all of the information for the public key encryption. Granted, this would only be good for performing the same encryption operation (and the decryption, which would be near impossible, would require the private key which was not acquired in the theft). However, the decryption wouldn’t be necessary to determine the PIN(s). By public-key encrypting the ~10,000 PIN combos it would not at all be unreasonable to find a match for every card in a short time frame.

    The finesse point would be if the criminals had used (their own) cards with PINs to facilitate a known-text/value attack vector.

    The nightmare would be if the public-key portion was not unique for every transaction.