Target PINs stolen, too — what does that mean to you? And why the fun begins now for crypto geeks

Click for Target's announcement
Click for Target’s announcement

We’re about to find out how effective a major implementation of encryption really is. Target’s quite tardy admission that it’s lost encrypted PIN codes along with millions of credit card numbers might be one of the largest public tests of encryption were ever seen.

Remember, a person with a debit card number and its associated PIN can basically print money. Now we know the Target hackers have both pieces of data, and they know it’s worth a lot of money — if they can solve the cryptographic puzzle which protects the PINs. Even if the criminals who stole it aren’t cryptologists, you can imagine evil-doer code-breakers are lining up to offer help.  

Theoretically, the triple DES encryption employed by Target and its payment processor means the stolen data is scrambled well enough that it’s functionally useless to the criminals or anyone who might help them. For this reason, consumers who used their debit cards, and entered a PIN instead of offering a signature at the checkout counter, still have no reason to panic.  Change your PIN as soon as possible, and watch carefully for fraud.  Until you actually experience fraud, there is no need to do anything more.

But that all assumes one important thing: the encryption was implemented correctly.  Generally, when encryption fails, it’s not the math that fails — it’s the human beings.  PINs are supposed to be scrambled from the moment you enter them into a point of sale terminal that’s been loaded with a “key” used to scramble the digits. At that point, it’s converted into a “PIN block,” which is then transmitted along with your account number to the payment processor.  The processor unscrambles the PIN block with another key.   But if those keys were loaded incorrectly at either end, a criminal could more easily figure out what the PINs are.  Or, often more likely, an employee with access to the technology could intentionally screw things up, making theft easier. Keys can be stolen, for example.


BillGuard-white-175 Worried about credit card fraud? Try BillGuard’s free app, which uses crowdsourcing to find fraud on your bill.  (Sponsored)

 

The standards for protecting PINs, part of the so-called PCI standards issued by the Security  Standards Council, are exacting and clear.  Target says it was PCI compliant, and there’s no reason not to believe that.  That means Target didn’t keep PIN blocks lying around, for example — they stored them only as part of a “store and forward” system which allowed stores to batch process blocks of credit card accounts.  (Just a guess: Theft of the PIN blocks does suggest the data was stolen en route to payment processing, as opposed to at rest on Target servers. We’ve heard precious little from Target’s processor so far).

If Target followed the rules, there is no additional reason to worry today.

However, Target already has waffled on the PIN theft issue. That’s common after a hack like this: It’s not always clear right away to investigators what the bad guys stole.  When a burglar breaks into your car or home, you often don’t realize all that’s been taken, either.  Expect more disclosures as time passes.

Again, today’s news only impacts that subset of Target shoppers who used PINs at the checkout counter.  Those consumers should change their PINs and watch their checking accounts very carefully.

Sing up for Bob Sullivan’s free newsletter.

About Bob Sullivan 1443 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

1 Trackback / Pingback

  1. Target Data Breach: There Hasn't Been Much Fraud...Yet | Credit.com

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.