Attacks/Breaches
12/26/2013 03:19 PM
Gunter Ollmann
Commentary

Target's Christmas Data Breach

Why, oh, why would Target be storing debit card PINs?

A week after Target's breach, and the probable compromise of 40 million credit and debit card details, there is still little public information about how the attack occurred or what Target has done to prevent a recurrence. That is worrying, and unfortunately also par for the course.

A number of press articles have focused on the likelihood of PIN data also being accessed by the attackers. According to the New York Daily News, Target spokeswoman Molly Snyder stated, "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised."

That PIN data has come up in the discussion at all concerns me, because it implies one of two things: either Target stores PIN data alongside debit card details in some system, or the compromise vector was the point-of-sale (POS) system itself.

If Target has been storing PINs for third-party debit cards, that is deeply worrying. I can't think of a legitimate reason any retailer would retain this data, unless it runs a delayed or deferred settlement process (e.g., to reduce what it pays its merchant bank by submitting card transactions at off-peak times). Even then, that data should never be retained for more than a few hours, and I dislike the idea of it being retained at all, because it exposes customer data to unnecessary threats. Having worked with many retail organizations around the world, I have never encountered a legitimate one willfully storing PIN data.

If that possibility is taken off the table, the only other place PIN data should exist, ideally transiently and encrypted, is the POS system. Attacking the POS presents challenges. While the register may be networked for inventory tracking and price lookups, the card-swipe and PIN-entry components generally operate autonomously and are secured at the hardware level: the PIN is encrypted inside the PIN pad under a key shared only with the payment processor, so it never exists in the clear on the register. Reaching the PIN therefore typically means physically compromising or replacing the hardware. Unfortunately, this attack vector occurs more often than people admit; last year 63 Barnes & Noble stores were hit this way, leading the chain to pull its customer PIN pads. Note the asymmetry, though: the magnetic-stripe track data (card number, expiry date, service code) generally reaches the register in the clear, so malware running on the register can capture card details without ever touching the PIN pad.

Alternatively, the POS may route all PIN pad operations through a back-office system to better handle store cards, gift cards, and other split-tender options, so that the customer PIN pad simply proxies data from the POS to a centralized system. I would hope the transaction details (including the PIN) stay encrypted end to end, but you never know. Either way, a store-centralized payment-processing system is an extremely valuable target, because every card the store handles passes through it. It may make economic sense for a retailer, but it raises the risk profile considerably.

While Target keeps the details of its breach close to its chest, there is little information on which to form an opinion about negligence or attacker sophistication. That hasn't stopped people lining up with their hands out: three class-action lawsuits have reportedly already been filed, seeking more than $5 million in damages.

I'm not opposed to fines as a means of correcting errant business practices, but my first reaction to class-action suits is "opportunistic money-grabbers." I would rather have a system that forces a breached organization to improve the security of its customers' data than one that pushes it to buy insurance and argue over minimum legal compliance. Earlier this month I wrote about an alternative way of raising an organization's security stature: larger data-breach fines, with a high proportion of the money directed back to the breached organization for investment in new defenses.

U.S. Sen. Robert Menendez, a member of the Senate Banking Committee, is investigating whether the Federal Trade Commission (FTC) has the authority to fine companies for data breaches such as Target's. If it does not, he intends to propose legislation granting that power. I would support that, provided a proportion of any fine goes directly toward securing the organization.

It is unfortunate that data breaches are on the rise, but I see it as a reflection of criminals perpetually going where the money is, and of the widening gap between professional hackers and corporate compliance teams. This isn't the first time Target has been breached, it won't be the last, and I'm comfortable saying it isn't the only breach happening right now, merely the latest to be detected.

-- Gunter Ollmann, CTO IOActive Inc.

Gunter Ollmann serves as CTO for IOActive Inc., where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ...

Comments
LucasZa,
User Rank: Apprentice
1/9/2014 | 6:28:01 PM
re: Target's Christmas Data Breach
All the criminals got for PIN is the encrypted PIN block. It's encrypted using TDES, which is impractical to crack (http://www.voltage.com/blog/cr...). Brute-force guessing the PIN to crack it doesn't work. Guessing at the plaintext doesn't allow them to compare against the encrypted PIN block and get back a yes/no answer. That would be considered a known-plaintext attack, which TDES isn't vulnerable to, last I checked.

The criminals' only hope for decrypting the encrypted PIN blocks would be to get the key from the payment processor Target uses. As you said, there is no reason to believe they breached the payment processor. If that were the case, we'd all be in a world of hurt, similar to the Heartland and Global Payments breaches.
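An added worked example (my code, not the article's or the commenter's) of the "transitory and encrypted state" the article describes at the PIN pad and of the TDES-encrypted PIN block the comment above refers to. It builds an ISO 9564-1 format 0 PIN block, encrypts it with two-key TDES as a PIN Entry Device (PED) does, and performs the processor-side decryption and validation. The terminal key and the test PAN are constructed for the example; a real key is injected into the PED and shared only with the processor's HSM. Only Go's standard library is used, so it runs offline.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// TerminalKey is a constructed double-length (16-byte) TDES PIN key. In real
// life it exists only inside the PIN Entry Device and the processor's HSM.
var TerminalKey = []byte{
	0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
	0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
}

const digits = "0123456789"

func xor8(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// pinField builds the ISO 9564-1 format 0 PIN field: control nibble 0, the PIN
// length nibble, the PIN digits, then 0xF padding out to 16 nibbles.
func pinField(pin string) ([]byte, error) {
	if strings.Trim(pin, digits) != "" || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// panField builds the PAN field: four zero nibbles, then the rightmost 12
// digits of the PAN with its Luhn check digit excluded.
func panField(pan string) ([]byte, error) {
	if strings.Trim(pan, digits) != "" || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the check digit
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// Format0Block returns the clear block, PIN field XOR PAN field. Mixing in the
// PAN binds the block to one card: the same PIN on two cards gives two blocks.
func Format0Block(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	return xor8(pf, af), nil
}

// PinBlockCipher expands K1||K2 to the K1||K2||K1 form crypto/des expects. The
// PED calls Encrypt on the clear block before it leaves the tamper-resistant
// boundary; only the processor's HSM, holding the same key, can call Decrypt.
func PinBlockCipher(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("expected a 16-byte double-length key")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// RecoverPin strips the PAN mask from a decrypted block and validates control
// nibble, length nibble and 0xF padding, so a wrong PAN or key is rejected.
func RecoverPin(block []byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil {
		return "", err
	}
	h := strings.ToUpper(hex.EncodeToString(xor8(block, af)))
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a well-formed format 0 block")
	}
	pin, pad := h[2:2+int(n)], h[2+int(n):]
	if strings.Trim(pin, digits) != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("PIN block failed validation")
	}
	return pin, nil
}

func main() {
	pan := "4111111111111111" // well-known test PAN
	clear, _ := Format0Block("1234", pan)
	c, _ := PinBlockCipher(TerminalKey)
	enc, dec := make([]byte, 8), make([]byte, 8)
	c.Encrypt(enc, clear) // what leaves the PIN pad
	c.Decrypt(dec, enc)   // what only the key holder can do
	pin, _ := RecoverPin(dec, pan)
	fmt.Printf("clear %X  encrypted %X  recovered PIN %s\n", clear, enc, pin)
}
```

Two properties matter for the thread's argument. The block is XORed with the PAN, so the same PIN on two cards gives two different blocks, and decrypting against the wrong PAN fails the padding check. And an interceptor holding only the ciphertext has nothing to test the 10,000 possible four-digit PINs against; the exposure is the key, which is why the comment's scenario of a compromised processor key is the one that hurts. A store-centralized back-office system that decrypted PIN blocks, the proxy design the article raises, would hold that key and inherit that exposure.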
LucasZa,
User Rank: Apprentice
1/9/2014 | 6:21:22 PM
re: Target's Christmas Data Breach
The CVV is separate from CVV2/CID printed on the card. The CVV is embedded in track data which is not supposed to be stored post-authorization just like CVV2/CID. There is no proof Target was storing track data or CVV2/CID. Criminals steal this data as it passes through compromised POS networks. They've been doing this for many years. Track data and CVV2/CID can both be stolen this way.

Only the PIN used in debit transactions is actually encrypted from the PIN Entry Device (PED) all the way to the payment processor, where it's decrypted, with US payment processing the way it is today. This is why point-to-point encryption provided through payment processors for magstripe and manually keyed-in cards has been catching on. It reduces the PCI card data environment tremendously for merchants, just like debit PINs are protected.

Even EMV is no magic bullet. The value in EMV is they can't make EMV card clones if they sniff an EMV transaction, thereby eliminating card-present transaction fraud at merchants that only accept EMV (as opposed to also accepting magstripe reads or manually keyed in card data). When a transaction is run using EMV, track equivalent data including the card number and expiration date are handled by the POS systems in plain text. The CVV normally found in real track data is changed to something false meaning criminals wouldn't be able to make working magstripe cards from the sniffed EMV transaction to commit fraud. They'd have to resort to card-not-present fraud such as phone ordering using the card number and expiration date, hoping the cashier doesn't ask for CVV2/CID which the criminals wouldn't have.
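An added example (again my code, not from the article or the commenters) of the track 2 data the comments describe passing through the POS in the clear: the PAN, expiry, service code and the issuer's discretionary data, which on a magstripe is where the CVV/CVC1 lives. It parses ISO 7813 track 2, Luhn-validates the PAN, reads the service code to tell a chip card from a stripe-only card and whether PIN entry is mandated, and sweeps a constructed memory fragment for records. That sweep is the same search a RAM-scraping POS malware performs, and therefore the check a defender can run over a register's memory or a network capture. The sample buffer and the PANs in it are constructed test values, not data from the breach.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Track2 holds the fields of one ISO 7813 track 2 record.
type Track2 struct {
	PAN           string // 13 to 19 digits
	Expiry        string // YYMM
	ServiceCode   string // three digits
	Discretionary string // issuer data; on a magstripe this carries the CVV/CVC1
}

// track2Re matches PAN '=' YYMM service-code discretionary-data. The ';' and
// '?' sentinels are optional because dumps and captures often lose them.
var track2Re = regexp.MustCompile(`;?(\d{13,19})=(\d{4})(\d{3})(\d*)\??`)

// Luhn reports whether a digit string passes the ISO 7812 check-digit test.
func Luhn(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return s != "" && sum%10 == 0
}

// ParseTrack2 parses one record and rejects PANs that fail the Luhn check,
// which removes most random digit runs from a memory or network scan.
func ParseTrack2(raw string) (Track2, error) {
	m := track2Re.FindStringSubmatch(raw)
	if m == nil {
		return Track2{}, errors.New("not a track 2 record")
	}
	t := Track2{PAN: m[1], Expiry: m[2], ServiceCode: m[3], Discretionary: m[4]}
	if !Luhn(t.PAN) {
		return Track2{}, errors.New("PAN fails Luhn check")
	}
	return t, nil
}

// ChipPresent reports whether the service code's first digit (2 or 6 per
// ISO 7813) says the card carries an IC, so the stripe should be a fallback.
func (t Track2) ChipPresent() bool {
	return t.ServiceCode[0] == '2' || t.ServiceCode[0] == '6'
}

// PINRequired reports whether the third digit (0, 3 or 5) mandates a PIN.
func (t Track2) PINRequired() bool {
	c := t.ServiceCode[2]
	return c == '0' || c == '3' || c == '5'
}

// MaskedPAN applies the usual PCI DSS display truncation: first six and last
// four digits visible, the rest masked, which is all a log should ever hold.
func (t Track2) MaskedPAN() string {
	return t.PAN[:6] + strings.Repeat("*", len(t.PAN)-10) + t.PAN[len(t.PAN)-4:]
}

// FindTrack2 sweeps an arbitrary buffer (process memory dump, packet payload,
// log file) for Luhn-valid track 2 records.
func FindTrack2(buf []byte) []Track2 {
	var found []Track2
	for _, m := range track2Re.FindAll(buf, -1) {
		if t, err := ParseTrack2(string(m)); err == nil {
			found = append(found, t)
		}
	}
	return found
}

// SampleDump is a constructed fragment of register memory: two records using
// the well-known test PANs 4111111111111111 and 5555555555554444, plus one
// non-Luhn decoy that a naive digit regex would still report.
var SampleDump = []byte("POS v3.1 txn=8812 ;4111111111111111=25121201234567890? cash\x00" +
	"5555555555554444=2606201000123? \x00 1234567890123456=2512101")

func main() {
	for _, t := range FindTrack2(SampleDump) {
		fmt.Printf("%s exp %s svc %s chip=%t pin=%t disc=%s\n",
			t.MaskedPAN(), t.Expiry, t.ServiceCode, t.ChipPresent(), t.PINRequired(), t.Discretionary)
	}
}
```

The service code is the interesting field for the EMV discussion above: a 2xx or 6xx code tells a terminal the card has a chip and that a swipe is a fallback, which is exactly the signal a cloned stripe cannot fake at a chip-capable terminal but can still exploit at a swipe-only one.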
Brian45242,
User Rank: Apprentice
1/8/2014 | 4:32:56 PM
re: Target's Christmas Data Breach
Who said they are storing the CVV? Not knowing all of the facts about this breach, we are all left to surmise based on what is provided. Given the things that reportedly were accessed, such as the CVV number and PINs for debit cards, it certainly leads us to think of either a POS breach or something in the flow of this data from the register to their payment processor (I'm not saying the payment processor itself was breached!). These would be possible points where these highly sensitive attributes could be present.
paulie5825,
User Rank: Apprentice
1/3/2014 | 5:56:44 AM
re: Target's Christmas Data Breach
The question you should actually be asking is why Target is storing the CVV number, which is in direct violation of the PCI standard.
independent_forever,
User Rank: Apprentice
12/31/2013 | 2:21:14 PM
re: Target's Christmas Data Breach
I agree...enough with the lawsuits because as you mentioned all that does is focus the company on protecting ITSELF from lawsuits rather than fixing the core problem..security of their systems. Let's hope Target learns lessons and tightens down their systems to avoid this in the future...my trust in them is shaken and I will only spend cash or use their own credit card going forward..no more using my personal credit cards now....
pgregory98001,
User Rank: Apprentice
12/30/2013 | 3:10:51 PM
re: Target's Christmas Data Breach
The byline of this article ("Why, oh, why would Target be storing debit card PINs?") is misleading. There is nothing to conclude that Target is storing PINs.

The Target intruders may have merely grabbed copies of the magstripe as they passed through the Target network. And perhaps the magstripe was not protected by encryption as it was transmitted through the internal Target network - well, that is not a PCI violation, though I wish it was. In my opinion, card numbers should be encrypted when transmitted through internal networks, but PCI still does not require that practice.
macker490,
User Rank: Ninja
12/29/2013 | 1:11:15 PM
re: Target's Christmas Data Breach
Fixing the Point of Sale Terminal (POST)

THINK: when you use your card: you are NOT authorizing ONE transaction: you are giving the merchant INDEFINITE UNRESTRICTED access to your account.

if the merchant is hacked the card numbers are then sold on the black market. hackers then prepare bogus cards -- with real customer numbers -- and then send "mules" out to purchase high value items -- that can be resold

it's a rough way to scam cash and the "mules" are most likely to get caught -- not the hackers who compromised the merchants' systems .

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
macker490,
User Rank: Ninja
12/29/2013 | 1:08:10 PM
re: Target's Christmas Data Breach
anyone interested in this issue should read this article

http://arstechnica.com/tech-po...

related to Whitfield Diffie's testimony in TQP v Newegg. particularly the "Brief history of public key cryptography" which starts under that heading

Mr. Diffie notes that he and others involved in the development of public key cryptography recognized early on that a method of authenticating transactions of all sorts that would work in a digital network environment was going to be an important need.

PCI has done nothing except to port the pen and ink process used with credit card embossers to the network.

it hasn't worked and it isn't going to. i don't know if the Target embarrassment will turn the trick; perhaps it will. if we adopt the European method of using smart-cards with PINs we may be able to correct one major defect -- that being that the card holder should authorize each transaction individually. as things stand -- anyone with your account number can initiate a transaction.

PCI doesn't care -- "it's just part of the cost of doing business". but we the people do care. if you have 900 bucks charged on your card for a new gizzie and you call the bank to get the charge reversed -- you are likely to get the run-around.

it's time for reform.

I've gone back to cash.
JamesR010,
User Rank: Strategist
12/28/2013 | 6:33:23 PM
re: Target's Christmas Data Breach
Magnetic stripes are dinosaur-like. They should be abandoned in favor of on-card chips like those found in mass transit smartcards and enhanced drivers licenses. Smartphones with NFC would be better also. BTW: it's the POTUS abusing the Constitution, not Congress.
jlindema,
User Rank: Apprentice
12/27/2013 | 11:46:00 PM
re: Target's Christmas Data Breach
I too would support Sen. Menendez in his efforts to grant authority for the FTC to impose fines.

However, the story I wish more people were made aware of is how payment card fraud could be all but eliminated, if the issuing banks were to embrace technology that's existed for several (7+?) years. Just ONE of the technologies that could be used are 'dynamically' created or changing card numbers that are only valid for one time and by one merchant.

One perceived roadblock to a wider acceptance of "one time use" credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly. This is simply NOT TRUE.

Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode the one-time-use card number onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer card technology. A card number that is only good for one transaction at a time, cannot be [re-]sold by criminals.

See Dynamics Inc.'s webpage (/Corporate/Products) + their "Dynamics Inc. - Enabling Payments 2.0" Dynamic Credit Card via web.archive.org [http://bit.ly/19fbXKb] (last archived Oct. 1st, 2013).

The single most frightening thing anyone could say that _should_ be the catalyst for the card industry to move toward changing the 1950's card technology that we currently endure is: "I'm just going to pay cash and stop using credit cards". Of course that'll never happen and as long as everyone continues to believe the myth that "all we can do" is to cancel compromised cards and pay extra for "account monitoring", "recover" from identity theft best we can, yada, yada, yada.

What consumers should be hearing is the truth, that card skimming fraud could have been eliminated years ago. I believe Target, or any merchant that gets compromised, is simply a victim themselves -a victim of our current card technology that hasn't changed significantly since it was first introduced.

Target is partially to blame, in that its network was compromised, but then being "PCI" compliant these days means about as much as the US Constitution does to Congress right now... close to nothing!

I say SOLVE THE PROBLEM instead of sweeping the problem under the rug (again) by not holding the card issuers responsible for their lack of innovation -or lack of bringing to mass-market the innovation that has existed for years.