Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/27/2013
01:54 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

PINs Stolen In Target Breach

Target now says customers' encrypted PINs were compromised in the massive credit- and debit-card breach that began Thanksgiving eve

The PIN question has been answered: Target today confirmed that customer PIN numbers were pilfered in the massive breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15.

Target initially had said only that encrypted data was stolen, and speculation was high over whether PINs, indeed, were exposed in the massive hack. A company spokesperson told news outlets earlier this week that it did not believe PIN data was affected in the attack. Customer names, credit and debit card numbers, card expiration dates, and embedded code on the magnetic strips on the backs of the cards also were exposed in the attack.

But Target maintains that the PINs are safe because they are encrypted at the keypads with Triple DES encryption.

"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," the retailer said in a statement today.

The retailer says it neither has access to, nor does it store, the encryption key in its systems. "The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the 'key' necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident. The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," the company said today.

But security experts say Triple DES encryption won't necessarily stop a determined and sophisticated attacker. Gunter Ollmann, CTO of IOActive, says attackers can recover PIN data and then make physical copies of stolen cards in order to withdraw funds from ATM machines. And Triple DES is "broken," with tools available to crack it, he says.

"Triple DES should have been replaced 5-plus years ago," Ollmann says. "I'd be surprised if past security assessments and PCI tests hadn't already flagged this as a security flaw."

The question, he says, is why Target would not have remedied this. "Was it an 'acceptable risk' business decision?" he says.

[Target's massive cardholder breach is a prime example for why security pros have pushed for improved POS and payment application security. See Target Breach Should Spur POS Security, PCI 3.0 Awareness.]

Hints that PINs had been hit in the breach emerged earlier this week, as Reuters reported that JP Morgan Chase & Co. and Spain's Santander Bank had lowered their customers' withdrawal limits from ATMs as well as total card transaction amounts.

Meanwhile, Target has seen "limited incidents of phishing" in the wake of the breach, the company says, and it is now posting all official communications it sends to customers on its website so they can confirm legitimate information from the retailer.

Target is working with the U.S. Secret Service and the Department of Justice on an investigation into the breach.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LucasZa
50%
50%
LucasZa,
User Rank: Moderator
1/9/2014 | 9:49:18 PM
re: PINs Stolen In Target Breach
There isn't a mechanism to "guess the PIN" against the ciphertext and get back a yes/no answer. Known plain text attacks don't work against modern ciphers including TDES. That would be considered a tremendous weakness. The only way to decrypt is to have the key or guess it. Think of it this way: Let's say there's a piece of paper in a lockbox with a 4 digit number. Yelling 4 digit numbers at the lockbox isn't going to make it open up if you guess right. The criminals could clone cards and try guessing PINs at ATM machines, but a few failed attempts would cause the card to go on security hold and fraud monitoring departments would notice after a few cards are attempted.
Guest
50%
50%
Guest,
User Rank: Apprentice
1/3/2014 | 8:44:47 PM
re: PINs Stolen In Target Breach
I may be ignorant on this, but can't you guess what the known plaintext would be... There are only 10,000 possibilities: 0000 to 9999
Mark Bower
50%
50%
Mark Bower,
User Rank: Apprentice
1/3/2014 | 1:26:04 AM
re: PINs Stolen In Target Breach
Unless the attackers have the keys from every device, which is very unlikely, retrieving PIN numbers will be impossible for all intents and purposes, even to determined attackers. Correctly implemented Triple-DES is still resilient to brute force attacks with 168-bits of encryption strength. It should not be confused with Single-DES 56 bit encryption. To retrieve PIN's an attacker would need to physically retrieve each unique PIN encryption key from every PIN entry device - quite a challenge. The devices for PIN entry are also likely PCI-PTS (and card scheme) validated which ensures physical and logical tamper detection is effective to erase PIN keys and other sensitive data in the event of detected compromise such as device being drilled into, put into a spurious operating condition and so on.

Strong PIN encryption has been with us for some time, and encrypted PIN's are routinely transmitted over open networks. It is well defined in ANSI standards and proven. The point of encryption is to protect from inadvertent compromise.

The details of why this is true are nicely and accurately summarized by Matt Green from John Hopkins University including comments on the PCI aspect:

http://blog.cryptographyengine...

Disclaimer - I work for a vendor in the data protection industry providing end-to-end protection of payment cardholder data for major retailers and acquirers.

Regards,
Mark Bower
VP Product Management and Solution Architecture
Voltage Security, Inc.
SubtleLogic
50%
50%
SubtleLogic,
User Rank: Apprentice
12/31/2013 | 9:46:16 PM
re: PINs Stolen In Target Breach
Uh, the current standards in the financial industry dictate the use of triple DES for encrypting PINs so this not something Target chooses to use, nor would any security or PCI audit have any problems with this.

It's still not trivial to crack TDES encryption, and the end result would only be one PIN. The effort is not worth it, especially when the unprotected track data can be used so easily.

Too many "experts" offering opinions on the Target hack.
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19619
PUBLISHED: 2019-12-06
domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS.
CVE-2019-19616
PUBLISHED: 2019-12-06
An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment fun...
CVE-2019-19617
PUBLISHED: 2019-12-06
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.