Why, oh, why would Target be storing debit card PINs?

Gunter Ollmann, CTO, Security, Microsoft Cloud and AI Division

December 26, 2013

A week after Target's breach and probable compromise of 40 million credit and debit card details, there appears to be little new public information as to how the attack occurred and what remedies Target has taken to prevent it from happening again. This is, of course, both worrying and par for the course, unfortunately.

A number of press articles have focused on the likelihood of PIN data also being accessed by the attackers. According to the New York Daily News, Target spokeswoman Molly Snyder stated, "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised."

The fact that PIN data has even come up in the discussions concerns me for two reasons. Either Target finds it necessary to store PIN data along with debit card details in some system or another, or the compromise vector was via the point-of-sale (POS) system directly.

If Target has been storing PIN data for third-party debit cards, then that is deeply worrying to me. I can't think of a legitimate reason why any corporation would want to retain this data -- unless it has a process for managing delayed or deferred payments (e.g., reducing the amount it pays to merchant bankers for processing cards at nonpeak times). Regardless, there's no way that kind of data should be retained for more than a few hours -- and I hate the idea of it happening at all because it exposes customer data to unnecessary threats. It is also prohibited: PCI DSS Requirement 3.2 forbids storing the PIN or the encrypted PIN block after authorization, so any such retention would be a compliance failure as well as a bad idea. Having worked with many other retail organizations around the world, I've never encountered any legitimate organization willfully storing PIN data.

So if that has been removed from the table, the only other place PIN data could exist (ideally in a transitory and encrypted state) should be at the POS system. Attacking the POS system offers a number of challenges. For one, while the POS register may be networked for inventory tracking and price lookups, the actual card swipe components generally operate autonomously and are secured at the hardware level: the PIN is formatted and encrypted inside the tamper-resistant PIN pad, so the register itself should only ever see an encrypted PIN block. This typically means that the attackers must physically compromise or replace the hardware. Unfortunately, this attack vector occurs more frequently than people willingly admit. For example, last year 63 Barnes and Noble stores were hacked this way, resulting in the chain removing the customer PIN pads.

Alternatively, the POS system may route all PIN pad operations through a back-office system in order to better handle store cards, gift cards, and other partial payment options. This means that the customer PIN pad simply proxies the data from the POS to a centralized system. I'd hope that the transaction details (including the PIN) are encrypted, but you never know. Regardless, this store-centralized payment processing system would be an extremely valuable target for attackers. Such a system may make economic sense for a retailer, but it raises the retailer's risk profile considerably.
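The check a practitioner would want here is whether the PIN data held by such a centralized system (or retained anywhere after authorization) is actually the encrypted block the PIN pad produced, or the clear block that only the pad should ever see. The following is an added example, not code from Target or from this column's author. It builds the ISO 9564-1 format 0 clear PIN block a PIN pad computes internally (PIN field XOR PAN field) and then scans a constructed set of transaction records, whose three-field layout is an assumption, for PIN block fields that decode as a well-formed clear block. A genuinely encrypted block passes that test only by chance (on the order of one in a billion), so a hit means the PIN left the pad unencrypted.

```python
import re

# A format 0 PIN block is 16 hex digits (8 bytes).
PIN_BLOCK_RE = re.compile(r"^[0-9A-Fa-f]{16}$")


def pan_block(pan: str) -> bytes:
    """ISO 9564-1 format 0 PAN field: '0000' followed by the rightmost 12
    digits of the PAN, excluding the Luhn check digit."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short for format 0")
    return bytes.fromhex("0000" + digits[-13:-1])


def clear_pin_block(pin: str, pan: str) -> bytes:
    """Clear (unencrypted) format 0 PIN block: control nibble 0, PIN length
    nibble, PIN digits, 'F' padding, XORed with the PAN field.  A PIN pad
    computes this internally and encrypts it before anything leaves the
    tamper-resistant device."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_block(pan)))


def recover_clear_pin(pin_block: bytes, pan: str):
    """Return the PIN if pin_block is a clear format 0 block for this PAN,
    otherwise None.  Ciphertext almost never survives the structure checks
    (control nibble 0, length 4-12, decimal PIN digits, all-F padding)."""
    field = bytes(a ^ b for a, b in zip(pin_block, pan_block(pan))).hex().upper()
    if field[0] != "0":
        return None
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        return None
    pin, pad = field[2:2 + length], field[2 + length:]
    if pin.isdigit() and pad == "F" * len(pad):
        return pin
    return None


# Constructed sample of what a back-office transaction store might hold.
# Assumed layout: (transaction id, PAN, PIN block field as hex).  Not real data;
# the PANs are made up and the second record's block is an arbitrary value
# standing in for ciphertext.
SAMPLE_RECORDS = [
    ("T1001", "4000123456789017", clear_pin_block("1234", "4000123456789017").hex()),
    ("T1002", "4000123456789017", "9D3E1F6AC0B7E5A2"),
    ("T1003", "5100987654321094", clear_pin_block("987654", "5100987654321094").hex()),
]


def scan_records(records):
    """Flag records whose PIN block field decodes as a clear PIN block.
    Only the PIN length is reported, never the PIN itself, so the scanner's
    own output does not become a second copy of the data."""
    findings = []
    for txn_id, pan, block_hex in records:
        if not PIN_BLOCK_RE.match(block_hex):
            continue
        pin = recover_clear_pin(bytes.fromhex(block_hex), pan)
        if pin is not None:
            findings.append((txn_id, "CLEAR_PIN_BLOCK", len(pin)))
    return findings


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(*finding)
```

Run against the sample, the scanner flags T1001 and T1003 and leaves T1002 alone. Note that a clean scan does not make retention acceptable: an encrypted PIN block kept after authorization is still data that should not be there, and still worth stealing by anyone who later obtains the key.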

While Target keeps the details of its breach close to its collective chest, there is very little information to form an opinion about negligence or attacker sophistication. That doesn't mean people aren't already lining up with their hands out for compensation. Apparently there are already three class-action lawsuits filed in the wake of the breach, seeking more than $5 million in damages.

I'm not opposed to the use of fines as a means of correcting errant business practices, but my first reaction to hearing about class-action suits is "opportunistic money-grabbers." I'd rather support a system that forces breached organizations to increase the security of their customers' data than a system that forces the attacked organization to simply take out insurance policies and argue over minimum levels of legal compliance. Earlier this month, I wrote about an alternative means of upping the information security posture of an organization through the divvying up of data breach fines, in which larger fines are imposed and a high proportion of those funds are directed back at the organization for investing in new defenses.

U.S. Sen. Robert Menendez (a member of the Senate banking committee) is investigating whether the Federal Trade Commission (FTC) has the authority to impose a fine for data breaches, such as this one affecting Target. If the FTC does not, then he intends to propose legislation that would grant it that power. I'd be an advocate for that, subject to a proportion of that fine going back to directly secure the organization.

It is unfortunate that data breaches are on the rise. However, I see it as a reflection of criminals perpetually targeting where the money is, and of the increasing gap between professional hackers and corporate compliance teams. This isn't the first time Target has been the victim of a data breach, and it won't be the last, and I feel comfortable saying that it isn't the only one happening right now ... merely the latest to be detected.

-- Gunter Ollmann, CTO IOActive Inc.


About the Author(s)

Gunter Ollmann

CTO, Security, Microsoft Cloud and AI Division

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before joining Microsoft, Gunter served as chief security officer at Vectra AI, driving new research and innovation into machine learning and AI-based threat detection of insider threats. Prior to Vectra AI, he served as CTO of domain services at NCC Group, where he drove the company's generic Top Level Domain (gTLD) program. He was also CTO at security consulting firm IOActive, CTO and vice president of research at Damballa, chief security strategist at IBM, and built and led well-known and respected security research groups around the world, such as X-Force. Gunter is a widely respected authority on security issues and technologies and has researched, written and published hundreds of technical papers and bylined articles.

Originally, Gunter had wanted to be an architect but he lost interest after designing retaining walls during a three-month internship. After that, he qualified as a meteorologist, but was lured to the dark side of forecasting Internet threats and cyberattacks. His ability to see dead people stoked an interest in history and first-millennium archaeology.
