Saturday, December 28, 2013

Important security notice

If you have used your debit/ATM card at Target, change your PIN:
Target Corp. said Friday that PIN data of its customers' bank ATM cards were stolen as part of the massive data breach at the third-largest U.S. retailer, but it was confident that the information was "safe and secure."

The stolen PIN data was "strongly encrypted" when it was removed from Target's systems, and the "key" necessary to decrypt data is not within its system and could not have been taken during the breach, spokeswoman Molly Snyder said in a statement. "We remain confident that PIN numbers are safe and secure."
I can't for the life of me figure out why they would store the PIN (as opposed to the card number - there are all sorts of legitimate reasons to do this).  As to strong encryption, I think that's almost certainly true.  However, I'm not so confident that someone couldn't crack this.  It would take some pretty intense knowledge of cryptography, but I wouldn't rule it out as impossible.  I also think that more information will continue to come out about this over the next week or two.  There could very well be another shoe about to drop.

If you've used your debit card at Target, change your PIN.


Alan said...

It doesn't matter how "secure" the encryption is. If Wily Hacker can figure out the hash/salt/algorithm (and they can) then it's trivially simple to brute-force a 4-digit number for ATM accounts.

cryptical said...

Hmm. "PIN data" could be several things... not necessarily the number.

The question is if there's enough data to derive the PIN, and if they didn't get the PVK from Target have they gotten it in some other breach?

Interesting stuff.

azmrmacs said...

Two problems with this Target info theft:
Encrypted PINs are stored and compared like passwords on PCs. Hence, you don't have to compare the password or PIN, just compare the hash values. That's why you protect the SAM or shadow file on a PC or Unix system.
Scarier is the type of encryption used. Triple-DES is reversible, that's why it was used for a long time to send secret messages. But Triple-DES was broken a long time ago, hence AES and elliptic-curve standards.
Better than changing your PIN, replace the whole card. If a PIN is only four numbers, how long will it take to brute-force?
Just my $0.02...
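Alan's and azmrmacs' comments both turn on the same point: a 4-digit PIN has only 10,000 possible values, so an unkeyed hash of it, however strong the hash function, can be recovered by enumeration once the salt and algorithm are known, while Target's claim rests on a key that was never on the breached system. The following Python example is added here to illustrate that distinction from a defender's standpoint; it is not code from the post or from any of the commenters. The salt, the "off-site" key and the PIN 4271 are constructed values, and HMAC-SHA256 is used as a stand-in for a keyed PIN-verification scheme, not as a description of how Target or its payment processors actually stored PIN data.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Every 4-digit PIN: "0000" through "9999", i.e. 10,000 candidates in total.
PIN_SPACE = 10_000

# Constructed values for this example. A real system would use a random
# per-record salt, and the verification key would be held outside the
# retailer's own systems (the separation Target's statement describes).
SALT = b"constructed-salt-0001"
OFFSITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def salted_hash(pin: str, salt: bytes) -> bytes:
    """Unkeyed salted SHA-256 of a PIN: the kind of 'hash/salt/algorithm'
    scheme Alan's comment has in mind. Everything needed to recompute it
    is present on the breached system."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def keyed_mac(pin: str, salt: bytes, key: bytes) -> bytes:
    """Keyed HMAC-SHA256 over the same input. Stands in for a scheme whose
    secret lives outside the breached system: without `key` the stored
    value cannot be recomputed for any candidate PIN."""
    return hmac.new(key, salt + pin.encode("ascii"), hashlib.sha256).digest()


def enumerate_pin(stored: bytes, salt: bytes,
                  key: Optional[bytes] = None) -> Tuple[Optional[str], int]:
    """Defender's exposure estimate: try every 4-digit PIN against `stored`
    and report which one matches (if any) and how many candidates it took.
    With key=None the unkeyed hash is recomputed; otherwise the MAC is
    recomputed under whatever key the caller happens to hold."""
    tried = 0
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        tried += 1
        if key is None:
            digest = salted_hash(candidate, salt)
        else:
            digest = keyed_mac(candidate, salt, key)
        if hmac.compare_digest(digest, stored):
            return candidate, tried
    return None, tried


def exposure_report(pin: str) -> dict:
    """Compare the two storage choices for a single PIN."""
    stored_hash = salted_hash(pin, SALT)
    stored_mac = keyed_mac(pin, SALT, OFFSITE_KEY)

    # Case 1: salt and algorithm known, no key involved. Always recoverable
    # in at most 10,000 hash computations.
    found_hash, tries_hash = enumerate_pin(stored_hash, SALT)

    # Case 2: record and salt leaked, but the key did not. Enumeration with
    # a wrong key never matches.
    found_wrong, _ = enumerate_pin(stored_mac, SALT, key=bytes(32))

    # Case 3: the key itself leaks. Back to the 10,000-candidate problem,
    # which is why the key's location is the whole question.
    found_leaked, _ = enumerate_pin(stored_mac, SALT, key=OFFSITE_KEY)

    return {
        "unkeyed_hash_recovered": found_hash,
        "unkeyed_hash_tries": tries_hash,
        "keyed_without_key": found_wrong,
        "keyed_with_leaked_key": found_leaked,
    }


if __name__ == "__main__":
    for name, value in exposure_report("4271").items():
        print(f"{name}: {value}")
```

Running it shows the unkeyed hash give up the PIN well inside the 10,000-try budget, the keyed value resist enumeration when the key is absent, and the keyed value fall just as fast once the key is available. That is the practical meaning of Target's statement that the decryption key "is not within its system": the protection comes from key custody, not from the strength of the algorithm, which is also why cryptical's question about whether the PVK could have been obtained elsewhere is the one that matters.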

Jake (formerly Riposte3) said...

I'm going to reiterate my suggestion from the earlier post on this breach (which echoes azmrmacs' advice above) - replace the card.

As I also noted at that post, it was reported that "The stolen data include customer names, credit and debit card numbers, card expiration dates and the three-digit security codes located on the backs of cards." That's everything needed to bleed you dry either with a fake card (run as credit instead of debit) or online. If you've shopped at Target during this timeframe, you should act as if the entire card is compromised.

Note: I've seen other stories denying that the security codes were compromised, so it's not certain. For safety's sake, I would treat it as if they were until it's confirmed otherwise.

b0aa11e6-1765-11e3-a620-000bcdcb5194 said...

Requirements for the PCI standard are weak at best. It does cover data in transit and in storage. Data is required to be segregated; however, I have seen in security audits that an acceptable method of segregation is encrypted data sitting next to data in the clear. STUPID. It makes sense that once breached, they got both, which makes it certain that this was not a jr. jr. operation. With both, payouts are high. It's about marketshare versus margin for the length of time these can be used. BTW, dual elliptic-curve as mentioned was perverted by Numerically Stupid Ass-hats at inception.