Sunday, November 24, 2024

Target Confirms Encrypted PINs Stolen As Part of Breach, Says Debit Accounts Remain ‘Safe’

Target Corp. on Friday confirmed that data thieves obtained customers’ encrypted debit card PINs, but said the sensitive numbers remain useless to the criminals because of the technology masking them.

“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” the Minneapolis-based mass merchandiser said as part of a 250-word update issued late Friday morning.

Fears that PINs may have been among the data taken by cyber criminals as part of a massive breach first reported Dec. 18 were stoked by a Dec. 25 Reuters report. The story cited an unnamed “senior payments executive” in reporting that the thieves had captured an unknown quantity of PINs. While it denied PINs had been among the data stolen in the breach, which affected as many as 40 million credit and debit cards used at the chain’s nearly 1,800 U.S. stores between Nov. 27 and Dec. 15, Target did concede some encrypted information had been taken, without saying whether this information included PINs.

Friday’s confirmation that encrypted PINs are in the hands of data thieves adds an even darker dimension to the breach, since the four-digit codes, if decrypted, can be used to access customers’ checking accounts at the point of sale or through ATMs. The Target update, however, discounts the likelihood of any such outcome. “We remain confident that PIN numbers are safe and secure,” the statement reads. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

The statement says customers’ PINs are encrypted at the terminal with the Triple DES encryption algorithm. The data remain encrypted until they reach Target’s third-party processor, which holds the decryption key, the statement says. “Target does not have access to nor does it store the encryption key within our system,” the retailer says in a bold-faced paragraph. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”

Investment firm Robert W. Baird & Co. last week reported that Target’s acquirer is Bank of America Merchant Services (BAMS), a joint venture of Bank of America Corp. and payment processor First Data Corp., though a BofA spokesperson would not confirm this link when contacted by Digital Transactions News.

While Target is reassuring its customers, security experts differ on the effectiveness of Triple DES in protecting PINs. “Independent encryption of a PIN is inherently weak because a four-digit field amounts to 10,000 possible values, which can be brute-force cryptanalyzed,” notes Gideon Samid, chief technology officer at BitMint LLC, a Rockville, Md.-based digital-currency startup, and security columnist for Digital Transactions magazine, in an email message. “And if one of the stolen PINs is mine, and I know its value, I can use this to quickly find the key and decrypt the rest.”

But Shirley Inscoe, a senior analyst specializing in fraud and security at Boston-based Aite Group LLC, agrees with Target that the stolen PINs should be safe. “To my knowledge, triple DES encryption has never been broken. A hacker would have an extremely difficult time breaking the encryption,” she says in an email message.
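The disagreement above turns less on the cipher than on how the PIN block is built before encryption. The following stand-alone Python, added here as an illustration and not code from the article, Target or its processor, shows why: encrypting a bare four-digit PIN deterministically under one key leaks which cards share a PIN (the known-PIN scenario Samid describes works without the key), whereas the ISO 9564 format 0 PIN block, which XORs the PIN with digits of the card number, gives each card a distinct ciphertext for the same PIN. It assumes a constructed key and card list, and uses a keyed hash as a stand-in for one-block Triple DES.

```python
import hmac
import hashlib
from collections import defaultdict

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for one-block 3DES-ECB (assumption: only determinism matters here).
    HMAC-SHA256 truncated to 8 bytes is used so the example runs on the stdlib;
    like 3DES it maps an identical (key, block) pair to an identical ciphertext."""
    assert len(block) == 8
    return hmac.new(key, block, hashlib.sha256).digest()[:8]

def naive_pin_block(pin: str, pan: str) -> bytes:
    """PIN encoded on its own: digits padded with 'F' to 16 hex digits.
    Only 10,000 distinct blocks exist, whatever the card (pan is ignored)."""
    return bytes.fromhex(pin.ljust(16, "F"))

def iso_format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field.
    PIN field = '0' + PIN length + PIN digits + 'F' padding;
    PAN field = '0000' + rightmost 12 PAN digits excluding the check digit."""
    pin_field = bytes.fromhex(("0%d%s" % (len(pin), pin)).ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1].rjust(12, "0"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))

def ciphertext_classes(key: bytes, cards, pin_block):
    """Group PANs by the ciphertext their PIN block produces under a single key.
    Any class larger than one means the ciphertexts alone reveal equal PINs."""
    classes = defaultdict(list)
    for pan, pin in cards:
        classes[encrypt_block(key, pin_block(pin, pan))].append(pan)
    return classes

def pins_exposed_by_known_pin(key, cards, pin_block, my_pan, my_pin):
    """PANs whose PIN an observer learns from the stolen ciphertexts, given only
    knowledge of one card's PIN (the scenario quoted above), never holding the key."""
    mine = encrypt_block(key, pin_block(my_pin, my_pan))
    return sorted(ciphertext_classes(key, cards, pin_block)[mine])

# Constructed sample: five cards, three of which share the commonest PIN, 1234.
SAMPLE_CARDS = [
    ("4111111111111111", "1234"),
    ("4000123456789010", "1234"),
    ("5500000000000004", "1234"),
    ("5105105105105100", "0000"),
    ("6011000990139424", "9876"),
]
PROCESSOR_KEY = b"constructed-key"  # in the article, held only by the processor

if __name__ == "__main__":
    for name, scheme in (("naive", naive_pin_block), ("ISO 9564 format 0", iso_format0_pin_block)):
        exposed = pins_exposed_by_known_pin(PROCESSOR_KEY, SAMPLE_CARDS, scheme, "4111111111111111", "1234")
        print("%-18s PINs learned from knowing one PIN: %d" % (name, len(exposed)))
```

The check a defender wants from a processor or terminal vendor is therefore not just "is it Triple DES" but "is the PIN block PAN-bound (format 0 or later) and is the key unique per device".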

A Target spokeswoman tells Digital Transactions News in an email that she has no “specific numbers to provide” regarding how many encrypted PINs may have been affected, nor is there any indication so far of any fraud linked to PINs stolen from Target. The retailer flatly states its customers have nothing to worry about because of encrypted PINs having been part of the breach. “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken,” says the Friday statement.

The breach, one of the largest yet reported, is being investigated by the U.S. Secret Service and the Federal Bureau of Investigation. Target has also hired a unit of Verizon Communications Inc. to conduct a forensic investigation.
