
Encrypted PIN Data Taken In Target Breach

Soulskill posted about 4 months ago | from the now-you're-all-targets dept.

Security 213

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.


213 comments

3des (0)

Anonymous Coward | about 4 months ago | (#45801519)

Other articles say the crypto was 3DES.

Re:3des (1)

hargrand (1301911) | about 4 months ago | (#45801935)

The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.

Re:3des (3, Interesting)

Proudrooster (580120) | about 4 months ago | (#45802173)

How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? Was it firmware in the POS registers? How did this happen?

Re:3des (2)

davester666 (731373) | about 4 months ago | (#45802521)

the usual. an excel spreadsheet on a computer running bittorrent in the background.

at least they put a password on the spreadsheet.

Time to ask the bank for a new debit card and PIN (1, Informative)

WilliamGeorge (816305) | about 4 months ago | (#45801529)

Subject line says it all :)

Re:Time to ask the bank for a new debit card and P (0)

Stargoat (658863) | about 4 months ago | (#45801587)

It's not that big of a deal for the consumer. According to, ah, GLBA I think it was, the consumer is completely off the hook for any fraudulent activity that takes place on their cards. So if some bad guy gets a hold of your card and begins a spending spree, that's on Chase or Citi or Navy Federal or whoever your card is with. You should always pay attention to activity on your card, but no need to go nuts.

Re:Time to ask the bank for a new debit card and P (4, Insightful)

Todd Knarr (15451) | about 4 months ago | (#45801735)

That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.

Re:Time to ask the bank a new debit card and P (2)

AK Marc (707885) | about 4 months ago | (#45801927)

When I've had issues, some quick arguing with the bank got money invented from nowhere and put in my account. Yes, it would delay the checkout from the hotel by a few minutes, but it will get the hotel bill paid. I'm sure you can find some cases where someone was a jackass to their bank, who then refused to fix the issue on the customer's time frame. But I've had this issue before, and the bank took care of it outside the minimum contractual requirements.

Re:Time to ask the bank a new debit card and P (4, Interesting)

Jah-Wren Ryel (80510) | about 4 months ago | (#45802531)

Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.

It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.

There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.

Re:Time to ask the bank for a new debit card and P (1)

george14215 (929657) | about 4 months ago | (#45802265)

That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.

Not only that, if you have a debit card and you are disputing charges, the banks will put a freeze on your account while the dispute is being investigated.

Re:Time to ask the bank for a new debit card and P (0)

Anonymous Coward | about 4 months ago | (#45802307)

Bullshit.

Re:Time to ask the bank for a new debit card and P (5, Informative)

Anonymous Coward | about 4 months ago | (#45801785)

To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.

Re:Time to ask the bank for a new debit card and P (1)

Mashiki (184564) | about 4 months ago | (#45802003)

It depends on where you live and what bank you have. Where I live in Ontario, the same rights are afforded to me on my debit card that my credit card has. Including a lock limit on the RFID of no more than $50.

Re:Time to ask the bank for a new debit card and P (1)

Jah-Wren Ryel (80510) | about 4 months ago | (#45802551)

To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards.

In recent years, things have gotten better for debit card holders, you are right that it used to be all promises. Now there are some federal regulations, but they still aren't anywhere near as strong as the federal laws protecting credit card holders.

http://www.fdic.gov/consumers/consumer/news/cnfall09/debit_vs_credit.html [fdic.gov]

Re:Time to ask the bank for a new debit card and P (0)

Anonymous Coward | about 4 months ago | (#45802155)

So what happened to me a few years ago, there was a suspicious and expensive activity with my debit card. My credit union left the money in my account, but froze it. My rent check was bounced. Thankfully had a good history with my landlord and they didn't go nuts.

Re:Time to ask the bank for a new debit card and P (0)

Anonymous Coward | about 4 months ago | (#45802435)

Oh, it isn't on Chase or Citi or NFCU - it's on the vendor who accepted the charges. Remember children, win or lose - the bank never loses money...

Re:Time to ask the bank for a new debit card and P (0)

Anonymous Coward | about 4 months ago | (#45802471)

Not entirely true. I know Visa, and think Master Card is mostly the same (Other cards rules may vary)

For credit cards, you are responsible for the first $50 of fraud, if you report the fraud in a reasonable amount of time. They usually use 60 or 90 days, but that may have shortened in the last few years. I don't think any bank or credit union will hold you to the $50, but they have every right to.

For debit cards, you are responsible for the first $500 of fraud. Other than the amount, the rules are the same.

For fraud, you must contact the merchant and attempt to get them to reverse it (If they do, that is the end of it). If they refuse, you have to go to your bank and file a dispute (Not sure if you have to do 1 for each transaction or not). You will be out the money until the dispute resolves, unless the bank is nice to you. The key words to use are "card holder not present for transaction". If the amount is under $30, the merchant will not be told and you will probably win automatically. Over that amount they "may" try to go after the merchant and fully dispute it.

The more you know!

Why are they storing this data anyway? (3, Interesting)

Anonymous Coward | about 4 months ago | (#45801549)

Is there a good reason for keeping this that I'm not seeing?

Re:Why are they storing this data anyway? (0)

Anonymous Coward | about 4 months ago | (#45801581)

The government requires it.

Re:Why are they storing this data anyway? (4, Insightful)

Tool Man (9826) | about 4 months ago | (#45801637)

Nope, horse-puckey. This would be the same PIN data that their PCI compliance *cough* would disallow from storing after authorization for a transaction, just like the CVV codes which I think also got nabbed. Now, it is possible that they were all captured "in-flight" and not being stored against the rules, but it is very much verboten to keep even with encryption.

Re:Why are they storing this data anyway? (0)

Anonymous Coward | about 4 months ago | (#45801773)

It wasn't more than a few days before the breach started that we were hearing about POS-targeting malware that was going for this kind of data. It looks like it was probably software card-skimming, in which case things like encrypted pins and CVV's would be entirely reasonable to get nabbed.

But yes, if it does turn out that Target was storing this data, it'll be pretty bad news for them.

Re:Why are they storing this data anyway? (1)

failedlogic (627314) | about 4 months ago | (#45801815)

I don't work in PCI compliance, but I've been reading up on it. This is, as I've understood it, a violation of PCI. Adding to the parent comment, that it was taken "in-flight" is probably as much a rule breaker .... and one has to wonder, if this data was not being stored, just how long it was being taken "in-flight". Several million cards have been taken, according to the news release. This might represent several hours' worth of transactions (given the busy time of the year), so if this info was tapped for a few hours this is concerning.

Re:Why are they storing this data anyway? (0)

Anonymous Coward | about 4 months ago | (#45801887)

Well the PIN *does* have to be transmitted from the card-swipe terminal down to the ATM/Debit network that processes the transaction and verify the PIN. So the PIN has to "fly".

There is probably any number of places where the encrypted PIN data could have been stolen, if it was indeed taken in flight.

plenty of ways to confirm PIN without sending it (1)

raymorris (2726007) | about 4 months ago | (#45802459)

You could confirm whether a PIN is correct without sending it.
For example, send sha1(card number + pin + time of day)
The machine at bank's end does the same calculation with the correct pin and returns whether or not it matches.

Re:Why are they storing this data anyway? (4, Insightful)

snowraver1 (1052510) | about 4 months ago | (#45802489)

I have been doing card processing for a living for 7 years now. The pin, of course, has to go over the wire along with the track2 data. How exactly that happens can differ greatly though. Larger merchants are more likely to use some sort of middleware processing software, and that introduces weaknesses. In many cases communication between the POS and middleware is plaintext. Scooping this data up would be trivial, but PCI mandates that unencrypted data has to be segregated off the network from non-PCI stuff. This makes things a bit trickier for an attacker.

As for Target, here's my take: This is the only information in the press release:

The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.

That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.

I find it odd that they say that pins have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the pin table/columns. A list of pin numbers though, of course, is completely useless (8374 - Here's a free one) on its own. Decrypting them should be trivial, given the limited number of possible pin numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.

As for the 3des part, It just doesn't make any sense. As other people have already said, 3des is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3des key). If that is the case, then each session key would be unique, and target would never have "access" to it as it would only exist in RAM.

To my knowledge. I'd be happy/interested if someone could prove me wrong here.

Re:Why are they storing this data anyway? (1)

snowraver1 (1052510) | about 4 months ago | (#45802495)

Bah, I'm sorry...

[*ThereShouldBeAnAsteriskHere*]To my knowledge. I'd be happy/interested if someone could prove me wrong here.

Re:Why are they storing this data anyway? (1)

beelsebob (529313) | about 4 months ago | (#45802361)

I don't understand why any part of the PIN machine with firmware has access to the PIN at all. The key pad could easily simply route the inputs to the chip on the card, and generate a response from the PIN input, and a challenge there. Only then would the data leave the card/keypad, and be accessible by the firmware.

Magstripe-and-PIN (1)

tepples (727027) | about 4 months ago | (#45802503)

Most US debit card machines that I've seen (at least in Indiana) are magstripe-and-PIN, not chip-and-PIN. My debit card from Chase Bank doesn't even have visible "chip" contacts. Besides, there aren't 11 contacts (10 digits + common ground), so the PIN pad machine has to do some sort of translation to get the digits to the serial contacts.

Re:Why are they storing this data anyway? (0)

Anonymous Coward | about 4 months ago | (#45802145)

Target stores your CC/CD number because they use it as a tracker. I use my debit card there and while checking out, the register will print coupons for things I have purchased in the past that I have not bought at Target in a while.

It appears that the CC info isn't encrypted so they can track customers but the PIN is? Sounds like pure and simple negligence to me. "We don't feel the need to encrypt the portion of the card data that can be used to print fake cards that can make any online purchase for debit cards, and any purchases at all for credit cards, but those PINs? We care a whole lot about those, yes siree bob!".

Re:Why are they storing this data anyway? (1)

Baloroth (2370816) | about 4 months ago | (#45802157)

They don't (necessarily) have to, if the attack was ongoing (which it sounds like it very much was) then the attackers could have retrieved the PINs in transit.

Re:Why are they storing this data anyway? (1)

beelsebob (529313) | about 4 months ago | (#45802373)

As I said above, why are the chip & pin machines not designed to avoid this? Surely the keypad should operate without firmware, and be responsible only for sending the key presses to the card. The card's chip can then generate a response from a hash of the challenge and the PIN, and only then send the data off the card/key pad, and into the system controlled by firmware.

Re:Why are they storing this data anyway? (1)

rollingcalf (605357) | about 4 months ago | (#45802411)

In the US they generally don't use chip & PIN. The stolen PINs involved are for bank ATM cards without chips, not PINs for credit cards with chips.

Re: Why are they storing this data anyway? (2, Interesting)

khanta (820056) | about 4 months ago | (#45802193)

Terminals encrypt PIN data inside the device. The terminals they use are PED certified. DUKPT is used, and the data should be safe. The PIN block should stay encrypted all the way to the processor. If it is decrypted it should be done in an HSM. The malware was most likely scraping memory on the POS and grabbing track data as it was passed from terminal to the POS. Then they somehow exfiltrated it out. Obviously they weren't using encrypted terminals. I don't think target stored this data centrally. Most likely just infected POS stations. My bet is at the source and they all booted up infected stations. Sorry for the terse responses.

Re:Why are they storing this data anyway? (0)

beelsebob (529313) | about 4 months ago | (#45802351)

What's even more confusing, is... why does this data ever leave the card?

Why does the bank not send a challenge, have the response generated, on the card, with a hash of the pin and the challenge, and verify the result?

We'll know soon (5, Funny)

Above (100351) | about 4 months ago | (#45801561)

When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".

Re:We'll know soon (1)

Spy Handler (822350) | about 4 months ago | (#45801905)

Yes but if that's the case they don't even have to crack the encryption, they've already got the PIN for 50% of the cards!

50% of 4 million cards (or whatever the number was) ought to be more than enough for anybody.

Re:We'll know soon (0)

Anonymous Coward | about 4 months ago | (#45802119)

When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".

It depends on the encryption mode used. If it was ECB, then yes, a particular plain-text will always have the same cipher text.

If they used CTR with a different nonce/IV for each PIN, then it's a different story.

Given that most PINs are four characters (32b), they could have also used OAEP and done straight RSA without a symmetrical cipher (AES): public key on that small an amount of data is (assuming per PIN scrambling, and not of a large file) not too bad.

Re:We'll know soon (0)

Anonymous Coward | about 4 months ago | (#45802345)

Ha! Mine is 1111. Shows how wrong you are.

Re:We'll know soon (1, Insightful)

Above (100351) | about 4 months ago | (#45802357)

I hate to reply to my own post, but I appear to be modded "Insightful". The correct mod selection was "Funny".

*sigh*

Can encryption experts chime in? (3, Interesting)

postmortem (906676) | about 4 months ago | (#45801573)

How hard it would be to decrypt, knowing that each pin is exactly 4 digits?

I would think if salting was not used, it is just a matter of time.

Re:Can encryption experts chime in? (0)

Anonymous Coward | about 4 months ago | (#45801619)

Even with salts, it would still take an average of 5,000 tries to get each PIN. Unless something like bcrypt was used, this translates to several dozen milliseconds per PIN.

Re:Can encryption experts chime in? (3, Insightful)

hargrand (1301911) | about 4 months ago | (#45801997)

You're assuming the PIN was in any way related to the 3DES key. That's almost certainly not the case. More likely, Target requests a transaction key from the bank which is then used to encrypt the PIN and sends the encrypted PIN to the bank. The bank then decrypts the PIN using the 3DES key and verifies the PIN.

They probably should switch to RSA or some other public key algorithm. With 3DES, both parties need to share the key. With RSA, there is a public key and a matched private key. If the public key is compromised, it's no big deal. Since the bank retains the private key and doesn't share it, it's at least theoretically more secure for this kind of transaction.

Re:Can encryption experts chime in? (1)

beelsebob (529313) | about 4 months ago | (#45802391)

I don't understand why any one would use encryption here at all. Why would they not use challenge/response, so that the PIN never leaves the card/keypad (encrypted or not).
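raymorris's sha1(card number + pin + time of day) idea further up the thread and beelsebob's challenge/response question here describe the same scheme, so here is one added Python example (not from the thread, Target, or any payment product) that implements it with HMAC-SHA256 in place of a plain SHA-1 concatenation, together with the two checks a practitioner would want: an issuer that locks the card after a few wrong answers, and an eavesdropper who recovers the PIN from a single captured (challenge, response) pair. `Issuer`, `pin_response` and `recover_pin_offline` are names chosen for this example, and the PAN and PIN are constructed test values, not real card data.

```python
"""Challenge-response PIN verification with a 4-digit PIN, and why it does not survive a wire tap.

Both ends derive the same response from (PAN, PIN, challenge), so only the response
crosses the wire. An eavesdropper who records one (challenge, response) pair can still
recover the PIN offline in at most 10,000 trials, with no retry counter in the way.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def pin_response(pan: str, pin: str, challenge: bytes) -> bytes:
    """Terminal side: response = HMAC-SHA256 keyed with the PIN over PAN || challenge.

    Stands in for the thread's sha1(card number + pin + time of day); the PIN
    itself never leaves the keypad, only this response does.
    """
    return hmac.new(pin.encode(), pan.encode() + challenge, hashlib.sha256).digest()


class Issuer:
    """Issuer/bank side: PIN on file per PAN plus a retry counter that caps online guessing."""

    def __init__(self, pins: Dict[str, str], max_tries: int = 3) -> None:
        self._pins = dict(pins)
        self._tries = {pan: 0 for pan in pins}
        self._max_tries = max_tries

    def new_challenge(self) -> bytes:
        """Fresh random challenge; in the thread's version this was the time of day."""
        return secrets.token_bytes(16)

    def verify(self, pan: str, challenge: bytes, response: bytes) -> bool:
        """Recompute the response with the PIN on file; refuse once the card is locked."""
        if pan not in self._pins or self._tries[pan] >= self._max_tries:
            return False
        expected = pin_response(pan, self._pins[pan], challenge)
        ok = hmac.compare_digest(expected, response)
        self._tries[pan] = 0 if ok else self._tries[pan] + 1
        return ok

    def is_locked(self, pan: str) -> bool:
        return self._tries.get(pan, 0) >= self._max_tries


def recover_pin_offline(pan: str, challenge: bytes, response: bytes) -> Optional[str]:
    """Eavesdropper side: a captured (challenge, response) pair is a PIN verifier.

    Four digits means at most 10,000 candidates; each is checked locally.
    """
    for guess in range(10_000):
        candidate = f"{guess:04d}"
        if hmac.compare_digest(pin_response(pan, candidate, challenge), response):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed test values, not real card data.
    PAN, PIN = "4111111111111111", "1234"
    bank = Issuer({PAN: PIN})
    chal = bank.new_challenge()
    resp = pin_response(PAN, PIN, chal)  # the only thing that crosses the wire
    print("issuer accepts:", bank.verify(PAN, chal, resp))
    print("eavesdropper recovers:", recover_pin_offline(PAN, chal, resp))
```

The online path is bounded by the retry counter, but the offline path is not: with only 10^4 possible PINs, the captured pair is a verifier the attacker can test against at leisure, so a PIN-only challenge/response protects a tapped wire no better than the encrypted PIN block the thread is discussing. EMV chip cards get a real challenge/response because the card holds a high-entropy secret key and the PIN only unlocks the card; the PIN is never the key material.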

Re:Can encryption experts chime in? (1)

ShanghaiBill (739463) | about 4 months ago | (#45801963)

How hard it would be to decrypt, knowing that each pin is exactly 4 digits?

It would not be difficult. But what is the point? The PIN is only useful if you physically swipe the card. You don't use a PIN during a "card not present" transaction, such as an online purchase.

Re:Can encryption experts chime in? (3, Informative)

EvilSS (557649) | about 4 months ago | (#45802025)

There is already evidence that the cards are being cloned and used overseas, so having the pin would be very useful for them. They got the entire magstripe for each card in the attack.

Re:Can encryption experts chime in? (0)

Anonymous Coward | about 4 months ago | (#45802355)

How hard it would be to decrypt, knowing that each pin is exactly 4 digits?

Trivial to brute force depending on how many times you can run the PIN before the bank locks you out. A four digit pin of the numbers 0-9 is only 10,000 different combinations.

Re:Can encryption experts chime in? (1)

irregehen (1967014) | about 4 months ago | (#45802539)

There is a sequence number involved so you got to have a sequential trail for a given terminal and know the valid PIN of one of the cards used to brute it out.

sigh, lamestream press strikes again (4, Interesting)

sribe (304414) | about 4 months ago | (#45801589)

The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?

Re:sigh, lamestream press strikes again (4, Informative)

taustin (171655) | about 4 months ago | (#45801631)

It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.

(Earlier reports claimed the pads had been compromised, but that smelled like bullshit then, and even more like it now.)

Re:sigh, lamestream press strikes again (1)

sribe (304414) | about 4 months ago | (#45802073)

It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.

Ah, thanks for the clarification.

Re:sigh, lamestream press strikes again (0)

Anonymous Coward | about 4 months ago | (#45801671)

It's, um, triple RSA DES ECDH BIGNAME IMPRESSIVE SOUNDING ACRONYM.

Salted.

OK, salt is not healthy for you, so we used "POTASSIUM CHLORIDE" instead.

Nobody would ever guess that. Really, trust me.

Re:sigh, lamestream press strikes again (1)

Man On Pink Corner (1089867) | about 4 months ago | (#45802247)

It doesn't matter if they used Triple Double-Dog Secret Patent Pending NSA-Certified ROT13, a large collection of four-digit PINs is about the best known plaintext short of the Pledge of Allegiance. If they aren't salted, it's open season on those cardholders.

Re:sigh, lamestream press strikes again (1)

DeathByLlama (2813725) | about 4 months ago | (#45801843)

I'm guessing they meant that the key necessary to decrypt the data was never on the systems which *stored* the data, but that's just a guess (since as you pointed out, if they used 3DES, the encryption key IS the decryption key, and I doubt they lied about that).

Re:sigh, lamestream press strikes again (0)

Anonymous Coward | about 4 months ago | (#45801917)

http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction

Re:sigh, lamestream press strikes again (0)

Anonymous Coward | about 4 months ago | (#45802225)

Debit PIN keys are injected at a key injection facility (usually) and generally DUKPT is used to generate an encrypting key for the PIN. Target was (I'm pretty sure) using PCI PTS compliant devices. Go read about DUKPT and PTS on the web. The corresponding base key or IPEK is housed at the payment processor inside an HSM.
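The "PIN block" that khanta's post and the comment above refer to is the ISO 9564-1 format-0 block: the PIN entry device mixes the PIN with part of the PAN before 3DES-encrypting the result under the DUKPT-derived key, and the processor's HSM reverses the same steps after decrypting. The following Python is an added example, not Target's or any terminal vendor's code; it shows only the block formation and unpacking and deliberately leaves out the 3DES step and the DUKPT key derivation. The PAN and PIN values are constructed test inputs.

```python
"""ISO 9564-1 format-0 PIN block: build it at the PED, unpack it at the issuer.

The clear block below is what a PIN entry device forms immediately before
3DES-encrypting it under a DUKPT-derived key; the HSM at the processor decrypts
and then unpacks it the same way. Encryption and key derivation are not shown.
"""


def _pan_field(pan: str) -> str:
    """Rightmost 12 digits of the PAN, excluding the check digit, left-padded with four zeros."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]


def _pin_field(pin: str) -> str:
    """Format-0 PIN field: control nibble '0', PIN length, PIN digits, 'F' padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def _xor_hex(a: str, b: str) -> str:
    """Nibble-wise XOR of two equal-length hex strings."""
    if len(a) != len(b):
        raise ValueError("hex strings differ in length")
    return "".join(f"{int(x, 16) ^ int(y, 16):X}" for x, y in zip(a, b))


def build_pin_block(pin: str, pan: str) -> str:
    """PED side: clear format-0 PIN block (16 hex chars) = PIN field XOR PAN field."""
    return _xor_hex(_pin_field(pin), _pan_field(pan))


def extract_pin(pin_block: str, pan: str) -> str:
    """Issuer side: undo the PAN XOR, check format nibble and padding, return the PIN.

    A block formed against a different PAN fails the padding check, which is the
    cheap integrity test an HSM applies before comparing the PIN.
    """
    if len(pin_block) != 16:
        raise ValueError("PIN block must be 16 hex characters")
    field = _xor_hex(pin_block.upper(), _pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("bad PIN length nibble")
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("PIN block failed format check (wrong PAN or corrupted block)")
    return pin


if __name__ == "__main__":
    # Constructed test values, not real card data.
    block = build_pin_block("1234", "4111111111111111")
    print("clear PIN block:", block)
    print("recovered PIN:", extract_pin(block, "4111111111111111"))
    print("same PIN, other PAN:", build_pin_block("1234", "5500000000000004"))
```

Because the PAN is folded in, two cards with the same PIN produce different clear blocks, which is why the "We'll know soon" frequency count earlier in the thread would not work against format-0 blocks even under a single fixed ECB key. It is not a secret, though: an attacker holding the track data already knows each PAN, so the block's security rests entirely on the 3DES key staying inside the PED and the HSM, which is the point the thread keeps circling back to.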

Re:sigh, lamestream press strikes again (2)

Eric Cordian (2901383) | about 4 months ago | (#45802533)

Point of Sale terminals keep their 3DES encryption keys in firmware within a tamper-resistant module. Even with advanced technology like plasma ablation and electron microscopy, it is believed to be impractical to extract the key. The keys are loaded by a courier who swipes special cards while the device is in maintenance mode. This permits the POS stations to be used over an insecure line to the payment processor, and cleartext is never present anywhere outside the sealed module, from which the key cannot be recovered. So unless you tap the keypad, you cannot have access to the unencrypted PIN. Stealing data is insufficient to obtain the information necessary to use the card. That having been said, if there is any way you can do a trial of a large number of PINs, it is trivial to try all 10,000 possibilities, and see which one works, no matter how strong the encryption is.

US Military Commissions Sock Puppet Program (-1)

Anonymous Coward | about 4 months ago | (#45801635)

US Military Commissions Sock Puppet Program

What's old is new again

http://yro.slashdot.org/story/11/03/18/023239/us-military-commissions-sock-puppet-program [slashdot.org]

"The Guardian and The Telegraph are reporting that US based Ntrepid Corporation has been awarded a $2.76 million contract to develop software aimed at manipulating social media. The project aims to enable military personnel to control multiple 'sock puppets' located at a range of geographically diverse IP addresses, with the aim of spreading pro-US propaganda. The project will not target English speaking web sites (yet) but will be limited to foreign languages, including Arabic, Farsi, Urdu and Pashto. The project will be funded as part of the $200 million Operation Earnest Voice program run by US Central Command."

http://www.ntrepidcorp.com/ [ntrepidcorp.com]
http://www.guardian.co.uk/technology/2011/mar/17/us-spy-operation-social-networks [guardian.co.uk]
http://www.telegraph.co.uk/news/8388603/US-military-creates-fake-online-personas.html [telegraph.co.uk]

inside job? (1)

wbr1 (2538558) | about 4 months ago | (#45801651)

To me this whole fiasco smacks of an inside job, or at least having a compromised employee/contractor. Certainly other scenarios are plausible, but IIRC they got into a system that pushed corrupt firmware to the card readers. I am assuming Target uses such firmware to put their graphics on screen, plus other Target specific things (like discounts for Target debit card users).

The number of people with knowledge of how to change the firmware is probably a pretty short list. When crossed against the list of people who have access to the compromised systems it likely gets smaller

Could others break in and figure it out? Sure, but I think Occam's Razor applies. The data is likely already split and sold (Krebs evidence suggests this). So the guys at the top, if smart, have made their money, and can sit back and relax.

Re:inside job? (4, Interesting)

Rhyas (100444) | about 4 months ago | (#45801801)

They didn't get anything onto the card readers from all that's been published publicly so far. Most card readers these days will encrypt the pin *before* sending the data to the terminal. Thus, only getting encrypted pins.

Given that the terminals run windows, it's not that difficult to get some malware to spread to them from a central source. Could still be an inside job for sure, but none of the details published yet can confirm that for fact.

Re:inside job? (2)

Bert64 (520050) | about 4 months ago | (#45802209)

Windows corporate networks almost always operate on the idea of protecting the perimeter, and leaving the inside horrendously insecure... For something like a retail store, where the general public have physical access to the building that idea breaks down very quickly... You only need to have momentary access to a network socket/cable, and these will often be available at random points on the shop floor or at the very least at the back (i.e. facing the customer) of the pos terminals...
Once you're on, chances are all the windows boxes are on one domain making them a very easy target.

Re:inside job? (0)

Anonymous Coward | about 4 months ago | (#45802327)

That may have been true 15 years ago but XP on forward comes with a firewall that is turned on by default. Presumably Target's POS' had the firewall turned on and disabled any irrelevant services on the system.

PIN?? is it useful (1)

Nikademus (631739) | about 4 months ago | (#45801661)

OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.

Re:PIN?? is it useful (5, Informative)

Em Adespoton (792954) | about 4 months ago | (#45801775)

OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.

The trip a card purchase takes from your physical card to the merchant bank is actually pretty convoluted -- the simplified explanation is that a card purchase with PIN has a lot fewer safeguards and security checks than an online purchase with card, address and CV only. For card purchases where only the number is used, the vendor assumes a HUGE amount of liability. It often makes sense for fast food vendors and such, where the transaction values are small and they get a significant uptick in sales for shorter transaction times, but for purchasing big ticket items, you either do chip+pin or track 1 data plus second factor (usually stored by the vendor).

So the even shorter answer is: PIN codes mean relative anonymity. Without the PIN, you need to provide other PII at some point in the transaction.

Re:PIN?? is it useful (0)

Anonymous Coward | about 4 months ago | (#45801813)

The PIN allows you to go to a cash machine and withdraw cash. So a thief could drain bank accounts by creating a cloned card and visiting an ATM (most or all banks have daily withdrawal limits, but if you don't pay attention, a thief could still do a lot of damage over the course of a few days).

You are correct however that the cards could be used at places where ordinary credit cards are accepted without the use of the PIN.

Re:PIN?? is it useful (0)

Anonymous Coward | about 4 months ago | (#45801859)

Have you tried buying anything in France with a credit card that's not Chip & PIN? Though that's not what this debit card story is about.

Is it that important with PINs? (1)

damn_registrars (1103043) | about 4 months ago | (#45801669)

I could be missing something here, but by my understanding PINs are usually only 4 digits long. I would think that the people who were able to snag the cards that they correspond to could probably come up with a clever way to figure out the PINs on most of these cards without ever needing to decrypt the data. I recall not long ago seeing a publication of the frequency of PINs in use today; it would seem that they could probably gain access to a significant share with just that list alone.

Nov 27 - Dec 15 (0)

Anonymous Coward | about 4 months ago | (#45801687)

This is the first time I've heard the date range, and it lets me off the hook.

Having said that, big companies (and especially big non-tech companies) have a history of not being accurate when disclosing the details of data breaches the first time around.

Target of what ? (0)

Anonymous Coward | about 4 months ago | (#45801749)

What is a "target breach" ?

Why are pins stored? (2)

metrix007 (200091) | about 4 months ago | (#45801755)

Why combine something you know with something you have? I thought only banks stored pins?

Re:Why are pins stored? (1)

Horshu (2754893) | about 4 months ago | (#45801889)

My thoughts exactly. It seems to me that the user should enter the pin, the bank and store should exchange keys, encrypt the pin, send it to the bank for decryption/verification, and that's it. What would be the point of storing the pin at the store?

Re:Why are pins stored? (1)

AHuxley (892839) | about 4 months ago | (#45802111)

The entire transaction with a request for a postcode noted with the transaction might provide real quality marketing data?

Re:Why are pins stored? (0)

Anonymous Coward | about 4 months ago | (#45801951)

afaik, merchants are NOT supposed to retain PIN or CVV once they receive authorization for the transaction.. and at a retail point-of-sale, they have absolutely NO FUCKING REASON TO.

Re:Why are pins stored? (1)

EvilSS (557649) | about 4 months ago | (#45802057)

The PINs could have been captured in flight. They can't be stored, but they still need to make their way from the terminal to the bank for verification.

Re:Why are pins stored? (2)

ljheidel (72508) | about 4 months ago | (#45802285)

I know for a fact that one of the items on the PCI list for CC transactions is 'no storage of CVV data.' If Target was indeed storing the PIN numbers, I feel like they have some real 'splainin to do about that one. However, based on the fact that they're obsessive about data mining, I wouldn't put it past them. "Why do we need to keep the PIN numbers?" "I dunno, but we can." "Okay, let's do it."

However, if the data was stolen 'in flight' as EvilSS suggests and it *is* encrypted (and based on the prevarication in which Target has engaged, I wouldn't hold my breath), it does kind of help narrow down the mechanism of the breach. It basically means they didn't crack the individual POS terminals, but some point in between the terminal and the bank. But, as I sit here and think about this, why would the POS terminals encrypt the PIN but not the CC number? This is where my lack of knowledge of the arcane world of computerized banking (and having worked in it for a brief time, I know it's full of WTF) prevents me from making any more guesses. Perhaps it's required by standard that the PIN be encrypted leaving the POS terminal. Perhaps the intercept point was between Target and the bank, and Target was sending the PINs as a hash.

Exactly how hard would it be to run an attack against, say, 40 million salted hashes if you knew each of the pre-hashed values was a four-digit code from 0000-9999?

But the more I think about this...this means that each of the CC transactions individually leave the POS terminal, get routed through some branch office infrastructure then back to Target HQ, then onto the banking network. Way too much speculation on my part, but I'm hellishly curious to find out what actually happened.

Re:Why are pins stored? (2)

EvilSS (557649) | about 4 months ago | (#45802433)

They are required, by standard, to be encrypted at the POS terminal. CC #'s are not because they can be stored by the merchant. Should they be? Hell yes but I didn't make the rules.

From my experience working with PCI compliant companies, the CC info is usually kept on a completely separate network from the normal corporate network. It usually routes back to a central office or branch office before making its way to the payment processor in large companies (small mom & pop it probably dials/VPNs direct from the POS terminal). There would be plenty of chances to grab it along the way if you penetrated that secure network. The upside is that PCI makes it very painful if you fail to protect that network. Thus why Target is staring at a VERY big ($3.6 billion) PCI fine.

Salt (1)

mrflash818 (226638) | about 4 months ago | (#45801767)

Hope Target's systems used a salt when creating the 3DES.

If the Triple DES used a salt, then good, it will make it much more likely the PINs are secure, because then the hackers would have to brute-force trying a salt value, then all possible PINs for one of the Triple DES encrypted PINs, which would take longer.

If the salt was unique for each PIN, then that would be the most secure ( but I do not know how a little machine where people give their pins could do that )

If no salt was used, then might be another case like what happened to Adobe: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ [sophos.com]

DUKPT (3, Informative)

Anonymous Coward | about 4 months ago | (#45801777)

PINs are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived Unique Key Per Transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).

So no the PINs are safe unless the card terminals have been hacked too.
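The property the DUKPT comment relies on, shown as an added example that is not Target's, any terminal vendor's, or the ANSI X9.24 algorithm itself: the terminal holds only a per-transaction key that it ratchets forward and discards, while the base derivation key (BDK) stays at the host or HSM and is used there to re-derive each transaction key from the terminal id and counter. The PIN is packed as an ISO 9564 format-0 PIN block (PIN field XOR PAN field) before encryption. Two assumptions are this example's own: the ratchet and key derivation are HMAC-SHA256 rather than the standard's TDES key-derivation over a 21-bit counter, and the cipher is a one-time HMAC keystream standing in for 3DES, which the Python standard library does not ship.

```python
"""Simplified derived-unique-key-per-transaction PIN encryption.

Added example (assumptions: HMAC-based derivation instead of X9.24 TDES
derivation; an HMAC keystream instead of 3DES). It keeps the properties
that matter for the thread: no long-term key on the terminal, one key per
transaction, forward-only key state, host-side re-derivation from the BDK.
"""
import hashlib
import hmac
from typing import Optional, Tuple

KSN = Tuple[bytes, int]  # (terminal id, transaction counter) sent in clear


def iso9564_format0_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 PIN block: '0' + PIN length + PIN, F-padded to 16
    hex digits, XORed with '0000' + rightmost 12 PAN digits (check digit
    excluded)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def pin_from_block(block: bytes, pan: str) -> Optional[str]:
    """Invert the format-0 block; None if it does not parse as format 0."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    if pin_field[0] != "0":
        return None
    n = int(pin_field[1], 16)
    pin = pin_field[2:2 + n]
    return pin if (4 <= n <= 12 and pin.isdigit()) else None


def derive_initial_key(bdk: bytes, terminal_id: bytes) -> bytes:
    # Done once at key injection; the BDK itself never stays on the terminal.
    return hmac.new(bdk, b"initial-key|" + terminal_id, hashlib.sha256).digest()


def ratchet(state: bytes) -> bytes:
    # One-way step: knowing the new state does not reveal the old one.
    return hmac.new(state, b"next", hashlib.sha256).digest()


def txn_key(state: bytes) -> bytes:
    return hmac.new(state, b"pin-encryption", hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for 3DES; safe only because each key encrypts exactly one block.
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()[:len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))


class Terminal:
    """The card reader: holds only the current ratchet state and a counter."""

    def __init__(self, bdk: bytes, terminal_id: bytes) -> None:
        self.terminal_id = terminal_id
        self.counter = 0
        self._state = derive_initial_key(bdk, terminal_id)

    def encrypt_pin(self, pin: str, pan: str) -> Tuple[KSN, bytes]:
        ciphertext = keystream_xor(txn_key(self._state), iso9564_format0_block(pin, pan))
        ksn = (self.terminal_id, self.counter)
        self._state = ratchet(self._state)  # previous state is discarded
        self.counter += 1
        return ksn, ciphertext

    def current_state(self) -> bytes:
        """What an attacker would get by dumping the terminal after a sale."""
        return self._state


def host_decrypt(bdk: bytes, ksn: KSN, ciphertext: bytes, pan: str) -> Optional[str]:
    """The acquirer/HSM side: re-derive the transaction key from BDK + KSN."""
    terminal_id, counter = ksn
    state = derive_initial_key(bdk, terminal_id)
    for _ in range(counter):
        state = ratchet(state)
    return pin_from_block(keystream_xor(txn_key(state), ciphertext), pan)


def decrypt_with_terminal_state(state: bytes, ciphertext: bytes, pan: str) -> Optional[str]:
    """Attempt to decrypt an earlier PIN block using a later terminal state."""
    return pin_from_block(keystream_xor(txn_key(state), ciphertext), pan)


if __name__ == "__main__":
    bdk = bytes(32)  # constructed demo key; a real BDK lives in an HSM
    pos = Terminal(bdk, b"POS-0001")
    ksn, ct = pos.encrypt_pin("1234", "4111111111111111")  # constructed PAN
    print(ksn, ct.hex())
    print("host recovers:", host_decrypt(bdk, ksn, ct, "4111111111111111"))
    print("dumped terminal recovers:", decrypt_with_terminal_state(pos.current_state(), ct, "4111111111111111"))
```

Someone sitting between the terminal and the host sees the clear KSN and the ciphertext; without the BDK neither is enough, and a terminal dumped after the sale holds only the next state, which the ratchet makes useless against the earlier block.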

chip and pin (EMV) (0)

Anonymous Coward | about 4 months ago | (#45801805)

at least the hackers didn't get the chip information on the card. who enters PIN numbers into a point of sale terminal anyways? I tap the card onto the console and sign the receipt. am I missing something that the U.S. does that the E.U. doesn't?

Re:chip and pin (EMV) (1)

silentphate (1245152) | about 4 months ago | (#45802015)

am I missing something that the U.S. does that the E.U. doesn't?

People in the US are too lazy to sign something.

Re:chip and pin (EMV) (1)

Streetlight (1102081) | about 4 months ago | (#45802109)

It's not what the US does that the EU doesn't. It's the other way around, IIRC. In the EU credit cards and debit cards have RFI or other kind of chips so "tapping" a card is an unheard of phenomenon here. In the US, the card reader reads a magnetic stripe and if it's a debit card a four digit pin is entered by hand (fingers!) using a number pad on the reader. I'm not sure whether the information on the magnetic stripe is encrypted or is in plain text. My guess is it's in plain text. Gasp!

Our family doesn't use a debit card here because we think they're insecure. The terms of service say that if you use them at a cash dispensing terminal and you don't get the cash you asked for it's too bad. Bank employees always say that they've never refused to make good on such an error, but we are not willing to test their assertions.

Re:chip and pin (EMV) (1)

Bert64 (520050) | about 4 months ago | (#45802245)

If all you have to do is "sign" then that's even worse, a random pen mark is useless for any form of security...
The PIN will be used to withdraw cash from an ATM using a cloned card, if they have a cloned card they can already make purchases without knowing the PIN if only a signature is required.

PIN and credit cards? (0)

Anonymous Coward | about 4 months ago | (#45801897)

Whenever I use a credit card in America I only need to swipe it and sign, either a printed slip or a touch screen. I've never had to enter a PIN.

So is this story really that credit and debit card numbers have been stolen, and also the PINs for the debit cards - or have American credit card companies suddenly started issuing Chip & PIN cards without telling anyone?

"Unencrypted PIN data" wasn't compromised? (1)

MillionthMonkey (240664) | about 4 months ago | (#45801915)

Only "weakly encrypted" PINs. How do you "encrypt" a four-decimal-digit PIN? Even if they only had PIN hashes that were as yet uncompromised, it wouldn't offer much protection. If Target changed policy and invalidated your card immediately after you entered the first wrong PIN, the crooks still stole 40 million cards and would have scored a list of about 4000 working card numbers. At least if the PINs were required to be base-64, the crooks would only find a few.
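The keyspace point made here, and in the salted-hash discussion further up the thread, as an added example (not code from the page, Target, or any processor): a 4-digit PIN has 10,000 possible values, so any unkeyed transform that is stored next to its inputs, salt included, is reversed by at most 10,000 evaluations, whereas a keyed function whose key is held elsewhere (the role the BDK plays in DUKPT, or a PIN verification key in an HSM) gives an attacker no oracle to test guesses against. The salt, key and PIN values below are constructed for the demonstration; the expected-hit arithmetic is the comment's own 40 million cards at one guess each.

```python
"""Why a 4-digit PIN cannot be protected by hashing, salted or not.

Added example with constructed values. Compares a salted SHA-256 of the
PIN (attacker holds salt + digest) against an HMAC under a key the
attacker does not hold, by measuring how far an exhaustive walk over the
10,000-value PIN space gets in each case.
"""
import hashlib
import hmac
from typing import Callable, Optional, Tuple

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]  # every 4-digit PIN


def salted_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + pin.encode()).digest()


def keyed_pin_mac(pin: str, salt: bytes, key: bytes) -> bytes:
    # Key is meant to live only at the verifier (host/HSM), never with the data.
    return hmac.new(key, salt + pin.encode(), hashlib.sha256).digest()


def exhaustive_search(target: bytes, oracle: Callable[[str], bytes]) -> Tuple[Optional[str], int]:
    """Walk the PIN space; return (matching pin or None, evaluations used)."""
    for n, pin in enumerate(PIN_SPACE, 1):
        if hmac.compare_digest(oracle(pin), target):
            return pin, n
    return None, len(PIN_SPACE)


def search_salted(stored_salt: bytes, stored_digest: bytes) -> Tuple[Optional[str], int]:
    """Attacker has everything the salted scheme stores: the salt and the digest."""
    return exhaustive_search(stored_digest, lambda p: salted_hash(p, stored_salt))


def search_keyed_without_key(stored_salt: bytes, stored_digest: bytes) -> Tuple[Optional[str], int]:
    """Attacker has salt and digest but not the key, so every guess is made
    under a wrong key; the 10,000 PINs alone no longer enumerate the space."""
    wrong_key = bytes(32)
    return exhaustive_search(stored_digest, lambda p: keyed_pin_mac(p, stored_salt, wrong_key))


def expected_hits(cards: int, guesses_per_card: int) -> float:
    """Expected number of cards opened by random PIN guesses under a
    one-strike lockout, i.e. cards * guesses / 10,000."""
    return cards * guesses_per_card / len(PIN_SPACE)


if __name__ == "__main__":
    salt = b"\xaa" * 16          # constructed
    key = b"\x42" * 32           # constructed; would live in an HSM
    pin = "7319"                 # constructed
    print("salted hash:", search_salted(salt, salted_hash(pin, salt)))
    print("keyed, no key:", search_keyed_without_key(salt, keyed_pin_mac(pin, salt, key)))
    print("expected hits, 40M cards, 1 guess each:", expected_hits(40_000_000, 1))
```

The salted search always terminates within 10,000 evaluations, which is the whole point of the Adobe comparison: a salt only stops precomputation across users, it does not enlarge a 10^4 space. The keyed search exhausts the PIN space with nothing to show for it, because the missing key multiplies the space by 2^256.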

Re:"Unencrypted PIN data" wasn't compromised? (1)

Anonymous Coward | about 4 months ago | (#45802041)

Encryption and hashing are not the same thing.

Re:"Unencrypted PIN data" wasn't compromised? (1)

AHuxley (892839) | about 4 months ago | (#45802095)

Yes the users cards would have some long numbers in the mix when used with the pin to send back to the bank...

What was Target collecting all that data for? (2)

AnalogDiehard (199128) | about 4 months ago | (#45802115)

What was Target collecting credit card numbers AND PIN numbers for? What business purpose did they need that data for? Why has no one raised this question? They have just created a huge credit theft problem for their customers. This is a shining example why businesses should not maintain any database of sensitive customer information.

I already suffered identity theft and credit card theft in the past and I'm not at all anxious to go through that again. I'm taking my business elsewhere. In fact I may avoid large national chains for this very reason.

easy solution (0)

Anonymous Coward | about 4 months ago | (#45802227)

Target notifies banks, who then terminate all of the cards and reissue new ones. Seems like banks should make this a standard practice. Target should of course have to pay for all of it.

Why do I have to write a subject? (0)

beelsebob (529313) | about 4 months ago | (#45802311)

What the hell was Target doing holding onto PINs in any form, encrypted or not...

Chip and PIN (0)

Anonymous Coward | about 4 months ago | (#45802469)

Is it _still_ too expensive to roll out Chip and PIN in the US now?

Merry Christmas For NSA (0)

Anonymous Coward | about 4 months ago | (#45802491)

They got the Target $$$ and the "Judge."

Watch Ft. Meade for new stretched limos dropping off the "regulars."

It will be a Happy New Year for the near by Maryland malls and stores.
