Target Confirms Encrypted PINs Stolen
Retailer Describes Why It Believes Risk Is Low
Target Corp. has confirmed that attackers stole encrypted PINs associated with debit card transactions when the retailer's point-of-sale network was breached (see: Target: Were Debit PINs Compromised?).
In a statement issued Dec. 27, Target says: "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
Additionally, Target points out that it "does not have access to nor does it store the encryption key within our system."
PIN data, the retailer says, can only be decrypted when it is received by the payments processor.
"What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," Target states.
On Dec. 23, Target confirmed malware was to blame for an infection of its point-of-sale system that likely exposed details associated with 40 million debit and credit cards between Nov. 27 and Dec. 15.
In its Dec. 27 statement, Target provides more details about the breadth of the breach:
"While we previously shared that encrypted data was obtained, this morning, through additional forensics work, we were able to confirm that strongly encrypted PIN data was removed," the retailer states. "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
Assessing the Risks
Ben Knieff, an independent financial fraud expert and consultant, says it's unlikely that the hackers who hit Target's network could also get their hands on the encryption keys used to decrypt PINs at the processor level.
"This doesn't mean it is impossible, considering there have been security breaches of payments processors before," he adds. "But it would seem unlikely."
Still, Knieff says debit cards compromised during the attack will probably be at greater risk for fraud than credit cards. "Since cards with PINs tend to go for a higher price, it would be a little shocking if the hackers were choosing not to sell them," he says. "Naturally, these hackers are pretty smart, so they could be holding those back for future release."
Whether Target's latest statement about the encrypted PINs will ease consumers' concerns remains to be seen, Knieff says. "Most people don't really understand what encryption really means and how and why it works," he says. "There has also been confusing advice, such as offering credit report monitoring, which would be worthless in this sort of compromise and I doubt makes anyone feel any better anyway."
Knieff says Target and banking institutions should be reinforcing their consumer education campaigns to help cardholders better understand their protections should fraud on their accounts occur.
"The average person has a very poor understanding, in general, of the differences between debit and credit: where liability sits, how fraud is handled slightly differently, etc.," he says. "Continued reinforcement of 'zero liability' policies (or limited liability) in plain language from issuers could really go a long way in reducing the panic and engaging the customer in the process."
But Nick Selby, a financial fraud expert and co-author of "Blackhatonomics: An Inside Look at the Economics of Cybercrime," says Target's response to questions about PIN security has raised more questions.
In its statement, Target notes that PINs are "encrypted at the keypad with what is known as Triple DES," a standard the retailer describes as highly secure and "used broadly throughout the U.S." But Selby says Triple DES is not "strong" security, and the use of Triple DES, also known as 3DES, has raised eyebrows among security experts.
"Target would have been far better off simply stating that the PINs were encrypted and difficult to access," he says. "I would not ever refer to 3DES as strong encryption, as it is misleading. ... It appears that Target is allowing marketing people, not security experts, to select the language being used to describe their actions."
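The keypad-to-processor flow Target describes (PIN encrypted at the pad, decryptable only with a key the retailer never holds), as an added Go example that is neither the article's nor Target's code: the pad builds an ISO 9564 format 0 PIN block and 3DES-encrypts it, so the POS and the retailer's back end only ever handle the ciphertext, and only the processor side can turn it back into digits. The demo key, the test card number and the function names are constructed assumptions; the 24-byte key holding K1|K2|K1 is two-key 3DES, the 64-bit block and 112-bit key behind the "not strong" criticism quoted above.

```go
package main
import (
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField is the ISO 9564-1 PAN field: "0000" + rightmost 12 PAN digits excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}
// encryptPIN is the keypad side: format 0 PIN block ("0", PIN length, PIN digits, "F" padding, XOR PAN field), 3DES-encrypted as one 8-byte block under the 24-byte K1|K2|K3 key injected into the pad.
func encryptPIN(key []byte, pin, pan string) ([]byte, error) {
	blk, e1 := hex.DecodeString((fmt.Sprintf("0%X%s", len(pin), pin) + "FFFFFFFFFFFFFFFF")[:16])
	af, e2 := panField(pan)
	c, e3 := des.NewTripleDESCipher(key)
	if err := errors.Join(e1, e2, e3); err != nil || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("bad key, PIN or PAN")
	}
	binary.BigEndian.PutUint64(blk, binary.BigEndian.Uint64(blk)^binary.BigEndian.Uint64(af))
	c.Encrypt(blk, blk) // a single block: no chaining mode or IV is involved
	return blk, nil
}
// recoverPIN is the processor side: decrypt under the key only it holds, strip the PAN field and validate the format 0 layout before trusting the digits.
func recoverPIN(key, ct []byte, pan string) (string, error) {
	af, e1 := panField(pan)
	c, e2 := des.NewTripleDESCipher(key)
	if err := errors.Join(e1, e2); err != nil || len(ct) != 8 {
		return "", errors.New("bad key, PAN or ciphertext")
	}
	blk := make([]byte, 8)
	c.Decrypt(blk, ct)
	binary.BigEndian.PutUint64(blk, binary.BigEndian.Uint64(blk)^binary.BigEndian.Uint64(af))
	s, n := strings.ToUpper(hex.EncodeToString(blk)), int(blk[0]&0x0F)
	if blk[0]>>4 != 0 || n < 4 || n > 12 || strings.Trim(s[2+n:], "F") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return s[2 : 2+n], nil
}
func main() {
	key, pan := []byte("0123456789ABCDEF01234567"), "4111111111111111" // constructed demo key (K1|K2|K1) and test PAN; a real key lives only in the pad and the processor HSM
	ct, _ := encryptPIN(key, "1234", pan)                                // this ciphertext is all the POS and retailer ever see
	pin, err := recoverPIN(key, ct, pan)
	fmt.Printf("retailer sees %X; processor recovers %q (%v)\n", ct, pin, err)
}
```

Feeding the same ciphertext to recoverPIN with a different key or a different card number does not yield the PIN, which is the property Target's statement relies on; it says nothing about how long 3DES itself will resist an attacker who does obtain the key.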
In recent days, some card issuers had questioned whether PINs may have been compromised during the Target breach.
JPMorgan Chase Bank's decision to impose limits on daily ATM withdrawals for debit cards used at Target during the breach raised concerns that PINs might have been exposed. Two executives with card-issuing institutions affected by the Target attack told Information Security Media Group that they wondered whether Chase had information other banking institutions did not.
And a news story from Reuters on Dec. 24, quoting an unnamed executive with a leading U.S. card issuer who claimed the hackers could have cracked the encryption code used to protect PINs at Target, has only raised more questions.