Target Says Hackers Stole Encrypted PIN Numbers

December 27, 2013 11:51:05 AM

Epic facepalm... Target just got in Sherbrooke (Canada) and nothing on the shelves, with a big mistake like that, they should stay in the US!
Score
0
December 27, 2013 11:56:24 AM

To quote the great Homer (Simpson)...."Doh!!!"
Score
1
December 27, 2013 12:19:48 PM

PIN numbers and ATM machines in the same article... Shame on Tom's Hardware editors...
Score
3
December 27, 2013 1:10:50 PM

Next week, when we find out whoever pulled this also got into their payment processor, shit's really gonna hit the fan, huh.
Score
0
December 27, 2013 2:08:38 PM

Another day, another cloud disaster.... gotta love the logic to collect all the eggs in one spot...
Score
0
December 27, 2013 2:25:19 PM

@Jacobdrj
Why is it shame on Tom's Hardware editors? You do know that the PIN you use at the till is the same one you use at the ATM right?
Score
-2
December 27, 2013 10:20:03 PM

Quote:
PIN numbers and ATM machines in the same article... Shame on Tom's Hardware editors...


And yet another moron. The PIN can be used to easily take money out of an ATM. There is more than one video on YouTube of someone using something as innocuous as a prepaid phone card to program as a debit card to withdraw money from an ATM. With the PIN number it wouldn't take long to clean out an account.

Now, for those who don't know, STORING the PIN numbers is a major PCI compliance violation, for the very obvious reasons here. No merchant is ever allowed to store the PIN number or the CVV/CVN number on the back of your card. If the Payment Processing Industry is serious about security they'll ban Target from accepting their debit/credit cards. I'm interested to see what happens here.
Score
-4
December 28, 2013 1:10:04 PM

Rhinofart and ddpruitt,

PIN is an acronym for "personal identification number;" likewise, ATM is an acronym for "automated teller machine." Thus, when the author writes "PIN number," it actually means personal identification number number, and "ATM machine" is automated teller machine machine. Perhaps you should leave the hyperbole and epithets by the wayside.
Score
5
December 28, 2013 2:20:29 PM

@rogue
I thought the same as you. Unfortunately, your comment sparked a "ur soooo dumb!" rant between those two... because they didn't understand.
Score
2
December 29, 2013 12:46:50 PM

If the thieves/hackers got unencrypted PINs, or have the ability to unencrypt them, people should have reported thefts of their money by now. Their window of opportunity was very short, since those card numbers (and PINs) would be deactivated as soon as they discovered the theft.

This is no different than what happens when a person reports a lost/stolen card, except it happened for millions at once.

So what is the big deal here? The stolen info is useless. The story is over, except for how much they managed to steal before the theft was discovered. My guess is that they failed to steal anything with the stolen info.
Score
0
December 29, 2013 7:09:59 PM

With the stolen data, even encrypted, the hacker can take his/her leisure time to cook out the key, unless the key is changed.
Score
0
December 30, 2013 4:33:19 AM

Target claims there is a silver lining in all this, the 'glass half full': since the master key for the encryption of the credit card PINs was separate from the breached Target system, the bad guys cannot unencrypt those PINs. Target is therefore able to claim a kind of 'Safe Harbor' claim: that the key to decrypt the data could not have been taken, and "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Safe Harbor is a respectable concept with some clear technologies emerging to enable it, for both larger companies and (using cloud technology) for SMEs. For example, see http://www.porticor.com/2013/12/target-claims-strong-en...
Score
0
January 2, 2014 8:37:28 AM

@Rogue
I install and repair ATMs for a living for NCR. I know a thing or 2 about them, their software, PCI compliance, 3DES (known as Triple DES), communications between the ATMs, and the Financial Networks. My question to Jacob is still relevant. Why is it shame on Tom's for including both those items in an article? Most of the people on these forums automatically blame Target for storing the information, which as already pointed out is against PCI regulations, and the regular PCI audits (if you think Revenue Canada or the IRS audits are bad, try a PCI compliance audit) that organizations go through would pick that up. No company worth a grain of salt would do that. Especially as large as Target. Also, any stored transactions (usually stored for at least 6 months, don't include the PIN, and are used for evidence against chargebacks) are stored in highly secure databases using Random SALT.

PIN (Personal Identification Number) ohhh thank you so much for clearing that up for me, is the same for your bank card (Debit Card as we call it up here) when using it at the ATM (also thanks for pointing out Automated Teller Machine), or a POS (Point of Sale). Same PIN both places.
If you don't know the industry, or how it works, simply STFU.
Score
-1
January 2, 2014 9:58:24 AM

@ Rhinofart

I believe Rogue was complaining of the editors' poor journalistic ability to allow acronyms PIN and ATM without explanation. Basic journalism practice. Not calling out the technical feasibility of using said items together.
Score
0
January 2, 2014 11:52:59 AM

@Rhinofart ( and subsequently hwangchan )
It's just the grammatical error of *duplicating* the final word of the acronym. Nothing more, nothing less.

Read rogue's response again. He's illustrating the redundancy error his original comment was lamenting.
Score
0