Target Says Hackers Stole Encrypted PIN Numbers

Status
Not open for further replies.

ddpruitt

Honorable
Jun 4, 2012
1,109
0
11,360
PIN numbers and ATM machines in the same article... Shame on Tom's Hardware editors...

And yet another moron. The PIN can be used to easily take money out of an ATM. There is more than one video on YouTube of someone using something as innocuous as a prepaid phone card programmed as a debit card to withdraw money from an ATM. With the PIN number it wouldn't take long to clean out an account.

Now for those who don't know STORING the PIN numbers is a major PCI compliance violation, for the very obvious reasons here. No merchant is ever allowed to store the PIN number or the CVV/CVN number on the back of your card. If the Payment Processing Industry is serious about security they'll ban Target from accepting their debit/credit cards. I'm interested to see what happens here.
 

techguy911

Distinguished
Jun 8, 2007
1,075
0
19,460
I don't think Target was storing the PIN numbers. From what I have read, the malware reads memory locations in the POS and possibly the PIN pad.

http://storefrontbacktalk.com/securityfraud/thousands-of-cards-compromised-at-retailers%E2%80%99-pos/
 

rogue3542

Honorable
Mar 9, 2013
14
0
10,520
Rhinofart and ddpruitt,

PIN is an acronym for "personal identification number;" likewise, ATM is an acronym for "automated teller machine." Thus, when the author writes "PIN number," it actually means personal identification number number, and "ATM machine" is automated teller machine machine. Perhaps you should leave the hyperbole and epithets by the wayside.
 

DXRick

Distinguished
Jun 9, 2006
1,320
0
19,360
If the thieves/hackers got unencrypted PINs, or have the ability to unencrypt them, people should have reported thefts of their money by now. Their window of opportunity was very short, since those card numbers (and PINs) would be deactivated as soon as they discovered the theft.

This is no different than what happens when a person reports a lost/stolen card, except it happened for millions at once.

So what is the big deal here? The stolen info is useless. The story is over, except for how much they managed to steal before the theft was discovered. My guess is that they failed to steal anything with the stolen info.
 

kelmen

Distinguished
Jun 3, 2006
28
1
18,535
With the stolen data, even encrypted, the hacker can take his/her leisure time to cook out the key, unless the key is changed.
 
Dec 30, 2013
1
0
10,510
Target claims there is a silver lining in all this, the 'glass half full': since the master key for the encryption of the credit card PINs was separate from the breached Target system, the bad guys cannot unencrypt those PINs. Target is therefore able to make a kind of 'Safe Harbor' claim: that the key to decrypt the data could not have been taken, and "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

Safe Harbor is a respectable concept with some clear technologies emerging to enable it, for both larger companies and (using cloud technology) for SMEs. For example, see http://www.porticor.com/2013/12/target-claims-strong-encryption-saves-neck
 

Rhinofart

Distinguished
Jan 30, 2006
977
0
19,360
@Rogue
I install and repair ATMs for a living for NCR. I know a thing or 2 about them, their software, PCI compliance, 3DES (known as Triple DES), and communications between the ATMs and the financial networks. My question to Jaccob is still relevant. Why is it shame on Tom's for including both those items in an article? Most of the people on these forums automatically blame Target for storing the information, which as already pointed out is against PCI regulations, and the regular PCI audits (if you think Revenue Canada or IRS audits are bad, try a PCI compliance audit) that organizations go through would pick that up. No company worth a grain of salt would do that, especially one as large as Target. Also, any stored transactions (usually stored for at least 6 months; they don't include the PIN, and are used as evidence against chargebacks) are stored in highly secure databases using a random salt.

PIN (Personal Identification Number), ohhh thank you so much for clearing that up for me, is the same for your bank card (Debit Card, as we call it up here) when using it at the ATM (also thanks for pointing out Automated Teller Machine) or a POS (Point of Sale). Same PIN in both places.
If you don't know the industry, or how it works, simply STFU.
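Two of the posts above turn on the same technical point: the quoted Target statement that the PIN encryption key was held separately from the breached systems, and Rhinofart's mention of the 3DES used between PIN pads, ATMs and the financial networks. The Go program below is an added editorial example, not code from any poster, from Target or from NCR. It builds an ISO 9564-1 format 0 PIN block (the standard encoding a PIN pad produces), encrypts it with two-key 3DES under a PIN encryption key, and shows that recovering the PIN requires that key: under any other key the decryption is random bytes that fail the block's format checks. The PAN, PIN and both keys are constructed test values.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed test values for this example; not data from any real card or from the breach.
const testPAN, testPIN = "4111111111111111", "1234"

// testPEK is a constructed 24-byte (K1||K2||K1, i.e. two-key) 3DES PIN encryption key.
// In a real deployment the key is loaded into the PIN pad's secure module and the
// acquirer's HSM; POS software and merchant databases only ever see the ciphertext.
var testPEK = mustHex("0123456789ABCDEFFEDCBA98765432100123456789ABCDEF")

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField returns the 8-byte ISO 9564 PAN field: "0000" followed by the twelve
// PAN digits immediately to the left of the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinBlockFormat0 builds an ISO 9564-1 format 0 PIN block: the PIN field
// ("0", PIN length nibble, PIN digits, "F" padding) XORed with the PAN field.
// Binding the PAN in means the same PIN on two cards yields two different blocks.
func pinBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	a, err := panField(pan)
	if err != nil {
		return nil, err
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	p, _ := hex.DecodeString(pinField) // always valid hex: digits, one length nibble, F padding
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = p[i] ^ a[i]
	}
	return block, nil
}

// encryptPINBlock encrypts a single 8-byte PIN block under the PIN encryption key.
// A PIN block is exactly one cipher block, so this is one raw 3DES operation.
func encryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key) // errors unless the key is 24 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// recoverPIN is what the key holder can do and a thief with only the ciphertext
// cannot: decrypt, strip the PAN field and parse the format 0 PIN field. Under a
// wrong key the plaintext is effectively random and fails the format checks.
func recoverPIN(key, encBlock []byte, pan string) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	a, err := panField(pan)
	if err != nil {
		return "", err
	}
	plain := make([]byte, des.BlockSize)
	c.Decrypt(plain, encBlock)
	for i := range plain {
		plain[i] ^= a[i]
	}
	f := strings.ToUpper(hex.EncodeToString(plain))
	n, err := strconv.ParseUint(f[1:2], 16, 8)
	if f[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a format 0 PIN block")
	}
	if pin, pad := f[2:2+n], f[2+n:]; allDigits(pin) && strings.Trim(pad, "F") == "" {
		return pin, nil
	}
	return "", errors.New("PIN block failed format checks")
}

func main() {
	block, _ := pinBlockFormat0(testPIN, testPAN)
	enc, _ := encryptPINBlock(testPEK, block)
	fmt.Printf("clear PIN block:     %x\nencrypted PIN block: %x\n", block, enc)
	pin, err := recoverPIN(testPEK, enc, testPAN)
	fmt.Println("with the key:   ", pin, err)
	wrongKey := mustHex("AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCC") // constructed
	_, err = recoverPIN(wrongKey, enc, testPAN)
	fmt.Println("without the key:", err)
}
```

Run it with `go run`. The XOR with the PAN field is why format 0 exists: the same four-digit PIN on two different cards produces two different ciphertexts, so an attacker holding a pile of encrypted blocks cannot group cards by PIN just by comparing them. The caveat a practitioner would add to Target's statement is that the whole protection rests on the key staying inside the PIN pad and the HSM. There are only 10,000 four-digit PINs, so anyone who does obtain the key decrypts every captured block immediately; that is why the PCI PIN requirements keep the key out of any software the POS runs.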
 

hwangchan

Distinguished
Feb 14, 2012
64
0
18,640
@ Rhinofart

I believe Rogue was complaining of the editor's poor journalistic ability in allowing the acronyms PIN and ATM without explanation. Basic journalism practice. He was not calling out the technical feasibility of using said items together.
 

fiddleus

Honorable
Apr 19, 2012
1
0
10,510
@Rhinofart ( and subsequently hwangchan )
It's just the grammatical error of *duplicating* the final word of the acronym. Nothing more, nothing less.

Read rogue's response again. He's illustrating the redundancy error that his original comment was lamenting.
 