
Target Says Hackers Stole Encrypted PIN Numbers

Source: Reuters

Unnamed sources close to the Target hacking incident revealed last week have confirmed to Reuters that encrypted personal identification numbers (PINs) were also stolen. One major U.S. bank even fears that the thieves will be able to crack the encryption and make large, fraudulent withdrawals from consumer bank accounts.

A Target rep reassured Reuters on Friday that "no unencrypted PIN data was accessed," and that so far there is no evidence to support talk that PIN data was "compromised." The rep did confirm that some encrypted data was stolen, but did not say whether PINs were part of the theft.

"We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date," Target spokeswoman Molly Snyder said by email. "We are very early in an ongoing forensic and criminal investigation."

Last week, Target confirmed that hackers managed to access its computers and stole the credit and debit information of around 40 million customers who shopped at Target, which has nearly 1,800 stores nationwide, between November 27 and December 15. The thieves retrieved customer names, credit card numbers and expiration dates.

Target reported the infiltration to banks that issue debit and credit cards on December 18. The public didn't know about the breach until a day later, December 19.

As of last Friday, two separate class action lawsuits had been filed in U.S. District Court in Minnesota on behalf of three Target customers who say they are suing for all affected customers. They accuse the company of negligence, and claim that it failed to notify customers as soon as it learned of the theft.

Reuters reports that several banks have lowered limits on how much customers can withdraw from ATM machines, and how much they can charge/spend each day. This is reportedly a highly unusual move for banks, and shows that financial institutions fear that hackers will break the encryption and drain them dry.

"That's a really extreme measure to take," said Avivah Litan, a Gartner analyst, regarding the reduced spending limits. "They definitely found something in the data that showed there was something happening with cash withdrawals."

The big worry about encrypted PINs is that if the hackers are sophisticated enough to infiltrate Target for three weeks, then they're likely sophisticated enough to break the encryption.

UPDATE: Yes, encrypted PIN numbers were stolen, but not the encryption key. The full announcement can be read here.

  • 0
    dextermat , December 27, 2013 11:51 AM
    Epic facepalm... Target just got to Sherbrooke (Canada) and there's nothing on the shelves; with a big mistake like that, they should stay in the US!
  • 1
    COLGeek , December 27, 2013 11:56 AM
    To quote the great Homer (Simpson)...."Doh!!!"
  • 3
    jacobdrj , December 27, 2013 12:19 PM
    PIN numbers and ATM machines in the same article... Shame on Tom's Hardware editors...
  • 0
    osamabinrobot , December 27, 2013 1:10 PM
    Next week, when we find out whoever pulled this also got into their payment processor, shit's really gonna hit the fan, huh?
  • 0
    rantoc , December 27, 2013 2:08 PM
    Another day, another cloud disaster.... gotta love the logic to collect all the eggs in one spot...
  • -2
    Rhinofart , December 27, 2013 2:25 PM
    @Jacobdrj
    Why is it shame on Tom's Hardware editors? You do know that the PIN you use at the till is the same one you use at the ATM, right?
  • -4
    ddpruitt , December 27, 2013 10:20 PM
    Quote:
    PIN numbers and ATM machines in the same article... Shame on Tom's Hardware editors...

    And yet another moron. The PIN can be used to easily take money out of an ATM. There is more than one video on YouTube of someone using something as innocuous as a prepaid phone card, programmed as a debit card, to withdraw money from an ATM. With the PIN number it wouldn't take long to clean out an account.

    Now for those who don't know STORING the PIN numbers is a major PCI compliance violation, for the very obvious reasons here. No merchant is ever allowed to store the PIN number or the CVV/CVN number on the back of your card. If the Payment Processing Industry is serious about security they'll ban Target from accepting their debit/credit cards. I'm interested to see what happens here.
  • 0
    techguy911 , December 28, 2013 4:51 AM
    This article is WRONG. They got the PIN numbers unencrypted; it was posted on Target's website. Seems the malware was in the card terminal and prob keylogged the PIN pad as well as grabbing the stripe info.
    http://money.cnn.com/2013/12/27/technology/target-pin/index.html?hpt=hp_c2
  • 0
    techguy911 , December 28, 2013 5:12 AM
    I don't think Target was storing the PIN numbers. From what I have read, the malware reads memory locations in the POS and possibly the PIN pad.

    http://storefrontbacktalk.com/securityfraud/thousands-of-cards-compromised-at-retailers%E2%80%99-pos/
  • 5
    rogue3542 , December 28, 2013 1:10 PM
    Rhinofart and ddpruitt,

    PIN is an acronym for "personal identification number;" likewise, ATM is an acronym for "automated teller machine." Thus, when the author writes "PIN number," it actually means personal identification number number, and "ATM machine" is automated teller machine machine. Perhaps you should leave the hyperbole and epithets by the wayside.
  • 2
    stingstang , December 28, 2013 2:20 PM
    @rogue
    I thought the same as you. Unfortunately, your comment sparked a "ur soooo dumb!" rant between those two... because they didn't understand.
  • 0
    DXRick , December 29, 2013 12:46 PM
    If the thieves/hackers got unencrypted PINs, or have the ability to unencrypt them, people should have reported thefts of their money by now. Their window of opportunity was very short, since those card numbers (and PINs) would be deactivated as soon as they discovered the theft.

    This is no different than what happens when a person reports a lost/stolen card, except it happened for millions at once.

    So what is the big deal here? The stolen info is useless. The story is over, except for how much they managed to steal before the theft was discovered. My guess is that they failed to steal anything with the stolen info.
  • 0
    kelmen , December 29, 2013 7:09 PM
    With the stolen data, even encrypted, the hacker can take his/her leisure time to cook out the key, unless the key is changed.
  • 0
    Gilad Parann-Nissany , December 30, 2013 4:33 AM
    Target claims there is a silver lining in all this, the 'glass half full': since the master key for the encryption of the credit card PINs was separate from the breached Target system, the bad guys cannot unencrypt those PINs. Target is therefore able to make a kind of 'Safe Harbor' claim: that the key to decrypt the data could not have been taken, and "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."

    Safe Harbor is a respectable concept with some clear technologies emerging to enable it, for both larger companies and (using cloud technology) for SMEs. For example, see http://www.porticor.com/2013/12/target-claims-strong-encryption-saves-neck
  • -1
    Rhinofart , January 2, 2014 8:37 AM
    @Rogue
    I install and repair ATMs for a living for NCR. I know a thing or 2 about them, their software, PCI compliance, 3DES (known as Triple DES), and communications between the ATMs and the financial networks. My question to Jacob is still relevant. Why is it shame on Tom's for including both those items in an article? Most of the people on these forums automatically blame Target for storing the information, which as already pointed out is against PCI regulations, and the regular PCI audits (if you think Revenu Canada or IRS audits are bad, try a PCI compliance audit) that organizations go through would pick that up. No company worth a grain of salt would do that, especially one as large as Target. Also, any stored transactions (usually stored for at least 6 months, don't include the PIN, and are used for evidence against chargebacks) are stored in highly secure databases using random SALT.

    PIN (Personal Identification Number), ohhh thank you so much for clearing that up for me, is the same for your bank card (Debit Card as we call it up here) when using it at the ATM (also thanks for pointing out Automated Teller Machine) or a POS (Point of Sale). Same PIN both places.
    If you don't know the industry, or how it works, simply STFU.
  • 0
    hwangchan , January 2, 2014 9:58 AM
    @ Rhinofart

    I believe Rogue was complaining of the editors' poor journalistic ability in allowing the acronyms PIN and ATM without explanation. Basic journalism practice. Not calling out the technical feasibility of using said items together.
  • 0
    fiddleus , January 2, 2014 11:52 AM
    @Rhinofart ( and subsequently hwangchan )
    It's just the grammatical error of *duplicating* the final word of the acronym. Nothing more, nothing less.

    Read rogue's response again. He's illustrating the redundancy error his original comment was lamenting.