Encrypted PIN Data Taken In Target Breach
New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them."
Another article at Time takes Target to task for its PR doublespeak about the breach.
Other articles say the crypto was 3DES.
Subject line says it all :)
William George
Is there a good reason for keeping this that I'm not seeing?
When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".
How hard it would be to decrypt, knowing that each pin is exactly 4 digits?
I would think if salting was not used, it is just a matter of time.
It's not that big of a deal for the consumer. According to, ah, GLBA I think it was, the consumer is completely off the hook for any fraudulent activity that takes place on their cards. So if some bad guy gets a hold of your card and begins a spending spree, that's on Chase or Citi or Navy Federal or whoever your card is with. You should always pay attention to activity on your card, but no need to go nuts.
Hoist Number One and Number Six.
The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?
The number of people with knowledge of how to change the firmware is probably a pretty short list. When crossed against the list of people who have access to the compromised systems it likely gets smaller
Could others break in and figure it out? Sure, but I think Occam's Razor applies. The data is likely already split and sold (Krebs evidence suggests this). So the guys at the top, if smart, have made their money, and can sit back and relax.
Silence is a state of mime.
OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.
I gave up with the idea of a useful sig...
I could be missing something here, but by my understanding PINs are usually only 4 digits long. I would think that the people who were able to snag the cards that they correspond to could probably come up with a clever way to figure out the PINs on most of these cards without ever needing to decrypt the data. I recall not long ago seeing a publication of the frequency of PINs in use today; it would seem that they could probably gain access to a significant share with just that list alone.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
This is the first time I've heard the date range, and it lets me off the hook.
Having said that, big companies (and especially big non-tech companies) have a history of not being accurate when disclosing the details of data breaches the first time around.
That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.
What is a "target breach" ?
Why combine something you know with something you have? I thought only banks stored pins?
If you ignore ACs because they are anonymous - you're an idiot.
Hope Target's systems used a salt when creating the 3DES.
If the Triple DES used a salt, then good, it will make it much more likely the PINS are secure, because then the hackers would have to brute-force trying a salt value, then all possible pins for 1 of the Triple DES encrypted PINS, which would take longer.
If the salt was unique for each PIN, then that would be the most secure ( but I do not know how a little machine where people give their pins could do that )
If no salt was used, then might be another case like what happened to Adobe: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Uh, Linux geek since 1999.
PINs are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived Unique Key Per Transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).
So no the PINs are safe unless the card terminals have been hacked too.
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.
at least the hackers didn't get the chip information on the card. who enters PIN numbers into a point of sale terminal anyways? I tap the card onto the console and sign the receipt. am I missing something that the U.S. does that the E.U. doesn't?
Whenever I use a credit card in America I only need to swipe it and sign, either a printed slip or a touch screen. I've never had to enter a PIN.
So is this story really that credit and debit card numbers have been stolen, and also the PINs for the debit cards - or have American credit card companies suddenly started issuing Chip & PIN cards without telling anyone?
Only "weakly encrypted" PINs. How do you "encrypt" a four-decimal-digit PIN? Even if they only had PIN hashes that were as yet uncompromised, it wouldn't offer much protection. If Target changed policy and invalidated your card immediately after you entered the first wrong PIN, the crooks still stole 40 million cards and would have scored a list of about 4000 working card numbers. At least if the PINs were required to be base-64, the crooks would only find a few.
When I've had issues, some quick arguing with the bank got money invented from nowhere and put in my account. Yes, it would delay the checkout from the hotel by a few minutes, but it will get the hotel bill paid. I'm sure you can find some cases where someone was a jackass to their bank, who then refused to fix the issue on the customer's time frame. But I've had this issue before, and the bank took care of it outside the minimum contractual requirements.
Learn to love Alaska
It depends on where you live and what bank you have. Where I live in Ontario, the same rights are afforded to me on my debit card that my credit card has. Including a lock limit on the RFID of no more than $50.
Om, nomnomnom...
What was Target collecting credit card numbers AND PIN numbers for? What business purpose did they need that data for? Why has no one raised this question? They have just created a huge credit theft problem for their customers. This is a shining example why businesses should not maintain any database of sensitive customer information.
I already suffered identity theft and credit card theft in the past and I'm not at all anxious to go through that again. I'm taking my business elsewhere. In fact I may avoid large national chains for this very reason.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
So what happened to me a few years ago, there was a suspicious and expensive activity with my debit card. My credit union left the money in my account, but froze it. My rent check was bounced. Thankfully had a good history with my landlord and they didn't go nuts.
Target notifies banks, who then terminate all of the cards and reissue new ones. Seems like banks should make this a standard practice. Target should of course have to pay for all of it.
That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.
Not only that, if you have a debit card and you are disputing charges, the banks will put a freeze on your account while the dispute is being investigated.
Bullshit.
What the hell was Target doing holding onto PINs in any form, encrypted or not...
Oh, it isn't on Chase or Citi or NFCU - it's on the vendor who accepted the charges. Remember children, win or lose - the bank never loses money...
You could confirm whether a PIN is correct without sending it.
For example, send sha1(card number + pin + time of day)
The machine at bank's end does the same calculation with the correct pin and returns whether or not it matches.
Is it _still_ too expensive to roll out Chip and PIN in the US now?
Not entirely true. I know Visa, and think Master Card is mostly the same (Other cards rules may vary)
For credit cards, you are responsible for the first $50 of fraud, if you report the fraud in a reasonable amount of time. They usually use 60 or 90 days, but that may have shortened in the last few years. I don't think any bank or credit union will hold you to the $50, but they have every right to.
For debit cards, you are responsible for the first $500 of fraud. Other than the amount, the rules are the same.
For fraud, you must contact the merchant and attempt to get them to reverse it (if they do, that is the end of it). If they refuse you have to go to your bank and file a dispute (not sure if you have to do one for each transaction or not). You will be out the money until the dispute resolves, unless the bank is nice to you. The key words to use are "card holder not present for transaction". If the amount is under $30, the merchant will not be told and you will probably win automatically. Over that amount they "may" try to go after the merchant and fully dispute it.
The more you know!
They got the Target $$$ and the "Judge."
Watch Ft. Meade for new stretched limos dropping off the "regulars."
It will be a Happy New Year for the near by Maryland malls and stores.
Most US debit card machines that I've seen (at least in Indiana) are magstripe-and-PIN, not chip-and-PIN. My debit card from Chase Bank doesn't even have visible "chip" contacts. Besides, there aren't 11 contacts (10 digits + common ground), so the PIN pad machine has to do some sort of translation to get the digits to the serial contacts.
Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.
It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.
There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.
When information is power, privacy is freedom.
You're a douchebag... http://www.today.com/money/5-lessons-learned-target-security-breach-2D11803343 "After the Target breach, a few banks took the unprecedented step of limiting how much customers could spend at stores or withdraw from ATMs using their debit cards. No such restrictions were put on credit card customers."
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards.
In recent years, things have gotten better for debit card holders, you are right that it used to be all promises. Now there are some federal regulations, but they still aren't anywhere near as strong as the federal laws protecting credit card holders.
http://www.fdic.gov/consumers/consumer/news/cnfall09/debit_vs_credit.html
But some of those possibilities are more likely than others.
I apologize. I didn't read Todd Knar's entire post. You were addressing his point about hotels, and what you wrote was a reasonable response to that. But being at the mercy of a customer service person feelings about my attitude when I am under a lot of stress is not appealing.
The Target CEO has stated the problem has been fixed. Is anybody confident in this assessment? Is it now safe to use a card at Target?
Or even use the PIN as part of the encryption key used to encrypt a random string sent from the bank once authentication is requested.
And the connection between the PoS and the bank should also be encrypted.
And that connection should be 100% private. ISDN or whatever. Nothing going across the Internet. Not even with a VPN.
In case you aren't familiar with major U.S. retail chains, it's a breach of the payment processing systems of Target Corporation. An unrelated Australian company operates a chain called "Target." (with the period) under license from Target Corporation.
I think you can safely assume that when a Slashdot poster talks about a legal problem, a problem with consumer protection or issues with the health care system, they are either talking about the USA or, perhaps, North Korea.
Faster! Faster! Faster would be better!
Can anyone tell me what operating system and software that Target uses?
I'd really like to know what exploits this software has and if any other store uses them so I can avoid shopping there.
I think retailers and wholesale clubs ought to be transparent in what operating systems and software they use for their POS system and then list the vulnerabilities they found with an code audit and how they plan to fix them.
This ought to be a law, so consumers can be protected from retailers and wholesale clubs who don't care about their privacy and credit card and debit card data and just use operating systems and software with exploits in them that they never tested nor figured out how to fix.
I think the same should be done with websites as well.
Am I right here or wrong?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
The data *is* encrypted. I'm not sure what the method is but it's not being sent plaintext (see the other posts in this story regarding this topic). The person I was responding to may not have got that point, so it's good that you brought this up, but regardless, the companies that process transactions have already thought about these problems and made these rules standard.
The thieves making off with encrypted PIN data in of itself is not indicative of Target violating any rules it's only indicative of the thieves capturing the data at some point in the transport (from the card reader, the POS terminal, the store's ethernet network, the store's internet uplink, Target's datacenter, and etc.).
Your proposal to hash the combination of card #, PIN, and TOD isn't particularly useful though. There's a good chance that the PIN data is already timestamped (if the thieves were capturing the data live, they have their own timestamps to work off of) so it's a matter of just brute-forcing the hash to determine the right sequence of numbers to come up with the PIN. Remember that the thieves already have a list of card numbers, so that drastically reduces the universe of possible numbers to work with, so they only need to guess --. Too easy.
"Time of day" would seem to be the weak link there. How does the bank-end machine know that exact value so as to replicate the sha1 calculation?
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
I went to Target a few years ago to buy a game (BF2 I think). The woman asked to see my driver's license to verify I was 18. I snickered because I am well over 18, and handed her my license. She took my license and she swiped it on her keyboard card reader. I immediately asked her why she scanned my card (in a not so happy voice). I told her that when I handed it to her I assumed that she just wanted to get a better look. I told her she did not have permission to scan my ID. She said that she needed to verify that I was 18 using the computer. I then asked her what Target's privacy policy was on storing customers' information. She looked at me with a blank face and said I would have to talk to customer service.
If you read Target's privacy policy you will see that they collect and store your driver's license information.
2 things happened that day. I never shopped at Target again, and I destroyed the back of my card so it is no longer readable by a swipe or scanner.
Also, some gas stations are using this method to verify age and won't sell 18+ unless your card swipes in the machine. The ones I have called are also collecting your DL information as well. It's not just age verification.
US consumer law seems pretty weak. In the UK the bank is entirely liable unless they can prove that the fraud was your fault. That includes things like charges incurred from other companies, interest, fines etc.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Yeah they don't think they can be un-encrypted. On the other hand, they didn't think they'd be stolen either.
Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
Superior, how? Superior as in just about anybody is able to easily find out about all your credit cards, and plenty of purchase details? Is that the kinds of "superior" you were talking about?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Superior, how? Superior as in just about anybody is able to easily find out about all your credit cards, and plenty of purchase details? Is that the kinds of "superior" you were talking about?
I feel you are assuming an air of stupidity to make a point. Perhaps you would like to make your point explicitly rather than come at it sideways? I remind you that this is a debate about the merits of debit cards versus credit cards. References to other payment methods would be more than just stupid.
Huh? How so? In the UK, won't the bank just say "But your personal PIN was entered for the transaction so it was you!"?
Same as in not actually having money leave your personal account till well after the dispute has been processed?
It depends on where you live and what bank you have. Where I live in Ontario, the same rights are afforded to me on my debit card that my credit card has. Including a lock limit on the RFID of no more than $50.
Wrong.
In Ontario, the relevant legislation is the Consumer Protection Act: http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_02c30_e.htm and associated regulations: http://www.e-laws.gov.on.ca/html/source/regs/english/2005/elaws_src_regs_r05017_e.htm
It does cover unauthorized credit card charges, but not debit cards.
I like protections in law, not in bank marketing materials with a lot of fine print and weasel clauses.
Go read the card agreement for your interac purchases, then come back & talk.
Why can't the major credit card companies disable the cards and mail out new ones?
Fuck you asshole.
"limiting how much customers could spend at stores or withdraw from ATMs using their debit card" Is very different from the "freeze on your account" that you suggested.
If you can't get ALL YOUR money when YOU want, then your account is effectively frozen, asshat. Same deal as a bank run, when they don't allow you to get all YOUR money.
Information about debit cards are NOT shared with anyone outside of the issuing bank. They are every bit as private as writing a check, doing a wire transfer, or similar. Credit cards are the polar opposite, with all your financial information being reported, and being easy for anyone on the planet to access.
Information about debit cards are NOT shared with anyone outside of the issuing bank.
I find that impossible to believe when the exact same processing system is used for both credit and debit cards.
Hell, there are even "rewards" programs for visa and mastercard branded debit cards. I think you would be hard pressed to explain how visa can do that without knowing your spending.
http://usa.visa.com/personal/cards/debit/visa_extras.html
Information about debit cards are NOT shared with anyone outside of the issuing bank.
LOLWUT? Who cares about the cards, they are meaningless by themselves, the information about underlying accounts (whether credit, checking, etc.) is what counts, and it is most certainly shared! By changing the amount of average monthly balance on the checking account I can select what kind of spam I get via USPS. Seriously. The running joke around here is that if you keep the average above $10K, you are bougie since all your firestarter paper comes by mail!
A successful API design takes a mixture of software design and pedagogy.
It's even worse. They don't have to guess at all. They can all just use one arbitrary combination, and keep trying it on each card. They've got enough cards to get tens of thousands of hits.
No, they won't. I've disputed fraudulent charges on my debit card before, and the bank didn't freeze my account. What they did do was invalidate the compromised card and issue me a new one, but that happened right there while I was filling out the paperwork so it didn't really impact me. The only time it impacted me was the one time it came from the bank's end rather than me reporting the charge, and I got a phone call from the security department saying the bank'd been notified and I'd need to stop in ASAP to get the card reissued. Annoying, but I'd rather that than have my account emptied.
The problem is that you're away from home, you don't have access to everything you normally would, and you can't deal with the bank in person. It's easy to get the charge handled when you're in the branch and can fill out the paperwork. It's less easy when you're in a different time zone and can't just fork over a driver's license as proof of identity. I could probably handle it, but that's because I'm paranoid and travel with at least one portable device set up for access to everything. But most people aren't that paranoid.
Credit cards are in fact better than a debit card in one way: the money doesn't actually come out of your pocket until you pay your bill. With a debit card the money's gone and you're trying to get it back (and the fact that the bank tends to be cooperative doesn't change this dynamic). And the old adage about possession being 9/10ths of the law does ring true here: it's much easier to keep what you have than to get back what you don't.
When away from home, I have the 800-number for the bank. On the card. When I travel internationally, I put a sticky note on every card with the bank's toll-free numbers from every country on my itinerary. Reaching the bank isn't an issue while on the road. I've never had someone ask for ID over the phone. At most, they ask for your most recent transaction, and standard account info anyone would know off the top of their head, like SSN and address.
Sorry but what the fuck are people still using cheques for in this day and age?
Especially for rent!
Just set up a recurring electronic transfer ffs. It's not hard.
Yes. I think so.
Guy in front of Sandy and me in Wal-Mart, just before Christmas, had received a new card after shopping at Target. His first warning was when his fraud protection plan called and asked (going from memory, here): "are you buying $$$ worth of exercise equipment in Utah???" We're in Alabama
Assuming the guy wasn't lying or making it up (he had a new debit card, though -- nice and shiny), this tells me that some of the numbers HAVE been exploited. So, I'm not being an alarmist, but yeah, if you've shopped at Target in the past couple of months, I'd say get a new card. That's just me.
Also just me: you want my opinion? Target knew about the breach early on, and was hoping that it was inconsequential ... but once fraudulent charges started appearing and customers started screaming, they had no choice but to call in law enforcement and confess to the problem. :)
-- Stephen (smpoole7) (posting anonymous because I'm on the road)
It all depends on the bank. Last time my debit card got lifted they reported my card as stolen. They overnighted a new card for me (they called me at 6pm, I had the new card in my hands by 9am, four states away), and they set up a 90-day, interest-free loan to cover all the transactions that happened during the time the card was being used by somebody else. I got back a week later, filled out a form, the charges were reversed and I paid back the loan with the money that came in on the reversed charges.
Sure it was an extra headache, but they really didn't put me out for anything. In fact, they called back a few times to make sure everything was ok.
You don't have to have a fork up your ass all the time -- you choose it by association. If you let assholes handle your money then expected to be treated as such when things go wonky ;)
If you use your card with a PIN (or PIN and Chip), then there are much fewer protections. If you use your debit card with a VISA or MC logo as a credit-card then you are generally protected (although you will need to fight for the money to come back in your account sooner than later, as opposed to not paying that amount when your statement comes).
in systems I design, such as Strongbox, the sender also sends gettimeofday() and the receiver confirms the timestamp is within X milliseconds. Both sides use NTP, so both have accurate time to within a few milliseconds.
I've also implemented systems in which the timestamp element is modulo a few seconds. The receiver accepts either the current modulo time or the previous.
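An added example, not code from any poster in this thread: the scheme proposed earlier (send sha1(card number + PIN + time of day)) brute-forced the way the objection to it describes, plus the windowed-timestamp variant from the post just above. Because the card number and timestamp travel with the message (or are logged by whoever is sniffing it), the only unknown is the 4-digit PIN, and widening the accepted time window multiplies the work by the window size rather than adding any real entropy. The card number, PIN, timestamp and clock skew are constructed sample values; crackPIN and crackPINWindow are names chosen here.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"time"
)

// Constructed sample values (a test PAN, not real card data) and a transaction time.
const (
	sampleCard = "4111111111111111"
	samplePIN  = "7351"
)

var sampleTime = time.Date(2013, time.December, 19, 14, 3, 22, 0, time.UTC)

// authTag is what the proposed scheme would put on the wire:
// sha1(card number || PIN || time of day), hex encoded.
func authTag(card, pin string, t time.Time) string {
	sum := sha1.Sum([]byte(card + pin + t.Format(time.RFC3339)))
	return hex.EncodeToString(sum[:])
}

// crackPIN recovers a 4-digit PIN from a captured tag when the attacker
// also holds the card number and the exact timestamp. Worst case is
// 10,000 SHA-1 calls; it returns the PIN and how many hashes were needed.
func crackPIN(tag, card string, t time.Time) (pin string, hashes int) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		hashes++
		if authTag(card, guess, t) == tag {
			return guess, hashes
		}
	}
	return "", hashes
}

// crackPINWindow covers the case where the attacker only knows the
// timestamp to within +/- window seconds (the "modulo a few seconds"
// variant). The search grows linearly with the window, not with PIN entropy.
// It returns the PIN, the clock offset that matched, and the total hash count.
func crackPINWindow(tag, card string, approx time.Time, window int) (pin string, offset int, hashes int) {
	for d := -window; d <= window; d++ {
		candidate := approx.Add(time.Duration(d) * time.Second)
		p, n := crackPIN(tag, card, candidate)
		hashes += n
		if p != "" {
			return p, d, hashes
		}
	}
	return "", 0, hashes
}

func main() {
	tag := authTag(sampleCard, samplePIN, sampleTime)
	pin, n := crackPIN(tag, sampleCard, sampleTime)
	fmt.Printf("exact timestamp: PIN %s after %d hashes\n", pin, n)

	// Attacker's clock is 40 s off from the terminal's; allow a +/- 60 s window.
	skewed := sampleTime.Add(40 * time.Second)
	pin, off, n := crackPINWindow(tag, sampleCard, skewed, 60)
	fmt.Printf("+/-60 s window: PIN %s at offset %d s after %d hashes\n", pin, off, n)
}
```

Even with a two-minute window the attacker spends a few hundred thousand SHA-1 calls per card, which is a fraction of a second on commodity hardware. Anything that hashes a 4-digit secret together with values the attacker can see is a PIN-guessing oracle, whatever the hash.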
There was some television "news" saying the protections of debit and credits cards today were the same as far as zero liability in the case of fraud goes, but it may take longer to remedy if it was a debit card. Personally, I have no reason to vouch for this as I've only used credit cards in my life.
To-do List: Receive telemarketing call during a tornado warning. Check.
Surely the bank locks out the card after a few bad tries?
Yes, they do try that however in practice it's very rare for a genuine dispute to happen, partly because the system is pretty secure. You simply don't get Target style bulk thefts. If money gets mysteriously withdrawn and the PIN was entered, you might be on the sharp end of a new zero-day breach against EMV, but much more likely, someone who knows you managed to figure out your PIN (or you told them) and turned out to not be quite as trustworthy as you thought they were.
Credit cards have certain properties that are desirable if you're using plastic (much less impact if your card is stolen, etc.). However, people tend to spend more using credit cards than when using cash and debit cards fall in the middle. For that reason, I prefer using debit cards if using plastic.
http://money.usnews.com/money/blogs/alpha-consumer/2009/08/18/fraud-protection-debit-versus-credit-cards
That seems to be the going consensus at different sources. I've used both and prefer to use the debit card. However, I have only had one instance I could consider fraud and that turned out to be a battle in and of itself because the merchant that charged my card attempted to validate the purchase even though it was shipped to an address for a house that had been destroyed in a fire in another city altogether 4 or 5 years before the purchase.
I ended up getting lucky because the UPS driver refused to leave the package in an empty field and instead left a "you can pick it up" thing and the person who took my number actually did. It was a friend of a friend's kid who came over during a holiday party and we moved a TV and gaming system into the basement so they could pass the time doing kids things with the adults upstairs doing more adult things (drinking). Evidently, I left an old card with the same numbers out or something because he wrote down what was needed to order some crap online. (well, that or he broke in later and took the information, he waited for about 5 months before trying to use the numbers, but he told the police it was at the party that he found them). Either way, the bank wasn't going to treat it as fraud because the merchant shows it was delivered and it ended up being UPS that proved who received it making it fraud again. Took about 4 months to get cleared up.
Surprising lack of information and misinformation for a Slashdot post and comments. In general, PINs are the most protected part of payment transactions. PIN encryption doesn't use bad/crackable crypto concepts like Adobe did on their passwords. And while it's Triple DES-based, it's actually quite strong. All debit PINs in the US are encrypted using the same few standards:
* PIN Block and PIN encryption: ANS X9.8 part 1 and ISO 9564. Examples: http://www.paymentsystemsblog.com/2010/03/03/pin-block-formats/
* Key management: DUKPT from Annex A of ANS X9.24 part 1. Some DUKPT details: http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction
Each PIN pad is injected with a unique initial key that is a double-length Triple DES key. That initial key is derived into a key set of 21 keys that are used to derive up to 1 million future keys (the counter rules in DUKPT only let it count 1 million values). Those are all unique per device. Each transaction uses a unique future key and that is derived into a PIN encryption key to encrypt the PIN block (according to the ANSI and ISO standards).
Encryption of the PIN block is Triple DES ECB using a unique key for that transaction for that device. Breaking the encryption for that key would be a 2^112 brute force effort (no shortcuts because only one ciphertext used that key). And breaking that key will not get you any past keys and only some future keys for that device depending on where it is in the key space. In all, cracking PIN blocks coming from PIN pads is not a low hanging fruit.
PIN pads and their design have to be lab certified and signed off by the PCI Security Council. Merchants can only use PCI certified PIN devices if they take debit cards. (strangely, credit only devices are not required to be PCI certified, but they could be if they encrypt credit card data). While there are older versions of the PIN pad certification requirements, basically the PIN security is the strongest part of the certification. The lab tests for side channel attacks against PIN encryption, ensures physical security of the device, logical security of the device, that applications running on the device (if any) cannot impact/access PIN encryption, and that tampering with devices causes them to erase keys.
list of PCI approved PIN Transaction Security (PTS) devices: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php#
PCI documents (including PIN security): https://www.pcisecuritystandards.org/security_standards/documents.php?association=PTS&document=PTS%20Program%20Guide%20FINAL%201%201#PTS%20Program%20Guide%20FINAL%201%201
Absolutely not true that they freeze the account. I have had two unauthorized use cases. Both times low tech someone took a photo of the debit mastercard in a restaurant. The card was reissued at the nearest branch and the underlying checking acct remained intact. All fraudulent charges were refunded. I was out a total of no money, a half hour in the bank and an hour in the local PD. Yes they caught the first case perps once several people had the same experience after dining at the same restaurant.
The real problem is that Target had the opportunity to say something useful about the mess and blew it. On top of their earlier doublespeak, their latest press release was a mess of inconsistent and incomplete information. They said the encryption was 3DES, which anyone who knows cryptology knows is a symmetric key system, then said they only had the encryption key and not the decryption key. They didn't say that the PIN data is combined with other information so that a dictionary attack would be rendered infeasible, so people were free to assume that the system is as weak as they implied it was. But most of all, PIN numbers themselves are weak thin gruel of security soup. Target had a pulpit where they could have said "If your PIN number is 1234, or the same four digits repeated, like 0000, 1111, 2222, etc., you should change it to something thieves can't easily guess." Fully fifteen percent of people could have read that and realized that they were being morons about their financial security, helping to turn this crisis around for Target. But they missed the opportunity. Who knows if they'll get another?
Here's my deeper question - why do banks let users choose a PIN number and not tell the idiots who pick 1234 that they're being stupid? They could say: "Ten percent of people pick 1234, please choose another number so that you don't lose all your money to a thief." or they could say to everyone "Please choose a four digit code that isn't 1234." If you're a banker, you should know better: http://www.datagenetics.com/blog/september32012/
Lol.. Not every rental or landlord is a thriving business. Most of them are simple day to day people who ended up with an extra house somehow. My landlord inherited two houses from his parents when they passed away, so check or money order is most appropriate. He's a simple farmer who worked for the county road department all his life, hardly a high tech businessman even though he does have quite a bit of business savvy when it comes to farming.
Lots of rentals are a lot like this. They either kept their first home when they purchased a better one and rent it out, inherited the home somehow or saw an investment opportunity. When growing up, my father got remarried and my step mom owned a house, we rented it. You would be surprised at how many rentals come about like this and aren't really set up for online bill pay or credit cards or wire transfers and so on once you get away from the big cities. Cash, check, or money order will be just fine to these landlords.
I'm not so sure it is all encrypted.
I had a go with a company that implemented credit card processing directly into their hospitality suite (manage rental cabins and charges). This software is sold to small hotels and rental businesses with it being able to manage reservations, availabilities, different seasonal rates, and so on. They used their own processing center but it had the ability to use any we wanted to, but the company I was working with used the provider's processing. Anyways, we had a problem with the processing module functioning with our proxy server. After doing some snooping with Wireshark, I noticed some packets containing the numbers and names of the test credit cards. I pieced a couple packets together and had all the information on the transaction including name, address, credit card numbers, the CVC number, expiration dates and for some reason, information about the guest that you wouldn't think a processor needed like phone number and number of guests and dates of the stay.
Of course I was online with their tech support department trying to figure this all out and they assured me a number of times that they have this system up and running at over 5,000 locations without a problem and the only difference is we had a proxy server segmenting the network (they actually suggested to the owner that we scrap the proxy and just use a Netgear router to separate the public and private networks and I had to show the PCI compliance forms that recommend using a proxy). When I asked about it being sent in plain text, they at first didn't believe me until I sent all the packets. Then they stopped working on making their crap work with a proxy server and supposedly fixed the clear text problem, which the solution was to send the CC data to an https site instead of an IP address which the software defaulted to. So the encryption wasn't even built into the program, it basically used a web browser to place the data on a TLS stream and with each update they did, you had to go back into the software and check that the address it was sending to had an https:// in front of it because some of the updates reverted back.
Finally, the owner ended up trashing the entire system and going with a complete online version from another company that integrated with the reservation module on the website better that even allowed you to put a deposit on a cabin to confirm the reservation instead of calling and doing it over the phone.
But you assume it is encrypted because it is supposed to be encrypted, but I have first-hand experience where assuming didn't have the expected results and we only found out by accident. With any software processing like most modern POS machines and complicated inventory and tracking systems being integrated within them seem to be, anything is possible. Even if it was a lazy tech who decided to take a short cut or something to allow the info to not be encrypted.
I'm not impressed with Triple DES, nor the "security" allegedly provided by having the PIN decryption at the point of sale boxes. But you can always just go for brute force decryption.
http://www.popsci.com/technology/article/2012-09/infographic-day-fastest-way-crack-4-digit-pin-number
Given tens of millions of credit cards, you're bound to slide right into enough of them to make the crack worth while.
Most debit cards have a Visa/MC logo and can be used without a pin. In many cases this can avoid a debit card processing fee (most retailers did away with the fee). Making a purchase only requires a signature and gas stations require a zip code and likely a $100 limit. Small purchases at fast food don't require a signature nor pin. The pin is only used at an ATM for cash withdrawal or debit mode at a swipe/keypad terminal.
Now, if the entire file of PIN data was itself encrypted with 3DES, so that the stolen file of pins and 3DES hashes just looks like:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)
jA0EAgMCmK7S4A7OWXhgyWYzILMlE7ATCioESasDPY3H3JiCSGtoQ/UE0VJJPEry ...imagine this is really really long and big...megabytes of scrambled data...
qLwoiFhm/Nz1laSMQS/wRITAHSzDTSPnry14W0EdQeAVhvpkhWpJqYovLNTGhweC
dm3MtNIZu3oN/jQkghTTfTVY4/WEIdo=
=pg5p
-----END PGP MESSAGE-----
Then fantastic! Now the Bad Guys have the PITA of brute forcing the sensitive information file first, before they can wreak havoc with the stolen info.
There's no truth in that at all. The fact that you have to write a check doesn't obviate any responsibility you have to pay your bill, nor does the bank's possession of your money obviate them of the responsibility to fully reimburse you for fraud very quickly. Legally, the two are entirely equivalent.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That only proves you are a fool. There is no "debit reporting agency".
Debit cards do not affect your public credit history. Credit cards, do.
I get no such spam. Of course every time I sign-up for a bank account, I jump through hoops sending in cards or calling-up automated phone numbers to opt-out of ALL information sharing.
That only proves you are a fool. There is no "debit reporting agency".
Yes, indeed, I am a fool for thinking you meant more than just credit reports. I figured you were educated enough to be aware of data brokers who look at spending habits like where, when and how much you spend. What a fool I was for thinking you were putting on an air of stupidity instead of actually being stupid.
I can personally attest to this. This past Labor Day my debit card (which I'd had all of six months) was used to purchase some pharmaceuticals over in Spain to the tune of $300+. Since the debit card is through Visa, their protection services called me to let me know about the odd charge. My credit union I had the card with did diddly to inform me; I had to call them. After some pain with paperwork (which they had to mail/fax and I had to mail/fax back) Visa ruled in favor of the merchant (because it's totally plausible for me to order pills from Spain that were likely shipped to a Spanish address when I've never set foot outside the continental US.)
Thankfully, my credit union is really good (aside from not catching the charge themselves) and reimbursed me the total amount after the ruling, but I was still down that amount for about two weeks (and, since I already end each month with no money, this made things quite stressful.) But I will never again use my debit card online.