Encrypted PIN Data Taken In Target Breach

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.

Time to ask the bank for a new debit card and PIN

[WilliamGeorge]

Subject line says it all :)

Re:sigh, lamestream press strikes again

[taustin]

It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad was wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.

(Earlier reports claimed the pads had been compromised, but that smelled like bullshit then, and even more like it now.)

Re:Can encyption experts chime in?

They are encrypted using 3Des using the following algorigthm.

http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction

Re:PIN?? is it useful

[Em+Adespoton]

OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.

The trip a card purchase takes from your physical card to the merchant bank is actually pretty convoluted -- the simplified explanation is that a card purchase with PIN has a lot fewer safeguards and security checks than an online purchase with card, address and CV only. For card purchases where only the number is used, the vendor assumes a HUGE amount of liability. It often makes sense for fast food vendors and such, where the transaction values are small and they get a significant uptick in sales for shorter transaction times, but for purchasing big ticket items, you either do chip+pin or track 1 data plus second factor (usually stored by the vendor).

So the even shorter answer is: PIN codes mean relative anonymity. Without the PIN, you need to provide other PII at some point in the transaction.

DUKPT

PIN are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived unique key per transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).

So no the PINs are safe unless the card terminals have been hacked too.

Re:Time to ask the bank for a new debit card and P

To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.

Re:Can encyption experts chime in?

[EvilSS]

There is already evidence that the cards are being cloned and used overseas, so having the pin would be very useful for them. They got the entire magstripe for each card in the attack.

Re:Can encyption experts chime in?

[WuphonsReach]

I don't understand why any one would use encryption here at all. Why would they not use challenge/response, so that the PIN never leaves the card/keypad (encrypted or not).

Because parts of the system are still asynchronous. There is not real-time communication in a lot of parts of the banking system. And it was much worse 10-15 years ago when a lot of these systems were designed.