Encrypted PIN Data Taken In Target Breach
New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them."
Another article at Time takes Target to task for its PR doublespeak about the breach.
Subject line says it all :)
William George
Is there a good reason for keeping this that I'm not seeing?
When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".
How hard would it be to decrypt, knowing that each PIN is exactly 4 digits?
I would think if salting was not used, it is just a matter of time.
The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?
The number of people with knowledge of how to change the firmware is probably a pretty short list. When crossed against the list of people who have access to the compromised systems it likely gets smaller.
Could others break in and figure it out? Sure, but I think Occam's Razor applies. The data is likely already split and sold (Krebs evidence suggests this). So the guys at the top, if smart, have made their money, and can sit back and relax.
Silence is a state of mime.
OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.
I gave up with the idea of a useful sig...
I could be missing something here, but by my understanding PINs are usually only 4 digits long. I would think that the people who were able to snag the cards that they correspond to could probably come up with a clever way to figure out the PINs on most of these cards without ever needing to decrypt the data. I recall not long ago seeing a publication of the frequency of PINs in use today; it would seem that they could probably gain access to a significant share with just that list alone.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.
Why combine something you know with something you have? I thought only banks stored pins?
If you ignore ACs because they are anonymous - you're an idiot.
Hope Target's systems used a salt when creating the 3DES.
If the Triple DES used a salt, then good, it will make it much more likely the PINs are secure, because then the hackers would have to brute-force trying a salt value, then all possible PINs for 1 of the Triple DES encrypted PINs, which would take longer.
If the salt was unique for each PIN, then that would be the most secure (but I do not know how a little machine where people give their PINs could do that).
If no salt was used, then might be another case like what happened to Adobe: http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
Uh, Linux geek since 1999.
PINs are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived Unique Key Per Transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).
So no, the PINs are safe unless the card terminals have been hacked too.
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.
Only "weakly encrypted" PINs. How do you "encrypt" a four-decimal-digit PIN? Even if they only had PIN hashes that were as yet uncompromised, it wouldn't offer much protection. If Target changed policy and invalidated your card immediately after you entered the first wrong PIN, the crooks still stole 40 million cards and would have scored a list of about 4000 working card numbers. At least if the PINs were required to be base-64, the crooks would only find a few.
When I've had issues, some quick arguing with the bank got money invented from nowhere and put in my account. Yes, it would delay the checkout from the hotel by a few minutes, but it will get the hotel bill paid. I'm sure you can find some cases where someone was a jackass to their bank, who then refused to fix the issue on the customer's time frame. But I've had this issue before, and the bank took care of it outside the minimum contractual requirements.
Learn to love Alaska
The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.
It depends on where you live and what bank you have. Where I live in Ontario, the same rights are afforded to me on my debit card that my credit card has. Including a lock limit on the RFID of no more than $50.
Om, nomnomnom...
Depends on your part of the world http://en.wikipedia.org/wiki/EFTPOS
http://en.wikipedia.org/wiki/Maestro_(debit_card)
Your country may have a marketing backend, a store or other loyalty points system, at the checkout you may be asked for your postcode... that's a lot of unique data with your card use in many countries.
Domestic spying is now "Benign Information Gathering"
I think they meant to say the key was stored on somebody's Nintendo 3DS.
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
Our family doesn't use a debit card here because we think they're insecure. The terms of service say that if you use them at a cash dispensing terminal and you don't get the cash you asked for it's too bad. Bank employees always say that they've never refused to make good on such an error, but we are not willing to test their assertions.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
What was Target collecting credit card numbers AND PIN numbers for? What business purpose did they need that data for? Why has no one raised this question? They have just created a huge credit theft problem for their customers. This is a shining example why businesses should not maintain any database of sensitive customer information.
I already suffered identity theft and credit card theft in the past and I'm not at all anxious to go through that again. I'm taking my business elsewhere. In fact I may avoid large national chains for this very reason.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? Was it firmware in the POS registers? How did this happen?
If all you have to do is "sign" then that's even worse, a random pen mark is useless for any form of security...
The PIN will be used to withdraw cash from an ATM using a cloned card, if they have a cloned card they can already make purchases without knowing the PIN if only a signature is required.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.
Not only that, if you have a debit card and you are disputing charges, the banks will put a freeze on your account while the dispute is being investigated.
You could confirm whether a PIN is correct without sending it.
For example, send sha1(card number + pin + time of day)
The machine at bank's end does the same calculation with the correct pin and returns whether or not it matches.
Most US debit card machines that I've seen (at least in Indiana) are magstripe-and-PIN, not chip-and-PIN. My debit card from Chase Bank doesn't even have visible "chip" contacts. Besides, there aren't 11 contacts (10 digits + common ground), so the PIN pad machine has to do some sort of translation to get the digits to the serial contacts.
triple rot26
Sleep your way to a whiter smile...date a dentist!
the usual. an excel spreadsheet on a computer running bittorrent in the background.
at least they put a password on the spreadsheet.
Sleep your way to a whiter smile...date a dentist!
Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.
It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.
There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.
When information is power, privacy is freedom.
You're a douchebag... http://www.today.com/money/5-lessons-learned-target-security-breach-2D11803343 "After the Target breach, a few banks took the unprecedented step of limiting how much customers could spend at stores or withdraw from ATMs using their debit cards. No such restrictions were put on credit card customers."
To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards.
In recent years, things have gotten better for debit card holders, you are right that it used to be all promises. Now there are some federal regulations, but they still aren't anywhere near as strong as the federal laws protecting credit card holders.
http://www.fdic.gov/consumers/consumer/news/cnfall09/debit_vs_credit.html
When information is power, privacy is freedom.
But some of those possibilities are more likely than others.
I apologize. I didn't read Todd Knar's entire post. You were addressing his point about hotels, and what you wrote was a reasonable response to that. But being at the mercy of a customer service person feelings about my attitude when I am under a lot of stress is not appealing.
When information is power, privacy is freedom.
Or even use the PIN as part of the encryption key used to encrypt a random string sent from the bank once authentication is requested.
And the connection between the PoS and the bank should also be encrypted.
And that connection should be 100% private. ISDN or whatever. Nothing going across the Internet. Not even with a VPN.
In case you aren't familiar with major U.S. retail chains, it's a breach of the payment processing systems of Target Corporation. An unrelated Australian company operates a chain called "Target." (with the period) under license from Target Corporation.
I think you can safely assume that when a Slashdot poster talks about a legal problem, a problem with consumer protection or issues with the health care system, they are either talking about the USA or, perhaps, North Korea.
Faster! Faster! Faster would be better!
Can anyone tell me what operating system and software that Target uses?
I'd really like to know what exploits this software has and if any other store uses them so I can avoid shopping there.
I think retailers and wholesale clubs ought to be transparent in what operating systems and software they use for their POS system and then list the vulnerabilities they found with a code audit and how they plan to fix them.
This ought to be a law, so consumers can be protected from retailers and wholesale clubs who don't care about their privacy and credit card and debit card data and just use operating systems and software with exploits in them that they never tested nor figured out how to fix.
I think the same should be done with websites as well.
Am I right here or wrong?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
They said that the keys weren't on the "compromised" systems
"Time of day" would seem to be the weak link there. How does the bank-end machine know that exact value so as to replicate the sha1 calculation?
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
From the first article linked:
The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
I went to Target a few years ago to buy a game (BF2 I think). The woman asked to see my driver license to verify I was 18. I snickered because I am well over 18, and handed her my license. She took my license and she swiped it on her keyboard card reader. I immediately asked her why she scanned my card (in a not so happy voice). I told her that when I handed it to her I assumed that she just wanted to get a better look. I told her she did not have permission to scan my ID. She said that she needed to verify that I was 18 using the computer. I then asked her what Target's privacy policy was on storing customers' information. She looked at me with a blank face and said I would have to talk to customer service.
If you read Target's privacy policy you will see that they collect and store your driver license information.
2 things happened that day. I never shopped at Target again, and I destroyed the back of my card so it is no longer readable by a swipe or scanner.
Also, some gas stations are using this method to verify age and won't sell 18+ unless your card swipes in the machine. The ones I have called are also collecting your DL information as well. It's not just age verification.
The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.
The way the system works, the 3DES key is embedded in the pin pad which is sealed against tampering. It is also held by the processor (who owns the pad). In this way, the merchant never knows the key, and so only holds the encrypted PINs.
What I'm waiting for is the moment when some criminally minded individual realizes that "targeting" vendors isn't the way to go, and instead starts APT attacks against the processors -- suddenly, you can pick and choose what data you take, and have access to all the processing information required to make, modify, and revoke transactions. Next stop... compromising the credit companies themselves.
US consumer law seems pretty weak. In the UK the bank is entirely liable unless they can prove that the fraud was your fault. That includes things like charges incurred from other companies, interest, fines etc.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Yeah they don't think they can be un-encrypted. On the other hand, they didn't think they'd be stolen either.
Wuddooeyeno? IITYWYBMAD? Like nuts? eclecticallyincorrect.com
Superior, how? Superior as in just about anybody is able to easily find out about all your credit cards, and plenty of purchase details? Is that the kinds of "superior" you were talking about?
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Superior, how? Superior as in just about anybody is able to easily find out about all your credit cards, and plenty of purchase details? Is that the kinds of "superior" you were talking about?
I feel you are assuming an air of stupidity to make a point. Perhaps you would like to make your point explicitly rather than come at it sideways? I remind you that this is a debate about the merits of debit cards versus credit cards. References to other payment methods would be more than just stupid.
When information is power, privacy is freedom.
If you can't get ALL YOUR money when YOU want, then your account is effectively frozen, asshat. Same deal as a bank run, when they don't allow you to get all YOUR money.
Information about debit cards are NOT shared with anyone outside of the issuing bank. They are every bit as private as writing a check, doing a wire transfer, or similar. Credit cards are the polar opposite, with all your financial information being reported, and being easy for anyone on the planet to access.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Information about debit cards are NOT shared with anyone outside of the issuing bank.
I find that impossible to believe when the exact same processing system is used for both credit and debit cards.
Hell, there are even "rewards" programs for visa and mastercard branded debit cards. I think you would be hard pressed to explain how visa can do that without knowing your spending.
http://usa.visa.com/personal/cards/debit/visa_extras.html
When information is power, privacy is freedom.
How hard can it be to brute force the key when you know there are only 10000 possible plaintexts?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Not any harder or easier than any other number of possible plaintexts, encrypted with the same key. In modern crypto, knowing the plaintext is irrelevant (even if you know exactly what it is), only the quality of the key matters. If the key is appropriately random and unknown to the attackers, then they will have to brute force the entire keyspace to get to the PINs, same as any other encrypted piece of information.
Information about debit cards are NOT shared with anyone outside of the issuing bank.
LOLWUT? Who cares about the cards, they are meaningless by themselves, the information about underlying accounts (whether credit, checking, etc.) is what counts, and it is most certainly shared! By changing the amount of average monthly balance on the checking account I can select what kind of spam I get via USPS. Seriously. The running joke around here is that if you keep the average above $10K, you are bougie since all your firestarter paper comes by mail!
A successful API design takes a mixture of software design and pedagogy.
It's even worse. They don't have to guess at all. They can all just use one arbitrary combination, and keep trying it on each card. They've got enough cards to get tens of thousands of hits.
A successful API design takes a mixture of software design and pedagogy.
No, they won't. I've disputed fraudulent charges on my debit card before, and the bank didn't freeze my account. What they did do was invalidate the compromised card and issue me a new one, but that happened right there while I was filling out the paperwork so it didn't really impact me. The only time it impacted me was the one time it came from the bank's end rather than me reporting the charge, and I got a phone call from the security department saying the bank'd been notified and I'd need to stop in ASAP to get the card reissued. Annoying, but I'd rather that than have my account emptied.
The problem is that you're away from home, you don't have access to everything you normally would, and you can't deal with the bank in person. It's easy to get the charge handled when you're in the branch and can fill out the paperwork. It's less easy when you're in a different time zone and can't just fork over a driver's license as proof of identity. I could probably handle it, but that's because I'm paranoid and travel with at least one portable device set up for access to everything. But most people aren't that paranoid.
Credit cards are in fact better than a debit card in one way: the money doesn't actually come out of your pocket until you pay your bill. With a debit card the money's gone and you're trying to get it back (and the fact that the bank tends to be cooperative doesn't change this dynamic). And the old adage about possession being 9/10ths of the law does ring true here: it's much easier to keep what you have than to get back what you don't.
When away from home, I have the 800-number for the bank. On the card. When I travel internationally, I put a sticky note on every card with the bank's toll-free numbers from every country on my itinerary. Reaching the bank isn't an issue while on the road. I've never had someone ask for ID over the phone. At most, they ask for your most recent transaction, and standard account info anyone would know off the top of their head, like SSN and address.
Learn to love Alaska
Provided it is CPA and KPA secure (chosen plaintext attack, known plaintext attack) then it's as hard as brute forcing the keys.
However the ANSI X9 series crypto specs and the PCI-DSS stuff, the banks and card processors use are hardly the best available. They might be secure, but without specifics of what crypto profiles the devices were using, you cannot be sure.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Perhaps the vendors are targeted because they have weaker security than the banks - both the issuers and acquirers.
The banks are already being targeted, continually. Eventually someone will succeed, but banks and card providers spend an awfully large amount of time, money and effort in making sure they aren't the first one.
Anyway, why go for a card company? Sure Visa or Mastercard would be the motherlode? Of course, they too have data security at the top of their requirements list for any new systems.
Sorry but what the fuck are people still using cheques for in this day and age?
Especially for rent!
Just set up a recurring electronic transfer ffs. It's not hard.
It all depends on the bank. Last time my debit card got lifted they reported my card as stolen. They overnighted a new card for me (they called me at 6pm, I had the new card in my hands by 9am, four states away), and they set up a 90 day, interest-free loan to cover all the transactions that happened during the time the card was being used by somebody else. I got back a week later, filled out a form, the charges were reversed and I paid back the loan with the money that came in on the reversed charges.
Sure it was an extra headache, but they really didn't put me out for anything. In fact, they called back a few times to make sure everything was ok.
You don't have to have a fork up your ass all the time -- you choose it by association. If you let assholes handle your money then expect to be treated as such when things go wonky ;)
If you use your card with a PIN (or PIN and Chip), then there are much fewer protections. If you use your debit card with a VISA or MC logo as a credit-card then you are generally protected (although you will need to fight for the money to come back in your account sooner than later, as opposed to not paying that amount when your statement comes).
in systems I design, such as Strongbox, the sender also sends gettimeofday() and the receiver confirms the timestamp is within X milliseconds. Both sides use NTP, so both have accurate time to within a few milliseconds.
I've also implemented systems in which the timestamp element is modulo a few seconds. The receiver accepts either the current modulo time or the previous.
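The earlier proposal of sending sha1(card number + pin + time of day) and the reply above about accepting the current or the previous time window describe one verification scheme between them. The following is an added example, not code posted by anyone in this thread and not Strongbox's code, of that window-acceptance logic in Go. It swaps the unkeyed SHA-1 for an HMAC under a key shared by the sending device and the verifying host (a constructed key here; in a fielded system it would be a per-device key, since with no key at all anyone holding the card number and timestamp has only 10,000 PIN values to try). The PAN, PIN, timestamps and the 5-second window width are all constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"time"
)

// windowWidth is the coarseness of the timestamp element: sender and receiver
// only need clocks that agree to within one window, which NTP gives easily.
// (Constructed value for the example.)
const windowWidth = 5 * time.Second

// windowIndex maps a wall-clock time to the number of the window it falls in.
func windowIndex(t time.Time) int64 {
	return t.Unix() / int64(windowWidth/time.Second)
}

// makeTag binds the PAN, the PIN and the window number under a shared key.
// The key is an assumption of this example: it stands in for a per-device
// key and is not derived from the PIN.
func makeTag(key []byte, pan, pin string, win int64) []byte {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%s|%d", pan, pin, win)
	return mac.Sum(nil)
}

// verifyTag recomputes the tag with the PIN on file and accepts it if it was
// made in the receiver's current window or the one immediately before it, so
// a message sent just before a window boundary is not rejected. Comparison is
// constant-time so the check itself leaks nothing about the expected tag.
func verifyTag(key []byte, pan, pinOnFile string, tag []byte, now time.Time) bool {
	win := windowIndex(now)
	for _, w := range []int64{win, win - 1} {
		if hmac.Equal(tag, makeTag(key, pan, pinOnFile, w)) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-demo-key-not-a-real-one") // constructed
	pan, pin := "4111111111111111", "1234"               // constructed sample values
	sent := time.Unix(1000000000, 0)                     // fixed so the run is reproducible
	tag := makeTag(key, pan, pin, windowIndex(sent))
	fmt.Println(verifyTag(key, pan, pin, tag, sent.Add(4*time.Second)))  // same window: true
	fmt.Println(verifyTag(key, pan, pin, tag, sent.Add(5*time.Second)))  // previous window: true
	fmt.Println(verifyTag(key, pan, pin, tag, sent.Add(10*time.Second))) // two windows old: false
	fmt.Println(verifyTag(key, pan, "0000", tag, sent))                  // wrong PIN on file: false
}
```

Accepting exactly two windows bounds the replay exposure to at most twice the window width; widening the window for clock slop widens that exposure by the same amount, which is the trade-off the "within X milliseconds" variant makes explicit.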
There was some television "news" saying the protections of debit and credits cards today were the same as far as zero liability in the case of fraud goes, but it may take longer to remedy if it was a debit card. Personally, I have no reason to vouch for this as I've only used credit cards in my life.
To-do List: Receive telemarketing call during a tornado warning. Check.
Yes, the key is needed to encrypt, but the encrypted PIN block is already encrypted by the card embosser on behalf of the bank. If the merchant passes along the encrypted PIN block as sensitive authentication data to the processor for authorization, the merchant has no need to decrypt.
This, unfortunately, makes the encrypted PIN block more of a password than encrypted data. Cloning cards is still quite possible.
Yes, they do try that however in practice it's very rare for a genuine dispute to happen, partly because the system is pretty secure. You simply don't get Target style bulk thefts. If money gets mysteriously withdrawn and the PIN was entered, you might be on the sharp end of a new zero-day breach against EMV, but much more likely, someone who knows you managed to figure out your PIN (or you told them) and turned out to not be quite as trustworthy as you thought they were.
The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
Which is damned misleading. Maybe the information truly is never decrypted on their system, but it is encrypted and it's encrypted with exactly the same key as it would be decrypted with at the external, independent payment processor.
Credit cards have certain properties that are desirable if you're using plastic (much less impact if your card is stolen, etc.). However, people tend to spend more using credit cards than when using cash and debit cards fall in the middle. For that reason, I prefer using debit cards if using plastic.
http://money.usnews.com/money/blogs/alpha-consumer/2009/08/18/fraud-protection-debit-versus-credit-cards
That seems to be the going consensus at different sources. I've used both and prefer to use the debit card. However, I have only had one instance I could consider fraud and that turned out to be a battle in and of itself because the merchant that charged my card attempted to validate the purchase even though it was shipped to an address for a house that had been destroyed in a fire in another city altogether 4 or 5 years before the purchase.
I ended up getting lucky because the UPS driver refused to leave the package in an empty field and instead left a "you can pick it up" thing and the person who took my number actually did. It was a friend of a friend's kid who came over during a holiday party and we moved a TV and gaming system into the basement so they could pass the time doing kids things with the adults upstairs doing more adult things (drinking). Evidently, I left an old card with the same numbers out or something because he wrote down what was needed to order some crap online. (well, that or he broke in later and took the information, he waited for about 5 months before trying to use the numbers, but he told the police it was at the party that he found them). Either way, the bank wasn't going to treat it as fraud because the merchant shows it was delivered and it ended up being UPS that proved who received it making it fraud again. Took about 4 months to get cleared up.
Surprising lack of information and misinformation for a slashdot post and comments. In general, PINs are the most protected part of payment transactions. PIN encryption doesn't use bad/crackable crypto concepts like Adobe did on their passwords. And while it's Triple DES-based, it's actually quite strong. All debit PINs in the US are encrypted using the same few standards:
* PIN Block and PIN encryption: ANS X9.8 part 1 and ISO 9564. Examples: http://www.paymentsystemsblog.com/2010/03/03/pin-block-formats/
* Key management: DUKPT from Annex A of ANS X9.24 part 1. Some DUKPT details: http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction
Each PIN pad is injected with a unique initial key that is a double-length Triple DES key. That initial key is derived into a key set of 21 keys that are used to derive up to 1 million future keys (the counter rules in DUKPT only let it count 1 million values). Those are all unique per device. Each transaction uses a unique future key and that is derived into a PIN encryption key to encrypt the PIN block (according to the ANSI and ISO standards).
Encryption of the PIN block is Triple DES ECB using a unique key for that transaction for that device. Breaking the encryption for that key would be a 2^112 brute force effort (no shortcuts because only one ciphertext used that key). And breaking that key will not get you any past keys and only some future keys for that device depending on where it is in the key space. In all, cracking PIN blocks coming from PIN pads is not a low hanging fruit.
PIN pads and their design have to be lab certified and signed off by the PCI Security Council. Merchants can only use PCI certified PIN devices if they take debit cards. (Strangely, credit only devices are not required to be PCI certified, but they could be if they encrypt credit card data.) While there are older versions of the PIN pad certification requirements, basically the PIN security is the strongest part of the certification. The lab tests for side channel attacks against PIN encryption, ensures physical security of the device, logical security of the device, that applications running on the device (if any) cannot impact/access PIN encryption, and that tampering with devices causes them to erase keys.
list of PCI approved PIN Transaction Security (PTS) devices: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php#
PCI documents (including PIN security): https://www.pcisecuritystandards.org/security_standards/documents.php?association=PTS&document=PTS%20Program%20Guide%20FINAL%201%201#PTS%20Program%20Guide%20FINAL%201%201
The real problem is that Target had the opportunity to say something useful about the mess and blew it. On top of their earlier doublespeak, their latest press release was a mess of inconsistent and incomplete information. They said the encryption was 3DES, which anyone who knows cryptology knows is a symmetric key system, then said they only had the encryption key and not the decryption key. They didn't say that the PIN data is combined with other information so that a dictionary attack would be rendered infeasible, so people were free to assume that the system is as weak as they implied it was. But most of all, PIN numbers themselves are weak thin gruel of security soup. Target had a pulpit where they could have said "If your PIN number is 1234, or the same four digits repeated, like 0000, 1111, 2222, etc., you should change it to something thieves can't easily guess." Fully fifteen percent of people could have read that and realized that they were being morons about their financial security, helping to turn this crisis around for Target. But they missed the opportunity. Who knows if they'll get another?
Here's my deeper question - why do banks let users choose a PIN number and not tell the idiots who pick 1234 that they're being stupid? They could say: "Ten percent of people pick 1234, please choose another number so that you don't lose all your money to a thief." or they could say to everyone "Please choose a four digit code that isn't 1234." If you're a banker, you should know better: http://www.datagenetics.com/blog/september32012/
Lol.. Not every rental or landlord is a thriving business. Most of them are simple day-to-day people who ended up with an extra house somehow. My landlord inherited two houses from his parents when they passed away, so check or money order is most appropriate. He's a simple farmer who worked for the county road department all his life, hardly a high-tech businessman even though he does have quite a bit of business savvy when it comes to farming.
Lots of rentals are a lot like this. They either kept their first home when they purchased a better one and rent it out, inherited the home somehow, or saw an investment opportunity. When I was growing up, my father got remarried and my stepmom owned a house, and we rented it. You would be surprised at how many rentals come about like this and aren't really set up for online bill pay or credit cards or wire transfers and so on once you get away from the big cities. Cash, check, or money order will be just fine to these landlords.
I'm not so sure it is all encrypted.
I had a go with a company that implemented credit card processing directly into their hospitality suite (managing rental cabins and charges). This software is sold to small hotels and rental businesses, with it being able to manage reservations, availability, different seasonal rates, and so on. They used their own processing center, but it had the ability to use any we wanted; the company I was working with used the provider's processing. Anyway, we had a problem with the processing module functioning with our proxy server. After doing some snooping with Wireshark, I noticed some packets containing the numbers and names of the test credit cards. I pieced a couple of packets together and had all the information on the transaction, including name, address, credit card numbers, the CVC number, expiration dates and, for some reason, information about the guest that you wouldn't think a processor needed, like phone number, number of guests and dates of the stay.
Of course I was online with their tech support department trying to figure this all out, and they assured me a number of times that they had this system up and running at over 5,000 locations without a problem and that the only difference was that we had a proxy server segmenting the network (they actually suggested to the owner that we scrap the proxy and just use a Netgear router to separate the public and private networks, and I had to show them the PCI compliance forms that recommend using a proxy). When I asked about it being sent in plain text, they at first didn't believe me until I sent them all the packets. Then they stopped working on making their crap work with a proxy server and supposedly fixed the clear text problem, and the solution was to send the CC data to an https site instead of the IP address which the software defaulted to. So the encryption wasn't even built into the program; it basically used a web browser to place the data on a TLS stream, and with each update they did, you had to go back into the software and check that the address it was sending to had an https:// in front of it, because some of the updates reverted it.
Finally, the owner ended up trashing the entire system and going with a complete online version from another company that integrated better with the reservation module on the website, and even allowed you to put a deposit on a cabin to confirm the reservation instead of calling and doing it over the phone.
But you assume it is encrypted because it is supposed to be encrypted, but I have first-hand experience where assuming didn't have the expected results and we only found out by accident. With the kind of software processing most modern POS machines have, and the complicated inventory and tracking systems that seem to be integrated into them, anything is possible. Even if it was a lazy tech who decided to take a shortcut or something to allow the info not to be encrypted.
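The cleartext card data the comment above describes was found by reading packets by hand. As an added example (not the commenter's software or any vendor's tooling), here is the kind of check a practitioner would run over a reassembled session payload (for instance the output of Wireshark's "Follow TCP Stream") to decide whether a processing module is leaking PANs: every Luhn-valid run of 13 to 19 digits is a card-number candidate, and phone numbers, dates and reservation ids fall out because they fail the Luhn check or the length test. The HTTP body below is constructed for the demo and uses only well-known test card numbers.

```python
"""Added example: scan a cleartext payload for Luhn-valid card numbers.
Not from the thread; the sample request is constructed, the card numbers
are standard test numbers, and the regex/Luhn filter is a generic check."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits (which drops timestamps and long ids).
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return Luhn-valid PAN candidates found in the clear, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def leaks_card_data(payload: bytes) -> bool:
    """True when at least one PAN is readable in the payload; a properly
    TLS-protected session yields only ciphertext and never trips this."""
    return bool(find_pans(payload))


# Constructed request resembling what the comment describes: guest details,
# card numbers and the CVC all in one unencrypted POST to a raw IP address.
SAMPLE = (
    b"POST /process HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"guest=Jane+Doe&phone=555-123-4567&nights=3"
    b"&reservation=20131219123456789012"          # 20 digits: too long, ignored
    b"&card=4111 1111 1111 1111&exp=1215&cvc=123"  # Visa test number, Luhn-valid
    b"&deposit_card=5500000000000004"              # Mastercard test number
    b"&typo=4111111111111112"                      # 16 digits but fails Luhn
)

if __name__ == "__main__":
    print(find_pans(SAMPLE))       # the two test card numbers only
    print(leaks_card_data(SAMPLE))
```

Run it against a capture taken while the "fixed" build is in use as well; the comment's point that updates silently reverted the https:// endpoint is exactly the regression this check catches.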
I'm not impressed with Triple DES, nor the "security" allegedly provided by having the PIN decryption at the point of sale boxes. But you can always just go for brute force decryption.
http://www.popsci.com/technology/article/2012-09/infographic-day-fastest-way-crack-4-digit-pin-number
Given tens of millions of credit cards, you're bound to slide right into enough of them to make the crack worthwhile.
Most debit cards have a Visa/MC logo and can be used without a PIN. In many cases this can avoid a debit card processing fee (most retailers did away with the fee). Making a purchase only requires a signature, and gas stations require a zip code and likely have a $100 limit. Small purchases at fast food places don't require a signature or a PIN. The PIN is only used at an ATM for cash withdrawal or in debit mode at a swipe/keypad terminal.
Now, if the entire file of PIN data was itself encrypted with 3DES, so that the stolen file of pins and 3DES hashes just looks like:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)
jA0EAgMCmK7S4A7OWXhgyWYzILMlE7ATCioESasDPY3H3JiCSGtoQ/UE0VJJPEry ...imagine this is really really long and big...megabytes of scrambled data...
qLwoiFhm/Nz1laSMQS/wRITAHSzDTSPnry14W0EdQeAVhvpkhWpJqYovLNTGhweC
dm3MtNIZu3oN/jQkghTTfTVY4/WEIdo=
=pg5p
-----END PGP MESSAGE-----
Then fantastic! Now the Bad Guys have the PITA of brute forcing the sensitive information file first, before they can wreak havoc with the stolen info.
Uh, Linux geek since 1999.
There's no truth in that at all. The fact that you have to write a check doesn't obviate any responsibility you have to pay your bill, nor does the bank's possession of your money obviate them of the responsibility to fully reimburse you for fraud very quickly. Legally, the two are entirely equivalent.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
That only proves you are a fool. There is no "debit reporting agency".
Debit cards do not affect your public credit history. Credit cards, do.
I get no such spam. Of course every time I sign up for a bank account, I jump through hoops sending in cards or calling up automated phone numbers to opt out of ALL information sharing.
That only proves you are a fool. There is no "debit reporting agency".
Yes. indeed, I am a fool for thinking you meant more than just credit reports. I figured you were educated enough to be aware of data brokers who look at spending habits like, where, when and how much you spend. What a fool I was for thinking you were putting on an air of stupidity instead of actually being stupid.
When information is power, privacy is freedom.
The encrypted PIN block is only a password to the processor / merchant combination for which that PIN pad was provisioned. The encrypted block couldn’t be substituted in like (for example) an unsalted hash of a password since the key “should” be different for each set of PIN pads (possibly/preferably each individual PIN pad) that is issued.
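Three points in the thread pull in the same direction: the brute-force comment (tens of millions of cards, 10^4 possible PINs), the earlier remark that Target never said whether the PIN data is combined with other information to defeat a dictionary attack, and the comment just above that the key should differ per pad. The simulation below is an added example, not Target's system or anything the commenters posted, and it makes three assumptions that are labelled in the code: the PIN popularity figures are constructed (loosely after the DataGenetics numbers quoted earlier), the PANs are made up, and the "block cipher" is HMAC-SHA256 truncated to 64 bits standing in for 3DES in ECB mode, because the attack only relies on determinism (same key and same plaintext block always give the same ciphertext). It shows that with one fixed key and a plaintext that depends on the PIN alone, the thief needs no key at all: the most frequent ciphertext is 1234. Per-pad keys only hide that across pads, not within one pad's traffic, while the ISO 9564 format 0 PIN block (PIN XORed with twelve PAN digits) makes every card's ciphertext distinct. It also shows that if the key does leak, recovering a PIN is 10^4 trial encryptions.

```python
"""Added example (not from the thread or Target): deterministic PIN
encryption under a fixed key versus ISO 9564 format 0 with PAN mixing.
Assumption: HMAC-SHA256 truncated to 8 bytes stands in for 3DES-ECB."""
import hashlib
import hmac
import random
from collections import Counter

# Constructed PIN popularity, loosely after the DataGenetics figures quoted
# in the thread (1234 ~10%, 1111 ~6%, 0000 ~2%); everything else uniform.
POPULAR = {"1234": 0.10, "1111": 0.06, "0000": 0.02}


def pin_block_naive(pin: str) -> bytes:
    """Plaintext that depends on the PIN alone: '0', length, PIN, 'F' padding."""
    return bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))


def pin_block_format0(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: the naive block XOR (0000 || 12 rightmost PAN
    digits, check digit excluded). The same PIN on two cards differs."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_block_naive(pin), pan_field))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Deterministic 64-bit block 'cipher' stand-in (assumption, see above)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def draw_pin(rng: random.Random) -> str:
    r = rng.random()
    for pin, p in POPULAR.items():
        if r < p:
            return pin
        r -= p
    return f"{rng.randrange(10000):04d}"


def simulate(n: int, mix_pan: bool, pads: int = 1, seed: int = 1):
    """Return (keys, records); each record is (pad_id, pan, ciphertext).
    pads=1 is one fixed key everywhere; pads>1 is a unique key per pad."""
    rng = random.Random(seed)
    keys = [bytes(rng.randrange(256) for _ in range(24)) for _ in range(pads)]
    records = []
    for i in range(n):
        pad = i % pads
        pin = draw_pin(rng)
        pan = f"4{rng.randrange(10**15):015d}"      # constructed 16-digit PAN
        block = pin_block_format0(pin, pan) if mix_pan else pin_block_naive(pin)
        records.append((pad, pan, encrypt_block(keys[pad], block)))
    return keys, records


def frequency_attack(records, pad=None):
    """Attacker view: no key, only stolen ciphertexts (optionally one pad's).
    Returns (most common ciphertext, its share of the sample)."""
    cts = [ct for p, _, ct in records if pad is None or p == pad]
    ct, count = Counter(cts).most_common(1)[0]
    return ct, count / len(cts)


def brute_force_with_key(key: bytes, pan: str, target: bytes, mix_pan: bool):
    """With the key in hand, a 4-digit PIN costs at most 10^4 encryptions."""
    for cand in range(10000):
        pin = f"{cand:04d}"
        block = pin_block_format0(pin, pan) if mix_pan else pin_block_naive(pin)
        if encrypt_block(key, block) == target:
            return pin
    return None


if __name__ == "__main__":
    keys, recs = simulate(20000, mix_pan=False)
    ct, share = frequency_attack(recs)
    print("fixed key, PIN-only block: top ciphertext is 1234?",
          ct == encrypt_block(keys[0], pin_block_naive("1234")), f"share={share:.3f}")
    keys, recs = simulate(20000, mix_pan=False, pads=50)
    print("per-pad keys, PIN-only block: top share over all pads / within pad 0:",
          f"{frequency_attack(recs)[1]:.4f} / {frequency_attack(recs, pad=0)[1]:.3f}")
    keys, recs = simulate(20000, mix_pan=True)
    print("format 0 block, fixed key: top share", f"{frequency_attack(recs)[1]:.5f}")
    pad, pan, ct = recs[0]
    print("with the key, brute force recovers", brute_force_with_key(keys[pad], pan, ct, True))
```

The PAN mixing is not secrecy in itself (the PAN sits on the same stolen track data), but it removes the equal-PIN-equal-ciphertext relation that frequency analysis feeds on, which is why the press release's silence on that point left the weakest reading open.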
I can personally attest to this. This past Labor Day my debit card (which I'd had all of six months) was used to purchase some pharmaceuticals over in Spain to the tune of $300+. Since the debit card is through Visa, their protection services called me to let me know about the odd charge. My credit union I had the card with did diddly to inform me; I had to call them. After some pain with paperwork (which they had to mail/fax and I had to mail/fax back), Visa ruled in favor of the merchant (because it's totally plausible for me to order pills from Spain that were likely shipped to a Spanish address when I've never set foot outside the continental US).
Thankfully, my credit union is really good (aside from not catching the charge themselves) and reimbursed me the total amount after the ruling, but I was still down that amount for about two weeks (and, since I already end each month with no money, this made things quite stressful.) But I will never again use my debit card online.