Slashdot Mirror


Encrypted PIN Data Taken In Target Breach

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.


  1. Why are they storing this data anyway? by Anonymous Coward · · Score: 3, Interesting

    Is there a good reason for keeping this that I'm not seeing?

    1. Re:Why are they storing this data anyway? by Tool+Man · · Score: 4, Insightful

      Nope, horse-puckey. This would be the same PIN data that their PCI compliance *cough* would disallow from storing after authorization for a transaction, just like the CVV codes which I think also got nabbed. Now, it is possible that they were all captured "in-flight" and not being stored against the rules, but it is very much verboten to keep even with encryption.

    2. Re: Why are they storing this data anyway? by khanta · · Score: 2, Interesting

      Terminals encrypt PIN data inside the device. The terminals they use are PED certified. DUKPT is used, and the data should be safe. The PIN block should stay encrypted all the way to the processor. If it is decrypted it should be done in an HSM. The malware was most likely scraping memory on the POS and grabbing track data as it was passed from terminal to the POS. Then they somehow exfiltrated it out. Obviously they weren't using encrypted terminals. I don't think target stored this data centrally. Most likely just infected POS stations. My bet is at the source and they all booted up infected stations. Sorry for the terse responses.

      --
      ourney weaver

    3. Re:Why are they storing this data anyway? by snowraver1 · · Score: 4, Insightful

      I have been doing card processing for a living for 7 years now. The pin, of course, has to go over the wire along with the track2 data. How exactly that happens can differ greatly though. Larger merchants are more likely to use some sort of middleware processing software, and that introduces weaknesses. In many cases communication between the POS and middleware is plaintext. Scooping this data up would be trivial, but PCI mandates that unencrypted data has to be segregated off the network from non-PCI stuff. This makes things a bit trickier for an attacker.

      As for Target, here's my take: This is the only information in the press release:

      The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

      To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

      If they were using "true" end-to-end encryption, there are no known attacks other than card skimmer magic*. If that was the case, there wouldn't be much of an investigation, as the facts (and scope) would be pretty clear.

      That leaves a network packet monitor attack, a database related breach/attack, log file snarfing (depending on the vendor, log files can contain a LOT of data.), or something I'm not thinking of.

      I find it odd that they say that pins have been pilfered, but not the card numbers. That, to me, suggests a DB related attack, and the attackers only got the pin table/columns. A list of pin numbers though, of course, is completely useless (8374 - Here's a free one) on its own. Decrypting them should be trivial, given the limited number of possible pin numbers, even if the table was salted. But again, what would be the point. I'm guessing that the next release will say that card numbers were compromised as well.

      As for the 3des part, It just doesn't make any sense. As other people have already said, 3des is symmetrical, so saying they don't have the key is impossible. My guess is that they are actually using SSL (which could then in turn negotiate a 3des key). If that is the case, then each session key would be unique, and target would never have "access" to it as it would only exist in RAM.

      To my knowledge. I'd be happy/interested if someone could prove me wrong here.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.

  2. We'll know soon by Above · · Score: 5, Funny

    When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".

    1. Re:We'll know soon by Fnord666 · · Score: 5, Insightful

      Except that they were almost certainly using ANSI PIN blocks which XOR the card number into the data before encryption so that two identical PINs do not encrypt to the same cipher block. In addition, the terminals may have been using DUKPT, which is short for Derived Unique Key Per Transaction. This means that each PIN block is encrypted with a different key. Brute forcing one PIN block will not yield any information about the next one.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

    2. Re:We'll know soon by girlintraining · · Score: 2

      Except that they were almost certainly using ANSI PIN blocks which XOR the card number into the

      You're assuming competence here when every aspect of this breach has demonstrated incompetence. I happen to know what Target considers "encrypted" PINs, and it's nothing so elaborate. They are referring to the drive-level encryption mandated by Sarbanes-Oxley. They are correct in that the keys to decrypt the drive are tied to the hardware and that the only copies are stored on a remote server. However, what they aren't telling you is that this breach didn't consist of someone walking into a server closet and absconding with the hard drives -- which is the only scenario in which drive encryption protects the data.

      From what I've been able to gather, the breach targeted the POS terminals directly because they are booted over DHCP and the DHCP server is located on the other side of a WAN link. As you know, DHCP is a broadcast protocol and the first reply is assumed authoritative. All an attacker would have to do is gain access to the wifi or a hard line (accessible on the floor of the store as their IP cameras run on the same network), download the POS image, make a few modifications, and then activate their own DHCP server. For more stealth, you could write a simple daemon to reply to the DHCP sent from the real server so that the leasing database still appears legitimate.

      Oh, and by the way... DUKPT isn't an encryption standard, it's a protocol for exchanging keys. It still requires a shared key, and guess where that would be stored: In the TFTP image. Which is sent in plain text over the wire every morning when the POS terminals get turned on.

      Great security there. Yup. Highly secure. I'm sure nobody figured out how to hack the "super secret encryption key" (bonus: That's actually what early documentation for DUKPT referred to it as)... by simply sending a DHCP request and asking for it...

      --
      #fuckbeta #iamslashdot #dicemustdie

  3. Can encryption experts chime in? by postmortem · · Score: 3, Interesting

    How hard it would be to decrypt, knowing that each pin is exactly 4 digits?

    I would think if salting was not used, it is just a matter of time.

    1. Re:Can encryption experts chime in? by Anonymous Coward · · Score: 3, Informative

      They are encrypted using 3DES using the following algorithm.

      http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction

    2. Re:Can encryption experts chime in? by hargrand · · Score: 3, Insightful

      You're assuming the PIN was in any way related to the 3DES key. That's almost certainly not the case. More likely, Target requests a transaction key from the bank which is then used to encrypt the PIN and sent the encrypted PIN to the bank. The bank then decrypts the PIN using the 3DES key and verifies the PIN.

      They probably should switch to RSA or some other public key algorithm. With 3DES, both parties need to share the key. With RSA, there is a public key and a matched private key. If the public key is compromised, it's no big deal. Since the bank retains the private key and doesn't share it, it's at least theoretically more secure for this kind of transaction.

    3. Re:Can encryption experts chime in? by EvilSS · · Score: 3, Informative

      There is already evidence that the cards are being cloned and used overseas, so having the pin would be very useful for them. They got the entire magstripe for each card in the attack.

      --
      I browse on +1 so AC's need not respond, I won't see it.

    4. Re:Can encryption experts chime in? by snowraver1 · · Score: 2

      Because it's not part of ISO8583?

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.

    5. Re:Can encryption experts chime in? by Fnord666 · · Score: 2

      PIN blocks are encrypted using PIN block format 0. In this format a portion of the account number is XORed with the PIN block prior to encryption. The result is that for two different accounts with the same PIN, even if they are encrypted with the same key, the resulting encrypted PIN blocks will be entirely different.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
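
The format 0 PIN block that Fnord666 describes here and in the reply to "We'll know soon" is easy to see in code. The following is an added example, not code from the original thread or from any terminal vendor or processor: it builds the clear (pre-encryption) ISO 9564-1 format 0 block, showing that the same PIN on two different cards gives the cipher two different 8-byte inputs, so a fixed key cannot produce the "25% encrypt to one string" pattern. The PANs and PIN are constructed sample values, and the block is left unencrypted because the point is the input to the cipher, not the cipher itself.

```python
"""ISO 9564-1 format 0 PIN block construction.

Added example (not Target's, a terminal vendor's, or a processor's code).
Format 0 XORs a PAN-derived field into the PIN field before encryption, so
identical PINs on different accounts never present identical plaintext blocks.
The PAN is needed to read the PIN back out, which is why the PAN travelling
with the block (track 2 data) matters to the overall security picture.
"""


def _pan_field(pan: str) -> int:
    """Format 0 PAN field: 0000 followed by the 12 rightmost PAN digits,
    excluding the Luhn check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return int("0000" + digits[-13:-1], 16)


def _pin_field(pin: str) -> int:
    """Format 0 PIN field: control nibble 0, PIN length, PIN digits,
    then 'F' padding up to 16 hex digits (64 bits)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    return int(("0%X%s" % (len(pin), pin)).ljust(16, "F"), 16)


def build_pin_block(pin: str, pan: str) -> str:
    """Return the clear format 0 PIN block as 16 uppercase hex digits.
    This is the value the pin pad would then feed to 3DES."""
    return "%016X" % (_pin_field(pin) ^ _pan_field(pan))


def decode_pin_block(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block. Requires the PAN the block
    was built with; without it the PIN digits are masked by the XOR."""
    pin_field = "%016X" % (int(block_hex, 16) ^ _pan_field(pan))
    if pin_field[0] != "0":
        raise ValueError("not a format 0 block")
    length = int(pin_field[1], 16)
    pin = pin_field[2:2 + length]
    padding = pin_field[2 + length:]
    if not (4 <= length <= 12 and pin.isdigit() and set(padding) <= {"F"}):
        raise ValueError("malformed PIN block")
    return pin


if __name__ == "__main__":
    # Constructed sample PANs (not real card numbers) sharing the same PIN.
    pan_a = "4000001234567899"
    pan_b = "5105105105105100"
    block_a = build_pin_block("1234", pan_a)
    block_b = build_pin_block("1234", pan_b)
    print("same PIN, card A:", block_a)  # 041234FEDCBA9876
    print("same PIN, card B:", block_b)  # 041265FAEFAEFAEF
    print("blocks differ:", block_a != block_b)
    print("decoded with PAN A:", decode_pin_block(block_a, pan_a))
```

Note what format 0 does and does not buy you: it stops equal PINs from producing equal blocks under one key, but anyone who holds the key and the PAN can decode the block, and a 4-digit PIN space is still only 10,000 candidates per block. The protection rests on the key staying inside the pin pad and the processor's HSM, which is the point the DUKPT and "key was never on the breached system" comments are making.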

    6. Re:Can encryption experts chime in? by WuphonsReach · · Score: 5, Informative

      I don't understand why any one would use encryption here at all. Why would they not use challenge/response, so that the PIN never leaves the card/keypad (encrypted or not).

      Because parts of the system are still asynchronous. There is not real-time communication in a lot of parts of the banking system. And it was much worse 10-15 years ago when a lot of these systems were designed.

      --
      Wolde you bothe eate your cake, and have your cake?

  4. sigh, lamestream press strikes again by sribe · · Score: 4, Interesting

    The article I read stated that the key necessary to decrypt the data was never on the systems which encrypted the data, then went on to state that the data was encrypted with triple DES. Oh my lord. Which is it? Symmetric or asymmetric encryption?

    1. Re:sigh, lamestream press strikes again by taustin · · Score: 4, Informative

      It depends on what was compromised. Normally, debit card stuff is encrypted on the pad you swipe the card in. If the pad wasn't what was compromised, then the key wasn't on what was, because that's the only place the key is kept.

      (Earlier reports claimed the pads had been compromised, but that smelled like bullshit then, and even more like it now.)

    2. Re:sigh, lamestream press strikes again by EricCordian2855 · · Score: 2

      Point of Sale terminals keep their 3DES encryption keys in firmware within a tamper-resistant module. Even with advanced technology like plasma ablation and electron microscopy, it is believed to be impractical to extract the key. The keys are loaded by a courier who swipes special cards while the device is in maintenance mode. This permits the POS stations to be used over an insecure line to the payment processor, and cleartext is never present anywhere outside the sealed module, from which the key cannot be recovered. So unless you tap the keypad, you cannot have access to the unencrypted PIN. Stealing data is insufficient to obtain the information necessary to use the card. That having been said, if there is any way you can do a trial of a large number of PINs, it is trivial to try all 10,000 possibilities, and see which one works, no matter how strong the encryption is.

  5. Re:Time to ask the bank for a new debit card and P by Todd+Knarr · · Score: 4, Insightful

    That depends. How understanding will your landlord or your bank be when your rent or mortgage check bounces because the day it was deposited somebody ran up charges on your debit card that emptied your bank account? Sure you'll be able to dispute the charge, but that didn't stop the checks from bouncing between the time it happened and the time you got to the bank to fill out the paperwork on the fraudulent charge. Same if you're at the end of a trip and go to pay your hotel bill and your credit card's over limit because of fraudulent charges. Sure you'll be able to dispute them, but that doesn't make the hotel bill magically paid.

  6. Why are pins stored? by metrix007 · · Score: 2

    Why combine something you know with something you have? I thought only banks stored pins?

    --
    If you ignore ACs because they are anonymous - you're an idiot.

    1. Re:Why are pins stored? by ljheidel · · Score: 2

      I know for a fact that one of the items on the PCI list for CC transactions is 'no storage of CVV data.' If Target was indeed storing the PIN numbers, I feel like they have some real 'splainin to do about that one. However, based on the fact that they're obsessive about data mining, I wouldn't put it past them. "Why do we need to keep the PIN numbers?" "I dunno, but we can." "Okay, let's do it."

      However, if the data was stolen 'in flight' as EvilSS suggests and it *is* encrypted (and based on the prevarication in which Target has engaged, I wouldn't hold my breath), it does kind of help narrow down the mechanism of the breach. It basically means they didn't crack the individual POS terminals, but some point in between the terminal and the bank. But, as I sit here and think about this, why would the POS terminals encrypt the PIN but not the CC number? This is where my lack of knowledge of the arcane world of computerized banking (and having worked in it for a brief time, I know it's full of WTF) prevents me from making any more guesses. Perhaps it's required by standard that the PIN be encrypted leaving the POS terminal. Perhaps the intercept point was between the Target and the bank, and target was sending the PINs as a hash.

      Exactly how hard would it be to run an attack against, say, 40 million salted hashes if you knew each of the pre-hashed values was a four-digit code from 0000-9999?

      But the more I think about this...this means that each of the CC transactions individually leave the POS terminal, get routed through some branch office infrastructure then back to Target HQ, then onto the banking network. Way too much speculation on my part, but I'm hellishly curious to find out what actually happened.
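
The question above about salted hashes of four-digit codes has a concrete answer, and the same arithmetic is behind snowraver1's "decrypting them should be trivial" and EricCordian2855's "try all 10,000 possibilities" remarks. The following is an added example, not code from the thread or from any payment system: it stores a PIN as a salted SHA-256 hash, enumerates the full four-digit space against one record, and contrasts that with a keyed MAC whose key is held elsewhere (the role an issuer HSM plays), where the same enumeration has nothing to test candidates against. The salt, key and PIN are constructed values; `worst_case_hashes` is a helper named here for illustration.

```python
"""Why a salt does not protect a 4-digit PIN, and what does.

Added example (not the thread's or any processor's code). A per-record salt
defeats precomputed tables, but the search space per record is still 10,000
values, so each record falls to at most 10,000 hash evaluations. A keyed MAC
(or encryption) under a key the storing system never holds is what removes
the verifier's ability to test candidates at all.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Every possible 4-digit PIN, in order, as the candidate list.
PIN_SPACE = ["%04d" % n for n in range(10_000)]


def salted_hash(pin: str, salt: bytes) -> str:
    """Unkeyed salted hash of a PIN; anyone holding salt+digest can verify guesses."""
    return hashlib.sha256(salt + pin.encode()).hexdigest()


def keyed_mac(pin: str, key: bytes) -> str:
    """Keyed alternative: verification needs the key, which lives outside this system."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def recover_pin(target_digest: str, salt: bytes) -> Tuple[Optional[str], int]:
    """Enumerate the 4-digit space against one salted digest.

    Returns (pin, attempts) when a candidate matches, or (None, 10000) when
    nothing in the space verifies, which is what happens against a keyed MAC
    computed under a key the caller does not have."""
    for attempts, candidate in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(salted_hash(candidate, salt), target_digest):
            return candidate, attempts
    return None, len(PIN_SPACE)


def worst_case_hashes(records: int) -> int:
    """Upper bound on hash evaluations to exhaust every record's 4-digit space
    (hypothetical helper for sizing the effort in the question above)."""
    return records * len(PIN_SPACE)


if __name__ == "__main__":
    salt = b"constructed-per-record-salt"
    stored = salted_hash("8374", salt)
    print("salted hash recovered:", recover_pin(stored, salt))  # ('8374', 8375)

    hsm_key = b"constructed-key-that-never-leaves-the-issuer"
    tag = keyed_mac("8374", hsm_key)
    print("keyed MAC, no key:", recover_pin(tag, salt))  # (None, 10000)

    print("worst case for 40 million records:", worst_case_hashes(40_000_000))
```

The 40-million-record figure works out to 4 x 10^11 SHA-256 evaluations in the worst case, which is hours of work on commodity hardware rather than a barrier, so a salted hash of a PIN is not a control. The detection and mitigation point is the same one the DUKPT comments make: the verifier key must stay in the pin pad and the processor's HSM, so that a system which loses its database or memory has nothing an offline search can be run against.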

    2. Re:Why are pins stored? by EvilSS · · Score: 2

      They are required, by standard, to be encrypted at the POS terminal. CC #'s are not because they can be stored by the merchant. Should they be? Hell yes but I didn't make the rules.

      From my experience working with PCI compliant companies, the CC info is usually kept on a completely separate network from the normal corporate network. It usually routes back to a central office or branch office before making its way to the payment processor in large companies (small mom & pop it probably dials/VPNs direct from the POS terminal). There would be plenty of chances to grab it along the way if you penetrated that secure network. The upside is that PCI makes it very painful if you fail to protect that network. Thus why Target is staring at a VERY big ($3.6 billion) PCI fine.

      --
      I browse on +1 so AC's need not respond, I won't see it.

  7. Re:PIN?? is it useful by Em+Adespoton · · Score: 5, Informative

    OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
    To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.

    The trip a card purchase takes from your physical card to the merchant bank is actually pretty convoluted -- the simplified explanation is that a card purchase with PIN has a lot fewer safeguards and security checks than an online purchase with card, address and CV only. For card purchases where only the number is used, the vendor assumes a HUGE amount of liability. It often makes sense for fast food vendors and such, where the transaction values are small and they get a significant uptick in sales for shorter transaction times, but for purchasing big ticket items, you either do chip+pin or track 1 data plus second factor (usually stored by the vendor).

    So the even shorter answer is: PIN codes mean relative anonymity. Without the PIN, you need to provide other PII at some point in the transaction.

  8. DUKPT by Anonymous Coward · · Score: 3, Informative

    PIN are supposed to be encrypted on the terminal (not on the POS computer but the actual card reader/terminal) using Triple-DES Derived unique key per transaction (DUKPT - http://en.wikipedia.org/wiki/Derived_unique_key_per_transaction ).

    So no the PINs are safe unless the card terminals have been hacked too.

  9. Re:Time to ask the bank for a new debit card and P by Anonymous Coward · · Score: 5, Informative

    To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.

  10. Re:inside job? by Rhyas · · Score: 4, Interesting

    They didn't get anything onto the card readers from all that's been published publicly so far. Most card readers these days will encrypt the pin *before* sending the data to the terminal. Thus, only getting encrypted pins.

    Given that the terminals run windows, it's not that difficult to get some malware to spread to them from a central source. Could still be an inside job for sure, but none of the details published yet can confirm that for fact.

  11. Re:Time to ask the bank a new debit card and P by AK+Marc · · Score: 2

    When I've had issues, some quick arguing with the bank got money invented from nowhere and put in my account. Yes, it would delay the checkout from the hotel by a few minutes, but it will get the hotel bill paid. I'm sure you can find some cases where someone was a jackass to their bank, who then refused to fix the issue on the customer's time frame. But I've had this issue before, and the bank took care of it outside the minimum contractual requirements.

  12. Re:3des by CreatureComfort · · Score: 4, Funny

    I think they meant to say the key was stored on somebody's Nintendo 3DS.

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar

  13. What was Target collecting all that data for? by AnalogDiehard · · Score: 2

    What was Target collecting credit card numbers AND PIN numbers for? What business purpose did they need that data for? Why has no one raised this question? They have just created a huge credit theft problem for their customers. This is a shining example why businesses should not maintain any database of sensitive customer information.

    I already suffered identity theft and credit card theft in the past and I'm not at all anxious to go through that again. I'm taking my business elsewhere. In fact I may avoid large national chains for this very reason.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10

  14. Re:3des by Proudrooster · · Score: 3, Interesting

    How did this breach happen? What were the mechanics behind the data theft? Was the server hacked? Was it firmware in the POS registers? How did this happen?

  15. Re:inside job? by Bert64 · · Score: 2

    Windows corporate networks almost always operate on the idea of protecting the perimeter, and leaving the inside horrendously insecure... For something like a retail store, where the general public have physical access to the building that idea breaks down very quickly... You only need to have momentary access to a network socket/cable, and these will often be available at random points on the shop floor or at the very least at the back (i.e. facing the customer) of the pos terminals...
    Once you're on, chances are all the windows boxes are on one domain making them a very easy target.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  16. Re:3des by davester666 · · Score: 2

    triple rot26

    --
    Sleep your way to a whiter smile...date a dentist!

  17. Re:3des by davester666 · · Score: 2

    the usual. an excel spreadsheet on a computer running bittorrent in the background.

    at least they put a password on the spreadsheet.

    --
    Sleep your way to a whiter smile...date a dentist!

  18. Re:Time to ask the bank a new debit card and P by Jah-Wren+Ryel · · Score: 4, Interesting

    Your response is orthogonal to the question. Your example is not that of bounced checks, it is of trying to use a debit card at point of sale when the balance was low.

    It is an entirely different thing to write a check and then have it bounce 3 days later. There are all kinds of fees and penalties that get assessed when that happens, some of which can come from the company you wrote the check to, the bank never even sees the penalty. There are even non-monetary penalties like your landlord, or your utility company reporting the bounced check to the credit agencies.

    There really is only one reason to ever use a debit card - your credit is so bad that you can't actually get a credit card. In all other ways credit cards are the superior tool.

    --
    When information is power, privacy is freedom.

  19. Tar-zhay by tepples · · Score: 2

    In case you aren't familiar with major U.S. retail chains, it's a breach of the payment processing systems of Target Corporation. An unrelated Australian company operates a chain called "Target." (with the period) under license from Target Corporation.

  20. Re:Time to ask the bank for a new debit card and P by ColdWetDog · · Score: 4, Funny

    I think you can safely assume that when a Slashdot poster talks about a legal problem, a problem with consumer protection or issues with the health care system, they are either talking about the USA or, perhaps, North Korea.

    --
    Faster! Faster! Faster would be better!

  21. Software that Target uses by Orion+Blastar · · Score: 2

    Can anyone tell me what operating system and software that Target uses?

    I'd really like to know what exploits this software has and if any other store uses them so I can avoid shopping there.

    I think retailers and wholesale clubs ought to be transparent in what operating systems and software they use for their POS system and then list the vulnerabilities they found with a code audit and how they plan to fix them.

    This ought to be a law, so consumers can be protected from retailers and wholesale clubs who don't care about their privacy and credit card and debit card data and just use operating systems and software with exploits in them that they never tested nor figured out how to fix.

    I think the same should be done with websites as well.

    Am I right here or wrong?

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.

    1. Re:Software that Target uses by Shados · · Score: 2

      If they're like virtually every other retail chain in the world (short of maybe Amazon, but do they even count?), it's probably not an issue with the particular software they use, but that they use old, outdated, or poorly configured versions.

      These companies run -countless- systems, for their ERP, CRM, CMS, a bunch of other 3 letter acronyms, stuff to integrate all of them, stuff to integrate the stuff that integrates them, all those things use different operating systems, need to be in sync to be "supported"... Now add all the in-house applications and customization...

      Tack on the fact that no self-respecting developer will work there, so you have a bunch of self taught peanut gallery writing code they barely understand, thinking it's trivial (hint: a shopping cart software for a company of that scale is NOT easy to write), and well, you're screwed.

  22. Re:3des by Em+Adespoton · · Score: 2

    The article also says "Target does not have access to nor does it store the encryption key within our system." The problem is that 3DES is a symmetric encryption algorithm; both parties need to share the same key to encrypt or decrypt anything. So at some point, they needed to have a key for the transaction.

    The way the system works, the 3DES key is embedded in the pin pad which is sealed against tampering. It is also held by the processor (who owns the pad). In this way, the merchant never knows the key, and so only holds the encrypted PINs.

    What I'm waiting for is the moment when some criminally minded individual realizes that "targeting" vendors isn't the way to go, and instead starts APT attacks against the processors -- suddenly, you can pick and choose what data you take, and have access to all the processing information required to make, modify, and revoke transactions. Next stop... compromising the credit companies themselves.

  23. Re:Time to ask the bank a new debit card and P by Jah-Wren+Ryel · · Score: 2

    Information about debit cards are NOT shared with anyone outside of the issuing bank.

    I find that impossible to believe when the exact same processing system is used for both credit and debit cards.

    Hell, there are even "rewards" programs for visa and mastercard branded debit cards. I think you would be hard pressed to explain how visa can do that without knowing your spending.

    http://usa.visa.com/personal/cards/debit/visa_extras.html

    --
    When information is power, privacy is freedom.

  24. Re:Time to ask the bank a new debit card and P by Todd+Knarr · · Score: 2

    Credit cards are in fact better than a debit card in one way: the money doesn't actually come out of your pocket until you pay your bill. With a debit card the money's gone and you're trying to get it back (and the fact that the bank tends to be cooperative doesn't change this dynamic). And the old adage about possession being 9/10ths of the law does ring true here: it's much easier to keep what you have than to get back what you don't.

  25. Re:Time to ask the bank a new debit card and P by AK+Marc · · Score: 2

    When away from home, I have the 800-number for the bank. On the card. When I travel internationally, I put a sticky note on every card with the bank's toll-free numbers from every country on my itinerary. Reaching the bank isn't an issue while on the road. I've never had someone ask for ID over the phone. At most, they ask for your most recent transaction, and standard account info anyone would know off the top of their head, like SSN and address.

  26. Re:3des by TechyImmigrant · · Score: 2

    Provided it is CPA and KPA secure (chosen plaintext attack, known plaintext attack) then it's as hard as brute forcing the keys.

    However, the ANSI X9 series crypto specs and the PCI-DSS stuff the banks and card processors use are hardly the best available. They might be secure, but without specifics of what crypto profiles the devices were using, you cannot be sure.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.