Slashdot Mirror


Encrypted PIN Data Taken In Target Breach

New submitter danlip writes "Target has confirmed that encrypted PIN data was taken during its recent credit card breach. Target doesn't think they can be unencrypted by whoever may have taken them, because the key was never on the breached system. The article has no details on exactly how the PINs were encrypted, but it doesn't seem like it would be hard to brute force them." Another article at Time takes Target to task for its PR doublespeak about the breach.

  1. We'll know soon by Above · · Score: 5, Funny

    When 25% of the pins encrypt to one string, and 25% to another, we'll know they used a symmetric cipher with a fixed key, and that one batch is "0000" and one is "1234".

    1. Re:We'll know soon by Fnord666 · · Score: 5, Insightful

      Except that they were almost certainly using ANSI PIN blocks which XOR the card number into the data before encryption so that two identical PINs do not encrypt to the same cipher block. In addition, the terminals may have been using DUKPT, which is short for Derived Unique Key Per Transaction. This means that each PIN block is encrypted with a different key. Brute forcing one PIN block will not yield any information about the next one.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  2. Re:PIN?? is it useful by Em+Adespoton · · Score: 5, Informative

    OK, that's fine, but how is PIN code useful? Can't you just order on the web with your credit card without any PIN code? Can't you just pay for speedways in at least France and Italy without PIN?
    To be honest I am wondering why there is even a PIN code on those cards given there are so many ways to use them without entering the PIN code.

    The trip a card purchase takes from your physical card to the merchant bank is actually pretty convoluted -- the simplified explanation is that a card purchase with PIN has a lot fewer safeguards and security checks than an online purchase with card, address and CV only. For card purchases where only the number is used, the vendor assumes a HUGE amount of liability. It often makes sense for fast food vendors and such, where the transaction values are small and they get a significant uptick in sales for shorter transaction times, but for purchasing big ticket items, you either do chip+pin or track 1 data plus second factor (usually stored by the vendor).

    So the even shorter answer is: PIN codes mean relative anonymity. Without the PIN, you need to provide other PII at some point in the transaction.

  3. Re:Time to ask the bank for a new debit card and P by Anonymous Coward · · Score: 5, Informative

    To my knowledge the laws that protect consumers against fraudulent credit card transactions don't apply to debit cards. Banks make a lot of promises about zero liability on debit cards but you'll have to read the fine print and beg for mercy when the time comes.

  4. Re:Can encryption experts chime in? by WuphonsReach · · Score: 5, Informative

    I don't understand why any one would use encryption here at all. Why would they not use challenge/response, so that the PIN never leaves the card/keypad (encrypted or not).

    Because parts of the system are still asynchronous. There is no real-time communication in a lot of parts of the banking system. And it was much worse 10-15 years ago when a lot of these systems were designed.

    --
    Wolde you bothe eate your cake, and have your cake?