Target: Customers' encrypted PINs were stolen

Dec 27, 2013 by Barbara Ortutay
In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

Target said Friday that debit card PINs were among the financial information stolen from millions of U.S. customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which shoppers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the code embedded in the magnetic stripe on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it neither has access to nor stores the encryption key within its systems, and that the PIN data can only be decrypted once it reaches the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the U.S. Secret Service and the Department of Justice.

User comments : 2

wictor
not rated yet Dec 29, 2013
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday.

This is simply not true. You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations which makes a brute force attack a piece of cake no matter how strong their cipher is.
antialias_physorg
5 / 5 (1) Dec 29, 2013
You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations

In theory. In practice, though - if you enter a wrong PIN too often (as happens in a brute force attack) then that card will be blocked. Especially if the card data is already reported as 'potentially stolen'.

That said: If you have the numbers for 40 million debit cards then even if they block on the third unsuccessful try you'll get about 24000 hits.

But since the credit card numbers are encrypted as well that's not going to help, either. (Depending, of course, on what kind of encryption they used. The card numbers aren't fully random. The first few digits are known, as they denote the major industry identifier and the credit card issuer - so this is a pretty strong crib. And the last is a parity number, which is another, weaker, crib)
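Both Target's statement that PINs were "fully encrypted at the keypad" and the brute-force discussion in the comments turn on what the keypad actually encrypts. The article does not say which PIN block format Target's PIN pads used; the example below (added here, not Target's or any commenter's code) assumes the common ISO 9564-1 format 0 block and uses constructed, Luhn-valid industry test PANs, not real account numbers.

```python
# Added example (not Target's or any commenter's code): ISO 9564-1 format 0 PIN
# block, the plaintext a PIN entry device forms before encrypting it under a key
# that only the payment processor holds. All PANs and PINs here are constructed
# test values (Luhn-valid card-industry test numbers, not real accounts).


def luhn_valid(pan: str) -> bool:
    """Check the trailing Luhn check digit that the comments call a 'parity number'."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """PIN field XOR PAN field; the PAN (check digit excluded) salts the PIN."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")   # control 0, length, PIN, F pad
    pan_field = "0000" + pan[-13:-1]                   # rightmost 12 digits before check digit
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def iso0_pin_recover(block: bytes, pan: str) -> str:
    """Invert the plaintext block: needs the PAN (which the breach exposed), no key."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(pin_field[1], 16)
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    if pin_field[0] != "0" or not pin.isdigit() or set(pad) != {"F"}:
        raise ValueError("not a well-formed format 0 PIN block")
    return pin


def same_pin_different_blocks(pin: str, pan_a: str, pan_b: str) -> bool:
    """Two cards sharing a PIN give different plaintext blocks, so stolen encrypted
    blocks do not even reveal which cards share a PIN. The 10,000-PIN space can only
    be searched offline by someone holding the processor's key; that is the control
    the article's statement and the comments are really arguing about."""
    return iso0_pin_block(pin, pan_a) != iso0_pin_block(pin, pan_b)


if __name__ == "__main__":
    pan_a, pan_b = "4111111111111111", "5555555555554444"   # constructed test PANs
    block = iso0_pin_block("1234", pan_a)
    print(block.hex().upper())                              # 041225EEEEEEEEEE
    print(iso0_pin_recover(block, pan_a))                   # 1234
    print(same_pin_different_blocks("1234", pan_a, pan_b))  # True
```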
