Target: Customers' encrypted PINs were stolen

Dec 27, 2013 by Barbara Ortutay
In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

Target said Friday that debit card PIN numbers were among the financial information stolen from millions of U.S. customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which shoppers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the U.S. Secret Service and the Department of Justice.

User comments : 2

wictor
not rated yet Dec 29, 2013
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday.

This is simply not true. You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations which makes a brute force attack a piece of cake no matter how strong their cipher is.

antialias_physorg
5 / 5 (1) Dec 29, 2013
You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations

In theory. In practice, though - if you enter a wrong PIN too often (as happens in a brute force attack) then that card will be blocked. Especially if the card data is already reported as 'potentially stolen'

That said: If you have the numbers for 40 million debit cards then even if they block on the third unsuccessful try you'll get about 24000 hits.

But since the credit card numbers are encrypted as well that's not going to help, either. (Depending, of course, on what kind of encryption they used. The card numbers aren't fully random. The first few digits are known, as they denote the major industry identifier and the credit card issuer - so this is a pretty strong crib. And the last is a parity number, which is another, weaker, crib)