Target: Customers' encrypted PINs were stolen

Dec 27, 2013 by Barbara Ortutay
In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

Target said Friday that debit card PIN numbers were among the financial information stolen from millions of U.S. customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which shoppers type in to keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
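The design Target describes here, a PIN encrypted at the keypad under a key the retailer never holds and decrypted only at the external processor, is easier to judge when it is seen concretely. The Go program below is an added illustration, not code from Target, its payment processor or the AP; it uses AES-128-GCM as a simple stand-in for the industry's actual PIN-block scheme, and the key, PAN and PIN it uses are constructed sample values. The `Keypad`, `Processor`, `RetailerRecord` and `LeaksPIN` names are hypothetical. What it demonstrates is what someone who copies the retailer's systems actually obtains: a block that cannot be opened without the processor's key, that fails verification if tampered with, and that is bound to one card's PAN so it cannot be replayed for another card.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// processorKey is a constructed 16-byte sample key. In the real deployment it
// is injected into the keypad and held by the processor; the retailer's
// back-end never receives it.
var processorKey = []byte("constructed-k-16")

// newAEAD wraps a 16-byte key in AES-128-GCM (a simplification of the
// industry PIN-block scheme, chosen so the example runs with the standard library).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Keypad models the PIN pad: it encrypts the PIN before anything leaves the device.
type Keypad struct{ aead cipher.AEAD }

func NewKeypad(key []byte) (*Keypad, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Keypad{aead: a}, nil
}

// EncryptPIN returns nonce||ciphertext||tag. The PAN is bound as associated
// data, so a block captured for one card does not verify for another.
func (k *Keypad) EncryptPIN(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN length out of range")
	}
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.aead.Seal(nonce, nonce, []byte(pin), []byte(pan)), nil
}

// Processor models the external payment processor, the only party holding the key.
type Processor struct{ aead cipher.AEAD }

func NewProcessor(key []byte) (*Processor, error) {
	a, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Processor{aead: a}, nil
}

// DecryptPIN recovers the PIN; it fails on a wrong key, a modified block, or
// a block that was produced for a different PAN.
func (p *Processor) DecryptPIN(pan string, blob []byte) (string, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("PIN block too short")
	}
	pt, err := p.aead.Open(nil, blob[:ns], blob[ns:], []byte(pan))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RetailerRecord is all the retailer's systems ever hold for the PIN: the PAN
// and the opaque encrypted block that is forwarded to the processor.
type RetailerRecord struct {
	PAN    string
	EncPIN []byte
}

// LeaksPIN reports whether the stored block contains the PIN in the clear,
// i.e. whether copying the retailer's record would reveal it directly.
func LeaksPIN(rec RetailerRecord, pin string) bool {
	return bytes.Contains(rec.EncPIN, []byte(pin))
}

func main() {
	kp, err := NewKeypad(processorKey)
	if err != nil {
		panic(err)
	}
	proc, err := NewProcessor(processorKey)
	if err != nil {
		panic(err)
	}
	pan := "4000000000000002" // constructed sample PAN
	blob, err := kp.EncryptPIN("1234", pan) // constructed sample PIN
	if err != nil {
		panic(err)
	}
	rec := RetailerRecord{PAN: pan, EncPIN: blob}
	fmt.Printf("retailer holds %x (PIN visible: %v)\n", rec.EncPIN, LeaksPIN(rec, "1234"))
	pin, err := proc.DecryptPIN(rec.PAN, rec.EncPIN)
	fmt.Println("processor recovers:", pin, err)
	_, err = proc.DecryptPIN("4000000000000010", rec.EncPIN)
	fmt.Println("same block presented for another PAN:", err)
}
```

Running it shows the retailer-side copy as opaque bytes, the processor recovering "1234", and the replay under a different PAN rejected by the authentication tag. Note what this model does and does not say: offline recovery of the PIN from the stolen block requires the processor's key, but it says nothing about guessing PINs online at the issuer, which is a separate control handled by attempt limits and card blocking.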

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the U.S. Secret Service and the Department of Justice.



User comments : 2


wictor
not rated yet Dec 29, 2013
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday.

This is simply not true. You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations which makes a brute force attack a piece of cake no matter how strong their cipher is.
antialias_physorg
5 / 5 (1) Dec 29, 2013
You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations

In theory. In practice, though - if you enter a wrong PIN too often (as happens in a brute force attack) then that card will be blocked. Especially if the card data is already reported as 'potentially stolen'

That said: If you have the numbers for 40 million debit cards then even if they block on the third unsuccessful try you'll get about 24000 hits.

But since the credit card numbers are encrypted as well that's not going to help, either. (Depending, of course, on what kind of encryption they used. The card numbers aren't fully random. The first few digits are known, as they denote the major industry identifier and the credit card issuer - so this is a pretty strong crib. And the last is a parity number, which is another, weaker, crib)