Target: Customers' encrypted PINs were stolen

In this Dec. 19, 2013 file photo, a passer-by walks near an entrance to a Target retail store in Watertown, Mass. Target on Friday, Dec. 27, 2013 said that customers' encrypted PIN data was removed during the data breach that occurred earlier this month. But the company says it believes the PIN numbers are still safe because the information was strongly encrypted. (AP Photo/Steven Senne, File)

Target said Friday that debit card PIN numbers were among the financial information stolen from millions of U.S. customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which shoppers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it neither has access to the encryption key nor stores it within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Minneapolis-based Target said it is still in the early stages of investigating the breach. It has been working with the U.S. Secret Service and the Department of Justice.



© 2013 The Associated Press. All rights reserved.

Citation: Target: Customers' encrypted PINs were stolen (2013, December 27) retrieved 19 August 2019 from https://phys.org/news/2013-12-customers-encrypted-pins.html

User comments

Dec 29, 2013
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday.

This is simply not true. You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations which makes a brute force attack a piece of cake no matter how strong their cipher is.

Dec 29, 2013
You don't have to be a crypto expert to realize that a 4 digit PIN gives you only 10 thousand possible combinations

In theory. In practice, though - if you enter a wrong PIN too often (as happens in a brute force attack) then that card will be blocked. Especially if the card data is already reported as 'potentially stolen'.

That said: If you have the numbers for 40 million debit cards then even if they block on the third unsuccessful try you'll get about 24000 hits.

But since the credit card numbers are encrypted as well that's not going to help, either. (Depending, of course, on what kind of encryption they used. The card numbers aren't fully random. The first few digits are known, as they denote the major industry identifier and the credit card issuer - so this is a pretty strong crib. And the last is a parity number, which is another, weaker, crib)
