PINs Stolen In Target Breach

Published: 22/11/2024   Category: security




Target now says customers' encrypted PINs were compromised in the massive credit- and debit-card breach that began Thanksgiving eve



The PIN question has been answered: Target today confirmed that customer PIN numbers were pilfered in the massive breach that affected some 40 million credit and debit cards in its stores between Nov. 27 and Dec. 15.
Target initially had said only that encrypted data was stolen, and speculation was high over whether PINs, indeed, were exposed in the massive hack. A company spokesperson told news outlets earlier this week that it did not believe PIN data was affected in the attack. Customer names, credit and debit card numbers, card expiration dates, and embedded code on the magnetic strips on the backs of the cards also were exposed in the attack.
But Target maintains that the PINs are safe because they are encrypted at the keypads with Triple DES encryption.
"While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," the retailer said in a statement today.
The retailer says it neither has access to, nor does it store, the encryption key in its systems. "The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the key necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident. The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," the company said today.
But security experts say Triple DES encryption won't necessarily stop a determined and sophisticated attacker. Gunter Ollmann, CTO of IOActive, says attackers can recover PIN data and then make physical copies of stolen cards in order to withdraw funds from ATM machines. And Triple DES is broken, with tools available to crack it, he says.
"Triple DES should have been replaced 5-plus years ago," Ollmann says. "I'd be surprised if past security assessments and PCI tests hadn't already flagged this as a security flaw."
The question, he says, is why Target would not have remedied this. "Was it an acceptable risk business decision?" he says.
[Target's massive cardholder breach is a prime example for why security pros have pushed for improved POS and payment application security. See Target Breach Should Spur POS Security, PCI 3.0 Awareness.]
Hints that PINs had been hit in the breach emerged earlier this week, as Reuters reported that JP Morgan Chase & Co. and Spain's Santander Bank had lowered their customers' withdrawal limits from ATMs as well as total card transaction amounts.
Meanwhile, Target has seen limited incidents of phishing in the wake of the breach, the company says, and it is now posting all official communications it sends to customers on its website so they can confirm legitimate information from the retailer.
Target is working with the U.S. Secret Service and the Department of Justice on an investigation into the breach.