Target Confirms Encrypted PIN Data Stolen

HardOCP News

Raise your hand if you have any confidence in Target at this point. Didn't they say everything was okay, then offer a 10% discount after card numbers started appearing on the black market? I'm afraid of what the next "update" will be. :(

Hackers who stole data for up to 40 million credit cards and debit cards used in Target stores removed encrypted data with personal identification numbers — but the theft isn't expected to compromise card holder accounts — the retail giant said Friday. "We remain confident that PIN numbers are safe and secure," said a statement issued by Molly Snyder, a spokeswoman for the company hit by the November-December data breach.
 
The next update will be if you weren't affected by the first breach you are now by the second breach when we offered you the 10% discount.
 
That's possible. I used my card at Target after the official breach period and noticed a bunch of fraudulent charges on my card. Not sure if it was Target that compromised it, though, since they appeared only a day after the purchase.
 
The wife went to Target during the breach period and we've not seen anything. Not a store we frequent much, kind of expensive for what it is on most items.
 
I've been to Target once since they've come to Canada here some months ago but I've never purchased anything there.
 
My bank sent me a note stating that they would monitor my account. When this happened to Harbor Freight they automatically issued me a new card. I think I'm going to call and ask for a new card. Guessing they haven't issued new cards due to the size and cost of the breach.
 
U need to give them your info again, that way they will make sure, that, you, are....error, re-enter the correct PIN number...
 
The only way to prevent fraud charges is to get a new card; monitoring does nothing but tell you when they think something happened, and freezing debt only prevents new loans/cards from being issued. But if you really love your card's number you could always challenge every fraud charge!
 
So the breach period is from Black Friday through mid-December? Luckily I didn't buy anything from them during that time period, but I have in the past year. Am I safe?
 
> So the breach period is from Black Friday through mid-December? Luckily I didn't buy anything from them during that time period, but I have in the past year. Am I safe?

If you have a good financial institution they generally will alert you that someone did something odd with your account. Of course one should monitor all their transactional accounts to make sure nothing funky is going on as a matter of routine. Good institutions will fix it in no more than a day.
 
I know they say it's heavily encrypted, but why would they even store PIN data? Shouldn't that be transitory, and cleared as soon as the POS system receives transaction approval?
 
> I know they say it's heavily encrypted, but why would they even store PIN data? Shouldn't that be transitory, and cleared as soon as the POS system receives transaction approval?

That's what I was thinking. Now on the news they are talking about your bank debit cards, lol, wtf. I never thought that would be stored. At least it does say encrypted and very hard to break. Change your PIN and be done.
 
Encrypted with 3DES. And that bit length on the key was what again?

I can't help but notice that the breach was not discovered at Target, but instead by the banks keeping an eye on carder sites for large influxes of new accounts for sale. Score one for the banks. Seriously, that's one of the things they need to be doing.

I can guess Target stopped whatever breach was happening on Dec 15th, 3 days before being outed by the press, but it sure would be nice to say something. I'm sure they'll claim silence as commanded by some ongoing investigation.

Since this is big, at least we'll likely hear the details for once, as this no doubt will work its way through the courts over the next 2 years. And details will get made public.
 
Couldn't you buy some stuff for yourself and simulate that your card was stolen and take advantage of this situation and get something out of it?
 
> Couldn't you buy some stuff for yourself and simulate that your card was stolen and take advantage of this situation and get something out of it?

Depends how much you value jail time and a criminal record.
 
PIN number changed. Waiting for new card. Never using a card at Target again. Probably not shopping with a debit card anymore.
 
The card I used was nuked from orbit by my bank; new card incoming. Hope it has the goddamn smart chip like Euro cards.
 
So the question becomes, how strong is 3DES?

The key length is either 56, 112 or 168 bits, depending on the implementation. Target is unlikely to disclose that information, so let's assume they were smart (ha) and picked the hardest to break into; that is, they used three individual 56-bit keys. Since 3DES is a symmetric cipher (it has to be, to decode your PIN at the other end, where it's needed), the same input has to equal the same output. Meaning, if you run "1234" through the cipher, you can run the output through it again, in reverse, to get "1234" again. Follow?

The 168-bit implementation works very basically like this...
You have a message, X, that you want to encrypt.
You have three 56-bit keys: K1, K2, K3.

You take the message, X, and K1 and run them through the DES algorithm. Take the output, and decrypt it (run it in reverse) through the algorithm, except using K2 as the key. This further scrambles the original input. Finally, you take the output of that decryption, and feed it into the DES algorithm one last time using K3 as the key. The output is the 3DES ciphertext of X. [Less secure implementations are K1=K3, or worst of all, all 3 keys are the same; equivalent to regular DES.]

How do you go about attacking this, you may ask....

What the attackers have:
40 million 3DES-encoded PIN numbers
Google "list of most common PIN numbers"

Well, a flaw inherent in symmetric ciphers is that if multiple people use the same PIN, say "1234", then multiple cipher outputs will be identical. A statistical analysis of the most common PIN numbers used, vs. the times a particular hash in the database appears, will give you a pretty good idea of both the original input and the cipher output.

Knowing both the input and its corresponding hash, an attack (a known-plaintext attack) on the keys used to encode the PINs is possible... which is much, much easier than brute force on them all, one by one (or until you have enough pairs to do a known-plaintext attack on the keys themselves). This attack is only possible because of the number of people who use "1234" as their PIN. If PINs were truly selected at random, the attackers would not have (reasonably) known plaintexts to be able to match up and work out the encryption keys.
Thanks, Neighbor.

If Target's payment processor was not smart and used only a single DES key (as hardware implementations of yesteryear are likely to do), they may as well just have stolen plain-text PINs themselves... you can download a 56-bit DES rainbow table off the internet, precomputed, and find the key in about 5 seconds. Then decrypt all 40 million with that key... as they would have certainly done by now... This could be why they started seeing stolen cards used almost the same day.
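The frequency-analysis argument in the post above rests on one assumption: that the bare PIN is encrypted deterministically, so two cardholders with PIN 1234 produce the same ciphertext. Standard PIN pads do not do that. ISO 9564-1 format 0 XORs the PIN field with twelve digits of the card number (PAN) before the block is encrypted, so identical PINs on different cards encrypt to different blocks and the repeat count of a ciphertext no longer tells you how popular its PIN is. The script below is an added example written for this thread, not code from Target, its processor, or anyone in the discussion. It uses a truncated HMAC-SHA256 as a stand-in for the 3DES block cipher (any deterministic keyed 8-byte function has the property the post relies on, and this one needs no third-party library), a constructed set of 60 cardholders, and constructed 16-digit PANs whose trailing digit is a placeholder rather than a computed Luhn check digit.

```python
"""
Deterministic PIN encryption vs. ISO 9564-1 format-0 PIN blocks.

Added example (hypothetical): an HMAC stands in for the 3DES block cipher so
the script runs with the standard library only. The point is the block
*construction*, not the cipher: encrypting the bare PIN deterministically
leaks the PIN frequency distribution; mixing the PAN into the block first
makes identical PINs encrypt to different ciphertexts.
"""
import hashlib
import hmac
from collections import Counter

# Constructed terminal key. In a real PIN pad this lives in a secure element.
TERMINAL_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for a deterministic 8-byte block cipher (3DES in the thread).
    HMAC-SHA256 truncated to 8 bytes: same key + same block -> same output,
    which is exactly the property the thread's frequency analysis relies on."""
    if len(block) != 8:
        raise ValueError("block cipher input must be exactly 8 bytes")
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def naive_pin_block(pin: str) -> bytes:
    """Bare PIN, zero-padded to 8 bytes: what the thread assumes was stored."""
    return pin.encode("ascii").ljust(8, b"\x00")


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0: PIN field XOR PAN field.
    PIN field: control nibble 0, PIN length, PIN digits, 'F' padding (16 nibbles).
    PAN field: four zero nibbles + rightmost 12 PAN digits excluding the check digit."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def constructed_cardholders():
    """Constructed sample: 60 cards; 12 use PIN 1234, 6 use 1111, 4 use 0000,
    the remaining 38 use distinct PINs (7919 is coprime to 10000, so the
    sequence does not repeat). PANs are constructed 16-digit numbers whose
    last digit is a placeholder for the check digit."""
    pins = ["1234"] * 12 + ["1111"] * 6 + ["0000"] * 4
    pins += [f"{(i * 7919) % 10000:04d}" for i in range(1, 39)]
    pans = [f"4{i:014d}0" for i in range(len(pins))]
    return list(zip(pans, pins))


def ciphertext_frequencies(cardholders, use_iso0: bool) -> Counter:
    """Count how often each encrypted block repeats across the 'stolen' table."""
    counts = Counter()
    for pan, pin in cardholders:
        block = iso0_pin_block(pin, pan) if use_iso0 else naive_pin_block(pin)
        counts[encrypt_block(TERMINAL_KEY, block)] += 1
    return counts


def most_common_count(use_iso0: bool) -> int:
    """Size of the largest cluster of identical ciphertexts in the sample.
    Naive: equals the number of '1234' users (12), which is the leak.
    ISO-0: 1, because every (PIN, PAN) pair yields a distinct block."""
    freq = ciphertext_frequencies(constructed_cardholders(), use_iso0)
    return freq.most_common(1)[0][1]


if __name__ == "__main__":
    print("bare PIN, deterministic: largest cluster =", most_common_count(False))
    print("ISO 9564 format 0:       largest cluster =", most_common_count(True))
```

The naive run reproduces the post's observation: the most-repeated ciphertext occurs 12 times, matching the 12 cardholders who chose 1234, so an attacker holding the table can pair it with a most-common-PIN list exactly as described. The format-0 run gives a largest cluster of 1, since each block is tied to its own card number. Note that this only neutralises the counting trick; it does not make the underlying key any stronger, which is why the processor's key length and key management (and whether encrypted PIN blocks are retained at all, as asked earlier in the thread) still matter.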
 
> PIN number changed. Waiting for new card. Never using a card at Target again. Probably not shopping with a debit card anymore.

The first part of your statement isn't very thought-out. For instance, Target is likely now going to be more secure due to this issue, in the coming years. And their operations are likely going to be pretty heavily scrutinized. We hopefully do learn from mistakes.

The second part of your statement? Yeah, that's the right answer. :)
 