Target breach: Expert explains why stolen PIN data is worth worrying about

Target says there's nothing to worry about, but not everyone agrees.
Today, Target confirmed that in addition to credit card numbers, the cyberthieves who recently victimized roughly 40 million shoppers made off with "strongly encrypted" PIN data.

That seems extremely concerning, because stolen PINs suggest whole accounts are at risk, not just particular cards. But in a statement, Target officials asked customers not to panic.

"We remain confident that PIN numbers are safe and secure," the Target statement says. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

But in a Wednesday Reuters report that broke the news about stolen PINs, Daniel Clemens, CEO of cyber security consulting firm Packet Ninjas, said news that PINs were stolen -- encrypted or not -- is sufficient cause for concern, despite what Target says.

From the report:
As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

Officials at JPMorgan Chase, the largest bank in America, appear to be at least somewhat concerned about the stolen PINs, as news of the Target breach caused them to lower limits on how much cash customers can take out of teller machines and spend at stores.

"That's a really extreme measure to take," Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection, told Reuters, referring to JPMorgan's move. "They definitely found something in the data that showed there was something happening with cash withdrawals."

As a way to make up for the breach, Target offered a 10 percent discount on some store purchases last weekend. But that wasn't enough to make up for all the negative publicity -- Target's transaction numbers were 3 to 4 percent down from the same weekend a year ago, the Huffington Post reports.

-- Follow Aaron Rupar on Twitter at @atrupar. Got a tip? Drop him a line at arupar@citypages.com.

13 comments
Leon

It's not Target's fault that US banks, with a few exceptions like US Bank Flexperks Visa, have refused to go to the "chip and pin" type of credit card that is used throughout Europe.

Jennifer Smith

My bank contacted me to tell me about the Target problem and to say they are sending a new card.

Edward Green

Target should pay everyone who used a credit card or debit card 1000 for letting there computers get hacked. This is a lot of work for something that should have never happened.

Bob B Bopp

Of course everything is fine. Just keep shopping.

Kevin Cornell

The PINs that were included in the hacked data are only those that were entered, correct? They weren't read from the card if the transaction was processed as a credit card, right?

Patrick Kane

I wouldn't be surprised if this was a move by another larger retailer to hire this hacker to pull this to destroy the competition's sales base. Movie script on its way.

Jeremy Hop

Using a PIN saves the business money by bypassing Visa/MasterCard and having the ACH direct from your account. I do this at small businesses to show my support. Better yet, use cash.

Shane Weber

That's why I never enter my PIN. It's not required if you aren't getting cash back, you know.

Daren L. MN

This just in: water is thought to be wet.

MNjoe

Why don't you tell Target that? But use 'their', not there.
