Target says PINs stolen, but confident data secure

BOSTON Sat Dec 28, 2013 2:00am IST

Shopping carts from a Target store are lined up in Encinitas, California May 22, 2013. REUTERS/Mike Blake/Files

Shopping carts from a Target store are lined up in Encinitas, California May 22, 2013.

Credit: Reuters/Mike Blake/Files

Stocks

   

BOSTON (Reuters) - Target Corp (TGT.N) said PIN data of some customers' bank ATM cards were stolen in a massive cyber attack at the third-largest U.S. retailer, but it was confident that the information was "safe and secure."

The stolen PIN data was "strongly encrypted" when it was removed from Target's systems, spokeswoman Molly Snyder said in a statement on Friday.

"The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken," Snyder said.

News of the PIN theft was first reported by Reuters on Tuesday.

Target uses the Triple DES encryption standard that can only be unlocked with a digital cryptographic "key" when the PIN data is received by the company's outside payment processor, she noted.

Target has declined to identify its payment processor.

"The 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident," Snyder said.

Some security experts said that even if the encryption is not broken, cyber criminals can still break the PINs.

"There is potential for gaining access to debit card accounts," said Shane Shook, an executive with the cyber security firm Cylance Inc, who has investigated some of the biggest cyber breaches.

While it is virtually impossible to decrypt a PIN without the digital key to unlock it, Shook said many debit card holders choose easy-to-guess numbers like 1234. He said that in some investigations he has found that more than 20 percent of PINs could easily be guessed.

Chris Morales, research director with NSS Labs and a security expert who has helped investigate major breaches, said the hackers may be able to crack the PINs on some of the stolen debit cards.

U.S. merchants and banks have refused to adopt technologies used overseas, such as embedding credit cards with computer chips for additional security. Instead they use PINs to secure accounts, which leave them more vulnerable to theft.

"PINs are not secure," Morales said.

Criminals can identify PINs by using online systems some banks offer which allow customers to access their accounts using their debit card numbers and PINs, he said.

Madeline Aufseeser, a credit card analyst with research firm Aite Group, said she does not believe the hackers could unscramble the PINs, but still advises Target customers whose accounts have been compromised to replace their cards immediately.

"Smart consumers are calling their banks and getting them reissued," she said. "Better safe than sorry."

Target has said little about how the cyber crooks accessed its network or stole the data in the attack which breached 40 million payment card numbers at unprecedented speed.

The attack began on November 27, the day before the Thanksgiving holiday and continued until December 1, making it the second-largest data breach in U.S. retail history.

The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc (TJX.N), led to the theft of data from more than 90 million credit cards over about 18 months.

(Reporting by Jim Finkle and Dhanya Skariachan; Editing by Bob Burgdorfer and Richard Chang)

FILED UNDER:
Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

Bitcoin

REUTERS SHOWCASE

Online Purge

Online Purge

China steps up purge of online porn amid wider censorship push  Full Article 

Game Apps

Game Apps

Apple, Google vie to offer exclusive game apps - WSJ  Full Article 

Sqare Inc Sale

Sqare Inc Sale

Mobile payment startup Square plans sale as losses widen - WSJ  Full Article 

No-hire Trial

No-hire Trial

Tech workers seek to use Steve Jobs evidence in upcoming trial on no-hire accords  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage