Target: Encrypted PINs stolen but not encryption key

Encrypted PINs were taken in the recent hack, but Target says the data should be "safe and secure" since the actual encryption key was not obtained.


Target is again trying to calm customers in the wake of the recent hack that snatched credit card information for as many as 40 million account holders.

A Target spokeswoman revealed on Friday that strongly encrypted credit and debit card PINs were stolen by the hackers. But she said that those personal identification numbers cannot be decrypted without the right key, which could not have been taken during the data breach because the company does not store that key. The PINs are encrypted at the point-of-sale keypad, stay encrypted in Target's systems, and remained encrypted when obtained by the hackers, the spokeswoman added.

As such, Target remains "confident that PIN numbers are safe and secure."

However, one major U.S. bank is worried that the hackers might be able to decrypt the PINs, giving them the ability to withdraw money from bank accounts, an anonymous executive told Reuters this week. So far, JPMorgan Chase & Co and Santander Bank have lowered the amount of money that customers can withdraw from ATMs and spend at stores, Reuters added.

"That's a really extreme measure to take," Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection, told Reuters. "They definitely found something in the data that showed there was something happening with cash withdrawals."

Target's full statement reads as follows:

Our investigation into the data breach incident is continuing and ongoing. While we are still in the early stages of this criminal and forensic investigation, we continue to be committed to sharing the facts as they are confirmed.

While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.

To help explain this, we want to provide more context on how the encryption process works. When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S.

Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the "key" necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident.

The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.
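The encryption process Target describes, as an added worked example (this is not Target's or its payment processor's code). It assumes the PIN pad forms an ISO 9564-1 format 0 PIN block, the common layout the statement does not specify, encrypts it as a single block with two-key Triple DES, and uses a constructed PAN and a constructed 16-byte PIN encryption key; the name PEK and all function names are the example's own. The BruteForcePin function makes the practitioner's caveat concrete: only 10,000 four-digit PINs can sit behind any block, so the statement's guarantee rests entirely on the key never being present in Target's systems.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// panField is the ISO 9564-1 format 0 PAN field: "0000" followed by the
// 12 rightmost PAN digits, excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN must have at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// FormatZeroPinBlock builds a format 0 PIN block: the PIN field
// (0, PIN length, PIN digits, F padding to 16 hex chars) XORed with the PAN field.
func FormatZeroPinBlock(pin, pan string) ([8]byte, error) {
	var block [8]byte
	if len(pin) < 4 || len(pin) > 12 {
		return block, errors.New("PIN must be 4 to 12 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	p, err := hex.DecodeString(pinField + strings.Repeat("F", 16-len(pinField)))
	if err != nil {
		return block, err
	}
	q, err := panField(pan)
	if err != nil {
		return block, err
	}
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// TripleDES runs one 3DES block operation under a 16-byte double-length PEK
// (expanded to K1||K2||K1 for crypto/des). decrypt=false is what the PIN pad
// does; decrypt=true is what only the processor's HSM, which holds the key, can do.
func TripleDES(pek []byte, block [8]byte, decrypt bool) ([8]byte, error) {
	var out [8]byte
	if len(pek) != 16 {
		return out, errors.New("need a 16-byte double-length key")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, pek...), pek[:8]...))
	if err != nil {
		return out, err
	}
	if decrypt {
		c.Decrypt(out[:], block[:])
	} else {
		c.Encrypt(out[:], block[:])
	}
	return out, nil
}

// BruteForcePin shows why the key is the whole secret: whoever holds the PEK
// recovers a card's 4-digit PIN with at most 10,000 trial encryptions.
// Without the key, the only lever left is the 3DES key space.
func BruteForcePin(pek []byte, pan string, target [8]byte) (string, int, error) {
	for i := 0; i < 10000; i++ {
		guess := fmt.Sprintf("%04d", i)
		b, err := FormatZeroPinBlock(guess, pan)
		if err != nil {
			return "", i, err
		}
		e, err := TripleDES(pek, b, false)
		if err != nil {
			return "", i, err
		}
		if e == target {
			return guess, i + 1, nil
		}
	}
	return "", 10000, errors.New("no 4-digit PIN matched")
}

// Hex renders a block for display.
func Hex(b [8]byte) string { return hex.EncodeToString(b[:]) }

func main() {
	// Constructed sample values: a made-up PAN and a made-up 16-byte PEK. In a
	// real deployment the PEK exists only in the PIN pad and the processor's HSM.
	pan, pek := "4000123456789010", []byte("0123456789ABCDEF")
	block, _ := FormatZeroPinBlock("1234", pan)
	enc, _ := TripleDES(pek, block, false)
	fmt.Printf("clear PIN block:     %s\n", Hex(block))
	fmt.Printf("encrypted PIN block: %s  (what the retailer's systems carry)\n", Hex(enc))
	other, _ := FormatZeroPinBlock("1234", "5100987654321050")
	encOther, _ := TripleDES(pek, other, false)
	fmt.Printf("same PIN, other PAN: %s\n", Hex(encOther))
	pin, tries, _ := BruteForcePin(pek, pan, enc)
	fmt.Printf("holding the PEK: PIN %s recovered after %d trial encryptions\n", pin, tries)
}
```

Because the PAN is mixed into the block, the same PIN on two cards produces two different ciphertexts, so an attacker holding only the stolen blocks cannot even group them by PIN. Real PIN pads commonly derive a fresh per-transaction key under DUKPT (ANSI X9.24) rather than using one static PEK as this example does, which limits what even a compromised terminal exposes; Target's statement does not say which scheme its pads use.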

About the author

Journalist, software trainer, and Web developer Lance Whitney writes columns and reviews for CNET, Computer Shopper, Microsoft TechNet, and other technology sites. His first book, "Windows 8 Five Minutes at a Time," was published by Wiley & Sons in November 2012.

 
