Target admits encrypted debit card PIN data was stolen during Black Friday hack

By on December 27, 2013, 5:15 PM
hacking, theft, black friday, target, credit card, debit card, pin number, pin

Target has confirmed that encrypted debit card PIN numbers were also stolen as part of the massive Black Friday hack after vehemently denying such reports earlier in the week. The good news for shoppers, however, is that the key needed to decrypt the data was never in danger of being compromised.

In a statement on the matter, Target outlined how their system handles debit card purchases. When the PIN is entered, it is encrypted via Triple DES encryption within their system and can only be decrypted when it is received by their external, independent payment processor. As such, the key necessary to decrypt the data never existed in Target’s system and couldn’t have been stolen during the breach.

Unless the hackers are able to crack the high level encryption, there’s little chance that the stolen PINs will be of any use.

Card numbers, expiration dates and security codes from some 40 million cards were stolen between late November and mid-December according to the retailer. The information is already flooding the black market and is said to be priced at anywhere between a quarter to $100 per card based on the credit limit.

The retailer is working with the Justice Department and the Secret Service to try and locate those responsible for the breach. In the meantime, it’d probably be best to keep a close eye on your bank account and / or credit card account in the event you shopped at Target during the last month.




User Comments: 6

Got something to say? Post a comment
Guest said:

Get a google wallet card, or any pre-paid debit card really. Load only the amount you need on the card for the shopping trips you wish to take. Load 200 bucks on the card and go use that to go grocery shopping or to the mall. Don't leave very much money on the card. If it is ever compromised you'll only be out a small amount of money, and they can't steal money directly from your bank account.

You literally cannot do anything whatsoever to stop credit card fraud. Nothing.

The battle isn't between you and the hackers. It's between the store and hackers. And store owners are categorically stupid and cheap. They don't understand the threats but they understand that the latest and greatest hardware / software / security measures are expensive. It's unfortunate but the bottom line is far more important for business owners than the security of your credit card data.

What's even more unfortunate is just how many stores / bars / restaurants are woefully insecure.

I do this work for a living. What I don't understand about this story is how all of these credit card numbers were stolen in the first place. If literally MILLIONS of credit card numbers were stolen, please tell me WHY IN THE F*CK does Target store millions of credit card numbers? Why is no one asking this question? Did they even ask you if they could store your credit card number? Also, was the main HQ of Target hacked or was it many individual stores? What POS software does Target run? Which other major retailers run this same software?

Target needs to pony up more information. It could help the industry along. Maybe make some folks understand the needs for better security. It's the only way most of these companies will learn anything. Think about it, Target is going to spend hundreds of millions of dollars upgrading their systems now. They never would have done this without being hacked.

Do you think this is going to get more or less secure as NFC payments and other creative payment solutions are offered up in the future? Just something to think about.

Skidmarksdeluxe Skidmarksdeluxe said:

What? No 'Target' puns yet? Surprising.

cliffordcooley cliffordcooley, TechSpot Paladin, said:

Thats because the target puns were in the last thread. Including your own puns. lol

Guest said:

So, everyone thinks this was actually the fault of Target ?

cliffordcooley cliffordcooley, TechSpot Paladin, said:

Not the actual theft, but storing what was stolen "YES".

Guest said:

You can't get pin numbers from the encrypted flow of data it is a 2048 bit key it will be too big for them to hack it. I used to work on ATM's 20 years ago we used 56bit but now days it's a lot more. The only way to get pins is to catch it off the key pad like those devices in the fuel pumps. Never use your debit with a pin number anywhere except at you bank always use credit that way you are protected by Visa, or MasterCard. I think Target is going to turn out to be a wireless hack lot of these stores I see using WPA for security that has been hacked with free tools off the internet.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.