IBJNews

Target says customers' encrypted PINs were stolen


Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it neither has access to nor stores the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case that's believed to be the largest case of identity theft in U.S. history.

In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented (and) has been done before," she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
