IBJNews

Target says customers' encrypted PINs were stolen

Back to TopCommentsE-mailPrintBookmark and Share

 Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type in to keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before, in particular the 2005 TJX Cos. hacking case that's believed the largest case of identity theft in U.S. history.

In 2009 computer hacker Albert Gonzalez plead guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented (and) has been done before," she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

ADVERTISEMENT

Post a comment to this story

COMMENTS POLICY
We reserve the right to remove any post that we feel is obscene, profane, vulgar, racist, sexually explicit, abusive, or hateful.
 
You are legally responsible for what you post and your anonymity is not guaranteed.
 
Posts that insult, defame, threaten, harass or abuse other readers or people mentioned in IBJ editorial content are also subject to removal. Please respect the privacy of individuals and refrain from posting personal information.
 
No solicitations, spamming or advertisements are allowed. Readers may post links to other informational websites that are relevant to the topic at hand, but please do not link to objectionable material.
 
We may remove messages that are unrelated to the topic, encourage illegal activity, use all capital letters or are unreadable.
 

Messages that are flagged by readers as objectionable will be reviewed and may or may not be removed. Please do not flag a post simply because you disagree with it.

Sponsored by
ADVERTISEMENT

facebook - twitter on Facebook & Twitter

Follow on TwitterFollow IBJ on Facebook:
Follow on TwitterFollow IBJ's Tweets on these topics:
 
Subscribe to IBJ
  1. Angela IS the best RD

  2. We are a nation of speed. All of our younger lives are filled with deadlines, quotas and bottom lines. We start to ease out of the pressured rat-race when we finally see "retirement." The most enjoyable travel on the planet is passenger rail service. Indy to Chicago does not beat Megabus or Southwest Airlines in speed. Passenger rail however has the best seating, mammoth legroon, seat backs that recline to more than 45 degrees and employers that really want you to return as a customer. Indiana municipalities need to maintain subsidies to support this transportation mode. Losing it is loss for all of us.

  3. Good day! I just want to testify how i got my loan from Mr. Eric Lefkofsky after i applied several times from various loan lenders who claimed to also testify right in this forum,i thought the testimonies where real and i applied but they never gave me loan. I was in need of an urgent loan to start a business and i applied from various loan lenders who promised to help but they never gave me the loan. Until a friend of mine introduce me to this popular Mr. Eric Lefkofsky who promised to help me and indeed he did as he promised without any form of delay. I never thought there are still reliable loan lenders until i met Mr. Eric lefkofsky who indeed helped me with the loan and changed my belief. I promised to share this testimony after I got my loan. I don't know if you are in any way in need of a genuine and urgent loan,free feel to contact Mr. Eric Lefkofsky via their email{grouponfunding@hotmail.com}

  4. Its a THUG issue. Bleecker Street and NYX are thug bars. They attract thugs of all races. Places that attract thugs need to be kicked out of Broad Ripple. Ain't nobody got time for that!

  5. Hello everyone, My name is Marian Gareth, I am from the Texas, United State, am here to testify of how i got my loan from Mr Andre Frank {frankloancompany@yahoo.com} after i applied Two times from various loan lenders who claimed to be lenders right in this forum,i thought their lending where real and i applied but they never gave me loan. I was in need of an urgent loan to start a business and i applied from various loan lenders who promised to help but they never gave me the loan.Until a friend of mine introduce me to Mr Andre Frank the C.E.O of Andre Frank Loan Company who promised to help me with a loan of my desire and he really did as he promised without any form of delay, I never thought there are still reliable loan lenders until i met Mr Andre Frank, who really help me with my loan and changed my lief for better. I don't know if you are in need of an urgent loan, free feel to contact Mr Andre Frank on his email{ Frankloancompany@yahoo.com} for help

ADVERTISEMENT