Target PINs stolen, too -- what does that mean to you? And why the fun begins now for crypto geeks
Click for Target's announcement
We're about to find out how effective a major implementation of encryption really is. Target's quite tardy admission that it's lost encrypted PIN codes along with millions of credit card numbers might be one of the largest public tests of encryption were ever seen.
Remember, a person with a debit card number and its associated PIN can basically print money. Now we know the Target hackers have both pieces of data, and they know it's worth a lot of money -- if they can solve the cryptographic puzzle which protects the PINs. Even if the criminals who stole it aren't cryptologists, you can imagine evil-doer code-breakers are lining up to offer help.
Theoretically, the triple DES encryption employed by Target and its payment processor means the stolen data is scrambled well enough that it's functionally useless to the criminals or anyone who might help them. For this reason, consumers who used their debit cards, and entered a PIN instead of offering a signature at the checkout counter, still have no reason to panic. Change your PIN as soon as possible, and watch carefully for fraud. Until you actually experience fraud, there is no need to do anything more.
But that all assumes one important thing: the encryption was implemented correctly. Generally, when encryption fails, it's not the math that fails -- it's the human beings. PINs are supposed to be scrambled from the moment you enter them into a point of sale terminal that's been loaded with a "key" used to scramble the digits. At that point, it's converted into a "PIN block," which is then transmitted along with your account number to the payment processor. The processor unscrambles the PIN block with another key. But if those keys were loaded incorrectly at either end, a criminal could more easily figure out what the PINs are. Or, often more likely, an employee with access to the technology could intentionally screw things up, making theft easier. Keys can be stolen, for example.
The standards for protecting PINs, part of the so-called PCI standards issued by the Security Standards Council, are exacting and clear. Target says it was PCI compliant, and there's no reason not to believe that. That means Target didn't keep PIN blocks lying around, for example -- they stored them only as part of a "store and forward" system which allowed stores to batch process blocks of credit card accounts. (Just a guess: Theft of the PIN blocks does suggest the data was stolen en route to payment processing, as opposed to at rest on Target servers. We've heard precious little from Target's processor so far).
If Target followed the rules, there is no additional reason to worry today.
However, Target already has waffled on the PIN theft issue. That's common after a hack like this: It's not always clear right away to investigators what the bad guys stole. When a burglar breaks into your car or home, you often don't realize all that's been taken, either. Expect more disclosures as time passes.
Again, today's news only impacts that subset of Target shoppers who used PINs at the checkout counter. Those consumers should change their PINs and watch their checking accounts very carefully.