
Target: Customers' encrypted PINs were stolen

By Barbara Ortutay & Mae Anderson

AP Business Writers

LAST UPDATED: 12:07 p.m. HST, Dec 27, 2013

ATLANTA » Target said today that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement today. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."

However, Gartner security analyst Avivah Litan said today that the PINs for the affected cards are vulnerable and people should change their codes since such data has been decrypted, or unlocked, before. In 2009 computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted retailers such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to unlock encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented (and) has been done before," she said.

Besides changing your PIN, Litan says shoppers should instead opt to use their signature to approve transactions because it is safer. Still, she said Target did "as much as could be reasonably expected" in this case.

"It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.

Ortutay contributed from San Francisco.

LadyNinja wrote:
This is scary, in this day of modern technology and sad that certain segments of our population would do such things. A lot of people don't think twice about stealing, it's almost become a way of life for some folks. But in life what you do, you get back tenfold.
on December 27,2013 | 07:10AM
false wrote:
Same people that infect Windows based systems via Virus, etc., are doing these things. They did in TJ Maxx a few years back and now they targeted Target. We will not hear of breaches to say Wal-Mart, Walgreens, all the big ones, because they have the power of volume, to deal with security issues. We will always have these scum of the earth, same as roaches that will never go away unless we fumigate the entire earth, which will not happen until our sun goes Nova, which is scheduled to happen in 3 billion years. Imagine a person lives say 80 years on average, 80 divided by 3 billion is 0.00000267% of the life time remaining for our Sun, no not Son of God, THE SUN. So we are still in our infancy, especially considering that the Industrial Age started 200 years ago. In about 200 years, maybe we will have Artificial Intelligence to the max, and no one will remember Obama.
on December 27,2013 | 11:19AM
HanabataDays wrote:
Every PIN I've seen is four digits and uses only numbers. Not quite sure how you could "strongly encrypt" a data element that small with such a limited range of possible ASCII values.
on December 27,2013 | 07:46AM
false wrote:
Show off saying ASCII.
on December 27,2013 | 11:21AM
Hapa_Haole_Boy wrote:
time to cancel credit card and get a new one, if you were affected
on December 27,2013 | 08:00AM
nodaddynotthebelt wrote:
Even signature mode can be a failure. I know of one person whose bank account was drawn from at Bank of Hawaii and the thief's signature did NOT even come close to matching the victim. The teller had simply accepted a fake id complete and no bank card or account number. So if you think your money is secure in even a major bank, you'd better think twice. It only takes a lazy teller for you to lose your money. And what was even most tragic was the bank supervisor's response. She could not expect all of her tellers to follow all of the rules all of the time. Scary, huh?
on December 27,2013 | 12:18PM