CONSUMER

Target: Customers’ encrypted PINs were stolen

 

Associated Press

Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it’s the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn’t have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer’s external, independent payment processor.

“We remain confident that PIN numbers are safe and secure,” spokeswoman Molly Snyder said in an emailed statement Friday. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.” The company maintains that the “key” necessary to decrypt that data never existed within Target’s system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people “should change them at this point.”

Litan said that while she has no information about the encrypted PIN information in Target’s case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case that’s believed to be the largest case of identity theft in U.S. history.

In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez’s group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but “nothing is infallible.”

“It’s not impossible, not unprecedented [and] has been done before,” she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did “as much as could be reasonably expected” in this case. “It’s a leaky system to begin with,” she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.
