|
 The stolen PIN data was "strongly encrypted" when it was removed
from Target's systems, spokeswoman Molly Snyder said in a statement
on Friday.
"The most important thing for our guests to know is that their debit
card accounts have not been compromised due to the encrypted PIN
numbers being taken," Snyder said.
News of the PIN theft was first reported by Reuters on Tuesday.
Target uses the Triple DES encryption standard that can only be
unlocked with a digital cryptographic "key" when the PIN data is
received by the company's outside payment processor, she noted.
Target has declined to identify its payment processor.
"The 'key' necessary to decrypt that data has never existed within
Target's system and could not have been taken during this incident,"
Snyder said.
Some security experts said that even if the encryption is not
broken, cyber criminals can still break the PINs.
"There is potential for gaining access to debit card accounts," said
Shane Shook, an executive with the cyber security firm Cylance Inc,
who has investigated some of the biggest cyber breaches.
While it is virtually impossible to decrypt a PIN without the
digital key to unlock it, Shook said many debit card holders choose
easy-to-guess numbers like 1234. He said that in some investigations
he has found that more than 20 percent of PINs could easily be
guessed.
Chris Morales, research director with NSS Labs and a security expert
who has helped investigate major breaches, said the hackers may be
able to crack the PINs on some of the stolen debit cards.
U.S. merchants and banks have refused to adopt technologies used
overseas, such as embedding credit cards with computer chips for
additional security. Instead they use PINs to secure accounts, which
leave them more vulnerable to theft.
"PINs are not secure," Morales said.
Criminals can identify PINs by using online systems some banks offer
which allow customers to access their accounts using their debit
card numbers and PINs, he said.
Madeline Aufseeser, a credit card analyst with research firm Aite
Group, said she does not believe the hackers could unscramble the
PINs, but still advises Target customers whose accounts have been
compromised to replace their cards immediately.
"Smart consumers are calling their banks and getting them reissued,"
she said. "Better safe than sorry."
[to top of second column] |
Target has said little about how the cyber crooks accessed its
network or stole the data in the attack which breached 40 million
payment card numbers at unprecedented speed.
BAD TIMING FOR TARGET
The attack began on Nov. 27, the day before the Thanksgiving
holiday and continued until Dec. 1, making it the second-largest
data breach in U.S. retail history.
The largest breach against a U.S. retailer, uncovered in 2007 at TJX
Cos Inc, led to the theft of data from more than 90 million credit
cards over about 18 months.
News of the breach at Target has hurt the retailer's reputation and
stock price.
Target's consumer perception scores dropped to their lowest level
since 2007 after the breach, according to a survey of 15,000 people
by YouGov BrandIndex, which tracks thousands of brands around the
world.
"Target's problems may very well continue and that is unfortunate,
as we've been seeing a little bit of a perception rebound the last
two days," YouGov BrandIndex Chief Executive Ted Marzilli said.
Marzilli said Target's perception scores bottomed out the day before
Christmas and the impact from the latest news could be less severe
now that the holiday shopping rush is over.
The Minneapolis-based retailer's shares have fallen about 2.3
percent since Dec. 18, when news of the cyber attack broke,
while the Standard & Poor's 500 index has risen 1.7 percent over the
same period.
Target is due to report quarterly results on Feb. 26, but may
disclose the impact of the breach sooner.
(Reporting by Jim Finkle and Dhanya
Skariachan; editing by Bob Burgdorfer and Richard Chang)
[© 2013 Thomson Reuters. All rights
reserved.] Copyright 2013 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
 |
