Target hackers got card PINs too - Action News

Target hackers got card PINs too

Target says customers' encrypted PIN data was removed during the massive data breach that occurred earlier this month.

Computer hackers were able to steal not only 40 million card numbers but also passwords, retailer reveals

Target acknowledged Friday that the hackers who stole 40 million debit and credit cards earlier this month were also able to steal some of the accounts' PIN numbers.

Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.

The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.

Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.

Target said it doesn't have access to nor does it store the encryption key within its system, and the PIN information can only be decrypted when it is received by the retailer's external, independent payment processor.

"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems." The company maintains that the "key" necessary to decrypt that data never existed within Target's system and could not have been taken during the hack.

However, Gartner security analyst Avivah Litan said Friday that the PINs for the affected cards are not safe and people "should change them at this point."

Data is encrypted

Litan said that while she has no information about the encrypted PIN information in Target's case, such data has been decrypted before, in particular in the 2005 TJX Cos. hacking case that's believed to be the largest case of identity theft in U.S. history.

In 2009, computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 that targeted companies such as T.J. Maxx, Barnes & Noble and OfficeMax. Gonzalez's group was able to decrypt encrypted data. Litan said changes have been made since then to make decrypting more difficult but "nothing is infallible."

"It's not impossible, not unprecedented (and) has been done before," she said.

Besides changing your PIN, Litan says shoppers should opt to use their signature to approve transactions instead because it is safer.

Still, she said Target did "as much as could be reasonably expected" in this case. "It's a leaky system to begin with," she said.

Credit card companies in the U.S. plan to replace magnetic strips with digital chips by the fall of 2015, a system already common in Europe and other countries that makes data theft more difficult.

Minneapolis-based Target Corp. said it is still in the early stages of investigating the breach. It has been working with the Secret Service and the Department of Justice.