If Target is to be believed, your money is safe.
Having lost the names, card numbers, expiration dates and CVV security codes of as many as 40 million shoppers, the national retailer announced a few days ago that customers’ PINs were compromised, too.
But Target says there is no need to worry, because the four-digit PINs were encrypted with Triple DES, a cipher that runs the older DES algorithm three times over each block of data before the transaction is sent on to be authorized.
To boot, the company said it never had the key to decrypt that information.
So, on the surface, the PINs would seem to be safe.
Triple DES is hard to break: recovering the key by brute force is far beyond what a criminal with commercial computing hardware could do in any useful amount of time. The catch is that a four-digit PIN has only 10,000 possible values, so the protection rests entirely on the secrecy of the key, not on the PIN itself.
However, without knowing the exact details of the crime (which Target has yet to release, if it ever will), it is very hard to gauge whether the PINs are vulnerable. The question is: Can the thieves also acquire information about the encryption system, above all the key? After all, they had to be pretty sophisticated to hack Target’s machines in the first place.
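To make concrete why everything hinges on the key, here is an added example that is not code from Target, its payment processor or this article. It builds a PIN block in ISO 9564 format 0 (the PIN padded and XORed with part of the card number), encrypts it with Triple DES, and then compares what the key holder can do with what an attacker holding only the card number and the ciphertext can do. The block format, the sample key, the card number and the PIN are all assumptions for the demonstration; the article does not say which format Target's PIN pads use.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed demo values, not data from the breach. The key is a two-key 3DES key K1|K2|K1 in the 24-byte form crypto/des expects.
var sampleKey, _ = hex.DecodeString("0123456789ABCDEFFEDCBA98765432100123456789ABCDEF")

const samplePAN, samplePIN = "4111111111111111", "1234" // test PAN, not a real account

// panField builds the ISO 9564-1 format 0 PAN field: "0000" plus the rightmost 12 PAN digits, excluding the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, fmt.Errorf("PAN too short")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// pinBlockISO0 builds the 8-byte format 0 PIN block: ("0", PIN length, PIN digits, padded with F to 16 hex digits) XOR the PAN field. Binding the PAN in means the same PIN on two cards produces two different blocks.
func pinBlockISO0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return nil, fmt.Errorf("PIN length out of range")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, err := hex.DecodeString(field + strings.Repeat("F", 16-len(field)))
	if err != nil {
		return nil, err
	}
	pa, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pf[i] ^ pa[i]
	}
	return block, nil
}

// encryptPINBlock runs one Triple DES (EDE) operation over the single 8-byte PIN block.
func encryptPINBlock(key []byte, pin, pan string) ([]byte, error) {
	block, err := pinBlockISO0(pin, pan)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// decryptPIN is the key holder's view: decrypt, strip the PAN field, parse the PIN field.
func decryptPIN(key []byte, pan string, enc []byte) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pa, err := panField(pan)
	if err != nil {
		return "", err
	}
	dec := make([]byte, 8)
	c.Decrypt(dec, enc)
	for i := range dec {
		dec[i] ^= pa[i]
	}
	n := int(dec[0] & 0x0F)
	if dec[0]>>4 != 0 || n < 4 || n > 12 {
		return "", fmt.Errorf("not a format 0 PIN block")
	}
	return hex.EncodeToString(dec)[2 : 2+n], nil
}

// guessPIN is the attacker's view: with a candidate key, the PAN the thieves already hold and the ciphertext, try all 10,000 four-digit PINs.
// The right key finds the PIN within 10,000 trials; a wrong key matches nothing, so the small PIN space is no defence by itself and everything rests on the key.
func guessPIN(candidateKey []byte, pan string, enc []byte) (string, bool) {
	for i := 0; i < 10000; i++ {
		pin := fmt.Sprintf("%04d", i)
		if trial, err := encryptPINBlock(candidateKey, pin, pan); err == nil && bytes.Equal(trial, enc) {
			return pin, true
		}
	}
	return "", false
}

func main() {
	enc, _ := encryptPINBlock(sampleKey, samplePIN, samplePAN)
	pin, _ := decryptPIN(sampleKey, samplePAN, enc)
	_, okWrong := guessPIN(bytes.Repeat([]byte{0x13}, 24), samplePAN, enc)
	g, okRight := guessPIN(sampleKey, samplePAN, enc)
	fmt.Printf("block %X; key holder reads %s; brute force without the key: %v, with it: %v (%s)\n", enc, pin, okWrong, okRight, g)
}
```

Run it with `go run`. With the real key the attacker's 10,000-trial search finishes instantly; with a wrong key it finds nothing, because every guess has to be encrypted under the right key before it can be compared. That is the article's point in code: the Triple DES key, not the four-digit PIN, is what the thieves would need, which is why the question of what they learned about the encryption system matters more than the strength of the cipher.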
“There was an earlier issue with card readers where criminals were able to glean some of the details around the encryption,” said Al Pascual, a senior analyst for security risk and fraud at Javelin Strategy and Research. “They were able to figure out part of the key that was used to encrypt (the information).”
That was eight years ago, when the infamous hacker Albert Gonzalez, the mastermind behind the largest credit and debit card breach in history, was reportedly able to crack T.J. Maxx’s encrypted data. At the time, at least 46 million cardholders’ records were stolen.
In 2009, Gonzalez pleaded guilty to conspiracy, wire fraud and other charges stemming from breaches at T.J. Maxx, Heartland Payment Systems Inc. and others.
Target declined to answer questions about how its system was breached. “I don’t have anything additional to share beyond what is in the statement at this time,” a spokeswoman emailed, referring to the statement in which the company acknowledged the theft of the PINs.
Target has not yet filed a document with the Securities and Exchange Commission, called a Form 8-K, that could shed light on the hack. The SEC requires any public company to use that form to tell investors about an event that could materially affect its earnings.
Although Pascual said decrypting the PINs is theoretically possible, he said the odds are extremely remote. “It’s like buying a lotto ticket and saying I could be a millionaire,” he said. “It would have to be a perfect storm event.”
But Cherian Abraham, the mobile commerce and payments lead at Experian Global Consulting, said it’s not so much a matter of if the encryption is cracked as when. “Now that (criminals) have these PINs on their side, and they have the 16-digit (account) numbers, the question is whether customers will have changed their PINs.”
His advice is that if you think you’ve been affected, change your PIN and order a new card.
That’s the only way to be sure you won’t get bilked.