Target Corporation revealed on Friday that forensic investigators have discovered that the hackers who gained access to some 40 million customers’ debit and credit card account data also have the personal identification numbers (PINs) of the debit cards in question. The hackers stole data from cards used at Target between Black Friday (Nov. 27) and Dec. 15 by using malware installed on Target’s credit card readers. The software directed the information from the cards directly to the hackers.
In a statement released on Friday, Target spokeswoman Molly Snyder wrote, “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
The Minneapolis-based retailer uses the Triple DES encryption algorithm to encrypt all PINs entered on keypads during checkout. The PINs were encrypted when they were stolen and can only be revealed if the information is sent to Target’s external payment processor. Target explained that because the information to crack the encryption is held by the independent processor and not in Target’s computers, hackers were not able to gain access to the decryption codes. In addition to the PINs, Target hackers also stole names of customers, account numbers, expiration dates and the code from the back of the cards, which are embedded in the magnetic strip.
Security breaches this widespread and comprehensive generally originate from foreign parties, who sell the information to lower-level criminals who are tasked with buying and selling stolen card information online or printing fake cards using machines that cost as little as $100.00. These machines can be used to apply magnetic strips with the stolen information to the back of the phony cards. Other members of the ring use the stolen information to buy products online and then resell them for a profit.
According to Avivah Litan, Gartner security analyst, customers should still change their PINs because it is possible that the data could be unlocked. A 2005 scam that targeted Barnes & Noble, OfficeMax and T.J. Maxx among others was possible because a hacker was able to unlock the encryption codes. Although changes to the encryption process have been made, Litan warns consumers that “nothing is infallible,” and advises shoppers to approve their transactions via signature instead of PIN.
Bankers also advise using online banking to set up fraud alerts that can be e-mailed or sent via text message to customers when suspicious activity on their credit or debit card accounts is noted. Consumers should also check their bank accounts regularly and contact their bank immediately if something seems wrong.
At least one senator is asking for an investigation. Multiple state attorneys general have requested more information from Target regarding the stolen information. Target is also facing at least 12 lawsuits. The corporation is working with the Department of Justice and the Secret Service as part of their investigation.
The theft of information from Target is the second-largest in U.S. history and is surpassed only by the 2005 scam involving TJX Cos. U.S. banks are planning to replace the magnetic strips on the cards with digital chips by the end of 2015. Digital chips are used in Europe, have been proven to be more secure and will hopefully prevent hackers like those who attacked Target from gaining customers’ credit and debit card information and PINs.
By Jennifer Pfalz