
Finance technology etc

Elton Cane - Independent


How useful are a bunch of encrypted PINs?

02 January 2014  |  1474 views  |  1

Catching up on online reading after some self-imposed offline holiday time, I was just reading about the latest US retailer to be plundered for customer personal and card data. For those who also missed it, between November 27 and December 15 customer names, credit and debit card numbers, card expiration dates and magstripe data were stolen from about 40 million credit and debit cards used at Target stores.

It's the second biggest theft of card account data in US history, behind the 2005 targeting of TJX Co retailers. And it came at an interesting time, because I've just finished reading the excellent book Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground, by Kevin Poulsen. It focuses mainly on the journey of one-time white hat hacker Max Butler as he donned a black hat and took over and rolled numerous competitors into his Carders Market forum, before he and other card scammers were taken down by an FBI investigation in 2007. But it also touches on the main perpetrator of the TJX attack, Albert Gonzalez, a one-time FBI informant who went back into business in 2005, linking with other US and Ukrainian hackers and carders to perpetrate the TJX and other retailer and card processor breaches.

It's relevant to the Target breach because in both cases encrypted PIN data was stolen by the hackers. In the numerous breaches Gonzalez was involved with, he had some accomplices cracking Wi-Fi and POS terminals and servers, and another hacker to whom he turned for decrypting the PIN codes.

In the initial reporting about the Target breach, there was no mention of debit card PINs being stolen. In later reports, however, Target said that PIN data had also been compromised, while stressing that the PIN information was fully encrypted (Triple DES) at the keypad, remained encrypted within their system, and remained encrypted when it was removed from their systems.

Of course, communications have also gone out widely to the public and to consumers who might have been compromised that they should change their PINs anyway. But speculation abounds on many online security blogs (Matthew Green has a good discussion here) about the means by which the PINs were taken, from what part of the payment chain, and whether -- despite Target's proclamations -- the attackers also got hold of some encryption keys.
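As an added illustration (my own Go code, not anything from the post or from Target's systems) of what "encrypted at the keypad" does and does not buy: the common ISO 9564 Format 0 layout mixes the card's PAN into the PIN block before 3DES, so a dump of encrypted blocks is only worth something to someone holding both the working key and the matching card number. The key, PANs and PINs used here are constructed test values, and the Format 0 layout is an assumption, since the post says only that Triple DES was used.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

func digits(s string) bool { return strings.Trim(s, "0123456789") == "" }

// panField is the ISO 9564 Format 0 PAN field: 0000 + the 12 PAN digits before the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !digits(pan) {
		return nil, fmt.Errorf("PAN must be at least 13 digits")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// EncryptPIN is the keypad side: clear block (0 | len | PIN | F padding) XOR PAN field,
// then one 3DES block under the 24-byte working key. Only the 8-byte ciphertext leaves.
func EncryptPIN(key []byte, pin, pan string) ([]byte, error) {
	c, err := des.NewTripleDESCipher(key)
	pb, perr := panField(pan)
	if err != nil || perr != nil || len(pin) < 4 || len(pin) > 12 || !digits(pin) {
		return nil, fmt.Errorf("need a 24-byte key, a 4-12 digit PIN and a valid PAN")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	b, _ := hex.DecodeString(pf + strings.Repeat("F", 16-len(pf)))
	subtle.XORBytes(b, b, pb) // PAN mixing: equal PINs on different cards give different blocks
	c.Encrypt(b, b)
	return b, nil
}

// RecoverPIN is the HSM side: decrypt, strip the PAN, check the layout. Without the key
// there is no clear block; with the wrong PAN (no matching Track 2 data) the check fails.
func RecoverPIN(key, enc []byte, pan string) (string, error) {
	c, err := des.NewTripleDESCipher(key)
	pb, perr := panField(pan)
	if err != nil || perr != nil || len(enc) != 8 {
		return "", fmt.Errorf("need a 24-byte key, an 8-byte block and a valid PAN")
	}
	b := make([]byte, 8)
	c.Decrypt(b, enc)
	subtle.XORBytes(b, b, pb)
	f := strings.ToUpper(hex.EncodeToString(b))
	n := strings.Index("0123456789ABC", f[1:2]) // PIN length nibble, valid range 4..12 (hex 4..C)
	if f[0] != '0' || n < 4 || !digits(f[2:2+n]) || strings.Trim(f[2+n:], "F") != "" {
		return "", fmt.Errorf("not a Format 0 block for this PAN (or the key is wrong)")
	}
	return f[2 : 2+n], nil
}
```

Run the same PIN through two different PANs and the two ciphertexts differ; feed a block back with the wrong PAN or the wrong key and RecoverPIN refuses it, which is the whole point of the question in the title.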

I guess we'll find out if customer losses start coming to light, or if the credit card companies start preparing a lawsuit against Target similar to the one they served against Fifth Third Bancorp and TJX.

Tags: Security, Retail banking

Comments: (1)

A Finextra member | 02 January, 2014, 22:12

Why was Target (allegedly) storing both encrypted PIN Blocks and Track 2 data? Makes no sense at all...
