
How useful are a bunch of encrypted PINs?

Catching up on online reading after some self-imposed offline holiday time, I was just reading about the latest US retailer to be plundered for customer personal and card data. For those who also missed it, between November 27 and December 15 customer names, credit and debit card numbers, card expiration dates and magstripe data were stolen from about 40 million credit and debit cards used at Target stores.

It's the second biggest theft of card account data in US history, behind the 2005 targeting of TJX Co retailers. And it came at an interesting time because I've just finished reading the excellent book Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground, by Kevin Poulsen. It focuses mainly on the journey of one-time white hat hacker Max Butler as he donned a black hat and took over and rolled numerous competitors into his Carders Market forum before he and other card scammers were taken down by an FBI investigation in 2007. But it also touches on the main perpetrator of the TJX attack, Alberto Gonzalez, a one-time FBI informant who went back into business in 2005, linking with other US and Ukrainian hackers and carders to perpetrate the TJX and other retailer and card processor breaches.

It's relevant to the Target breach because in both cases encrypted PIN data was stolen by the hackers. In the numerous breaches Gonzalez was involved with, he had some accomplices cracking Wi-Fi and POS terminals and servers, and another hacker to whom he turned for decrypting the PIN codes.

In the initial reporting about the Target breach, there was no mention of debit card PINs being stolen. In later reports, however, Target said that PIN data had also been compromised, but that the PIN information was fully encrypted (Triple DES) at the keypad, remained encrypted within their system, and remained encrypted when it was removed from their systems.

Of course, communications have also gone out widely to the public and consumers who might have been compromised that they should change their PINs anyway. But speculation abides on many online security blogs (Matthew Green has a good discussion here) about the means by which the PINs were taken, from what part of the payment chain, and whether -- despite Target's proclamations -- the attackers also got hold of some encryption keys.

I guess we'll find out if customer losses start coming to light, or if the credit card companies start preparing a lawsuit against Target similar to the one they served against Fifth Third Bancorp and TJX.


Comments: (1)

A Finextra member, 02 January, 2014, 22:12

Why was Target (allegedly) storing both encrypted PIN Blocks and Track 2 data? Makes no sense at all...
