Woes at Target Continue – and other security breaches revealed


The trouble at Target continues post-Christmas as the details of the theft of data for 40 million credit and debit cards are shared.

Yesterday news agency Reuters began reporting that the PIN data was stolen.

“(Reuters) – The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.”

Target responded by saying that there was no evidence that unencrypted PIN data had been compromised, and no evidence that PIN data had been compromised.

But how hard could it be for determined hackers to decrypt a 4-digit PIN that is purely numerical? There are only 10,000 possible combinations. If a hacker were smart enough to have run his/her own card through the system and maybe one or two others, and could then see a few known PINs in encrypted form, it would seem a relatively straightforward exercise to create a software program and use brute force to reverse engineer the encryption.

Another method to acquire that data could have been to hack into an in-store video surveillance system and record customers as they use their cards and enter their PINs. Or even to have worked as a cashier and simply watched enough customers to learn some PINs and matched them to card numbers. Acquiring enough data to break the system seems not all that hard to do. So, no surprise that banks have lowered credit card limits and ATM withdrawal limits.

Meanwhile, as a regular and even enthusiastic credit card user (I do love those airline and hotel miles…), and now one who is much more concerned – as I suppose I should have been all along – I am going to see if I can change the settings on my credit cards to email me after every use of my card. That’s probably the earliest warning system possible.

“Chip and PIN” (EMV) – credit cards with chips on them that require a PIN for each use – is due to arrive in 2015 in the United States. I, for one, would welcome it now. Even if it took retailers a full year to roll out the needed equipment, I would start using the card with a chip on it immediately and preferentially.

Memo to Master, Visa, Amex – how about taking the initiative here and offering chipped cards to US consumers AS AN OPTION… voluntary, right now? I’ll bite. And I’ll pull that card out first, at every store I go to!

Finally – speaking of security breaches – in a monumental demonstration of government stupidity and corporate greed, this week it was reported that RSA, the well-known security company, took a $10 million payoff from the NSA (National Security Agency) to use a weaker encryption method in a security product widely used in industry, including, I am told, our own defense industry. Since it is obvious that weaker security could potentially allow penetration not just by our own government, but by our enemies, the NSA unarguably weakened the security of our entire country. Read more about that here. What actions should we, as citizens, take about the RSA breach of trust? How about a permanent boycott of RSA (the parent company could disband it), a 50% reduction in funding for the NSA, and throwing those Senators who are responsible for oversight of the NSA off that committee.

As for Target, they have my sympathies… there is a Super Target about five miles from me and I shop there occasionally – it’s a great store. Hope you get it all under control soon.

 

About the Author

Editorial Team

PointOfSale.com is a leading industry news site for the point of sale and payments industry. We are also the go-to resource for small business owners that want expert tips and inspiration on how to run a successful business. Collectively, our team of experts has decades of POS, payments, and small business experience.