On December 27, 2013, Forbes reported that encrypted PIN data had been stolen in a data breach that occurred between black Friday and December 15th at Target stores.  Specially, the data that was taken was from transactions associated with the check-out point-of-sale (POS) systems where debit cards are used by pay for purchase.

There are some important lessons about this event that are worth highlighting, but first we need a little background on the process of using and processing debit-card transactions.

Debit-card transactions require the customer to enter a PIN after they swipe their card at the point-of-sale.  This process differs from a credit card transaction where the customer signs the signature-capture pad after swiping their card.  From a payment perspective, a debit transaction results in a transfer of funds directly from the customer’s checking account whereas a credit-card transaction results is a “loan” of money from the credit card company to pay for the goods purchased.

Note that the debit cards provide a direct and immediate link to cash in a checking account.  Accordingly, anybody who has a debit card number and the associated PIN has access to all of the cash in the checking account that is linked to the debit card.  As such, debit card information is very appealing to hackers and thieves, especially if they can also obtain the PIN information associated with each card.  There is one other fact to consider – the PIN is not stored on the card (it is only known by the customer and the customer’s bank).

From a system security perspective, when the customer swipes their debit card at the point-of-sale (POS) and enters their PIN number, the PIN is actually encrypted on the device.  If you could put your x-ray glasses on, you would see that the PIN number remains encrypted throughout the POS system, through the store, through the merchant’s (Target’s) infrastructure, and is finally decrypted by the debit card processor.  The encryption key that is used to encrypt the data is unique to the debit terminal (and in most cases unique to the transaction) and is ONLY shared between the debit terminal and the debit processor (as is highlighted by the Target Update).

 

Three Lessons from the Target Hack of Encrypted PIN Data

Enough background already. What does this tell us?

1. Keep your encryption key separate from your encrypted data

The first lesson to take away is simply to keep your encryption key separate from your encrypted data. We know not to write our passwords on the bottom of our keyboard. We know not to put the combination of our safe on a sticky-note on the door to the safe, and we should never allow our encryption keys to be accessed in the same way as we access our data.

2. Encrypted data is absolutely worthless without the key

The second lesson is that encrypted data is absolutely worthless without the key. Presuming that you are using a vetted encryption algorithm (and that you did not build your own), encrypted data thwarts the incentive to steal the data. Simply put, the thief has gone to a lot of effort to steal the data, but once it is known or discovered to be encrypted, the economic value of that data is zilch! In fact, if the hacker knew the data was encrypted, they may have not attempted the breach and avoided the risk of being caught.

3. Encryption is simple and provides high value

The third lesson is that encryption is simple and provides high value. Those low-cost debit terminals at the point-of-sale are able to encrypt data using standards that prevent the data from being disclosed except by authorized individuals. A little forethought into the flow of data, a firm design on what data needs encryption, and a clear decision on who has access to the keys (separate from who can access the data), makes for a very strong data-protection architecture.

If the data was not encrypted and they keys were not separated from the encrypted data (following the rule of “dual-control and split-knowledge”), then Target would have had a much, much bigger problem on their hands (and customers would be out a lot of money).

 

The simple take-away from this event is that Target did things right. Hackers are finding new and innovative ways to penetrate our networks and collect data.  However, good security architectures provide layers of protection (as exemplified by the encryption of debit card PIN data) and nullify the economic value of any information that is stolen.

Lastly, Target is the real benefactor (along with its customers). Because of the breach, Target is now performing a forensic investigation and is taking corrective actions, and the would-be perpetrators have given up one more method for causing a breach.

 

More from Data Protection

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today