On December 27, 2013, Forbes reported that encrypted PIN data had been stolen in a data breach that occurred between black Friday and December 15th at Target stores. Specially, the data that was taken was from transactions associated with the check-out point-of-sale (POS) systems where debit cards are used by pay for purchase.
There are some important lessons about this event that are worth highlighting, but first we need a little background on the process of using and processing debit-card transactions.
Debit-card transactions require the customer to enter a PIN after they swipe their card at the point-of-sale. This process differs from a credit card transaction where the customer signs the signature-capture pad after swiping their card. From a payment perspective, a debit transaction results in a transfer of funds directly from the customer’s checking account whereas a credit-card transaction results is a “loan” of money from the credit card company to pay for the goods purchased.
Note that the debit cards provide a direct and immediate link to cash in a checking account. Accordingly, anybody who has a debit card number and the associated PIN has access to all of the cash in the checking account that is linked to the debit card. As such, debit card information is very appealing to hackers and thieves, especially if they can also obtain the PIN information associated with each card. There is one other fact to consider – the PIN is not stored on the card (it is only known by the customer and the customer’s bank).
From a system security perspective, when the customer swipes their debit card at the point-of-sale (POS) and enters their PIN number, the PIN is actually encrypted on the device. If you could put your x-ray glasses on, you would see that the PIN number remains encrypted throughout the POS system, through the store, through the merchant’s (Target’s) infrastructure, and is finally decrypted by the debit card processor. The encryption key that is used to encrypt the data is unique to the debit terminal (and in most cases unique to the transaction) and is ONLY shared between the debit terminal and the debit processor (as is highlighted by the Target Update).
Three Lessons from the Target Hack of Encrypted PIN Data
Enough background already. What does this tell us?
1. Keep your encryption key separate from your encrypted data
The first lesson to take away is simply to keep your encryption key separate from your encrypted data. We know not to write our passwords on the bottom of our keyboard. We know not to put the combination of our safe on a sticky-note on the door to the safe, and we should never allow our encryption keys to be accessed in the same way as we access our data.
2. Encrypted data is absolutely worthless without the key
The second lesson is that encrypted data is absolutely worthless without the key. Presuming that you are using a vetted encryption algorithm (and that you did not build your own), encrypted data thwarts the incentive to steal the data. Simply put, the thief has gone to a lot of effort to steal the data, but once it is known or discovered to be encrypted, the economic value of that data is zilch! In fact, if the hacker knew the data was encrypted, they may have not attempted the breach and avoided the risk of being caught.
3. Encryption is simple and provides high value
The third lesson is that encryption is simple and provides high value. Those low-cost debit terminals at the point-of-sale are able to encrypt data using standards that prevent the data from being disclosed except by authorized individuals. A little forethought into the flow of data, a firm design on what data needs encryption, and a clear decision on who has access to the keys (separate from who can access the data), makes for a very strong data-protection architecture.
If the data was not encrypted and they keys were not separated from the encrypted data (following the rule of “dual-control and split-knowledge”), then Target would have had a much, much bigger problem on their hands (and customers would be out a lot of money).
The simple take-away from this event is that Target did things right. Hackers are finding new and innovative ways to penetrate our networks and collect data. However, good security architectures provide layers of protection (as exemplified by the encryption of debit card PIN data) and nullify the economic value of any information that is stolen.
Lastly, Target is the real benefactor (along with its customers). Because of the breach, Target is now performing a forensic investigation and is taking corrective actions, and the would-be perpetrators have given up one more method for causing a breach.