On December 27, 2013, Forbes reported that encrypted PIN data had been stolen in a data breach that occurred between black Friday and December 15th at Target stores.  Specially, the data that was taken was from transactions associated with the check-out point-of-sale (POS) systems where debit cards are used by pay for purchase.

There are some important lessons about this event that are worth highlighting, but first we need a little background on the process of using and processing debit-card transactions.

Debit-card transactions require the customer to enter a PIN after they swipe their card at the point-of-sale.  This process differs from a credit card transaction where the customer signs the signature-capture pad after swiping their card.  From a payment perspective, a debit transaction results in a transfer of funds directly from the customer’s checking account whereas a credit-card transaction results is a “loan” of money from the credit card company to pay for the goods purchased.

Note that the debit cards provide a direct and immediate link to cash in a checking account.  Accordingly, anybody who has a debit card number and the associated PIN has access to all of the cash in the checking account that is linked to the debit card.  As such, debit card information is very appealing to hackers and thieves, especially if they can also obtain the PIN information associated with each card.  There is one other fact to consider – the PIN is not stored on the card (it is only known by the customer and the customer’s bank).

From a system security perspective, when the customer swipes their debit card at the point-of-sale (POS) and enters their PIN number, the PIN is actually encrypted on the device.  If you could put your x-ray glasses on, you would see that the PIN number remains encrypted throughout the POS system, through the store, through the merchant’s (Target’s) infrastructure, and is finally decrypted by the debit card processor.  The encryption key that is used to encrypt the data is unique to the debit terminal (and in most cases unique to the transaction) and is ONLY shared between the debit terminal and the debit processor (as is highlighted by the Target Update).

 

Three Lessons from the Target Hack of Encrypted PIN Data

Enough background already. What does this tell us?

1. Keep your encryption key separate from your encrypted data

The first lesson to take away is simply to keep your encryption key separate from your encrypted data. We know not to write our passwords on the bottom of our keyboard. We know not to put the combination of our safe on a sticky-note on the door to the safe, and we should never allow our encryption keys to be accessed in the same way as we access our data.

2. Encrypted data is absolutely worthless without the key

The second lesson is that encrypted data is absolutely worthless without the key. Presuming that you are using a vetted encryption algorithm (and that you did not build your own), encrypted data thwarts the incentive to steal the data. Simply put, the thief has gone to a lot of effort to steal the data, but once it is known or discovered to be encrypted, the economic value of that data is zilch! In fact, if the hacker knew the data was encrypted, they may have not attempted the breach and avoided the risk of being caught.

3. Encryption is simple and provides high value

The third lesson is that encryption is simple and provides high value. Those low-cost debit terminals at the point-of-sale are able to encrypt data using standards that prevent the data from being disclosed except by authorized individuals. A little forethought into the flow of data, a firm design on what data needs encryption, and a clear decision on who has access to the keys (separate from who can access the data), makes for a very strong data-protection architecture.

If the data was not encrypted and they keys were not separated from the encrypted data (following the rule of “dual-control and split-knowledge”), then Target would have had a much, much bigger problem on their hands (and customers would be out a lot of money).

 

The simple take-away from this event is that Target did things right. Hackers are finding new and innovative ways to penetrate our networks and collect data.  However, good security architectures provide layers of protection (as exemplified by the encryption of debit card PIN data) and nullify the economic value of any information that is stolen.

Lastly, Target is the real benefactor (along with its customers). Because of the breach, Target is now performing a forensic investigation and is taking corrective actions, and the would-be perpetrators have given up one more method for causing a breach.

 

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…