On December 27, 2013, Forbes reported that encrypted PIN data had been stolen in a data breach that occurred between Black Friday and December 15th at Target stores.  Specifically, the data that was taken came from transactions at the check-out point-of-sale (POS) systems where customers pay for purchases with debit cards.

There are some important lessons about this event that are worth highlighting, but first we need a little background on the process of using and processing debit-card transactions.

Debit-card transactions require the customer to enter a PIN after they swipe their card at the point-of-sale.  This process differs from a credit card transaction, where the customer signs the signature-capture pad after swiping their card.  From a payment perspective, a debit transaction results in a transfer of funds directly from the customer’s checking account, whereas a credit-card transaction results in a “loan” of money from the credit card company to pay for the goods purchased.

Note that the debit cards provide a direct and immediate link to cash in a checking account.  Accordingly, anybody who has a debit card number and the associated PIN has access to all of the cash in the checking account that is linked to the debit card.  As such, debit card information is very appealing to hackers and thieves, especially if they can also obtain the PIN information associated with each card.  There is one other fact to consider – the PIN is not stored on the card (it is only known by the customer and the customer’s bank).

From a system security perspective, when the customer swipes their debit card at the point-of-sale (POS) and enters their PIN, the PIN is encrypted on the device itself.  If you could put your x-ray glasses on, you would see that the PIN remains encrypted throughout the POS system, through the store, through the merchant’s (Target’s) infrastructure, and is finally decrypted only by the debit card processor.  The encryption key used to encrypt the data is unique to the debit terminal (and in most cases unique to the transaction) and is ONLY shared between the debit terminal and the debit processor (as is highlighted by the Target Update).
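The flow just described, written out as an added example that is not code from the article, from Target, or from any payment vendor: the terminal builds an ISO 9564 format-0 PIN block, encrypts it under a key that is unique to that terminal and that transaction, the merchant stores and forwards ciphertext it cannot read, and only the processor, which holds the same base key, recovers and verifies the PIN. The per-transaction key derivation is a deliberately simplified stand-in for DUKPT (ANSI X9.24), which derives keys through a one-way tree so a compromised terminal cannot recover earlier keys; the HMAC-based keystream stands in for the block cipher a real terminal would use. The base key, card number, PIN, terminal id and bank record are all constructed sample values. It also illustrates the first lesson below, since the party holding the data (the merchant) never holds the key.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed sample values: a base derivation key (BDK) injected into the
# terminal at provisioning and held otherwise only by the debit processor.
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
SAMPLE_PAN = "4000001234567899"   # constructed card number, not a real account


def pan_field(pan: str) -> bytes:
    """ISO 9564 format-0 PAN field: 0000 + rightmost 12 PAN digits, check digit excluded."""
    return bytes.fromhex("0000" + pan[-13:-1])


def format0_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block: control nibble 0, PIN length, PIN digits, F padding, XORed with the PAN field."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, pan_field(pan)))


def decode_format0_pin_block(block: bytes, pan: str) -> str:
    """Reverse of format0_pin_block; rejects blocks that do not parse (wrong key, wrong PAN, corruption)."""
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    n = int(pin_field[1], 16)
    pin, pad = pin_field[2:2 + n], pin_field[2 + n:]
    if not (4 <= n <= 12 and pin.isdigit() and pad == "F" * len(pad)):
        raise ValueError("PIN block failed to parse")
    return pin


def transaction_key(bdk: bytes, terminal_id: str, counter: int) -> bytes:
    """Unique key per terminal and per transaction (simplified stand-in for DUKPT)."""
    return hmac.new(bdk, f"{terminal_id}:{counter}".encode(), hashlib.sha256).digest()


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """One-time keystream from the per-transaction key; a real terminal would run a block cipher here."""
    stream = hmac.new(key, b"pin-block", hashlib.sha256).digest()[: len(block)]
    return bytes(a ^ b for a, b in zip(block, stream))


decrypt_block = encrypt_block  # XOR with the same one-time keystream


@dataclass
class Terminal:
    terminal_id: str
    bdk: bytes          # injected at provisioning; never exported
    counter: int = 0

    def accept_pin(self, pan: str, pin: str) -> dict:
        """Encrypts the PIN inside the device; the clear PIN never leaves this method."""
        self.counter += 1
        key = transaction_key(self.bdk, self.terminal_id, self.counter)
        return {"terminal_id": self.terminal_id, "counter": self.counter, "pan": pan,
                "enc_pin_block": encrypt_block(key, format0_pin_block(pin, pan))}


@dataclass
class Merchant:
    """The store's infrastructure: logs and forwards ciphertext, holds no key at all."""
    log: list = field(default_factory=list)

    def forward(self, msg: dict) -> dict:
        self.log.append(dict(msg))
        return msg


@dataclass
class Processor:
    bdk: bytes
    pins_on_file: dict  # constructed bank records: PAN -> PIN

    def verify(self, msg: dict) -> bool:
        """Re-derives the transaction key, decrypts, and compares against the PIN on file."""
        key = transaction_key(self.bdk, msg["terminal_id"], msg["counter"])
        pin = decode_format0_pin_block(decrypt_block(key, msg["enc_pin_block"]), msg["pan"])
        return hmac.compare_digest(pin, self.pins_on_file.get(msg["pan"], ""))


def run_demo() -> dict:
    """Two purchases with the same card and PIN through one lane; ciphertexts differ, both verify."""
    terminal = Terminal("LANE-07", BDK)
    merchant = Merchant()
    processor = Processor(BDK, {SAMPLE_PAN: "1234"})
    m1 = merchant.forward(terminal.accept_pin(SAMPLE_PAN, "1234"))
    m2 = merchant.forward(terminal.accept_pin(SAMPLE_PAN, "1234"))
    return {"first_ok": processor.verify(m1), "second_ok": processor.verify(m2),
            "ciphertexts_differ": m1["enc_pin_block"] != m2["enc_pin_block"]}


if __name__ == "__main__":
    print(run_demo())
```

Because the key changes every transaction, two swipes with the same card and PIN produce unrelated ciphertexts, so the merchant's log yields nothing that can be replayed or compared; everything that would let an attacker recover a PIN lives in the terminal's secure hardware and at the processor.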


Three Lessons from the Target Hack of Encrypted PIN Data

Enough background already. What does this tell us?

1. Keep your encryption key separate from your encrypted data

The first lesson to take away is simply to keep your encryption key separate from your encrypted data. We know not to write our passwords on the bottom of our keyboard. We know not to put the combination of our safe on a sticky-note on the door to the safe, and we should never allow our encryption keys to be accessed in the same way as we access our data.

2. Encrypted data is absolutely worthless without the key

The second lesson is that encrypted data is absolutely worthless without the key. Presuming that you are using a vetted encryption algorithm (and that you did not build your own), encrypted data thwarts the incentive to steal the data. Simply put, the thief has gone to a lot of effort to steal the data, but once it is known or discovered to be encrypted, the economic value of that data is zilch! In fact, if the hacker knew the data was encrypted, they may have not attempted the breach and avoided the risk of being caught.

3. Encryption is simple and provides high value

The third lesson is that encryption is simple and provides high value. Those low-cost debit terminals at the point-of-sale are able to encrypt data using standards that prevent the data from being disclosed except by authorized individuals. A little forethought into the flow of data, a firm design on what data needs encryption, and a clear decision on who has access to the keys (separate from who can access the data), makes for a very strong data-protection architecture.

If the data had not been encrypted, or if the keys had not been kept separate from the encrypted data (the rule of “dual control and split knowledge”), then Target would have had a much, much bigger problem on their hands (and customers would be out a lot of money).
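What “dual control and split knowledge” means in practice, as an added example that is not code from the article or from any HSM vendor: a key is split into XOR components so that each custodian holds one, any subset of fewer than all components is statistically indistinguishable from random and reveals nothing, and the key-load ceremony refuses to proceed unless every custodian is present and the resulting key check value (KCV) matches. The SHA-256 prefix used as a KCV is a stand-in for the zero-block encryption real HSMs use, and the custodian names and key are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass


def split_key(key: bytes, custodians: int) -> list:
    """Split a key into n XOR components; any n-1 of them are uniformly random."""
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for p in parts:                       # last component = key XOR all the random ones
        last = bytes(a ^ b for a, b in zip(last, p))
    return parts + [last]


def xor_all(values) -> bytes:
    acc = None
    for v in values:
        acc = v if acc is None else bytes(a ^ b for a, b in zip(acc, v))
    return acc


def key_check_value(key: bytes) -> str:
    """Stand-in KCV (SHA-256 prefix); HSMs derive it by encrypting a zero block."""
    return hashlib.sha256(key).hexdigest()[:6]


@dataclass
class Component:
    custodian: str
    value: bytes


class KeyCeremony:
    """Models an HSM key-load ceremony: each custodian enters only their own component,
    and the combined key exists only inside the device (here: loaded_key)."""

    def __init__(self, required: int, expected_kcv: str):
        self.required = required
        self.expected_kcv = expected_kcv
        self._entered = {}
        self.loaded_key = None

    def enter(self, component: Component) -> None:
        if component.custodian in self._entered:
            raise ValueError(f"{component.custodian} already entered a component")
        self._entered[component.custodian] = component.value

    def load(self) -> str:
        """Combine components; refuse unless all custodians are present and the KCV matches."""
        if len(self._entered) < self.required:
            raise PermissionError(f"{len(self._entered)} of {self.required} custodians present")
        key = xor_all(self._entered.values())
        kcv = key_check_value(key)
        if kcv != self.expected_kcv:
            raise ValueError("KCV mismatch: wrong or incomplete components")
        self.loaded_key = key
        return kcv  # only the check value is shown to the operators


def run_demo() -> dict:
    """Full ceremony succeeds; two of three custodians are refused and hold nothing useful."""
    key = secrets.token_bytes(16)       # constructed master key
    comps = [Component(n, v) for n, v in zip(["alice", "bob", "carol"], split_key(key, 3))]
    full = KeyCeremony(3, key_check_value(key))
    for c in comps:
        full.enter(c)
    full.load()
    partial = KeyCeremony(3, key_check_value(key))
    for c in comps[:2]:
        partial.enter(c)
    try:
        partial.load()
        refused = False
    except PermissionError:
        refused = True
    return {"loaded_matches": full.loaded_key == key,
            "partial_refused": refused,
            "two_components_equal_key": xor_all(c.value for c in comps[:2]) == key}


if __name__ == "__main__":
    print(run_demo())
```

The same separation applies to the processor's base key from the earlier flow: the people who can read the ciphertext database and the people who hold key components should be disjoint groups, so that no single insider, and no single stolen system, yields both.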


The simple take-away from this event is that Target did things right. Hackers are finding new and innovative ways to penetrate our networks and collect data.  However, good security architectures provide layers of protection (as exemplified by the encryption of debit card PIN data) and nullify the economic value of any information that is stolen.

Lastly, Target is the real beneficiary (along with its customers). Because of the breach, Target is now performing a forensic investigation and is taking corrective actions, and the would-be perpetrators have given up one more method for causing a breach.
