Target: Deceive first, answer questions later
Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday.
Computerworld - For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them.
The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?
Target's statement emphasized that the cards were triple DES encrypted and that the encryption key was not stored in Target's systems. It added that the data "can only be decrypted when it is received by our external, independent payment processor."
First off, Target's people know well that any encryption can be broken, if the attacker spends enough time and has enough compute power. It may not be easy, but it can certainly be done. Triple DES is an excellent encryption option, but nothing is unbreakable. Therefore, saying that the data "can only be decrypted" by its payment processor is untrue.
Target should be applauded for not storing that encryption key anywhere on its system. Having it stored solely at its payment processor is also a good move, but processors' systems can be broken into as well. Indeed, given that they have data from a huge number of retailers, it's an especially attractive target.
So, in theory, how could the attacker get access to the PINs? First, a brute-force cracking effort on the encrypted data might work. Second, the key might be grabbed by an attack on the processor's systems, as has happened in the past. Third, there might be a Target insider -- or a processor insider -- who could give up the key for money. Or who might be tricked into giving it up, via social engineering, which cyberthieves love.
Had Target simply said that the stolen PINs were fully encrypted so there's an excellent chance that they won't be accessible, that would be fine. It could have also truthfully added, "We currently have not seen proof that the bad guys have in fact deciphered these PINs. We've also not seen any evidence that they haven't."
More by Evan Schuman
- Evan Schuman: Barnes & Noble plays into Amazon's hands
- Evan Schuman: The data dangers of free public Wi-Fi
- Evan Schuman: What if you can't trust your inbox?
- Evan Schuman: Supreme Court on obvious patents: Common sense isn't so horrible
- Evan Schuman: Do you know the people you're following on Twitter? Neither does Twitter, apparently
- Evan Schuman: Is Google forgetting that interactivity pays its bills?
- Evan Schuman: Killer robots? What could go wrong? Oh, yeah ...
- Evan Schuman: One law to rule all data breaches -- but let's make it a real law
- Evan Schuman: Snapchat's reputation is vanishing (unlike its images)
- Evan Schuman: Snapchat's latest feature shows why IT must tame marketing's inner monster
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!