Target: Deceive first, answer questions later
Issuing deceptive statements is no way to win back customers' trust. That's a lesson for anyone who might find itself in Target's position someday.
Computerworld - For Target to get beyond its data breach disaster, it needs to regain the trust of its shoppers. Mystifyingly, it has opted to issue statements that are, at best, misleading. Some tiptoe beyond misleading, since the chain had to know they were untrue when it issued them.
The latest example came Friday, when Target confirmed that encrypted PIN data was stolen. Then came the whopper: "The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
Of course those debit card accounts have been compromised. Webster's dictionary defines compromise as exposing something "to risk or danger." When personal identification numbers that give full access to someone's bank account are in the hands of experienced and sophisticated cyberthieves, I think it's safe to say that those bank accounts are indeed exposed to risk or danger. How could anyone argue otherwise?
Target's statement emphasized that the cards were triple DES encrypted and that the encryption key was not stored in Target's systems. It added that the data "can only be decrypted when it is received by our external, independent payment processor."
First off, Target's people know well that any encryption can be broken, if the attacker spends enough time and has enough compute power. It may not be easy, but it can certainly be done. Triple DES is an excellent encryption option, but nothing is unbreakable. Therefore, saying that the data "can only be decrypted" by its payment processor is untrue.
Target should be applauded for not storing that encryption key anywhere on its system. Having it stored solely at its payment processor is also a good move, but processors' systems can be broken into as well. Indeed, given that they have data from a huge number of retailers, it's an especially attractive target.
So, in theory, how could the attacker get access to the PINs? First, a brute-force cracking effort on the encrypted data might work. Second, the key might be grabbed by an attack on the processor's systems, as has happened in the past. Third, there might be a Target insider -- or a processor insider -- who could give up the key for money. Or who might be tricked into giving it up, via social engineering, which cyberthieves love.
Had Target simply said that the stolen PINs were fully encrypted so there's an excellent chance that they won't be accessible, that would be fine. It could have also truthfully added, "We currently have not seen proof that the bad guys have in fact deciphered these PINs. We've also not seen any evidence that they haven't."
More by Evan Schuman
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Evan Schuman: Transparency about data retention requires knowing what you have
- Evan Schuman: Your data exposed -- Delta, Facebook, others latest to fall into mobile app trap
- Evan Schuman: Get ready, IT; here comes the Internet of Things
- Evan Schuman: Bluetooth bras and bumping bozos
- Evan Schuman: App testing and sins of omission
- Evan Schuman: Fear of Glass
- Evan Schuman: Hijacked by social media
- Evan Schuman: Starbucks sat on its clear-text password problem for months
- Evan Schuman: Starbucks releases security fix for mobile app
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts