Target's security: Better than I thought
The way Target deployed triple DES encryption for debit card PINs makes its statement about the unlikelihood that they were in danger much more believable.
Computerworld - In a column on Saturday, I suggested that Target was being misleading when it told customers that their stolen debit card PINs were not in danger, despite being in the hands of professional cyberthieves. Although Target's phrasing was far more absolute than reality supports, readers of that column who work in retail IT have informed me that the PINs are indeed much better secured than I had thought.
One point I made was that any encryption can be broken, given enough time and compute power. That's true, but some readers argued that the nature of triple DES encryption -- and the way Target deployed it -- makes a brute-force attack pointless. And it's not just a matter of needing a ludicrously large number of computers running for a ludicrously long time. The way Target handles PIN guesses thwarts brute-force efforts to eventually get lucky.
"The practical nature of the implementation of DUKPT (Derived Unique Key Per Transaction key management scheme) in a PIN pad prevents those kinds of attacks," wrote one retail IT security specialist. "The attacker does not get a billion free guesses at entering a PIN: they get exactly one guess, and then the key changes. Furthermore, just in case something like this was attempted, a PCI-certified PIN Entry Device that implements DUKPT must have a built-in limit on its transaction counter: it can encrypt no more than one million transactions, and then it must destroy its internal keys."
Not only does that effectively block a brute-force attack, but it also nicely negates more subtle (and even geekier) attacks, such as trying to work the algorithm backwards by testing attacks on billions of samples, performing differential power analysis on a device, running timing attacks on the algorithm or even trying to detect the RF emissions given off by the CPU during the encryption process. All of those methods would also require the ability to send a large number of possible PINs through the system. Also, based on the breach investigation to date, "there is no evidence that the bad guy set up an RF laboratory or a timing system in a store to capture thousands of these theoretical PIN pad emissions while a customer was shopping," said one source with knowledge of the probe's initial findings.
I also raised the possibility that the thieves might have an inside accomplice, either at Target or at its payment processor, which housed the encryption key. Apparently we can strike the idea that there might have been a weak link at Target itself. Not only was the key not housed within Target's systems, but no one at the retailer seems to have had access to the key. That means the only people who could be bribed or threatened into revealing the key were at the processor.
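As an added example (not from the column, and not Target's or any vendor's actual code), here is a simplified Python model of the two properties described above: one fresh key per transaction with a counter ceiling at which the device destroys its keys, and processor-side rederivation from the key serial number. It assumes HMAC-SHA256 as a stand-in for the X9.24 derivation and an XOR keystream as a stand-in for triple DES.

```python
import hashlib
import hmac

# Constructed, simplified model of a DUKPT-style PIN entry device (PED). It is
# not the ANSI X9.24 derivation: HMAC-SHA256 stands in for the non-reversible
# key derivation and a hash-derived keystream stands in for the triple DES
# PIN-block encryption. The ceiling is the one-million-transaction limit.
MAX_TRANSACTIONS = 1_000_000


class KeysDestroyed(RuntimeError):
    """The PED has exhausted its counter and zeroized its keys."""


def _ratchet(key: bytes) -> bytes:
    # One-way step: the next device key cannot be reversed to the previous one.
    return hashlib.sha256(b"ratchet" + key).digest()


def _transaction_key(device_key: bytes, ksn: bytes) -> bytes:
    # Per-transaction key bound to the key serial number (device id + counter).
    return hmac.new(device_key, ksn, hashlib.sha256).digest()


def _xor_pin_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for 3DES: XOR the block with a keystream from the transaction key.
    stream = hashlib.sha256(b"pinblock" + key).digest()[: len(block)]
    return bytes(a ^ b for a, b in zip(block, stream))


class PinEntryDevice:
    def __init__(self, initial_key: bytes, device_id: bytes, limit: int = MAX_TRANSACTIONS):
        self._key, self._device_id, self._limit = initial_key, device_id, limit
        self.counter = 0

    def encrypt_pin(self, pin: str) -> tuple[bytes, bytes]:
        """Return (ksn, ciphertext): one fresh key per call, then the key changes."""
        if self._key is None or self.counter >= self._limit:
            self._key = None  # at the ceiling the device destroys its keys
            raise KeysDestroyed("transaction counter exhausted")
        ksn = self._device_id + self.counter.to_bytes(4, "big")
        block = pin.encode().ljust(8, b"\xff")  # constructed padding, not ISO format
        ct = _xor_pin_block(_transaction_key(self._key, ksn), block)
        self._key, self.counter = _ratchet(self._key), self.counter + 1
        return ksn, ct


def processor_decrypt(initial_key: bytes, ksn: bytes, ct: bytes) -> str:
    """Host side: the processor holds the initial key and rederives from the KSN."""
    key = initial_key
    for _ in range(int.from_bytes(ksn[-4:], "big")):
        key = _ratchet(key)
    return _xor_pin_block(_transaction_key(key, ksn), ct).rstrip(b"\xff").decode()
```

Because the device ratchets its key forward after every transaction and never holds the processor's initial key, a captured ciphertext tells an attacker nothing about the key used for the next transaction, which is the "exactly one guess" property the specialist describes.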
More by Evan Schuman