Target's security: Better than I thought
The way Target deployed triple DES encryption for debit card PINs makes its statement about the unlikelihood that they were in danger much more believable.
Computerworld - In a column on Saturday, I suggested that Target was being misleading when it told customers that their stolen debit card PINs were not in danger, despite being in the hands of professional cyberthieves. Although Target's phrasing was far more absolute than reality supports, readers of that column who work in retail IT have informed me that the PINs are indeed much better secured than I had thought.
One point I made was that any encryption can be broken, given enough time and compute power. That's true, but some readers argued that the nature of triple DES encryption -- and the way Target deployed it -- makes a brute-force attack pointless. And it's not just a matter of needing a ludicrously large number of computers running for a ludicrously long time. The way Target handles PIN guesses thwarts brute-force efforts to eventually get lucky.
"The practical nature of the implementation of DUKPT (Derived Unique Key Per Transaction key management scheme) in a PIN pad prevents those kinds of attacks," wrote one retail IT security specialist. "The attacker does not get a billion free guesses at entering a PIN: they get exactly one guess, and then the key changes. Furthermore, just in case something like this was attempted, a PCI-certified PIN Entry Device that implements DUKPT must have a built-in limit on its transaction counter: it can encrypt no more than one million transactions, and then it must destroy its internal keys."
Not only does that effectively block a brute-force attack, but it also nicely negates more subtle (and even geekier) attacks, such as trying to work the algorithm backwards by testing attacks on billions of samples, performing differential power analysis on a device, running timing attacks on the algorithm, or even trying to detect RF emissions given off by the CPU during the encryption process. All of those methods would also require the ability to send a large number of possible PINs through the system. Also, based on the breach investigation to date, "there is no evidence that the bad guy set up an RF laboratory or a timing system in a store to capture thousands of these theoretical PIN pad emissions while a customer was shopping," said one source with knowledge of the probe's initial findings.
I also raised the possibility that the thieves might have an inside accomplice, either at Target or at its payment processor, which housed the encryption key. Apparently we can strike the idea that there might have been a weak link at Target itself. Not only was the key not housed within Target's systems, but no one at the retailer seems to have had access to the key. That means the only people who could be bribed or threatened into revealing the key were at the processor.
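As an added illustration (not code from the column, from Target, or from any PIN pad vendor), the Go model below shows the two properties the retail IT specialist describes: each PIN block is encrypted with triple DES under a key that is used for exactly one transaction, and the device destroys its key material once the counter reaches one million. The HMAC-based key derivation and the base key kept inside the device are simplifications assumed here, not the ANSI X9.24 DUKPT derivation; the processor-side function reflects the column's point that only the processor holds the key.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const MaxTransactions = 1_000_000 // counter limit the column cites for a PCI-certified PED

var ErrKeysDestroyed = errors.New("transaction limit reached: keys destroyed")
// PinPad models a DUKPT-style device. Simplification: it keeps the base key and derives each
// transaction key with HMAC, where a real X9.24 device holds only pre-derived future keys.
type PinPad struct {
	baseKey []byte // zeroized once the counter limit is reached
	counter uint32
}

// transactionCipher builds the 3DES cipher (24-byte key = three DES keys) for one counter value.
func transactionCipher(baseKey []byte, counter uint32) cipher.Block {
	mac := hmac.New(sha256.New, baseKey)
	binary.Write(mac, binary.BigEndian, counter)
	block, err := des.NewTripleDESCipher(mac.Sum(nil)[:24])
	if err != nil {
		panic(err) // unreachable: the derived key is always 24 bytes
	}
	return block
}

// EncryptPIN encrypts one 8-byte PIN block under a fresh per-transaction key; each key is used once.
func (p *PinPad) EncryptPIN(pinBlock [8]byte) (ct [8]byte, counter uint32, err error) {
	if p.baseKey == nil {
		return ct, 0, ErrKeysDestroyed
	}
	transactionCipher(p.baseKey, p.counter).Encrypt(ct[:], pinBlock[:])
	counter, p.counter = p.counter, p.counter+1
	if p.counter >= MaxTransactions { // limit reached: destroy the key material
		copy(p.baseKey, make([]byte, len(p.baseKey)))
		p.baseKey = nil
	}
	return ct, counter, nil
}

// DecryptPIN is the processor side: only it holds the base key needed to re-derive a transaction key.
func DecryptPIN(baseKey []byte, counter uint32, ct [8]byte) (pt [8]byte) {
	transactionCipher(baseKey, counter).Decrypt(pt[:], ct[:])
	return pt
}
```

A captured ciphertext can only be checked against the one key derived for its counter value, so a stolen PIN block gives an attacker a single guess rather than an offline oracle.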