Timeline of events & what we know
- 12/19 Target acknowledges breach of credit card and debit card data used in stores between Nov. 27 and Dec. 15, 2013
- 12/20 Target update indicates PINs are not at risk: "At this time, there is no indication that there has been any impact to PIN numbers."
- 12/21 Chase Bank changes debit card daily limits for impacted customers to $100 cash withdrawals and $300 for purchases. This impacts 2 million Chase accounts
- 12/27 Target update reverses initial statement on 12/20 and confirms that additional investigation shows that encrypted PINs were stolen
- 12/29 Chase Bank maintains limits on impacted accounts but raises daily limits to $250 cash withdrawal and $1500 purchase
On Friday, December 27th, Target revealed that the encrypted PINs had been compromised. The press release includes a few important statements:
- Target doesn't have the decryption key - "Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor."
- Triple DES encryption - "PIN is encrypted at the keypad with what is known as Triple DES"
- Target claims customers are safe - "We remain confident that PIN numbers are safe and secure" and "debit card accounts have not been compromised due to the encrypted PIN numbers being taken"
I'm not surprised to see Target attempting to calm customers' fears with their statements about the security of the PINs. However, I'm not convinced I'd share their optimism. Triple DES, when used correctly, does provide strong encryption, and brute-forcing the encryption key would be infeasible. However, even in an ideal use case there are several weaknesses in Triple DES that could reduce its effective strength.
What could go wrong with Triple DES?
When used incorrectly, however, Triple DES may provide only the illusion of security for these PINs. Here are two scenarios that could put the PIN data immediately at risk:
- Triple DES encryption is configured in Electronic Code Book (ECB) mode, or
- Triple DES encryption is configured in Cipher Block Chaining (CBC) mode but reuses the same initialization vector (IV) to encrypt every PIN
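To show concretely why those two configurations matter, here is an added example (my own code, not Target's or its payment processor's) using Go's standard-library Triple DES: under ECB, and under CBC with one fixed IV, two cards that share a PIN produce byte-identical ciphertext, so equal PINs are recognisable in a stolen dump without ever recovering the key, whereas a fresh random IV per PIN removes that signal. The key, the fixed IV, the PIN block layout and the mode names are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
)

// Constructed demo values: a real PIN-pad key lives in the keypad's secure hardware
// (per Target, not at the merchant); fixedIV models a "same IV for every PIN" setup.
var (
	demoKey = []byte("0123456789abcdefghijklmn")
	fixedIV = []byte{1, 2, 3, 4, 5, 6, 7, 8}
	tdes, _ = des.NewTripleDESCipher(demoKey) // 24-byte key, so err is always nil
)

// pinBlock pads a PIN into one 8-byte DES block (constructed layout, not ISO 9564).
func pinBlock(pin string) []byte {
	b := make([]byte, des.BlockSize)
	copy(b, pin)
	return b
}

// EncryptPIN encrypts one PIN block under 3DES: iv == nil selects ECB, otherwise CBC,
// whose first block is E(pin XOR iv), so a fixed IV leaks PIN equality just like ECB.
func EncryptPIN(pin string, iv []byte) []byte {
	out := make([]byte, des.BlockSize)
	if iv == nil {
		tdes.Encrypt(out, pinBlock(pin))
	} else {
		cipher.NewCBCEncrypter(tdes, iv).CryptBlocks(out, pinBlock(pin))
	}
	return out
}

// randomIV draws a fresh IV per PIN; crypto/rand.Read never returns an error (Go 1.24+).
func randomIV() []byte { iv := make([]byte, des.BlockSize); rand.Read(iv); return iv }

// LeaksPINEquality encrypts PIN "1234" for two different cards under the named IV
// policy and reports whether the ciphertexts alone reveal that the PINs match.
func LeaksPINEquality(mode string) bool {
	newIV := map[string]func() []byte{
		"ecb":           func() []byte { return nil },
		"cbc-fixed-iv":  func() []byte { return fixedIV },
		"cbc-random-iv": randomIV,
	}[mode] // an unknown mode panics here, which is the intended failure
	return bytes.Equal(EncryptPIN("1234", newIV()), EncryptPIN("1234", newIV()))
}
```

Expected result: `LeaksPINEquality` returns true for "ecb" and "cbc-fixed-iv" and false for "cbc-random-iv"; the key is never needed to reach that conclusion.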
Other indications of concern
Another reason to be cautious about the safety of breached users is the action taken by Chase. At the height of the Christmas season, Chase changed the limits for all impacted customers. This may be a precautionary move by Chase with memories of the 2009 RBS WorldPay attack, which resulted in the loss of $9 million in a matter of hours. However, a decision made in the prime spending hours of Christmas must have been thoroughly discussed and backed by information justifying their concerns.
Lastly, we don't know what other information will be uncovered during the investigation or, worse, won't be uncovered because the investigation can't detect it. Target themselves initially reported that PINs were safe and unaffected, only to find out later, as their investigation continued, that the encrypted values had been stolen.
Advice to Customers
My advice to customers involved is to proactively request new debit cards. Credit card fraud can be easily reversed, but debit card fraud can leave the lost funds inaccessible for a period of time while the dispute is resolved.
-Michael Coates - @_mwc