Monday, December 30, 2013

The Target breach, Encrypted PINs, and Customer Safety

On Friday I sat down with Jon Erlichman on Bloomberg West to discuss the recent Target breach, what we know, and what risks face consumers.
Timeline of events & what we know
Encryption of PINs
On Friday, December 27th Target revealed that the encrypted PINs had been compromised. The press release includes a few important statements:
  1. Target doesn't have the decryption key - "Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor."
  2. Triple DES encryption - "PIN is encrypted at the keypad with what is known as Triple DES"
  3. Target claims customers are safe - "We remain confident that PIN numbers are safe and secure" and "debit card accounts have not been compromised due to the encrypted PIN numbers being taken" 
Are customers safe?
I'm not surprised to see Target attempting to calm customers' fears with their statements about the security of the PINs. However, I'm not convinced I'd support their optimism about safety. Triple DES encryption, when used correctly, does provide strong encryption, and it would be infeasible to brute force the encryption key. However, even in an ideal use case there are several weaknesses in Triple DES that could impact the effective strength.

What could go wrong with Triple DES?
But when used incorrectly, Triple DES may only provide the illusion of security for these PINs. Here are two scenarios that could put PIN data immediately at risk:
In these situations the encrypted output would be the same if the input (i.e. the PIN) is the same. This allows attackers to analyze the encrypted PIN data and compare the results with a frequency analysis of PIN selection to make reasonable guesses about which encrypted value corresponds to which original PIN. In other words, if the most common encrypted value is "51 91 ca 27 be 68 c2 21" then there's a really good chance the original PIN for those users is 1234.
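The repetition described above can be measured directly. The following is an added example, not code from the original post: a keyed HMAC truncated to 8 bytes stands in for a deterministic cipher (it is not Triple DES), and the key, the PIN sample and the per-record random value used as the contrasting case are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed key for the demo; it plays the role of the processor-held key.
KEY = secrets.token_bytes(16)


def encrypt_deterministic(pin: str) -> bytes:
    """Stand-in for the risky case: same key + same PIN -> same 8 bytes."""
    return hmac.new(KEY, pin.encode(), hashlib.sha256).digest()[:8]


def encrypt_diversified(pin: str) -> bytes:
    """Assumed contrasting case: a fresh random value is mixed into every input."""
    nonce = secrets.token_bytes(8)
    tag = hmac.new(KEY, nonce + pin.encode(), hashlib.sha256).digest()[:8]
    return nonce + tag


def repeat_report(ciphertexts):
    """Return (count of the most common value, number of distinct values)."""
    counts = Counter(ciphertexts)
    return counts.most_common(1)[0][1], len(counts)


def audit(encrypt_fn, pins):
    """Encrypt every PIN with encrypt_fn and report how much the output repeats."""
    return repeat_report([encrypt_fn(p) for p in pins])


# Constructed sample of 1000 PINs with a skewed distribution: a few popular
# choices plus 820 PINs that each occur once (2000..2819).
SAMPLE_PINS = (
    ["1234"] * 100 + ["1111"] * 60 + ["0000"] * 20
    + [f"{n:04d}" for n in range(2000, 2820)]
)

if __name__ == "__main__":
    for name, fn in [("deterministic", encrypt_deterministic),
                     ("diversified", encrypt_diversified)]:
        top, distinct = audit(fn, SAMPLE_PINS)
        print(f"{name:14s} most common value seen {top}x, {distinct} distinct values")
```

With the deterministic stand-in, the popularity of each PIN is visible in the stored values without the key; with a per-record random value, every stored value is unique and the counts carry no information.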

Other indications of concern
Another reason to be cautious about the safety of breached users is the actions taken by Chase. At the height of the Christmas season, Chase bank changed limits for all impacted customers. This may be a cautionary move by Chase with memories of the 2009 RBS WorldPay attack that resulted in the loss of $9 million in a matter of hours. However, such a decision made in the prime spending hours of Christmas must have been thoroughly discussed and must have had supporting information justifying their concerns.

Lastly, we don't know what other information will be uncovered during the investigation, or worse, won't be uncovered because the investigation can't detect it. Target themselves initially reported that PINs were safe and unaffected only to later find out, as their investigation continued, that the encrypted values were stolen.

Advice to Customers
My advice for customers involved is to proactively request new debit cards. Credit card fraud can be easily reversed, but debit card fraud can leave the lost funds inaccessible for a period of time during the dispute.

-Michael Coates - @_mwc