Target hackers stole encrypted bank PINs

ATTENTION TARGET SHOPPERS: The data theft is thought to be the second-largest in U.S. history. Photo: Associated Press

By Jim Finkle and David Henry

BOSTON/NEW YORK (Reuters) – The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.

One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation.

Target spokeswoman Molly Snyder said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” was stolen, but declined to say if that included encrypted PINs.

“We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date,” Snyder said by email. “We are very early in an ongoing forensic and criminal investigation.”

The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the first three weeks of the holiday shopping season, making it the second-largest data breach in U.S. retail history.

Target has not said how its systems were compromised, though it described the operation as “sophisticated.” The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

While bank customers are typically not liable for losses because of fraudulent activity on their credit and debit cards, JPMorgan Chase & Co and Santander Bank said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.

The unprecedented move has led to complaints from consumer advocates about the inconvenience it caused from the late November Thanksgiving holiday into the run-up to Christmas. But sorting out account activity after a fraudulent withdrawal could take a lot more time and be worse for customers.

JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping branches open for extended hours. A Santander spokeswoman was not available for comment on Tuesday.

Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects worries that PINs have fallen into criminal hands, even if they are encrypted.

“That’s a really extreme measure to take,” said Avivah Litan, a Gartner analyst who specializes in cyber security and fraud detection. “They definitely found something in the data that showed there was something happening with cash withdrawals.”

BREAKING THE CODE

While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the concern is that the coding cannot stop the kind of sophisticated cyber criminal who was able to infiltrate Target for three weeks.

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target’s PIN encryption was infallible until the investigation is completed.

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer that hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital “key” used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

In other cases, hackers can get PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, Clemens said.

The attack on Target began on November 27, the day before the Thanksgiving holiday, and continued until Dec. 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on Dec. 19.

On Dec. 21, JPMorgan, the largest U.S. bank, alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.

On Monday, the bank partly eased the limits it had imposed on Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases. (The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokeswoman said last week.)

On Monday, Santander – a unit of Spain’s Banco Santander – followed suit, lowering the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred. Santander did not disclose the new limits, but said it was monitoring the accounts and issuing new cards to customers who were affected.

The largest breach against a U.S. retailer, uncovered in 2007 at TJX Cos Inc, led to the theft of data from more than 90 million credit cards over about 18 months.

(Reporting by Jim Finkle in Boston and David Henry in New York, Additional reporting by Dhanya Skariachan in New York; Writing by Paritosh Bansal, Editing by Tiffany Wu and Grant McCool)
