Pages

Friday, December 27, 2013

Target: I'm calling bullshit!

Target got hacked.  Many times companies perform a triage as fast as they can when they are penetrated in such a manner.  I thought Target was pretty forthcoming in that they seemed to make public the incident fairy quickly.  That being said, I'm calling bullshit on the PINs not being exposed.

Their press release seems to not understand that there are different types of encryption that apply for different uses. 

http://money.cnn.com/2013/12/27/technology/target-pin/

Target wants the public to believe that the pins were not exposed.  They claim that the encryption renders the PIN safe.  The PINs were protected with 3DES.  3DES is a symmetric algorithm.  One key performs both encryption and decryption.  The PIN gets encrypted at the POS terminal, and remains encrypted through Targets internal systems until it is presented to the processor.  Then the processor decrypts it.  Original indications were that the breach was at the POS terminal, instead of the a central system that stores the card transactions.  Since we know the 3DES key is present on the POS term and the POS term is where the breach occurs, I would submit that the PINs are far from safe.  Potentially this key could be encrypted on the terminal, however, in memory it would have to be unencrypted to perform the encryption of the pin. 

I am not a designer of these POS systems, so I am not privy to all the safe guards employed at the POS Terminal.  All I'm pointing out is the type of encryption they are claiming to use seems inconsistent with the amount of security that a symmetric algorithm provides.