Target: Customers' encrypted PINs were stolen
Source: AP
Target said Friday that debit-card PINs were among the financial information stolen from millions of customers who shopped at the retailer earlier this month.
The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted and that this strongly reduces risk to customers. In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on back of the cards were stolen from about 40 million credit and debit cards used at Target stores between Nov. 27 and Dec. 15.
Security experts say it's the second-largest theft of card accounts in U.S. history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said in an emailed statement Friday. "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
Read more: http://www.sfgate.com/business/personal-finance/article/Target-Customers-encrypted-PINs-were-stolen-5096237.php
bananas
(27,509 posts)
Xipe Totec
(43,889 posts)
If so, you can kiss off whatever assurances you hear from Target.
LiberalEsto
(22,845 posts)
Remind me not to shop at Tar-JAY again.
SeattleVet
(5,477 posts)
Right after getting hacked, they always tighten everything down. It's all the other places you have to worry about...
(but Target isn't necessarily the best place to shop, regardless.)
LiberalEsto
(22,845 posts)
I usually go to yard sales, thrift shops, dollar stores or Big Lots.
Kingofalldems
(38,443 posts)
use my pin, I have no worries?
mascarax
(1,528 posts)
Really, the best thing to do is call your issuer and get a new card with a different number.
Ruby the Liberal
(26,219 posts)
Call them and tell them that you feel compromised and need them to reissue it. Better safe than sorry.
We reissued all impacted cards by default, but not all banks are doing that. Be proactive about it - and NEVER use a debit card on the internet (PSA).
Brigid
(17,621 posts)
Saying they were sending me a new card shortly. I have a feeling it had to do with this.
Ruby the Liberal
(26,219 posts)
where they will cancel your existing card in 10-14 days after sending the new one. If they are being proactive about this, this is normally part of the plan. They don't tell you, they just do it.
When you get the new one, authenticate it ASAP and take the old card to a branch and ask them to shred it.
blkmusclmachine
(16,149 posts)
YOHABLO
(7,358 posts)
woo me with science
(32,139 posts)
their story has been changing, so I wouldn't necessarily trust that.
They were claiming very recently that the PINS hadn't been accessed, and now they admit they were: http://www.democraticunderground.com/10024200309
pothos
(154 posts)
take this whopping 10% off coupon and just keep moving along...
dflprincess
(28,075 posts)
I had managed to change my PIN on their website last week but I didn't feel like that was enough.
I also had my bank card replaced as I'd used that once at Target during the period. But that was easier to do - I just walked into a branch office, told them I'd used my card at Target and before I could get another word out was told "Let's replace it to be safe." They gave me a temporary card on the spot that will work until the permanent card gets here.
seabeckind
(1,957 posts)
rather than expending effort up front to correct the problem.
One more example. If I remember a while back, BP lied about the impact of their "accident" until they no longer could get away with it and in the end cost US so much more.
Tobacco companies lied about their products and cost us even lives.
And the list goes on.
In the end the "justice" department will demand restitution (of pennies on the dollar) then allow the company to pass on the penalty to the taxpayer, put the penalty into the budget, etc,
meanwhile, we the people get nothing but grief, inconvenience, and little restitution.
And are told that we should be more careful in how WE do things. That somehow it was our fault for trusting a company to do the things they said they would do.
LiberalFighter
(50,834 posts)
I would think it would be lost in space after the card has been approved instead of stored.
Jesus Malverde
(10,274 posts)
They stole all data off the pad, I'm not sure what Target says is the whole truth.
The breach was big enough a bank is going to restrict cards at Christmas...seems pretty huge and wide open.
In theory Target should never have access to the pin number, just the merchant.
As George Bush says...."Just send (use) cash"
Maedhros
(10,007 posts)
were compromised. This has happened before (e.g. Michael's Arts & Crafts and Hancock Fabrics stores) and involves swapping out the existing terminals for modified terminals to which the criminals have added additional electronic components. This is presently the only way to gather unencrypted PINs.
The Target compromise involves the compromise of a server receiving and forwarding card data. Any PINs in transit were encrypted before actually leaving the merchant terminal.
It's unlikely that the encryption on the PINs has been cracked. If it had, then massive numbers of PIN transactions (e.g. ATM withdrawals) would by now have been made using the compromised cards. Criminals know that there is a clock ticking for each card they steal, and they typically try and cash out as much and as quickly as possible before the cards are blocked. So far the fraud associated with the compromise appears to be POS (i.e. "point of sale" = non-PIN) transactions.
A key issue to understand is whether the card data was being stored long-term. According to VISA rules, card data is to be stored only so long as to complete the transaction at hand. Years ago Office Max got hit with this type of compromise and it was determined that they were keeping card data for marketing analysis, in violation of VISA rules. The Payment Card Industry Data Security Standard is an attempt by the credit card companies to self-regulate the industry, and it obviously hasn't been entirely successful.
If the resulting fraud is POS purchases, rather than PIN transactions, then Federal Regulation Z allows the cardholder's bank to dispute the fraudulent transactions and charge them back to the originating merchant. Given the expense of mitigation for this incident, it seems likely that Target may face legal action from both affected financial institutions as well as merchants facing large losses.