Earlier this month, Target disclosed that 40 million credit cards used at its retail locations were compromised in the second-largest retail data breach in U.S. history. Now the company, its customers and even hackers selling the stolen credit card information are dealing with the fallout, and everyone — with the possible exception of the criminals who pulled off the stunt and Brian Krebs, who broke the story and is flexing his cyber security bona fides on the Target crime beat — is worse off. Here's a quick roundup of how the Target debacle is affecting every identifiable party involved.
The Customers: Bank PINs may have been stolen
Target customers were, to put it lightly, disappointed to learn that their credit card information was compromised during the busiest shopping season of the year. Making matters worse for consumers, banks enacted an unorthodox withdrawal and spending cap on debit cards due to the scope of the crime — and possibly because the theft may be even more severe than Target is reporting. According to Reuters, a source familiar with the situation revealed that whoever stole the credit card info also nabbed encrypted personal identification numbers (PINs). The theft of encrypted data would increase the scope of the crime significantly, as hackers could unscramble the encrypted code and use it to withdraw funds from victims' accounts. This breach would help explain why banks would take the drastic measure of restraining use of ATM cards. Reuters elaborates:
Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed. As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.
Target has denied that any unencrypted PIN information was stolen, though spokeswoman Molly Snyder did say that some "encrypted data" was accessed, adding, "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date."
Target: Called out for negligence
Though Target has made an effort to ease the burden on affected customers, many are unimpressed by its response. Shoppers — some of whom have taken up a class-action lawsuit against the retailer — received a paltry 10 percent discount for their troubles, in addition to free credit-monitoring services. Target lost customers, and is cooperating with the Department of Justice investigation of the breach, though it says it is not being investigated itself.
The store has been criticized by lawmakers, as well. Senator Robert Menendez accused the chain of caring about "the bottom line" over its patrons and urged the Federal Trade Commission to issue a harsh punishment to the company, saying that "people need to know that they aren't going to get ripped off shopping, either by silent hackers or by the merchants themselves." Senator Richard Blumenthal also chimed in, writing in a letter to the FTC that "given the scope and duration of Target's recent data breach, it appears that Target may have failed to employ reasonable and appropriate security measures to protect personal information." The senators hope the FTC will look into security measures across retail shops in general, dragging Target to the center of a larger campaign.
The Hacker: Tracked down and exposed
Krebs took it upon himself to track down at least one vendor of the private data, and did so in a spectacularly intricate fashion. The cyber security expert details the virtual chase on his blog, where he outs Ukrainian hacker Andrew Hodirevski for manning the site rescator.la, which has been selling data stolen during the Target breach. Krebs tracked down Hodirevski, known online as Rescator, by looking up personal information Rescator has offered about himself on the web, including a braggy confession that he served as an administrator of the defunct hacker forum darklife.ws. Photos of Helkren, his Darklife nom de guerre, were posted to Darklife by rival hackers. Krebs retrieved the images, along with some of Helkren's user names across other sites, and matched them to social media profiles linked to Hodirevski. Krebs did not hesitate to post some (fairly embarrassing) information culled from the social media sites to his blog — like a list of his goals, including world domination — as well as an IM conversation he had with a contact (kaddafi.me) who works with Hodirevski. The sting is about as hacker-nerdy as you would hope:
(2:05:17 PM) kaddafi.me: What’s all the commotion about Rescator anyways?
(2:05:20 PM) krebs//: well i have a story about him going up tomorrow
(2:05:23 PM) kaddafi.me: Did you even notice other shops are selling same shit?
(2:05:32 PM) krebs//: sure
(2:05:46 PM) krebs//: but I’m not looking at other shops right now
(2:06:05 PM) kaddafi.me: Well you should )
(2:06:10 PM) krebs//: in time
Eventually, kaddafi.me offered Krebs a $10,000 bribe not to run the story, and we can imagine he's not super pleased that Krebs did.
Update: Target admitted today that encrypted PINs were, in fact, stolen in the hack. The company said in a statement:
While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed. We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.
The company added, however, that it is still confident that victims' private information will remain safe because it does not store the encryption key within its system, meaning the means of decryption could not have been stolen. The company says [emphasis theirs]:
When a guest uses a debit card in our stores and enters a PIN, the PIN is encrypted at the keypad with what is known as Triple DES. Triple DES encryption is a highly secure encryption standard used broadly throughout the U.S. Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.