Target's Security: Better Than I Thought
The way Target deployed triple DES encryption for debit card PINs makes its statement about the unlikelihood that they were in danger much more believable.
Sun, December 29, 2013
Computerworld — In a column on Saturday, I suggested that Target was being misleading when it told customers that their stolen debit card PINs were not in danger, despite being in the hands of professional cyberthieves. Although Target's phrasing was far more absolute than reality supports, readers of that column who work in retail IT have informed me that the PINs are indeed much better secured than I had thought.
One point I made was that any encryption can be broken, given enough time and compute power. That's true, but some readers argued that the nature of triple DES encryption -- and the way Target deployed it -- makes a brute-force attack pointless. And it's not just a matter of needing a ludicrously large number of computers running for a ludicrously long time. The way Target handles PIN guesses thwarts brute-force efforts to eventually get lucky.
"The practical nature of the implementation of DUKPT (Derived Unique Key Per Transaction key management scheme) in a PIN pad prevents those kinds of attacks," wrote one retail IT security specialist. "The attacker does not get a billion free guesses at entering a PIN: they get exactly one guess, and then the key changes. Furthermore, just in case something like this was attempted, a PCI-certified PIN Entry Device that implements DUKPT must have a built-in limit on its transaction counter: it can encrypt no more than one million transactions, and then it must destroy its internal keys."
Not only does that effectively block a brute-force attack, but it also nicely negates more subtle (and even geekier) attacks, such as trying to work the algorithm backwards by running cryptanalytic tests against billions of samples, performing differential power analysis on a device, mounting timing attacks on the algorithm, or even trying to detect RF emissions given off by the CPU during the encryption process. All of those methods would also require the ability to send a large number of possible PINs through the system. Also, based on the breach investigation to date, "there is no evidence that the bad guy set up an RF laboratory or a timing system in a store to capture thousands of these theoretical PIN pad emissions while a customer was shopping," said one source with knowledge of the probe's initial findings.
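To make the specialist's point concrete, here is a model of a DUKPT-style PIN pad and its processor, added as an illustration and not Target's or any vendor's code. It assumes an HMAC-SHA256 ratchet in place of the X9.24 triple-DES key derivation, a constructed Base Derivation Key, and a configurable counter limit (defaulting to the one-million figure quoted above) so the key-destruction behaviour can be shown.

```python
import hashlib
import hmac

# Added illustration, not Target's or any vendor's code. Real DUKPT (ANSI X9.24) derives per-
# transaction TDES keys from an Initial PIN Encryption Key (IPEK) and a 10-byte Key Serial
# Number (KSN) whose low 21 bits count transactions. This HMAC-SHA256 ratchet is a simplified
# stand-in keeping what the column relies on: one key per use, no BDK in the pad, key destruction.
COUNTER_BITS = 21

def xor_bytes(a: bytes, b: bytes) -> bytes:  # one-time XOR stands in for TDES of the block
    return bytes(x ^ y for x, y in zip(a, b))

def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: PIN field XOR the 12 PAN digits before the check digit."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return xor_bytes(pin_field, bytes.fromhex("0000" + pan[-13:-1]))

def derive_ipek(bdk: bytes, device_id: int) -> bytes:
    # Key injection at the processor: only the IPEK, never the BDK, enters the PIN pad.
    return hmac.new(bdk, device_id.to_bytes(8, "big"), hashlib.sha256).digest()

def ratchet(state: bytes) -> tuple[bytes, bytes]:
    """(8-byte transaction key, next state); old states are unrecoverable from new ones."""
    h = lambda label: hmac.new(state, label, hashlib.sha256).digest()
    return h(b"txn")[:8], h(b"next")

class PinEntryDevice:
    def __init__(self, ipek: bytes, device_id: int, max_transactions: int = 1_000_000):
        self._state, self._device_id, self._counter = ipek, device_id, 0
        self._max = min(max_transactions, 1 << COUNTER_BITS)

    def encrypt_pin(self, pin: str, pan: str) -> tuple[bytes, bytes]:
        if self._state is None:
            raise RuntimeError("counter exhausted: keys zeroised, device needs re-injection")
        # KSN = 59-bit device identity followed by the 21-bit transaction counter
        ksn = ((self._device_id << COUNTER_BITS) | self._counter).to_bytes(10, "big")
        txn_key, self._state = ratchet(self._state)  # this key is used exactly once
        self._counter += 1
        if self._counter >= self._max:
            self._state = None  # destroy keys; this pad can never encrypt another PIN
        return ksn, xor_bytes(iso0_pin_block(pin, pan), txn_key)

def host_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes, pan: str) -> str:
    # The processor rebuilds exactly one transaction key from BDK + KSN and recovers the PIN.
    n = int.from_bytes(ksn, "big")
    state = derive_ipek(bdk, n >> COUNTER_BITS)
    for _ in range(n & ((1 << COUNTER_BITS) - 1)):
        _, state = ratchet(state)
    pin_field = xor_bytes(xor_bytes(ciphertext, ratchet(state)[0]), bytes.fromhex("0000" + pan[-13:-1]))
    return pin_field.hex()[2:2 + (pin_field[0] & 0x0F)]
```

Each captured ciphertext is tied to a single KSN, so a guess checked against one transaction says nothing about the next, and once the counter limit is hit the pad has no key material left to attack.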
I also raised the possibility that the thieves might have an inside accomplice, either at Target or at its payment processor, which housed the encryption key. Apparently we can strike the idea that there might have been a weak link at Target itself. Not only was the key not housed within Target's systems, but no one at the retailer seems to have had access to the key. That means the only people who could be bribed or threatened into revealing the key were at the processor.