Target Hackers Got PINs, Too
But Target thinks they're safely encrypted
By Kevin Spak, Newser User
Posted Dec 27, 2013 2:28 PM CST
In this 2008 file photo, a customer signs his credit card receipt at a Target store in Tallahassee, Fla.   (AP Photo/Phil Coale, File)

(Newser) – Ever since news broke of Target's massive security breach, the retailer has said that customers' PIN and debit card data hadn't been stolen. Today, it admitted that actually, it had been—which, according to the Minneapolis Star Tribune, makes the stolen cards significantly more likely to be fraudulently cloned. But Target says it's "confident that PIN numbers are safe and secure" because they were tightly encrypted.

That means to read them, thieves would need a key that Target says never even existed in its system—the second customers put in their number, it was encrypted and sent to a third-party payment processor. An independent security expert tells CNNMoney that it would be "difficult or impossible to decrypt" Target's algorithm without that key. But an anonymous executive for a major US bank tells Reuters that they're worried nonetheless, and JPMorgan and Santander have both lowered their limits on ATM withdrawals as a precaution.

Showing 3 of 25 comments
Dec 29, 2013 9:31 PM CST
Target should be held responsible for this and anyone who used their card at Target since this happened should be monetarily compensated. We (customers) don't get to say hey we are sorry the next time in I promise to buy & pay 10% more for your troubles. But Target believes that's fair for them to give you 10% off their 70 to 100% markup. Fact is that is more of an advertisement than a sincere apology.
Jon Q. Publix
Dec 29, 2013 7:31 AM CST
The part I don't get --- I thought Visa and MasterCard standards prohibited the storage of this information? My understanding was that PINs were supposed to be encrypted at the device and used only for across the wire verification at the point of purchase. Why, for what purpose, was Target storing this information on their servers? Were they planning to ring up a few sales later when no one was looking?
Dec 29, 2013 3:32 AM CST
Every bank's website now has a warning about Target. That can't be good for business.