Retailer a Target in theft of PINs
Target says debit-card PINs were among the financial information stolen from millions of customers who shopped at the US retailer this month.
The company said the stolen personal identification numbers, which customers type into keypads to make secure transactions, were encrypted — strongly reducing risk to customers.
In addition to the encrypted PINs, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of the cards were stolen from about 40 million credit and debit cards used at Target stores between November 27 and December 15.
Security experts said it was the second-largest theft of card accounts in US history, surpassed only by a scam that began in 2005 involving retailer TJX Cos.
Spokeswoman Molly Snyder said: “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”
However, Gartner security analyst Avivah Litan said the PINs for the affected cards were vulnerable and people should change their codes as such data had been decrypted before.
In 2009 computer hacker Albert Gonzalez pleaded guilty to conspiracy, wire fraud and other charges after masterminding debit and credit card breaches in 2005 targeting several retailers. Gonzalez’s group was able to unlock encrypted data.
Litan said changes had been made to make decrypting more difficult but “nothing is infallible”.
Besides changing their PIN, Litan said shoppers should instead opt to use their signature to approve transactions. But she said Target did “as much as could be reasonably expected” in this case. “It’s a leaky system to begin with,” she said.
Credit card companies in the US plan to replace magnetic strips with digital chips by late 2015, a system already common in Europe and Australia that makes data theft more difficult.