Security experts warned yesterday that even though personal identification numbers stolen from consumers' debit cards during Target Corp.'s data breach were "strongly encrypted," they still could be vulnerable to abuse.
Target customers who have not already done so should change their PINs, because such data has been decrypted, or unlocked, before, according to Gartner security analyst Avivah Litan.
"Nothing is infallible," she said. "It's not impossible, not unprecedented (and) has been done before."
Target, which announced Dec. 19 that hackers had gained access to sensitive customer information from up to 40 million debit and credit cards used at its U.S. stores from Nov. 27 to Dec. 15, yesterday confirmed customers' "strongly encrypted" PINs also were stolen.
But the Minneapolis retailer said it was confident the PINs were secure, because the "key" needed to decrypt them is not stored in Target's point-of-sale system and therefore could not have been taken during the cyber attack.
"We remain confident that PIN numbers are safe and secure," spokeswoman Molly Snyder said. "The PIN information was fully encrypted at the keypad, remained encrypted within our system and remained encrypted when it was removed from our system."
When a shopper uses a debit card at Target and enters a PIN, it is encrypted at the keypad with Triple DES, a "highly secure" data encryption standard used broadly in the United States, according to Snyder.
"The PIN information ... can only be decrypted when it is received by our external, independent payment processor," she said.
But there's still potential for hackers to gain access to customers' debit card accounts, said Shane Shook of cyber security firm Cylance Inc., which has investigated some of the biggest cyber breaches. Shook said many debit card holders use easy-to-guess PINs such as 1234 and, in some investigations, he's found more than 20 percent of PINs could easily be guessed.
Target, which is in the early stages of the breach investigation, said it will continue to share information as it's confirmed.
"While we believe their statement is accurate right now, we also know that they're continuing to conduct this forensic analysis," said Eva Velasquez, CEO of the nonprofit Identity Theft Resource Center in San Diego. "It stands to reason as they get deeper into that ... they will uncover more information."
Herald wire services were used in this report.