Tuesday, 31 December 2013 10:30

Retail chain Target attacked by hackers


One of the largest US retail chains, Target, founded in 1902, has admitted that unknown attackers stole encrypted PINs from its systems. The stolen data contained customers' names, credit and debit card numbers, and the CCV numbers that are used to activate the card on Target's webpage.

The data of about 40 million of its customers is at risk, even though Target assured consumers that all PINs were encrypted with the Triple DES algorithm. According to security experts, the security of Target's PINs rests on the fact that they are encrypted in the systems of individual stores and remain encrypted on the network until they reach the payment system. To get access to the data, attackers would have to compromise the system of a specific store and capture the PINs before they are encrypted.

Security experts described the attack as highly sophisticated, both in its technological level and in the breadth of the attack, which affected more than 40 million users. There is information that the card numbers are being sold on some Russian forums.

[Ed – this hack actually happened a while ago, but the effects are still being felt as Target and the banks are trying to ensure their customers are safe from potential theft. There is also the question of exactly how the hackers got into the system. At the time of this writing there are many wild theories (including it being an inside job). The most likely method is that the networks for individual stores were compromised, allowing the hackers to gain access to the payment system. In many retail outlets the individual registers and card capture devices are vulnerable if someone can gain access to the network they run over, as they are all IP based. A potential thief just needs to grab the data as it transfers from the register to the central payment processing system and they have you.

Sadly this is a well-documented flaw in most payment systems, but it has not been fully addressed yet. There are many new systems that are in the works, but most of those involve the use of encrypted tokens. These tokens are linked to accounts, but appear random to a would-be thief. The store cannot connect the token to a card or account at their level, which makes them less of a target for attack. Sadly, these systems have their flaws and vulnerabilities as well. All they really do is move the target around the map…]


Read 2542 times Last modified on Tuesday, 31 December 2013 10:35
