In a column on Saturday, I suggested that Target was being misleading when it told customers that their stolen debit card PINs were not in danger, despite being in the hands of professional cyberthieves. Although Target's phrasing was far more absolute than reality supports, readers of that column who work in retail IT have informed me that the PINs are indeed much better secured than I had thought.
One point I made was that any encryption can be broken, given enough time and compute power. That's true, but some readers argued that the nature of triple DES encryption -- and the way Target deployed it -- makes a brute-force attack pointless. And it's not just a matter of needing a ludicrously large number of computers running for a ludicrously long time. The way Target handles PIN guesses thwarts brute-force efforts to eventually get lucky.
"The practical nature of the implementation of DUKPT (Derived Unique Key Per Transaction key management scheme) in a PIN pad prevents those kinds of attacks," wrote one retail IT security specialist. "The attacker does not get a billion free guesses at entering a PIN: they get exactly one guess, and then the key changes. Furthermore, just in case something like this was attempted, a PCI-certified PIN Entry Device that implements DUKPT must have a built-in limit on its transaction counter: it can encrypt no more than one million transactions, and then it must destroy its internal keys."
Not only does that effectively block a brute-force attack, but it also nicely negates more subtle (and even geekier) attacks, such as trying to work the algorithm backwards by testing attacks on billions of samples or performing differential power analysis on a device, timing attacks on the algorithm or even trying to detect RF emissions given off by the CPU during the encryption process. All of those methods would also require the ability to send a large number of possible PINs through the system. Also, based on the breach investigation to date, "there is no evidence that the bad guy set up an RF laboratory or a timing system in a store to capture thousands of these theoretical PIN pad emissions while a customer was shopping," said one source with knowledge of the probe's initial findings.
I also raised the possibility that the thieves might have an inside accomplice, either at Target or at its payment processor, which housed the encryption key. Apparently we can strike the idea that there might have been a weak link at Target itself. Not only was the key not housed within Target's systems, but no one at the retailer seems to have had access to the key. That means the only people who could be bribed or threatened into revealing the key were at the processor.
But that was also blocked by the nature of DUKPT. "The key is generally stored offline, with only an operational copy loaded into the processor's hardware security module," said the retail IT security specialist. "Depending on the specific hardware security module they own, it can be split between a set of smart cards that each requires independent passwords to access. An attacker would have to identify all of the people who each independently hold their fractions of the key and successfully bribe or coerce all of them to turn over their smart cards and their passwords. Although this is technically much easier than breaking the encryption, that still doesn't make it particularly easy, practical, or even realistic."
This is all good, for several reasons. Although Target phrased things to make its PIN security sound absolute -- which is never true in security -- its actual implementation was quite impressive. Nothing is perfect, but Target's PIN protections -- thanks to how it handled triple DES and the fact that it used it in the first place in addition to not housing the key anywhere on its premises -- come impressively close.
We still don't know exactly how the attackers broke in, and that will shed light on how well thought out the rest of Target's payment security was.
Many have pointed to this incident as a reason why retailers should rush to embrace EMV, often implemented as chip and PIN. In Target's defense, current payment industry rules require the transmission of payment card data (not the PIN, but the rest of the card's data) in the clear. A move to EMV would help make U.S. payments meaningfully more secure, but that's mostly because it would facilitate all data being encrypted.
EMV is more secure than the magstripe method the U.S. uses, but many retailers would rather make that hugely disruptive and expensive move to an even more secure approach. Some mobile payment approaches -- which have not gone very far -- hold the promise of security much more stringent than is offered by EMV. Retailers are hoping to either embrace mobile or an EMV next-generation package.
Ideally, those will also be bundled with much lower fees than the current interchange program. Retailers have also been waiting to see how a handful of court and legislative matters dealing with interchange fees -- such as the retail interchange legal settlement -- ended up.
With those cases wrapping up and Target providing some recent evidence that retailers can likely wait no more, EMV and mobile are going to be getting a lot more examinations. Until then, though, many may want to look at Target, which -- at least as far as PIN security is concerned -- seems to have gotten a heck of a lot right.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at firstname.lastname@example.org and he can be followed at twitter.com/eschuman. Look for his column every Tuesday.
Read more about security in Computerworld's Security Topic Center.