Target’s 3DES Encryption Statement: What Does It Tell Us? What Information is Missing? And Where Does PCI Apply?

December 31, 2013 • Published Categories Industry Topics Tags , , , , , , ,

On December 27, Target issued an official statement about hackers’ access to encrypted debit card PIN data along with the payment card numbers accessed during its breach event.

Some have wondered whether Target’s claims regarding the encrypted PIN codes are accurate. Although Target has not provided us with enough details to make a firm assertion that they are in fact accurate, there is nothing in their statement to indicate they are inaccurate, either. The details they have disclosed all seem to align with what we know is true about the payment workflow: Customer PIN codes are encrypted on the keypad using encryption keys stored in a limited-feature Hardware Security Module (HSM), and the encrypted PINs are sent to Target’s payment processor, where they are validated in an HSM on the processor side. In other words, neither the unencrypted PIN data nor the encryption keys ever touch any of Target’s systems.

Can the stolen debit PINs be hacked?
The Target statement indicates that their in-store payments are transacted utilizing a data encryption standard called Triple DES (also known as 3DES). There is nothing wrong with 3DES itself, but it does matter which keying option was employed by the payments processor. 3DES provides 56, 112, or 168 bits of security depending on the keying option used. 56 bits would obviously be quite weak, but 168 bits is quite strong. Target does not state what keying option the payments processor used, but there is nothing to indicate they were using a weak keying option.

Furthermore, it is impossible to actually decrypt the data without the decryption keys. Since the keys never resided on any of Target’s systems, and only resided in an HSM on the keypads themselves, there was no opportunity for the attackers to steal the keys. Thus the attackers must brute force the keys if they wish to decrypt the data, which is practically an impossible task as long as the key strength is 112 or 168 bits.

But all of this is moot. The important thing is that the PINs were encrypted, which, regardless of strength, is enough to buy some time to notify everyone affected by the breach. The public needs to work on the assumption that the PINs are already recovered, and anyone affected by the breach needs to change their PINs immediately, regardless of how impossible we feel it may be to crack the encryption keys.

Where does the PCI DSS come in?
Additional commentary by Chris Bucolo

The payments industry has recognized 3DES as an industry standard for some time. In fact, according to the Payment Card Industry Glossary, 3DES is “strong cryptography.” So, based on the above assessment of Target’s Dec 27 statement, where is the company possibly liable?

It’s highly likely that PIN security will not be the area where Target will have big liability exposure. Nothing is certain, of course, until the forensic audit results are in.

The Payment Card Industry Data Security Standard (PCI DSS) is designed to address all the key areas of payment card processing security: The payment application, the card processing equipment/systems and the overall environment of the card accepting business. All these aspects need to be understood and dealt with when attempting to ensure a PCI-compliant status is in place for any organization.

Since it is prohibited to store sensitive information like the PIN information after the transaction is authorized, it is logical to assume that the hackers may have obtained that data while the transaction was “in transit” as opposed to sitting at rest in a database.

Large organizations have more complexity and more points of potential vulnerability to deal with. Many of the attacks we see in today’s world involve the human element in order to succeed, whether they are knowingly involved or not.

To the extent that the processes are reliant on third parties, it is equally important to understand the compliance status of any service provided by those entities. In the payments world, they are referred to as “service providers.” Target made it clear in their announcement that they were relying on third parties for the security of the PIN data. This is very common in the payments world, where so many parties are involved in the handling of a payment card transaction.

The latest version of the PCI DSS (version 3.0) puts additional focus on the contractual relationships with these critical service providers. Organizations will be well served by looking closely at these relationships in the New Year.

Leave a Comment