Target hackers now looking to employ a PIN hacker
Posted by: Timothy Weaver on 01/15/2014 04:52 PM
Target's breach has given the cybercriminals a 50GB dump of encrypted debit card PINs. It would seem to follow that the criminals now need someone to decrypt the information.
IntelCrawler, a security intelligence firm, reports that someone is looking for an accomplice to decipher the PINs. The "PIN hacker" would receive $10 per line of data.
The credit card swipe was a result of the hackers' successful malware-based attack on Target's point-of-sale (PoS) machines.
IntelCrawler has posited that a brute force attack could reveal the data, but Australian outfit Payment Security Consulting concluded that:
The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.
Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.
Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.