Target Corp of New York was attacked and hacked by hackers’ thereby compromising upto 40 million credit and debit cards also managed to steal the encrypted Personal Identification Number (PIN). Molly Snyder, the Target spokesperson said “no unencrypted PIN data was accessed” and there was no evidence that PIN data has been “compromised.” She confirmed that some “encrypted data” has been stolen, but declined to say if that included any encrypted PINs.
One major U.S. bank fears that the thieves will be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who reacted on the condition of anonymity because the data breach is still under investigation.
The officers are saying that it is very early to come to any conclusion for now as the forensic and criminal investigations are still going on and that there is no reason to believe that PIN data was compromised or not. And that they have not been made aware of any such issue in communications with financial institutions till date.
The No. 3 U.S. retailer said last week that hackers stole data from as many as 40 million cards used at Target stores during the initial 3 weeks of the shopping season, which made it the 2nd largest data breach in U.S. retail history. The attack could end up costing hundreds of millions of dollars, but it is unclear till now that who will bear the expense. While bank customers are not liable for losses because of fraudulent activity on their credit and debit cards, Santander Bank and JPMorgan Chase & Co said they have lowered limits on how much cash customers can take out of teller machines and spend at stores.
JPMorgan has said it was able to reduce inconvenience by giving customers new debit cards printed quickly at many of its branches, and by keeping the bank branches open for extended hours.
Security experts said it is highly unusual for banks to reduce caps on withdrawals, and the move likely reflects any worries that PINs have fallen into criminal hands, even if they are encrypted. While the use of encryption codes may prevent amateur hackers from obtaining the digital keys to customer bank deposits, the main concern is that the coding cannot stop the kind of sophisticated cyber-criminal who was able to infiltrate Target for three weeks.
Daniel Clemens, The CEO of Packet Ninjas, a cyber-security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure whether Target’s PIN encryption was infallible until the investigation is completed.
As an example of security vulnerabilities in PIN encryption, Clemens had once worked for a retailer who hired his firm to hack into its network to find any security vulnerabilities. He was able to access the guarded digital “key” which used to unscramble the encrypted PINs, which he said astonished his client, who thought the data to be secure.
In other cases, hackers can get the PINs by using a tool known as a “RAM scraper,” which captures the PINs while they are temporarily stored in memory, as said by Clemens.
The attack on Target began on Nov. 27th, the day before the Thanks giving holiday, and continued until Dec. 15th. Banks that issue debit and credit cards learned about the breach on Dec. 18th, and Target publicly disclosed the loss of its personal account data on Dec. 19th.
On December 21st, JPMorgan, the largest US bank, alerted 2 million of its debit cardholders that it was lowering the daily limits on ATM withdrawals to $100 and capping store purchases with their cards at $500.
On Monday, the bank partly eased the limits it had imposed on Saturday, setting them at $250 a day for ATM withdrawals and $1,000 a day for purchases. (The usual debit card daily limits are $200 to $500 for cash withdrawals and $500 for purchases, a bank spokesperson said last week.)
On Monday, Santander – a unit of Spain’s Banco Santander – lowered the daily limits on cash withdrawals and purchases on Santander and Sovereign branded debit and credit cards of customers who used them at Target when the breach occurred. Santander, however, didn’t mention the new limits, but said they monitored the accounts and issued new cards to customers who were affected.
The largest breach against a U.S. retailer, discovered at TJX Cos Inc, in 2007 led to the theft of data from more than 90 million credit cards over about 18 months.
This proves in this technology era, nothing is safe from hackers. As this technology is proving boon for some but is showing its negative effects which surely are to be sorted out.
