Target's security: Better than I thought

The way Target deployed triple DES encryption for debit card PINs makes its statement about the unlikelihood that they were in danger much more believable.

In a column on Saturday, I suggested that Target was being misleading when it told customers that their stolen debit card PINs were not in danger, despite being in the hands of professional cyberthieves. Although Target's phrasing was far more absolute than reality supports, readers of that column who work in retail IT have informed me that the PINs are indeed much better secured than I had thought.

One point I made was that any encryption can be broken, given enough time and compute power. That's true, but some readers argued that the nature of triple DES encryption -- and the way Target deployed it -- makes a brute-force attack pointless. And it's not just a matter of needing a ludicrously large number of computers running for a ludicrously long time. The way Target handles PIN guesses thwarts brute-force efforts to eventually get lucky.

"The practical nature of the implementation of DUKPT (Derived Unique Key Per Transaction key management scheme) in a PIN pad prevents those kinds of attacks," wrote one retail IT security specialist. "The attacker does not get a billion free guesses at entering a PIN: they get exactly one guess, and then the key changes. Furthermore, just in case something like this was attempted, a PCI-certified PIN Entry Device that implements DUKPT must have a built-in limit on its transaction counter: it can encrypt no more than one million transactions, and then it must destroy its internal keys."

Not only does that effectively block a brute-force attack, but it also nicely negates more subtle (and even geekier) attacks, such as trying to work the algorithm backwards by testing billions of samples, performing differential power analysis on a device, mounting timing attacks on the algorithm, or even detecting RF emissions given off by the CPU during encryption. All of those methods would also require the ability to send a large number of possible PINs through the system. Also, based on the breach investigation to date, "there is no evidence that the bad guy set up an RF laboratory or a timing system in a store to capture thousands of these theoretical PIN pad emissions while a customer was shopping," said one source with knowledge of the probe's initial findings.

I also raised the possibility that the thieves might have an inside accomplice, either at Target or at its payment processor, which housed the encryption key. Apparently we can strike the idea that there might have been a weak link at Target itself. Not only was the key not housed within Target's systems, but no one at the retailer seems to have had access to the key. That means the only people who could be bribed or threatened into revealing the key were at the processor.

But that was also blocked by the nature of DUKPT. "The key is generally stored offline, with only an operational copy loaded into the processor's hardware security module," said the retail IT security specialist. "Depending on the specific hardware security module they own, it can be split between a set of smart cards that each requires independent passwords to access. An attacker would have to identify all of the people who each independently hold their fractions of the key and successfully bribe or coerce all of them to turn over their smart cards and their passwords. Although this is technically much easier than breaking the encryption, that still doesn't make it particularly easy, practical, or even realistic."
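To make the two properties the specialist describes concrete (one key per transaction with a hard transaction limit at the PIN pad, and a base key split into components held by different people at the processor), here is a simplified model written for this column. It is an added illustration, not Target's, a vendor's, or a conforming ANSI X9.24 DUKPT implementation: real DUKPT encrypts with triple DES and derives keys from a 21-bit counter through a tree-structured scheme, whereas this model substitutes an HMAC-SHA256 keystream for the block cipher and a linear hash chain for the derivation. The BDK, device ID, PIN block bytes and the XOR component split are all constructed for the example.

```python
"""Simplified DUKPT-style PIN-pad key management (added illustration only;
not Target's, a vendor's, or a conforming ANSI X9.24 implementation)."""
import hashlib
import hmac
import os
from functools import reduce

# The column states a PCI-certified PED must stop after one million transactions.
COUNTER_LIMIT = 1_000_000


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way keyed function used for every derivation step in this model."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_initial_key(bdk: bytes, device_id: bytes) -> bytes:
    """Key injected into one PIN pad, derived one-way from the processor's
    Base Derivation Key (BDK) so the pad never holds the BDK itself."""
    return _prf(bdk, b"initial-key|" + device_id)


def encrypt_pin_block(txn_key: bytes, pin_block: bytes) -> bytes:
    """Stand-in for 3DES: XOR the 8-byte PIN block with a key-derived stream."""
    stream = _prf(txn_key, b"pin-block")
    return bytes(p ^ s for p, s in zip(pin_block, stream))


decrypt_pin_block = encrypt_pin_block  # XOR with the same stream inverts it


class PinPad:
    """Holds only the current chain key and ratchets it after every use, so
    the state inside the pad cannot reproduce any key it has already used."""

    def __init__(self, initial_key: bytes, device_id: bytes, limit: int = COUNTER_LIMIT):
        self.device_id = device_id
        self._chain = initial_key
        self.counter = 0
        self.limit = limit

    def encrypt_pin(self, pin_block: bytes) -> tuple[bytes, bytes]:
        if self._chain is None:
            raise RuntimeError("transaction limit reached; keys destroyed")
        self.counter += 1
        txn_key = _prf(self._chain, b"txn")       # key used for exactly one PIN
        self._chain = _prf(self._chain, b"next")  # one-way step to the next key
        ksn = self.device_id + self.counter.to_bytes(4, "big")  # key serial number
        if self.counter >= self.limit:
            self._chain = None                    # destroy internal keys
        return ksn, encrypt_pin_block(txn_key, pin_block)


def processor_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """The processor's HSM rebuilds any transaction key from the BDK and the
    KSN alone (linear walk here; real DUKPT uses a tree to keep this cheap)."""
    device_id, counter = ksn[:-4], int.from_bytes(ksn[-4:], "big")
    chain = derive_initial_key(bdk, device_id)
    for _ in range(counter - 1):
        chain = _prf(chain, b"next")
    return _prf(chain, b"txn")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, parts: int) -> list[bytes]:
    """XOR-split the BDK into components for separate smart-card holders;
    any subset short of all of them is uniformly random and says nothing."""
    comps = [os.urandom(len(key)) for _ in range(parts - 1)]
    comps.append(reduce(_xor, comps, key))
    return comps


def combine_key(comps: list[bytes]) -> bytes:
    return reduce(_xor, comps)


def demo(limit: int = 3) -> dict:
    """Exercise the properties with a constructed BDK and sample PIN block."""
    bdk = hashlib.sha256(b"constructed-demo-bdk").digest()    # constructed
    pad = PinPad(derive_initial_key(bdk, b"PED00001"), b"PED00001", limit)
    pin_block = bytes.fromhex("041234ffffffffff")              # constructed sample
    ksn1, ct1 = pad.encrypt_pin(pin_block)
    ksn2, ct2 = pad.encrypt_pin(pin_block)
    k1 = processor_txn_key(bdk, ksn1)
    shares = split_key(bdk, 3)
    results = {
        "processor_recovers_pin": decrypt_pin_block(k1, ct1) == pin_block,
        "same_pin_different_ciphertext": ct1 != ct2,
        "txn1_key_useless_for_txn2": decrypt_pin_block(k1, ct2) != pin_block,
        "all_components_rebuild_bdk": combine_key(shares) == bdk,
        "two_of_three_do_not": combine_key(shares[:2]) != bdk,
    }
    pad.encrypt_pin(pin_block)  # third and final permitted transaction
    try:
        pad.encrypt_pin(pin_block)
        results["limit_enforced"] = False
    except RuntimeError:
        results["limit_enforced"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The design point is in `PinPad.encrypt_pin`: the key that encrypted a PIN is gone from the device the moment the transaction completes, so a captured device, or a device used as an oracle, yields one guess per key rather than a billion, and the counter cap bounds even that. `demo()` runs with a limit of three so the destruction step is visible; the real limit is the page's one million.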

This is all good, for several reasons. Although Target phrased things to make its PIN security sound absolute -- which is never true in security -- its actual implementation was quite impressive. Nothing is perfect, but Target's PIN protections -- thanks to how it deployed triple DES, the fact that it used it at all, and its decision not to house the key anywhere on its premises -- come impressively close.

We still don't know exactly how the attackers broke in, and that will shed light on how well thought out the rest of Target's payment security was.

Many have pointed to this incident as a reason why retailers should rush to embrace EMV, often implemented as chip and PIN. In Target's defense, current payment industry rules require the transmission of payment card data (not the PIN, but the rest of the card's data) in the clear. A move to EMV would help make U.S. payments meaningfully more secure, but that's mostly because it would facilitate all data being encrypted.

EMV is more secure than the magstripe method the U.S. uses, but many retailers would rather make that hugely disruptive and expensive move to an even more secure approach. Some mobile payment approaches -- which have not gone very far -- hold the promise of security much more stringent than is offered by EMV. Retailers are hoping to either embrace mobile or an EMV next-generation package.

Ideally, those will also be bundled with much lower fees than the current interchange program. Retailers have also been waiting to see how a handful of court and legislative matters dealing with interchange fees -- such as the retail interchange legal settlement -- would turn out.

With those cases wrapping up and Target providing some recent evidence that retailers can likely wait no more, EMV and mobile are going to be getting a lot more examinations. Until then, though, many may want to look at Target, which -- at least as far as PIN security is concerned -- seems to have gotten a heck of a lot right.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek and eWeek. Evan can be reached at and he can be followed at Look for his column every Tuesday.
