While the mass media are overflowing with duplicate information about the Target breach, other card data breaches are taking place silently as we speak about the Target event. This confirms that the Target breach is not an exception: PCI data security standards are ineffective, and credit/debit card payment processing technology is insecure by design.
Affinity Gaming card data breach
LAS VEGAS, December 20, 2013 - Affinity Gaming ("Affinity") has confirmed an unauthorized intrusion into the system that processes customer credit and debit cards for its casinos, and is issuing this public notice of the data security incident and encouraging individuals who visited its gaming facilities between March 14th and October 16th of 2013 to take steps to protect their identities and financial information.
Briar Group card data breach
December 27, 2013 by admin
To our valued customers:
As you may be aware, in mid-November a number of residents and visitors to the Boston area learned that they were the victims of credit card data theft. As soon as the Briar Group became aware that our restaurants – and therefore our customers – may have been a target of this crime, we undertook an immediate investigation into this issue. Today we are reporting that the Briar Group’s systems were indeed infiltrated. The investigation remains active and ongoing, but there are some things that we can tell you now.
There is much speculation regarding the possibility of a debit PIN data breach at Target, based on information recently posted by Reuters. I would like to comment on those statements.
1. "The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation."
Probability: High. If either the stores or the data centers were breached, it is very possible that encrypted PIN blocks were intercepted as part of the communication between the PED (PIN entry device) and the POS (point of sale) machine, or between the POS and the payment gateway/processor.
2. "One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation."
Probability: Medium to Low. Cracking the encrypted PINs would require special knowledge and the availability of a large amount of ciphertext from a single source (PED). Target (like most other US retailers) encrypts debit PINs using TDEA (also known as "Triple DES") and a key management scheme called DUKPT (Derived Unique Key Per Transaction). One of the advantages of DUKPT is that it generates a new encryption key (also known as a "session" or "future" key) for each transaction, so the encryption key is unique for each card swipe. Even if a single session key is compromised, it does not compromise other sessions (transactions, or cards). In addition, each PED is injected with a unique terminal key (also known as the "initial key", or "IPEK"), so even if a single terminal's key is compromised, it does not compromise other PED devices.
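To make the DUKPT properties above concrete, here is an added Python model (example code written for this page; it is not from the original post and not Target's, any vendor's, or the X9.24 reference implementation). It keeps the shape of the scheme described in the text: a base derivation key (BDK) held only by the host, a per-terminal IPEK injected into each PED, a per-transaction session key derived from the IPEK and a counter, and a key serial number (KSN) sent in the clear so the host can re-derive the same key. Two things are deliberate stand-ins and are marked as such in the comments: HMAC-SHA256 replaces the TDEA-based derivation (the Python standard library has no DES), and a simplified KSN layout of a 7-byte terminal id plus a 3-byte counter replaces the standard's 21-bit counter field. The ISO 9564 format-0 PIN block construction is the real one. The BDK, terminal ids, PAN and PIN are constructed test values. The model also illustrates the point made under item 4 below: the clear PIN exists only inside the PED-side function and the host/HSM-side function, never on the wire or in the POS.

```python
import hmac
import hashlib

# Constructed sample values (not from any real deployment):
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")  # base derivation key, host HSM only
TERMINAL_ID = bytes.fromhex("FFFF9876543210")             # identifies one PED (7 bytes, simplified)


def prf(key: bytes, data: bytes) -> bytes:
    """One-way key derivation stand-in. Real DUKPT (ANSI X9.24) uses TDEA here;
    HMAC-SHA256 is used only because the standard library has no DES. Returns 16 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def derive_ipek(bdk: bytes, terminal_id: bytes) -> bytes:
    """Initial PIN Encryption Key, unique per PED: the key injected into the terminal's TRSM."""
    return prf(bdk, b"IPEK" + terminal_id)


def derive_session_key(ipek: bytes, counter: int) -> bytes:
    """Per-transaction key: a one-way function of the IPEK and the transaction counter,
    so one session key reveals nothing about the others."""
    return prf(ipek, b"SESSION" + counter.to_bytes(3, "big"))


def ksn(terminal_id: bytes, counter: int) -> bytes:
    """Key serial number sent in clear with the ciphertext (simplified 10-byte layout)."""
    return terminal_id + counter.to_bytes(3, "big")


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: PIN field XOR PAN field, both 8 bytes.
    PAN field = 0000 + the rightmost 12 PAN digits excluding the check digit."""
    pin_field = bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def pin_from_block(block: bytes, pan: str) -> str:
    """Inverse of iso0_pin_block: strip the PAN field and read the length nibble."""
    pan_field = bytes.fromhex("0000" + pan[:-1][-12:])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def encrypt_block(session_key: bytes, block: bytes) -> bytes:
    """Stand-in for TDEA encryption of the 8-byte PIN block under the session key.
    Since a session key is never reused, XOR with its first 8 bytes acts as a one-time
    pad here; the same call decrypts. Real PEDs use TDEA inside the TRSM."""
    return bytes(a ^ b for a, b in zip(block, session_key[:8]))


def ped_encrypt_pin(ipek: bytes, terminal_id: bytes, counter: int, pin: str, pan: str):
    """What the PED emits to the POS: (KSN, encrypted PIN block). Clear PIN stays in here."""
    k = derive_session_key(ipek, counter)
    return ksn(terminal_id, counter), encrypt_block(k, iso0_pin_block(pin, pan))


def host_decrypt_pin(bdk: bytes, ksn_bytes: bytes, enc_block: bytes, pan: str) -> str:
    """Host/HSM side: re-derive the terminal's IPEK and the session key from BDK + KSN.
    No key ever travels with the transaction."""
    terminal_id, counter = ksn_bytes[:7], int.from_bytes(ksn_bytes[7:], "big")
    k = derive_session_key(derive_ipek(bdk, terminal_id), counter)
    return pin_from_block(encrypt_block(k, enc_block), pan)


def demo() -> dict:
    """Walk one PIN through PED and host for two consecutive swipes on one terminal."""
    pan, pin = "4111111111111111", "1234"  # constructed test PAN and PIN
    ipek = derive_ipek(BDK, TERMINAL_ID)   # loaded into the PED at key-injection time
    ksn1, enc1 = ped_encrypt_pin(ipek, TERMINAL_ID, 1, pin, pan)
    ksn2, enc2 = ped_encrypt_pin(ipek, TERMINAL_ID, 2, pin, pan)
    other_ipek = derive_ipek(BDK, bytes.fromhex("FFFF0000000001"))  # a second PED, constructed id
    return {
        "host_recovers_pin": host_decrypt_pin(BDK, ksn1, enc1, pan),
        "session_keys_differ": derive_session_key(ipek, 1) != derive_session_key(ipek, 2),
        "same_pin_different_ciphertext": enc1 != enc2,
        "other_terminal_key_unrelated": other_ipek != ipek,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two swipes of the same card on the same PED produce different ciphertext, and a second PED's IPEK is unrelated to the first, which is what limits the blast radius of a single compromised key. One property of real X9.24 DUKPT that this model omits: the terminal erases the IPEK after populating its future-key registers and derives keys so that past session keys cannot be recomputed from what remains in the device; here the IPEK is kept for brevity, so treat the model as showing key uniqueness, not the full erasure scheme.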
3. "As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure."
Probability: Low. PIN encryption keys are not accessible in the stores because they are stored inside the TRSM (tamper resistant security module) of the PED devices. This scenario could happen only if two conditions are true: 1. The breach was in the retailer's data center rather than in the stores. While this is possible, since they say that all US stores are compromised, we don't know for sure because we don't know the details of the breach. 2. Target performs PIN translation, i.e. decrypts the PINs using its own key and re-encrypts them with the particular debit network's key. Usually, PIN translation is done using special hardware, an HSM (hardware security module), and even when the data center is breached it is still not simple to access the keys.
4. "In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said."
Probability: Low. Perhaps he confuses the debit PIN with the credit card PAN (Primary Account Number) and track 1 and 2 data. RAM scrapers are normally used in POS machines to steal the cards' PAN and track 1 and 2 data, but never PINs. PINs are encrypted inside the PED pinpad's TRSM, and it is impossible to access the RAM of that device. In the case of PIN translation, if it is implemented correctly, the PINs are translated inside the HSM, so unencrypted PINs are never available in memory and RAM scrapers are therefore useless. We don't know the details of their PIN processing environment, so theoretically everything is possible, while in practice this scenario is unlikely.
Overstock.com is going to start accepting bitcoin in 2014. They say cost is a key driver for the bitcoin move, as they save 2% on credit card interchange fees. I think this is not related to the fees, or at least it's not only about the fees. This is a marketing move: bitcoin-enabled merchants attract a new, constantly growing group of customers, bitcoin owners.
An interesting review of a company dedicated to bitcoin mining. The days when anyone could mine bitcoins using a regular desktop computer are gone forever:
The [bitcoin mining] machines ... are worth about $20,000 each on the open market. Today, all of the machines dedicated to mining Bitcoin have a computing power about 4,500 times the capacity of the United States government’s mightiest supercomputer, the IBM Sequoia, according to calculations done by Michael B. Taylor, a professor at the University of California, San Diego. The computing capacity of the Bitcoin network has grown by around 30,000 percent since the beginning of the year.
Another significant PCI "achievement":
Target today confirmed it is aware of unauthorized access to payment card data that may have impacted certain guests making credit and debit card purchases in its U.S. stores. Target is working closely with law enforcement and financial institutions, and has identified and resolved the issue.
Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts. Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.
An interesting article about bitcoin in The New York Times.
"One could argue that bitcoin isn’t chiefly a commercial venture at all, a funny thing to say about a kind of online cash. To its creators and numerous disciples, bitcoin is — and always has been — a mostly ideological undertaking, more philosophy than finance."
The question then arises as to whether the security of bitcoin wallets and payments is more a philosophical or a financial problem...