1. "The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation."
Probability: High. If either the stores or the data centers were breached, it is very possible that encrypted PIN blocks were intercepted as part of the communication between the PED (PIN entry device) and the POS (point of sale) machine, or between the POS and the payment gateway/processor.
2. "One major U.S. bank fears that the thieves would be able to crack the encryption code and make fraudulent withdrawals from consumer bank accounts, said the executive, who spoke on the condition of anonymity because the data breach is still under investigation."
Probability: Medium to Low. Cracking the encrypted PINs would require special knowledge and the availability of a large amount of ciphertext from a single source (PED). Target (like most other US retailers) encrypts debit PINs using TDEA (also known as "Triple DES") and a key management scheme called DUKPT (Derived Unique Key Per Transaction). One of the advantages of DUKPT is that it generates a new encryption key (also known as a "session" or "future" key) for each transaction, so the encryption key is unique for each card swipe. Even if a single session key is compromised, it does not compromise other sessions (transactions or cards). In addition, each PED is injected with a unique terminal key (also known as the "initial key", or IPEK), so even if a single terminal's key is compromised, it does not compromise other PED devices.
3. "As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure."
Probability: Low. PIN encryption keys are not accessible in the stores because they are stored inside the TRSM (tamper resistant security module) of the PED devices. This scenario could happen only if two conditions are true: 1. The breach was in the retailer's data center rather than in the stores. While this is possible, since they say that all US stores are compromised, we don't know for sure because we don't know the details of the breach. 2. Target performs PIN translation, that is, it decrypts the PINs using its own key and re-encrypts them with the particular debit network's key. Usually, PIN translation is done using special hardware, an HSM (hardware security module), and even when the data center is breached it is still not simple to access the keys.
4. "In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said."
Probability: Low. Perhaps he confuses the debit PIN with the credit card PAN (Primary Account Number) and track 1 and 2 data. RAM scrapers are normally used in POS machines to steal the cards' PAN and track 1 and 2 data, but never PINs. PINs are encrypted inside the PED pinpad's TRSM, and it is impossible to access the RAM of that device. In the case of PIN translation, if it is implemented correctly, the PINs are translated inside the HSM, so unencrypted PINs are never available in memory and RAM scrapers are therefore useless. We don't know the details of their PIN processing environment implementation, so theoretically everything is possible, while in practice this scenario is unlikely.