A Target on your back?

Shopped at Target this holiday season? Company breach means you should check your finances
All I know is, I was one of the unlucky Target shoppers. My bank called me yesterday and said there was an “unusual intrusion” into my bank account yesterday and they closed my debit card account (leaving me with no good way to pay any online bills):

Target has confirmed that encrypted debit card PIN data was stolen as part of the massive hack carried out against the retailer between late November and early December. The company previously admitted that card numbers, expiration dates, and security codes were compromised in the attack that affected 40 million customers. That data has already started appearing on the black market, which in turn has put financial institutions across the US on high alert as banks look to protect customers from fraudulent activity.

Target says it remains confident that identification numbers are “safe and secure” thanks to the Triple DES encryption it uses to protect sensitive data. “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the company said in a statement. When you make a debit purchase at one of Target’s stores, your card information is “encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the retailer says. “What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.” To underline that point, Target closes its latest update on the incident by saying, “The most important thing for our guests to know is that their debit card accounts have not been compromised due to the encrypted PIN numbers being taken.”

6 thoughts on “A Target on your back?”

  1. If misery loves company, then we can commiserate: our health insurer had 2 laptops stolen from their Newark office a month ago; data for all our employees was on it. They’re giving everyone free Credit Protection service for a year.

  2. Dumb luck is all that’s kept me out of your predicament (I haven’t shopped at Target since before Thanksgiving, because no reasons) . . . this time. Earlier this summer however, I took a short trip in-state and a couple days later I got the call from the Credit Union. It seems they’d caught a 2 dollar transaction being made from somewhere in China and they’d put a halt on my debit card account. They reissued the account within 24 hours and no problems since. It’s a bitch that this happened just before the weekend, but they might be able to get it righted tomorrow morning. It appears that hacking personally identifiable information is all the rage lately. So much for the naive golden age of the internet.

  3. Apparently, the deal with all those triply secured PINs is that they’re not that hard to guess in a brute force attack. Which is kind of like the corp saying, “Your secret is carefully concealed behind three unbreakable locks! … But the walls of the safe are made of glass. Sorry.”

    The other thing is that the technology to make this kind of attack impossible has been around since 2008. Regulations have forced its implementation in Europe. Here? “Oh, gee whiz, that would be expensive.”

  4. I have two credit cards and an ATM/Debit card. The credit cards are for emergencies – like my car breaking down. The ATM/Debit card I use all but exclusively at my bank to withdraw cash which I use to pay for anything I buy. I do like the convenience of plastic and I don’t like carrying cash all the time – robbery and loss are valid concerns. But routine, day to day transactions should almost never be conducted electronically – for several reasons. The Target incident being one. Business/government tracking being another.
    Hell, I don’t even use Member Cards unless I’m actually buying something on sale. No one has any business tracking what I’m buying.

  5. quixote – the principle you raised in your comments goes beyond PIN protection.

    “Oh, gee whiz, that would be expensive.”

    Consider the under-ride guard bars on big rig trucks.

    http://www.usatoday.com/story/news/nation/2013/03/14/insurance-institute-warns-truck-guards-allow-crashes/1986219/

    “…Most big-rig manufacturers are still building tractor-trailers with rear under-ride guards that allow cars going as slow as 35 mph to slide under the trucks in crashes, according to new research from the Insurance Institute for Highway Safety.

    Under-ride guards, those metal bars hanging down from the backs of tractor-trailers, are meant to prevent horrific crashes that can shear the top off a car and behead its occupants.

    Two years ago, the Insurance Institute released research showing that many of the guards were ineffective…”

    The principle is the same – Spend more money voluntarily in this country for real PIN security? Heck no. Spend more money voluntarily in this country for under-ride guards? Heck no.
