Target Hack Included PIN Numbers

Tyler Durden's picture

When the first response taken by major banks such as JPMorgan, in the aftermath of the massive 40 million credit and debit card hack of the third largest US retailer Target, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape. And indeed, as Reuters reports, the hackers who compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs) according to a senior payments executive familiar with the situation. And since from there to emptying bank accounts and saved deposits is only a keystroke away, with no credit card processor intermediate to offload liability to, banks had no choice but to immediately limit debit card access to as much 10% of their clients, in JPM's case, in an unprecedented first, which just may have shown the way of how to limit a cash withdrawal panic if and when the need to do so arises.

From Reuters:

Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.

 

The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.

 

...

 

Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.

 

As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.

 

In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.

 

The attack on Target began on November 27, the day before the Thanksgiving holiday and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.

And since in black hat hacker circles what is known by one is known by all, it is only a matter of time before America's other largest retailers, are hit by the same PIN scraping technique, which in turn "forces" the banks to once again lower ATM withdrawal limits on a few million other debit card users. Ironically, perhaps instead of focusing on where the poor and middle classes shop, it may be time for the black hat hacker community to take a look at companies like Netjets and Ferrari where the PIN "scraping" wouldn't drain the fund of the median income American but focus on those who have directly benefited from Bernanke's ongoing asset inflation monetary experiment.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
tallen's picture

Happy Christmas!

MsCreant's picture

Happy Christmas and a Merry New Year, >>Bitchez!<<

Do I have to do everything around here?

caconhma's picture

It looks more and more as a a professionally executed large-scale operation. It is a false-flag operation.

fonestar's picture

This is yet another great example of why you should not trust the traditional banking network, it is insecure and treats you like a child. 

Get yourself a Christmas present and take your remaining paper or digital dollars and convert them to BTC now!

Tijuana Donkey Show's picture

Guns and gold? Maybe silver? I need something for when the power is out. 

Ying-Yang's picture

Please forgive the thread hijack... A short message to the world from Snowden. 

Hi, and Merry Christmas. I'm honored to have the chance to speak with you and your family this year.

Recently, we learned that our governments, working in concert, have created a system of worldwide mass surveillance, watching everything we do.

Great Britain's George Orwell warned us of the danger of this kind of information. The types of collection in the book -- microphones and video cameras, TVs that watch us -- are nothing compared to what we have available today. We have sensors in our pockets that track us everywhere we go.

Think about what this means for the privacy of the average person. A child born today will grow up with no conception of privacy at all. They'll never know what it means to have a private moment to themselves -- an unrecorded, unanalyzed thought. And that's a problem, because privacy matters. Privacy is what allows us to determine who we are and who we want to be.

The conversation occurring today will determine the amount of trust we can place both in the technology that surrounds us and the government that regulates it. Together, we can find a better balance. End mass surveillance. And remind the government that if it really wants to know how we feel, asking is always cheaper than spying.

For everyone out there listening, thank you, and Merry Christmas.

 http://www.businessinsider.com/snowdens-christmas-messgae-2013-12#ixzz2oUnNQpSf
TeamDepends's picture

And a very Merry Christmas from PRISM!

disabledvet's picture

Apparently it doesn't work very good. How come We the People aren't all rich as a consequence? Why do we have 10 million more uninsured instead of zero? Why do we have to QE? False flags? More like "diversions" as the looting continues apace. Look! It's Booger Bentley! The camera is on, stop picking your nose! I mean credit cards were targeted too? REALLY? I laugh at the claim "the TJ Max looting went on unnoticed for years by authorities." REALLY? That's because it's an Inside Job you morons. Very interesting to see the Governors "involved" here. South Dakota. Really? That's interesting. Time to share the loot? This one really did get out of hand.

EhKnowKneeMass's picture

You from India? You folks use happy for everything - happy weekend; happy day; happy morning; happy afternoon.....

DosZap's picture

And THIS is exacty why I would never,ever have a debit card,100% losses, not insured.When the subject comes up all my friends use them, and I said NO way.Now, CHristmas,and maybe the next years Spending money ios gone.

disabledvet's picture

Debit card losses are finite. Credit card losses are not however.

Papasmurf's picture

Debit card losses are finite. Credit card losses are not however.

The bank's exposure to credit card losses is infinate. Their exposure to debit card loss is limited to account deposits.

ZH Snob's picture

this might sound very conspiracy-theorish but might JP Morgan have something to do with this supposed hack?  this would be an excellent cover for the capital controls they desperatly need.  those overnight credit repos that have kept these zombie banks alive might have finally become a bit shaky.

disabledvet's picture

Ya think? Steal six hundred million...deposit 500 million at JPM...see what happens.

GrinandBearit's picture

Fear, fear and more fear!

I'm sure CC companies will make a fortune selling security features they should be providing for free.

"LifeLock" memberships will also increase exponentially.

Nice false flag Target.

Seer's picture

As cynical as I can be I highly doubt that this is any attempt by Target to "increase" business.  They're Brick-n-Mortar when everything is moving to the virtual space.  Further, it's really a big fucking mess to have to deal with things like this.

In this case the trouble isn't within the domain of the credit card companies (I thought that the article was clear on this), but with Target's systems (POE?).

Whether TPTB have planned this or not who can say, but one this IS certain: it was ALWAYS going to happen.  All responses only go to show that this high-tech world will NEVER be able to stave off attacks, attacks that could very well eventually pull the one big plug (if mother nature doesn't get around to doing so first).

Again, let this be a warning to all the Bitcoin-is-impervious-to-human-interventions crowd.  The existing systems were also thought to be secure (or the risks readily managable), at one point or another.

Human hubris...  "It's unsinkable!" (would you stake your life on in?)

Citxmech's picture

I totally agree that Target was not responsible for this in some attempt to boost sales, but:  "When the first response taken by major banks such as JPMorgan, in the aftermath of the massive 40 million credit and debit card hack of the third largest US retailer Target, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape."

That was my first thought.  Let  no good crisis go to waste, eh?

disabledvet's picture

I agree. "Inside Job" without a doubt to me. Better start splitting that role of CEO and Chairman JPM.

Ms No's picture

Has ANGRY DRAGON written all over it (not the one your thinking)  No money stolen just letting you know that they can.  Probably retaliation.  Either that or bank run prevention priming.  Could be both.  Sure as hell wasn't Target.

zerozulu's picture

Thing are moving in the right direction for  people to have RFID in their neck to avoid identity theft.

Save_America1st's picture

since I don't trust anything about the banks, government, crony corporations, or media at all anymore, I'm just gonna go on believing there's a conspiracy involving people connected to some or all of them who do shit like this as test runs or false flags against the unwitting, ignorant  sheeple.

The NSA were probably the hackers or they funded the hackers or maybe Target allowed the breach on behalf of a gov/bankster cartel request and maybe this is being done on behalf of the banks and government to push us towards more capital controls and some global currency reset, and the media helps to lie and cover it up either willingly or by their own ignorance. 

Either way, I have been for 5 years and will remain almost exclusuvely cash only outside the banking system and off the grid as much as possible.

There's nothing I trust or believe about these hacking stories, except that they're most likely perpetrated by high up insiders to attack the little people and steal what little they have left.

It's the old Hegelian Dialectic of Problem, Reaction, Solution

http://www.infowars.com/the-hegelian-dialectic-and-its-use-in-controllin...

Down Vote's picture

is it normal for secret service to be investigating this sort of thing?

disabledvet's picture

Yep. Good question too. The Target obviously was JPM...not Target. The lesson is "don't shop at Target" or you will be one. These things go on all the time...like I said the TJ Max one went on for YEARS. I did see a new ATM going in so obviously cash isn't being banned. At least...not in the USA. This is very light volume...be on the look out for some real craziness to continue this week.

DriveByLurker's picture

Yes.  Part of the Secret Service's original jurisdiction (circa 1865) was to stamp out counterfeiting of U.S. currency.  Over the years, as our idea of "money" has evolved, legislation has given them primary federal jurisdiction on several classes of things that are similar to money, including credit and debit card fraud.  

(In the real world, they generally  yawn and don't get very interested unless the fraud is at least 7 or 8 figures, unless the fraud involved something they haven't seen before, or unless the victim has some sort of clout.)

 

Seer's picture

It's THE SYSTEM!

I don't believe that there's any attempt to fuck with people (other than those who would intentionally look to fuck up the System [I won't spend my energies doing so when I KNOW it's going to do itself in]).  This is all nothing more than human hubris and complex systems, all heaped on a world in decline (running out of readily exploitable resources).

The farther you get from nature the more unstable something is.  It's only common sense to seek to be a bit more grounded (go 180 from the virtual world)...

buzzsaw99's picture

"money" these days is just bits in a computer somewhere whether you bank online or not. be afraid.

Beam Me Up Scotty's picture

Not the cash in your pocket.  I like to keep mine "close to the vest".

IridiumRebel's picture

Merry Christmas to all. Keep spreading the information for it is more valuable than anything. I got love for all of you folks and thanks for awakening me. Heck, I may even buy a BTC one day. Peace on Earth.

I am Jobe's picture

Peace on Earth- Waiting for US Troops to land in Sudan. Lockheed martin is having Orgy with the Govt 

IridiumRebel's picture

It's a Zerohedge Christmas!

----------------------------

"ZeroHedge Christmas"

I'm dreaming of a ZeroHedge Christmas
Because Fukushima is about to blow
Where Thyroid cancer glistens
And children blister
To hear that TEPCO lied you know

I'm dreaming of a ZeroHedge Christmas
With every snide comment I write
May your days be snarky as we fight!
May all your hedges hockey stick to the right

I'm dreaming of a ZeroHedge Christmas
May Jamie Dimon lose his ass
Where the SEC views porn
And the currency is devalued by the morn
And another liberal judge has been sworn

I'm dreaming of a ZeroHedge Christmas
Obamacare expanding .gov
Executive orders handed from above
You all are merely subjects Yes you all are merely subjects
Until we all finally cry out "ENOUGH!"

I'm dreaming of a ZeroHedge
Christmas with you all!!!!!


I am Jobe's picture

Season of Peace Bitchezzz

Jesus loves you if and only if you shop till you drop. 

Now do your patriotic duty and shop more at TGT and start a brawl at WMT. 

KickIce's picture

Only to be interupted by Congress sending other people's children to war.

geewhiz's picture

Theory; NSA did it as a prelude to the bail in and choking off a run on banks when the fun starts.

TuesdayBen's picture

Pop Quiz:
When a stolen/hacked credit or debit/ATM card is used to steal, who has been stolen from and is on the hook for the money - the individual/account holder or the financial institution/fiduciary? In other words, whose money is it that has been stolen?

smacker's picture

It usually comes down to whether the issuer can claim that you failed to take reasonable care.

dick cheneys ghost's picture

just remember, banks are 'borrowers' not lenders.........no money was lent........the money was created by and when the person signed the credit card

TuesdayBen's picture

The card issuer/bank would have the cardholder/depositor believe it is he who has been robbed, but in fact it is nearly always the issuer who is the victim, whose money has been stolen, who is obligated to replenish stolen funds...

razorthin's picture

Coulda bought that whozeewhatsit with a silver eagle.

Seer's picture

Just had a thought!

Maybe we should invest in Nikes rather than Bitcoins and PMs?  Which one of these, if tossed at an approaching mob, would be the best defense mechanism? (no, guns are excluded from this scenario)

disabledvet's picture

Good question. If retailers are forced to start giving away merchandise to attract customers that is not good for the retailer. Having said that this could be VERY good for Nike because they sell direct to the customer. Watch closely the "delay story" in delivery. You could get "hi tech hijacking" and none of us would ever know until the earnings report came out "and there were losses instead."

GrinandBearit's picture

Just another beta test for the coming bank bail-ins and/or social collapse.

Gauge/evaluate the sheeple reactions... just like the EBT card shutdown a while back.

wagthetails's picture

Now I know ZH has made me paranoid...what a perfectly manufactured event just to test the big banks' cash control measures.

el Gallinazo's picture

Just because you're paranoid doesn't mean they ain't out to get you :-)

Seer's picture

No, I don't think that the retailers are going to sign up for this, not given that this is their biggest sales period for the year.

That the opportunity to "test" things may be happening it doesn't mean that the entire scenario was initiated for it.