When the first response taken by major banks such as JPMorgan, in the aftermath of the massive hack of 40 million credit and debit cards at Target, the third largest US retailer, was to lower ATM withdrawal and purchase limits, it became clear that there was more here than simply a well-organized credit card number scrape. And indeed, as Reuters reports, the hackers who compromised up to 40 million credit and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation. And since from there to emptying bank accounts and saved deposits is only a keystroke away, with no credit card processor intermediary to offload liability to, banks had no choice but to immediately limit debit card access for as much as 10% of their clients, in JPM's case. It was an unprecedented first, and one which just may have shown the way to limit a cash withdrawal panic if and when the need to do so arises.
Target has not said how its systems were compromised, though it described the operation as "sophisticated." The U.S. Secret Service and the Justice Department are investigating. Officials with both agencies have declined comment on the investigations.
The attack could end up costing hundreds of millions of dollars, but it is unclear so far who will bear the expense.
Daniel Clemens, CEO of Packet Ninjas, a cyber security consulting firm, said banks were prudent to lower debit card limits because they will not know for sure if Target's PIN encryption was infallible until the investigation is completed.
As an example of potential vulnerabilities in PIN encryption, Clemens said he once worked for a retailer who hired his firm to hack into its network to find security vulnerabilities. He was able to access the closely guarded digital "key" used to unscramble encrypted PINs, which he said surprised his client, who thought the data was secure.
In other cases, hackers can get PINs by using a tool known as a "RAM scraper," which captures the PINs while they are temporarily stored in memory, Clemens said.
The attack on Target began on November 27, the day before the Thanksgiving holiday, and continued until December 15. Banks that issue debit and credit cards learned about the breach on December 18, and Target publicly disclosed the loss of personal account data on December 19.
And since in black hat hacker circles what is known by one is known by all, it is only a matter of time before America's other largest retailers are hit by the same PIN scraping technique, which in turn "forces" the banks to once again lower ATM withdrawal limits on a few million other debit card users. Ironically, perhaps instead of focusing on where the poor and middle classes shop, it may be time for the black hat hacker community to take a look at companies like Netjets and Ferrari, where the PIN "scraping" wouldn't drain the funds of the median income American but would focus on those who have directly benefited from Bernanke's ongoing asset inflation monetary experiment.