
Target security breach: Should you be worried about stolen PINs?

Dec. 27, 2013 at 4:29 PM ET

[Image: A customer uses the credit card scanner at a Target store on Dec. 19 in Miami. Joe Raedle / Getty Images]

Target confirmed that debit card PIN data was stolen during the security breach that affected up to 40 million customers over the Thanksgiving holiday, but claimed that the information was encrypted and could not be accessed by criminals.

"We remain confident that PIN numbers are safe and secure," Target said Friday in a statement.

Last week, news broke that Target's point-of-sale (POS) systems had been infected with malware, compromising credit and debit card information from purchases made at retail stores across the country.

Concern over stolen PINs was raised on Tuesday when a "senior payments executive" told Reuters that he was afraid that criminals would be able to hack the encryption codes on the numbers, allowing them to withdraw cash at ATMs. 


Now that Target has made it clear that PIN data was stolen, should affected customers be worried that their bank accounts will be emptied?


Probably not, Terence Spies, chief technology officer at Voltage Security, told NBC News.

"Nothing is certain, but the defenses around that PIN data are pretty reliable," said Spies, whose company deals in similar technology. "For all intents and purposes, it's strong enough to keep most attackers out of that data."

Target claims to be using Triple DES encryption, which is fairly standard procedure for most big retailers. It's the successor to DES, or Data Encryption Standard, an outdated algorithm for protecting data that was first introduced in the 1970s.

DES uses one 56-bit key. Today's hackers can get through that in about 6 hours, Spies said. Triple DES, as you might guess, uses three of those keys.

A unique Triple DES key is given to each POS terminal — in most cases, an electronic cash register — and the corresponding key needed to decrypt that data is stored in security hardware located at the payment processor.

That arrangement makes PIN numbers pretty safe, as Target explained in its statement:

Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor. What this means is that the “key” necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.
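The arrangement just described, modelled as an added Go example (not code from Target, Voltage Security or any payment processor): each terminal encrypts the PIN block under its own Triple DES key, the retailer forwards only ciphertext, and only the processor holding that key can recover the PIN. The PIN block layout and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"strings"
)

// pinBlock: assumed layout modelled on ISO 9564 format 0 minus the PAN step:
// control nibble 0, PIN length nibble, the PIN digits, then 0xF padding to 8 bytes.
func pinBlock(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	return hex.DecodeString("0" + "0123456789ABCDEF"[len(pin):len(pin)+1] + pin + strings.Repeat("F", 14-len(pin)))
}

// terminalEncrypt runs inside the PIN pad with that terminal's own Triple DES key (24
// bytes: three 56-bit DES keys plus parity). Only the ciphertext reaches the retailer.
func terminalEncrypt(terminalKey []byte, pin string) ([]byte, error) {
	pb, err := pinBlock(pin)
	if err != nil {
		return nil, err
	}
	c, err := des.NewTripleDESCipher(terminalKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, pb)
	return out, nil
}

// processorDecrypt runs at the payment processor, the only party holding the terminal
// key. A block decrypted under the wrong key almost never parses and is rejected.
func processorDecrypt(terminalKey, ct []byte) (string, error) {
	c, err := des.NewTripleDESCipher(terminalKey)
	if err != nil || len(ct) != des.BlockSize {
		return "", errors.New("bad key or ciphertext length")
	}
	pb := make([]byte, des.BlockSize)
	c.Decrypt(pb, ct)
	h := strings.ToUpper(hex.EncodeToString(pb))
	n := int(pb[0] & 0x0F)
	if h[0] != '0' || n < 4 || n > 12 || strings.Trim(h[2:2+n], "0123456789") != "" || h[2+n:] != strings.Repeat("F", 14-n) {
		return "", errors.New("invalid PIN block: wrong key or corrupted data")
	}
	return h[2 : 2+n], nil
}
```

The retailer in this model only ever handles the 8-byte output of terminalEncrypt; a copy of that traffic without the processor's key is what the article says the attackers obtained.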

So while there have been reports of fake cards with stolen numbers being used, there haven't been any involving criminals withdrawing cash from ATMs. That is because systems are set up to protect personal identification numbers even if other information — like the track data stolen from Target — is hacked.

"The PIN is kind of the sacred data of the payment world," Spies said. "The way that people usually get PINs isn't through encrypted PIN data. Instead, what they will do is make fake PIN pads or even whole fake ATMs."

So, rest at ease Target customers. At least until your next visit to the ATM.

Keith Wagstaff writes about technology for NBC News. He previously covered technology for TIME's Techland and wrote about politics as a staff writer at TheWeek.com. You can follow him on Twitter at @kwagstaff and reach him by email at: Keith.Wagstaff@nbcuni.com
