
Hackers seek to decrypt PIN codes likely stolen in Target breach

A group of individuals communicating in underground forums is attempting to decrypt a 50GB dump of Triple DES (3DES) encrypted PINs believed to have been acquired in the massive 2013 attack on retail giant Target, according to a recent post by research firm IntelCrawler.

Talk regarding decryption of PINs began appearing on private message boards earlier this month, not long after Target announced that card data, CVV numbers and encrypted PIN codes for 40 million of its customers were stolen in a roughly three-week attack on the company's point-of-sale (POS) machines.

On Jan. 3, an individual claiming to be in possession of 50GB of 3DES encrypted PIN data started a thread asking for a “pro hacker” to decrypt the information at a fee of $10 per line. According to the IntelCrawler post, the individual is likely from Eastern Europe.

It may be a slow process, but decrypting the 3DES encrypted PINs is entirely possible, Andrew Komarov, CEO at IntelCrawler, told SCMagazine.com on Wednesday. He explained that 3DES encryption may be vulnerable to brute-force and added that programs such as John the Ripper, a free password cracking tool, may facilitate the process.

Komarov also pointed to a Dec. 27, 2013 blog post by Errata Security owner Robert Graham, in which Graham reveals that “hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value.”

Graham presents an example of a hacker who used his debit card at Target before the database was stolen and subsequently learned that his PIN of ‘8473’ encrypts to ‘98hasdHOUa’. The hacker now knows the PIN of everyone who shares his code, Graham wrote, adding that the hacker can use similar properties to crack the remainder of the PINs.

This is not possible if the encryption was salted, Graham wrote, but those are details Target has yet to reveal.
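The property Graham describes is that deterministic encryption under one fixed key leaks equality: two records with the same PIN produce the same ciphertext, so a dump can be grouped without decrypting anything. The following is an added example, not code from the article, from Errata Security or from Target's systems. It uses a keyed SHA-256 stand-in (an assumption, not real 3DES) to reproduce the deterministic behaviour, constructed PANs and PINs, and contrasts an unsalted PIN block with the ISO 9564 format 0 block, which XORs PAN digits into the PIN before encryption so that cards sharing a PIN no longer share a ciphertext.

```python
import hashlib
from collections import Counter

# Constructed demo key. The stand-in below is NOT 3DES: it is a keyed,
# deterministic function used only to reproduce the property at issue
# (same input block in, same ciphertext out, key unknown to the observer).
SECRET_KEY = b"constructed-demo-key"


def encrypt_block(block: bytes) -> str:
    """Stand-in for fixed-key, deterministic (ECB-style) block encryption."""
    return hashlib.sha256(SECRET_KEY + block).hexdigest()[:16]


def naive_block(pin: str, pan: str) -> bytes:
    """Unsalted block: the PIN alone, padded to 8 bytes. The PAN is ignored,
    so identical PINs always yield identical blocks."""
    return pin.encode().ljust(8, b"F")


def iso0_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format 0: PIN field XOR PAN field, where the PAN field is
    0000 followed by the rightmost 12 PAN digits excluding the check digit."""
    pin_field = bytes.fromhex(f"0{len(pin)}{pin}".ljust(16, "F"))
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    return bytes(a ^ b for a, b in zip(pin_field, pan_field))


def collision_sizes(records, block_fn):
    """Encrypt every record and return ciphertext group sizes, largest first.
    A defender auditing a PIN store wants every size to be 1: any larger
    group means the ciphertext alone reveals which cards share a PIN."""
    counts = Counter(encrypt_block(block_fn(pin, pan)) for pan, pin in records)
    return sorted(counts.values(), reverse=True)


# Constructed sample (pan, pin): three cards share PIN 1234, the rest differ.
RECORDS = [
    ("4000001234567890", "1234"),
    ("4000009876543210", "1234"),
    ("4000005555666677", "1234"),
    ("4000001111222233", "8473"),
    ("4000004444333322", "0000"),
]

if __name__ == "__main__":
    print("unsalted:", collision_sizes(RECORDS, naive_block))  # [3, 1, 1]
    print("ISO-0:   ", collision_sizes(RECORDS, iso0_block))   # [1, 1, 1, 1, 1]
```

With the unsalted block the largest group has size 3, exposing the three cards that share a PIN; with the PAN mixed in, every ciphertext is unique even though the underlying PINs are not.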

It is likely that these are PIN codes extracted in the Target breach because the size of the 50GB dump of encrypted PIN data correlates to how many people were impacted in the December breach, Komarov said, adding that a sample of cards obtained by IntelCrawler investigators related to the U.S. and Canada, which also correlates with the location of victims in the Target breach.

“Some part of the dumps could already be resold, but on some they can still be doing decryption, which takes time,” Komarov said.

[An earlier version of this story has been updated to clarify Robert Graham's post].
