Feeds

Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?

Armour plating won't hold out forever, claim infosec bods

The Essential Guide to IT Transformation

Underground cybercriminals are attempting to decrypt a 50GB dump of encrypted debit card PINs that security watchers reckon were lifted during last year's high profile breach against retail giant Target.

Security intelligence firm IntelCrawler reports that a miscreant claiming to be in possession of 50GB of PIN data secured with 3DES encryption posted a request for a hook-up with a PIN hacker on 3 January, offering a fee of $10 per line. IntelCrawler reckons the hacker is from Eastern Europe.

Chat regarding the decryption of PINs began appearing on private message boards just days after Target admitted the credit card details of 40 million of its customers had gone AWOL.

The retailer also admitted last week that 70 million customers' personal files had also been swiped as part of the same breach. The credit card information swipe came from a successful malware-based attack on Target's point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.

PIN in a haystack

Discussions about decrypting encrypted card data have been happening on underground cybercrime forums since as far back as September 2011, but have gained a particular focus of late. "Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," explained Andrew Komarov, IntelCrawler's chief exec.

An active group of Eastern European cybercriminals specialise in attacks on merchants and PoS terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks. Many such systems have been compromised in the past during the group's illicit efforts to uncover this data, according to IntelCrawler.

Security experts are split on whether decrypting 3DES encrypted data is feasible or not. Komarov told us that 3DES encryption is vulnerable to brute-force attacks and hackers have proved this in the past with the decryption of PIN dumps from other cyber-heists.

However, a blog post by Australian outfit Payment Security Consulting, featuring an information transaction flow diagram and the likely point of attack in the Target breach, concludes that encrypted PIN blocks from the Target attack are safe. The Australian consultancy describes the brute force attack scenario outlined by IntelCrawler as implausible at best or fear-mongering at worst.

The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.

Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.

Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.

Robert Graham of Errata Security argues that the PIN information might be matched against the leaked but encrypted data using some sort of frequency analysis and cryptographic cribs (based on purchases made by fraudsters themselves prior to or during the breach).

"Yes, Triple-DES cannot be broken by hackers," Graham explains in a blog post. "If they don't have the secret key, they can't decrypt the PIN numbers. But here's the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value."

But Graham adds that "the Payment Card Industry (PCI) standards indeed call for salt, so this is probably what Target did", in which case attempts to use frequency distribution of PINs and similar tricks to infer the corresponding hashes from siphoned off information are going to flounder. Ways in which the PINs should be encrypted, according to the PCI, are described here.

IntelCrawler, which is undaunted by doubts elsewhere that hackers are probably on a hiding to nothing in attempted to decrypt the stolen data, reckons the cybercrooks behind the target scam are also researching the development of their own custom field-programmable gate array (FPGA) board for successful decryption. The security start-up sees similarities between the Target breach and previous mega-breaches involving US retail outfits such as the Heartland Payment Systems hack of 2007/8.

"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," Komarov concludes in a bulletin on its research.

Komarov told El Reg: "The attack used in Target breach was related to special malware distribution (http://www.bankinfosecurity.com/-a-6316/op-1) and interception of network communications.”

“The same attacks were also used previously by the same group of criminals from Eastern Europe according to our opinion," he added. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Fiendishly complex password app extension ships for iOS 8
Just slip it in, won't hurt a bit, 1Password makers urge devs
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.