Feeds

Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?

Armour plating won't hold out forever, claim infosec bods

Protecting against web application threats using SSL

Underground cybercriminals are attempting to decrypt a 50GB dump of encrypted debit card PINs that security watchers reckon were lifted during last year's high profile breach against retail giant Target.

Security intelligence firm IntelCrawler reports that a miscreant claiming to be in possession of 50GB of PIN data secured with 3DES encryption posted a request for a hook-up with a PIN hacker on 3 January, offering a fee of $10 per line. IntelCrawler reckons the hacker is from Eastern Europe.

Chat regarding the decryption of PINs began appearing on private message boards just days after Target admitted the credit card details of 40 million of its customers had gone AWOL.

The retailer also admitted last week that 70 million customers' personal files had also been swiped as part of the same breach. The credit card information swipe came from a successful malware-based attack on Target's point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.

PIN in a haystack

Discussions about decrypting encrypted card data have been happening on underground cybercrime forums since as far back as September 2011, but have gained a particular focus of late. "Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," explained Andrew Komarov, IntelCrawler's chief exec.

An active group of Eastern European cybercriminals specialise in attacks on merchants and PoS terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks. Many such systems have been compromised in the past during the group's illicit efforts to uncover this data, according to IntelCrawler.

Security experts are split on whether decrypting 3DES encrypted data is feasible or not. Komarov told us that 3DES encryption is vulnerable to brute-force attacks and hackers have proved this in the past with the decryption of PIN dumps from other cyber-heists.

However, a blog post by Australian outfit Payment Security Consulting, featuring an information transaction flow diagram and the likely point of attack in the Target breach, concludes that encrypted PIN blocks from the Target attack are safe. The Australian consultancy describes the brute force attack scenario outlined by IntelCrawler as implausible at best or fear-mongering at worst.

The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.

Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.

Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.

Robert Graham of Errata Security argues that the PIN information might be matched against the leaked but encrypted data using some sort of frequency analysis and cryptographic cribs (based on purchases made by fraudsters themselves prior to or during the breach).

"Yes, Triple-DES cannot be broken by hackers," Graham explains in a blog post. "If they don't have the secret key, they can't decrypt the PIN numbers. But here's the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value."

But Graham adds that "the Payment Card Industry (PCI) standards indeed call for salt, so this is probably what Target did", in which case attempts to use frequency distribution of PINs and similar tricks to infer the corresponding hashes from siphoned off information are going to flounder. Ways in which the PINs should be encrypted, according to the PCI, are described here.

IntelCrawler, which is undaunted by doubts elsewhere that hackers are probably on a hiding to nothing in attempted to decrypt the stolen data, reckons the cybercrooks behind the target scam are also researching the development of their own custom field-programmable gate array (FPGA) board for successful decryption. The security start-up sees similarities between the Target breach and previous mega-breaches involving US retail outfits such as the Heartland Payment Systems hack of 2007/8.

"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," Komarov concludes in a bulletin on its research.

Komarov told El Reg: "The attack used in Target breach was related to special malware distribution (http://www.bankinfosecurity.com/-a-6316/op-1) and interception of network communications.”

“The same attacks were also used previously by the same group of criminals from Eastern Europe according to our opinion," he added. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.