Feeds

Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?

Armour plating won't hold out forever, claim infosec bods

Internet Security Threat Report 2014

Underground cybercriminals are attempting to decrypt a 50GB dump of encrypted debit card PINs that security watchers reckon were lifted during last year's high profile breach against retail giant Target.

Security intelligence firm IntelCrawler reports that a miscreant claiming to be in possession of 50GB of PIN data secured with 3DES encryption posted a request for a hook-up with a PIN hacker on 3 January, offering a fee of $10 per line. IntelCrawler reckons the hacker is from Eastern Europe.

Chat regarding the decryption of PINs began appearing on private message boards just days after Target admitted the credit card details of 40 million of its customers had gone AWOL.

The retailer also admitted last week that 70 million customers' personal files had also been swiped as part of the same breach. The credit card information swipe came from a successful malware-based attack on Target's point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.

PIN in a haystack

Discussions about decrypting encrypted card data have been happening on underground cybercrime forums since as far back as September 2011, but have gained a particular focus of late. "Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," explained Andrew Komarov, IntelCrawler's chief exec.

An active group of Eastern European cybercriminals specialise in attacks on merchants and PoS terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks. Many such systems have been compromised in the past during the group's illicit efforts to uncover this data, according to IntelCrawler.

Security experts are split on whether decrypting 3DES encrypted data is feasible or not. Komarov told us that 3DES encryption is vulnerable to brute-force attacks and hackers have proved this in the past with the decryption of PIN dumps from other cyber-heists.

However, a blog post by Australian outfit Payment Security Consulting, featuring an information transaction flow diagram and the likely point of attack in the Target breach, concludes that encrypted PIN blocks from the Target attack are safe. The Australian consultancy describes the brute force attack scenario outlined by IntelCrawler as implausible at best or fear-mongering at worst.

The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.

Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.

Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.

Robert Graham of Errata Security argues that the PIN information might be matched against the leaked but encrypted data using some sort of frequency analysis and cryptographic cribs (based on purchases made by fraudsters themselves prior to or during the breach).

"Yes, Triple-DES cannot be broken by hackers," Graham explains in a blog post. "If they don't have the secret key, they can't decrypt the PIN numbers. But here's the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value."

But Graham adds that "the Payment Card Industry (PCI) standards indeed call for salt, so this is probably what Target did", in which case attempts to use frequency distribution of PINs and similar tricks to infer the corresponding hashes from siphoned off information are going to flounder. Ways in which the PINs should be encrypted, according to the PCI, are described here.

IntelCrawler, which is undaunted by doubts elsewhere that hackers are probably on a hiding to nothing in attempted to decrypt the stolen data, reckons the cybercrooks behind the target scam are also researching the development of their own custom field-programmable gate array (FPGA) board for successful decryption. The security start-up sees similarities between the Target breach and previous mega-breaches involving US retail outfits such as the Heartland Payment Systems hack of 2007/8.

"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," Komarov concludes in a bulletin on its research.

Komarov told El Reg: "The attack used in Target breach was related to special malware distribution (http://www.bankinfosecurity.com/-a-6316/op-1) and interception of network communications.”

“The same attacks were also used previously by the same group of criminals from Eastern Europe according to our opinion," he added. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.