Target hackers: Woohoo, we're rich! Um. Guys? Anyone know how to break bank encryption?
Armour plating won't hold out forever, claim infosec bods
Underground cybercriminals are attempting to decrypt a 50GB dump of encrypted debit card PINs that security watchers reckon were lifted during last year's high profile breach against retail giant Target.
Security intelligence firm IntelCrawler reports that a miscreant claiming to be in possession of 50GB of PIN data secured with 3DES encryption posted a request for a hook-up with a PIN hacker on 3 January, offering a fee of $10 per line. IntelCrawler reckons the hacker is from Eastern Europe.
Chat regarding the decryption of PINs began appearing on private message boards just days after Target admitted the credit card details of 40 million of its customers had gone AWOL.
The retailer also admitted last week that 70 million customers' personal files had also been swiped as part of the same breach. The credit card information swipe came from a successful malware-based attack on Target's point-of-sale (PoS) machines over the pre-Christmas holiday shopping season.
PIN in a haystack
Discussions about decrypting encrypted card data have been happening on underground cybercrime forums since as far back as September 2011, but have gained a particular focus of late. "Most of the underground chatter is among users who know how to sniff traffic but need technical help in addressing the decryption issue," explained Andrew Komarov, IntelCrawler's chief exec.
An active group of Eastern European cybercriminals specialise in attacks on merchants and PoS terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment data and PIN blocks. Many such systems have been compromised in the past during the group's illicit efforts to uncover this data, according to IntelCrawler.
Security experts are split on whether decrypting 3DES encrypted data is feasible or not. Komarov told us that 3DES encryption is vulnerable to brute-force attacks and hackers have proved this in the past with the decryption of PIN dumps from other cyber-heists.
However, a blog post by Australian outfit Payment Security Consulting, featuring an information transaction flow diagram and the likely point of attack in the Target breach, concludes that encrypted PIN blocks from the Target attack are safe. The Australian consultancy describes the brute force attack scenario outlined by IntelCrawler as implausible at best or fear-mongering at worst.
The Target attackers appear to have been able to grab the data sent from the POS system to the merchant gateway. So this has given them a lot of sensitive data like track data and the Encrypted PIN Blocks.
Target has stated that the PIN Blocks were encrypted using Triple DES keys, so a brute force attack is out of the question.
Each PIN Block has been encrypted using the unique PIN Key on that POS's PIN Terminal. An attacker would have had to extract the PIN Key of the terminal where the PIN block originates from. This requires at a minimum physical access to that terminal. It is not feasible to extract the plain-text PIN keys remotely.
Robert Graham of Errata Security argues that the PIN information might be matched against the leaked but encrypted data using some sort of frequency analysis and cryptographic cribs (based on purchases made by fraudsters themselves prior to or during the breach).
"Yes, Triple-DES cannot be broken by hackers," Graham explains in a blog post. "If they don't have the secret key, they can't decrypt the PIN numbers. But here's the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value."
But Graham adds that "the Payment Card Industry (PCI) standards indeed call for salt, so this is probably what Target did", in which case attempts to use frequency distribution of PINs and similar tricks to infer the corresponding hashes from siphoned off information are going to flounder. Ways in which the PINs should be encrypted, according to the PCI, are described here.
IntelCrawler, which is undaunted by doubts elsewhere that hackers are probably on a hiding to nothing in attempted to decrypt the stolen data, reckons the cybercrooks behind the target scam are also researching the development of their own custom field-programmable gate array (FPGA) board for successful decryption. The security start-up sees similarities between the Target breach and previous mega-breaches involving US retail outfits such as the Heartland Payment Systems hack of 2007/8.
"IntelCrawler has also noticed some nuances with this current possible sniffer breach with a few cases from the past, specifically the RBS and Heartland card breaches. In those cases, a few of the hackers are still on the loose and although no direct linkage can be made yet, the similarities are starting to line up," Komarov concludes in a bulletin on its research.
Komarov told El Reg: "The attack used in Target breach was related to special malware distribution (http://www.bankinfosecurity.com/-a-6316/op-1) and interception of network communications.”
“The same attacks were also used previously by the same group of criminals from Eastern Europe according to our opinion," he added. ®