Shostack + Friends Blog Archive


Some additional info on the debit card breach

American Banker has a useful article about the debit card/PIN breach that has been making news. Unfortunately, it is behind a paywall. After reciting the background, the article presents some additional info in Q and A form.
Herewith, some fair-use excerpts. All italics emphasis is added. If you have access, I urge you to read the whole thing.

How did the breach occur?

The lead theory, according to sources close to the matter, is that hackers accessed servers at about 30 stores belonging to a large, national retailer and stole data from the cards’ magnetic stripes, encrypted customer PINs (in a format known as PIN blocks), and the keys to decode the PIN blocks.

The criminals used the magnetic stripe information to create counterfeit cards, and the decrypted PINs to withdraw cash from automated teller machines, the sources said.

But others doubt that the thieves had access to PIN blocks. Jerry Silva, the service director for the retail banking and delivery-channel practices at TowerGroup Inc., a Needham, Mass., research unit of MasterCard International, said the thieves could have used a “brute-force” approach. If they had the magnetic stripe information and access to a point of sale terminal, they could have used software to test every possible combination until they found the correct PIN.

Though ATMs will generally halt a transaction when someone enters several incorrect PINs, many point of sale terminals do not.

How many people were affected?

So far sources close to the matter say at least 600,000 accounts could have been compromised.

Which retailer’s systems were hacked?

There may have been more than one retailer, according to Eric Zahren, a spokesman for the Secret Service, who said the breach “involved a number of retailers and issuers.” Mr. Zahren would not name them or discuss the status of the investigation.

Don’t card companies prohibit retailers from storing PIN information?

Yes. Retailers, processors, and any other parties involved in processing transactions may not store PINs, even if they are encrypted, according to section 3.2.3 of the Payment Card Industry Data Security Standard, which was developed by all the major card companies. The standard also requires companies to “restrict” access to encryption keys to the fewest number of parties possible, and to store the keys securely in the fewest possible places and forms.

Card companies can fine merchant acquirers if their merchant customers do not adhere to the standards, and Visa U.S.A. is considering imposing a fine on B of A, OfficeMax’s acquirer, according to one source close to the

600,000 accounts, eh? That number looks familiar, but in this case it is probably just a coincidence.
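The excerpt above contrasts ATMs, which halt after several wrong PINs, with point of sale terminals that do not, and that missing lockout is what makes the "brute-force" theory plausible. The following is an added illustration, not code from the blog post, American Banker, or any card network, of what the issuer-side lockout looks like when replayed over a PIN-verification log. The log lines, account and terminal names, and the three-failures-in-ten-minutes threshold are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample PIN-verification log: "timestamp account terminal result".
# "FAIL" means a wrong PIN was entered, "SUCCESS" the correct one. Not real data.
SAMPLE_LOG = [
    "2006-01-10T10:00:00 acct-0001 POS-17 FAIL",
    "2006-01-10T10:00:05 acct-0001 POS-17 FAIL",
    "2006-01-10T10:00:09 acct-0001 POS-17 FAIL",     # third failure -> lockout
    "2006-01-10T10:00:12 acct-0001 POS-17 SUCCESS",  # right PIN, but account is locked
    "2006-01-10T10:01:00 acct-0002 ATM-3 FAIL",
    "2006-01-10T10:01:30 acct-0002 ATM-3 SUCCESS",   # success clears the failure count
    "2006-01-10T10:02:00 acct-0002 ATM-3 FAIL",
    "2006-01-10T10:02:30 acct-0002 ATM-3 FAIL",      # only two since the reset
    "2006-01-10T10:05:00 acct-0003 POS-5 FAIL",
    "2006-01-10T10:20:00 acct-0003 POS-5 FAIL",
    "2006-01-10T10:35:00 acct-0003 POS-5 FAIL",      # spaced out to stay under a 10-minute window
]


def parse_line(line):
    """Split one log line into (datetime, account, terminal, result)."""
    ts, account, terminal, result = line.split()
    return datetime.fromisoformat(ts), account, terminal, result


def evaluate(lines, max_failures=3, window=timedelta(minutes=10)):
    """Replay the log in time order and apply an ATM-style lockout per account.

    Returns (decisions, locked):
      decisions: one of "OK", "FAIL", "LOCKED" per event, in time order
      locked:    account -> (terminal, ISO timestamp) of the attempt that triggered the lock
    A successful PIN resets the failure count; a locked account rejects every
    later attempt, including a correct PIN, until the issuer unlocks it.
    """
    failures = defaultdict(deque)  # account -> timestamps of recent failed attempts
    locked = {}
    decisions = []
    for ts, account, terminal, result in sorted(parse_line(l) for l in lines):
        if account in locked:
            decisions.append("LOCKED")
            continue
        if result == "SUCCESS":
            failures[account].clear()
            decisions.append("OK")
            continue
        recent = failures[account]
        recent.append(ts)
        # Drop failures that fell outside the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            locked[account] = (terminal, ts.isoformat())
            decisions.append("LOCKED")
        else:
            decisions.append("FAIL")
    return decisions, locked


if __name__ == "__main__":
    decisions, locked = evaluate(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:7} {line}")
    print("locked accounts:", locked)
```

Two things the replay makes visible: once acct-0001 is locked, even the correct PIN at 10:00:12 is refused, which is the property a guessing attack runs into at an ATM; and acct-0003 never trips the ten-minute window because its failures are spread out, so a deployment would pair the short window with a longer-horizon count (the same log with `window=timedelta(hours=1)` locks acct-0003 as well). Both the counter and the lock belong on the issuer or host side, not in the terminal, so that a terminal that does not enforce a limit itself cannot bypass it.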