
Target hackers stole encrypted bank PINs, according to source [video] - iamtechaddict
http://www.chicagotribune.com/business/sns-rt-us-target-databreach-20131224,0,1031401.story
======
jtokoph
More misinformation in the video: She mentions that the CVV on the back was
"fair game". The CVV is on the magnetic strip, but the code on the back of the
card is the CVV2 which is not on the magnetic strip.

~~~
tjohns
I thought the one on the mag stripe was the "CVV1", whereas "CVV" was ambiguous
and could refer to either?

As far as most consumers are concerned, CVV or CVC is synonymous with CVV2,
since that's what folks are asked to enter when shopping online. If you're not
an engineer or work in the payment industry, you probably don't know CVV1
exists.

------
fiberoptick
Why were they storing the PINs?

~~~
astrodust
I'm not familiar with the US system, but here in Canada you're not even
supposed to _get_ the PIN in the first place. The keypad is supposed to
encrypt it and use it for one transaction only. Then that information is
discarded.

Storing PINs in any form is absolutely insane. People deserve to get fired for
this.

~~~
dlubarov
It's the same here - PINs must be encrypted by a tamper-resistant hardware PIN
pad (in this case Verifone's).

I don't think Target was storing PINs, which is prohibited regardless of
encryption. It sounds like the attackers sniffed encrypted PINs.

------
nnnnni
Is this saying then that it only affects cards that were used in debit mode,
not cards that were used in credit mode?

------
officialjunk
Interesting detective work here on the Target credit card compromise:

[http://krebsonsecurity.com/2013/12/whos-selling-credit-cards...](http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/)

------
kclay
So wait, do we know when this data breach started and this means that if I
used my Chase card (not Target card) as debit it could have been compromised?

