Saturday, December 28, 2013

Target: just 'cause it's 3DES doesn't mean it's secure

Target: just 'cause it's 3DES doesn't mean it's secure
 
In a blogpost referring to the recent breach of millions of debit cards, Target claims there is no danger, because the PIN is encrypted with Triple-DES at the terminal, and decrypted at the payment processor. Since hackers stole only the encrypted PINs, Target claims the debit card info is useless to the hackers.

This is wrong. Either Target doesn't understand cybersecurity, or they are willfully misleading the public, or they are leaving out important details. In all probability, it's the last item: they left out the detail of there being salt.

Yes, Triple-DES cannot be broken by hackers. If they don't have the secret key, they can't decrypt the PIN numbers. But here's the deal: hackers can get PINs without decrypting them, because two identical PINs decrypt to the same value.

For example, let's say that the hacker shopped at Target before stealing the database. The hacker's own debit card information will be in the system. Let's say the hacker's PIN was 8473. Let's say that this encrypts to 98hasdHOUa. The hacker now knows that everyone with the encrypted PIN of "98hasdHOUa" has the same pin number as him/her, or "8473". Since there are only 10,000 combination of PIN numbers, the hacker has now cracked 1000 PIN numbers out of 10 million debit cards stolen.

This just gets one debit card. The hacker can crack the rest using the same property. The hacker simply starts at PIN number "0000", and then using online sites, starts using that number, trying one card at a time, until s/he gets a hit. On average, the hacker will have to try 10,000 before a good result is found. Once found, all debit cards with the same encrypted PIN of "0000" are moved aside to the "known" category. The hacker then repeats the process with "0001", "0002", and so on for all combinations.

This process is further simplified by the fact that some PIN numbers are vastly more common than others. People choose simply patterns (like "0000"), birthdays, and so on. The hacker can create a popularity distribution among the cracked PINs. Since "1234" is the most popular PIN number, the hacker can look at the most popular encrypted PIN and try that first. It'll probably work, but if not, s/he can try the next most popular encrypted PIN, until a match for 1234 is found. The top most popular 100 PINs can be discovered with only a few thousand attempts, giving over a million cracked debit cards to work with. This is something that can be done even if a person had to stand in front of an ATM for hours trying one card after another.

One way to correct this is to salt the encryption, such as using the credit card number as part of the key that encrypts the PIN, or as part of additional data prepended to the PIN. Done this way, every PIN number now decrypts to a different value. If they did this, then it would indeed be the same as if no PIN information were stolen at all.

As Mathew Greene describes, the Payment Card Industry (PCI) standards indeed call for salt, so this is probably what Target did.

It's nice that Target gives intermediate results of their investigation. Transparency like this should be commended. But they should just give us the raw information, like the specific PCI standard they follow, without the marketing spin about whether it's secure or not. I suppose I should've just known the PCI standard off the top of my head and filled in the blanks myself, but when I see incomplete info like this, it makes me distrust their honesty/competence instead.
http://blog.erratasec.com/2013/12/target-displays-its-incompetence.html#.Ur622cKA3IU

No comments:

Post a Comment