
Chip and Pin would have prevented zero of the accounts escaping Target.

There was a complete lack of encryption at key points.




Chip and Pin would prevent none of the leaks; it would prevent the usage of the stolen card numbers after the fact.


Ok, let's think this through. The chip is embedded in the card, and works if you bring the card physically to the POS terminal.

The chip is not part of the equation for online transactions. So if everything but the chip is stolen, the bad guys are going to use the card online.

Check out http://krebsonsecurity.com/2014/05/the-target-breach-by-the-..., particularly his "by the numbers" section:

0 – The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach (without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions).


The PIN system as used in Europe (or at least where I live) always requires you to physically enter your PIN-Number with any purchase, even online. The card alone is useless as you MUST enter the PIN-Number, and 3 wrong tries blocks the card permanently. To make purchases online your bank would send you a small device which takes: a number supplied by the online website indicating your purchase, your card and then asks you for a PIN-Number. It then does some magic and outputs a number that you would need to verify the purchase.

It seems that this is not that same type of system or am I mistaken in some way? Seems to me that it would have helped; my account number/card number/exp. date are useless on their own.


I'm not sure how they figure that. How would having the Chip and Pin have prevented the data from being stolen? How does them encrypting the data they send relate to the cards? Those seem like separate issues.

With regards to online use, I'll say I'm not familiar with how Chip and Pin really works, but presumably they have some guard for online use, right? Or is that just wide open still?


With online use, the chip does not come into play.

"How would having the Chip and Pin have prevented the data from being stolen?" It does not. The "Chip and Pin" argument is brought up each time this sort of retail breach happens, like a reflex.


But what good are a bunch of card numbers if you're unable to use them due to not having the pin? Not sure you understood what I meant.


From the Brian Krebs article I referenced in another comment in this thread:

1 million – 3 million – The estimated number of cards stolen from Target that were successfully sold on the black market and used for fraud before issuing banks got around to canceling the rest (based on interviews with three different banks, which found that between 3-7 percent of all cards they were told by Visa/MasterCard were compromised actually ended up experiencing fraud).

So clearly they were able to use the cards.



