



When you enter your PIN, the computer inside the PIN pad hashes the number you entered and compares it with the hashed PIN encoded on the card you swiped. If the hash of the number you entered matches the hash on the card, then it verifies the transaction. If the hash of the number you entered doesn't match, then the computer denies the transaction, saying that the PIN is incorrect.





Now if they are hashed with the card number as well, then this exploit would not work, assuming that the hackers did not get the card numbers as well. But if the PIN numbers are hashed separately, then they have a problem. This is because hackers don't usually try to crack the hash nowadays. Instead they perform a brute-force search to find a matching hash string. So, for example, they would take all the numbers from 0000 to 9999 and hash every single one of them. Then they would compare each and every one of them to the hashed PINs in the stolen data and search for matches. This is essentially a dictionary attack with numbers instead of words.





Once they have found a hash string that matches, they know that that particular number is the PIN. So they will continue to run this search until they match them all up, and then they can use them. This type of search is trivial to do, and your average desktop computer can perform such a search in a reasonable amount of time. And because they now have their own copy of the database, they can perform Black Bag Cryptanalysis, i.e. stealing the encrypted data and cracking it at their own leisure.
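As an added example, not part of the original post: a short Python audit of the storage choices contrasted above, showing what a PIN-only digest gives away compared with one bound to the card number. The card numbers, PINs, key and function names are constructed for illustration, and the keyed HMAC variant is an assumption beyond what the post describes.

```python
import hashlib
import hmac

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # the whole 4-digit keyspace

def pin_only(pin: str, card: str) -> str:
    """Scheme the post warns about: the digest depends on the PIN alone."""
    return hashlib.sha256(pin.encode()).hexdigest()

def pin_with_card(pin: str, card: str) -> str:
    """Scheme the post prefers: the card number is mixed into the digest."""
    return hashlib.sha256(f"{card}:{pin}".encode()).hexdigest()

def pin_with_key(pin: str, card: str, key: bytes) -> str:
    """Assumed hardening: HMAC under a secret kept outside the database."""
    return hmac.new(key, f"{card}:{pin}".encode(), hashlib.sha256).hexdigest()

def audit(records, scheme):
    """Return (records matched by one PIN-only table, distinct digests stored)."""
    table = {pin_only(pin, "") for pin in PIN_SPACE}
    digests = [scheme(pin, card) for card, pin in records]
    return sum(d in table for d in digests), len(set(digests))

# Constructed sample data: test card numbers, two cards sharing one PIN.
RECORDS = [("4111111111111111", "1234"),
           ("5555555555554444", "1234"),
           ("4012888888881881", "0420")]
KEY = b"constructed-demo-key"  # placeholder; a real key would sit in an HSM

if __name__ == "__main__":
    print("pin only        :", audit(RECORDS, pin_only))
    print("pin + card      :", audit(RECORDS, pin_with_card))
    print("pin + card + key:", audit(RECORDS, lambda p, c: pin_with_key(p, c, KEY)))
```

The first number in each result is how many records a single table of the 10,000 possible PIN digests matches; the second is how many distinct digests are stored, so a value below the record count means cards sharing a PIN are visible as such. Binding the digest to the card number only helps while the card numbers stay out of the same leak, which is the caveat the post states.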





The only way to keep this from working is to have all the compromised cards changed immediately along with the PINs, which no doubt Target has already done. So this is only a theoretical attack that can easily be fixed. However, I am putting this on here so that you can be aware of how this attack works and can also take measures to protect yourself.

Recently Target reported that their debit card database got pwned and a metric ton of PIN numbers got nicked. They claimed that they have not been compromised because the PIN numbers are encrypted. Well, here's the problem with that. You see, just like passwords, PIN numbers are encrypted with a one-way cryptographic hash function, usually MD5 or SHA-1, which people should stop using BECAUSE MD5 AND SHA-1 HAVE BEEN CRACKED FOR LIKE 5 YEARS NOW! Use SHA-256 or even SHA-512.