Updated: 12/28/2013 7:08 AM KSTP.com By: Stephen Tellier
Target is changing course, confirming PIN data was stolen when the retailer was hacked.
The company believes the PINs are "safe and secure," but that hasn't stopped people from calling their banks and changing their PIN numbers. The news comes after the breach that left 40 million customers' payment information in the wrong hands.
One of the central questions from the beginning has been: Did the hackers get debit card PINs? On Friday, we finally got an answer -- but it's not a simple one.
Just four little numbers. But in the wrong hands, they could leave you uttering four letter words.
"It's a direct connection to cash," said computer forensic analyst Mark Lanterman.
That's true for customers -- and criminals.
Lanterman said some PINs are actually embedded in the data right on your debit card's magnetic strip.
"Even if Target had the best security measures in place, the information that banks have chosen to include on your magnetic stripe may have been compromised," Lanterman said.
For the first time on Friday, Target confirmed such PINs were stolen. But Target said the hackers still can't access them, stating, "The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems."
"It would be very, very difficult to break that encryption," Lanterman said.
Target also said, "... debit card accounts have not been compromised due to the encrypted PIN numbers being taken."
"I think that their statement was very carefully worded and technically accurate," Lanterman said.
But Lanterman said he worries hackers could have snagged PIN numbers another way -- by recording the key strokes shoppers used to punch in their PINs.
Either way, Lanterman said there is only one sure solution.
"I think it's important to take control of your own security and simply order a new card," Lanterman said.
KSTP then asked Lanterman why Target -- and the banks -- haven't been telling customers to do just that.
"It costs, I would estimate, probably $5 per card to reissue, but also, it's the holidays, and if you're cancelling your card, you're not spending money," Lanterman said.
Whether your PIN is embedded on your debit card depends on which bank you use. But Lanterman said he called his bank, and was told his PIN number isn't on his magnetic strip. He then tested his card and found out it is.
But despite all of these issues, Lanterman still praised Target's overall response to the incident, saying it's been quick and efficient -- just not without a few speed bumps.