The Target breach, Encrypted PINs, and Customer Safety

On Friday I sat down with Jon Erlichman on Bloomberg West to discuss the recent Target breach, what we know, and what risks face consumers.

 
Timeline of events & what we know

• 12/19 Target acknowledges breach of credit card and debit card data used in stores between Nov. 27 and Dec. 15, 2013
• 12/20 Target update indicates PINs are not at risk "At this time, there is no indication that there has been any impact to PIN numbers."
• 12/21 Chase Bank changes debit card daily limits for impacted customers to $100 cash withdrawals and $300 for purchases. This impacts 2 million Chase accounts
• 12/27 Target update reverses initial statement on 12/20 and confirms that additional investigation shows that encrypted PINs were stolen
• 12/29 Chase Bank maintains limits on impacted accounts but raises daily limits to $250 cash withdrawal and $1500 purchase

Encryption of PINs
On Friday, December 27th Target revealed that the encrypted PINs had been compromised. The press release includes a few important statements:

1. Target doesn't have the decryption key - "Target does not have access to nor does it store the encryption key within our system. The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor."
2. Triple DES encryption - "PIN is encrypted at the keypad with what is known as Triple DES"
3. Target claims customers are safe - "We remain confident that PIN numbers are safe and secure" and "debit card accounts have not been compromised due to the encrypted PIN numbers being taken" 

Are customers safe?
I'm not surprised to see Target attempting to calm customers' fears with their statements about the security of the PINs. However, I'm not convinced I'd support their optimism of safety.  Triple-DES encryption, when used correctly, does provide strong encryption and it would be infeasible to brute force the encryption key. However, even in an ideal use case there are several weaknesses to Triple DES that could impact the effective strength.

What could go wrong with Triple DES?
But, when used incorrectly Triple DES may only provide the illusion of security for these PINs. Here are two scenarios that could put PIN data immediately at risk:

• Triple DES encryption is configured with Electronic Code Book (ECB) -or-
• Triple DES encryption is configured with Cipher-block Chaining (CBC) and uses the same Initialization Vector for encryption of each PIN

In these situations the encrypted output would be the same if the input (i.e. the PIN) is the same. This allows attackers to perform analysis of the encrypted PIN data and compare the results with frequency analysis of PIN selection to make reasonable guesses about which encrypted value matches to what original PIN. In other words, if the most common encrypted value is "51 91 ca 27 be 68 c2 21" then there's a really good chance the original PIN for those users is 1234.



Other indications of concern
Another reason to be cautious about the safety of breached users is the actions taken by Chase. In the height of the Christmas season Chase bank changed limits for all impacted customers. This may be a cautionary move by Chase with memories of the 2009 RBS WorldPay attack that resulted in the loss of $9 million in a matter of hours. However, such a decision made in the prime spending hours of Christmas must have been thoroughly discussed and had supporting information justifying their concerns.

Lastly, we don't know what other information will be uncovered during the investigation, or worse, won't be uncovered because the investigation can't detect it. Target themselves initially reported that PINs were safe and unaffected only to later find out, as their investigation continued, that the encrypted values were stolen.

Advice to Customers
My advice for customers involved is to proactively request new debit cards. Credit card fraud can be easily reversed but debit card fraud can result in inaccessibility to lost funds for a period of time during the dispute.


-Michael Coates - @_mwc

Gmail Changes Enables Tracking of User Email Activity

Changes to Gmail Image Handling Enables Tracking of User Activity with Emails

Google has just modified Gmail so images automatically load within emails.

An important privacy element was omitted from discussion with this change. The change to image handling in gmail creates a reliable method for companies and advertisers to track if a user opens any email sent by the company/advertiser.

This is accomplished since the image within the email can be accompanied with a unique URL parameter that acts as a tracking beacon. If a user opens the email then the image will be automatically loaded and the beacon will be sent back to a web server controlled by the sender. This provides an alert that the specific user opened the email.

Previously Gmail blocked images by default and required users to take a specific action to display the images. So while this beacon based email tracking has always been possible, the default handling in gmail previously made it an unreliable tracking method that wasn't worth the effort.


How Does The Tracking Work?
In this example the company sending the email would own site.com

1. Company crafts an email and includes an image with a tracking beacon number within a url parameter
   http://site.com/picture.jpg?beacon=0001234
2. User opens the email within gmail and the browser automatically requests the image included in the email
3. Google has modified the email so the image new resolves through the new proxy service. This means the url from step #1 now looks like this in the source
   https://ci4.googleusercontent.com/proxy/wLmL7aeWQ5zwvPCbo5nG=s0-d-e1-ft#http://site.com/picture.jpg?beacon=0001234
4. The browser automatically requests the image
5. The google proxy service at ci4.googleusercontent.com receives this request and makes an outbound request to http://site.com/picture.jpg?beacon=0001234
6. The sender of the email returns picture.jpg and records that user 0001234 has opened the email

Here's a screenshot of my webserver showing the request which includes the URL parameter and also a mention to google's domain ggpht.com

[12/Dec/2013:23:48:10 +0000] "GET /Turkish_Van_Cat.jpg?id=01234 HTTP/1.1" 200 1718186 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (via ggpht.com)"



In practice companies wishing to track email activity will simply add a hidden 1 pixel by 1 pixel image that will perform this tracking unbeknownst to the end user.

Opt-Out Argument
The argument that you can opt-out of this new setting is a red-herring. If only those that read this post take actions to opt-out then the vast majority of people can still be tracked using this technique.

Security Win and Privacy Loss?
Perhaps there are security merits to this change. However, the collateral damage should not be ignored and overlooked in this change that impacts all gmail users.



-Michael Coates - @_mwc

3 Bottles of Whiskey for SSL on your News Org Website - Standing Offer

https://twitter.com/csoghoian/status/410858495890583552

https://twitter.com/_mwc/status/410864015045193728

The original washingtonpost.com article :
News sites could protect your privacy with encryption. Here’s why they probably won’t.




-Michael Coates - @_mwc

Eliminate Application Attackers before Exploitation - Podcast OWASP AppSensor

Podcast recorded at OWASP AppSecUSA on the AppSensor project.



-Michael Coates - @_mwc

Missed OWASP AppSecUSA? Videos Online Now

OWASP AppSecUSA videos are now online here.
A quick wrap-up of AppSecUSA from Tom Brennan is posted here.
The whole catalog of owasp videos can be found here.
 

-Michael Coates - @_mwc