Maybe you're in possession of one of the 40 million credit or debit cards that were affected by thieves who infiltrated Target's (TGT 0.33%) point-of-sale system over the holidays -- lucky you. Today, Target revealed that customer PINs were picked up as well, but that the PINs were encrypted. Apart from an omnipresent sense of dread, what does it really mean?
When stolen stuff is worthless
Let's start with the easy one. A pile of encrypted PINs is effectively worthless. Target's PIN pads take the number that you put in and turn it into an incredibly complicated other number. To be clear, I don't mean that you put in 5544 and they turn it into 6655. Oh my, no. Instead, your four-digit PIN gets turned into a long string of numbers and letters that means nothing to a person without the correct key.
Luckily -- which is to say, by very strict purposeful design -- Target doesn't hold on to those keys. Those are stored with the payment processor. That means that the encrypted PINs that Target lost are worthless. It's like stealing 40 million pounds of coal because you want diamonds.
Card numbers are a different story
The biggest loss is the raw card data. According to reports, Target's systems were infected with software that skimmed the numbers off the cards as they were swiped through at cash registers. That allows the people on the receiving end to create physical replicas of the 40 million cards. Those can be used online or in person with a signature, and are the weakest link in the credit card chain.
As many analysts have pointed out, the U.S. is well behind the times on credit card protection. Many other countries have moved on to chip and pin cards, which do not use the easy-to-skim magnetic stripe. America has been a notable holdout. As a result, widespread thefts, like those at Target, are much easier to pull off in the U.S.
What consumers can do
While encrypted PINs may be effectively uncrackable, that doesn't mean that you should be blase about the theft. Consumers who used their cards between Nov. 27 and Dec. 15 in a Target store in the U.S. could be at risk. Target has said that it will give all affected customers free credit monitoring, but hasn't said how that's going to work.
The company has also highlighted an important point: Consumers are not liable for unauthorized charges on their cards. Credit card or debit card, it doesn't matter. The law says that if your card information is stolen but the physical card is not stolen, you are not held liable for the resulting transactions.
If you have the ability to do so, it's never a bad idea to get out ahead of the problem. Getting a new card now, before anything is run on your account, is much easier than getting money back later. No matter what you do, keep a close eye on your accounts, and check with Target for periodic updates.
