Target's Word May Not Be Enough To Keep Your Stolen PIN Safe Despite news that hackers stole PIN data from the giant retailer Target during prime buying season, shoppers say they will still use their cards to ring up purchases there. Target says the PINs are encrypted, but security experts say that given time, hackers could still outwit the system.
NPR logo

Target's Word May Not Be Enough To Keep Your Stolen PIN Safe

  • Download
  • <iframe src="" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Target's Word May Not Be Enough To Keep Your Stolen PIN Safe


This is WEEKEND EDITION from NPR News. I'm Jennifer Ludden.

The giant retailer Target continues to feel the fallout from a massive security breach at its stores. The latest revelation: Hackers who stole credit and debit card numbers also collected encrypted personal identification numbers.

NPR's Sam Sanders has the latest.

SAM SANDERS, BYLINE: Forty million, that's how many Target customers had their card information hacked. The breach took place over 19 days in November and December. In spite of this news, Brigitte Clark had no worries as she left a Target in Los Angeles Saturday morning, a cart full of groceries.

BRIDITTE CLARK: I feel about as safe as any - as we can be.

SANDERS: Clark says things like Target's security breach just happen. She says she'll keep shopping.

CLARK: I mean, I'm going to check my accounts like I always do on a daily basis, which is what everybody should be doing. I have not changed. I have always checked my accounts daily. The hackers are on it. So we have to be on it.

SANDERS: Clark's got a point. Those hackers were on it. Target recently acknowledged that on top of card numbers, customer's PIN numbers were also stolen. Those are the four-digit codes used to verify purchases on debit cards.

In a statement, Target says the PINs were encrypted, so they're safe. They say the only people that could decrypt the PINs are at Target's external, independent payment processor.

STUART MCCLURE: To me that's fantasy. I'm not quite sure what makes them think that.

SANDERS: Stuart McClure is the CEO of Cylance, a computer security company. He says those stolen PIN numbers can be decrypted by the hackers. They can conduct what's called brute-force decrypting, says Stuart, if they've got the right tools and the time.

MCCLURE: It just depends on how determined the adversary is and how committed they are to performing the fraud. You're probably talking about weeks or months.

SANDERS: Stuart does have some advice for people who shopped at Target during the dates in question.

MCCLURE: Either change your PIN now or just be hyper vigilant about your account and all the withdrawals that are coming out of your bank.


SANDERS: Outside of that Los Angeles Target, shopper Sam Choi says he feels safe shopping at Target. He only uses a credit card, which doesn't require a PIN. Choi does think someone should be punished, though.

SAM CHOI: Is this Target's fault? You know, somebody in their IT department probably needs to get fired, but that's about it.

SANDERS: Target stock's been down since news of the hack. And to keep customers in stores, it instituted a 10 percent sale on all items the weekend before Christmas. The company's quarterly results should come out in February. Those numbers might offer a clearer view into just how much this episode will affect the company's bottom-line.

Sam Sanders, NPR News.

Copyright © 2013 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.