In a recent interview, Andrew Komarov, CEO of U.S. security startup IntelCrawler, described the malware used in the Target data breach to be a dump-memory-scraper that infected Target's Windows-based Point-Of-Sale (POS) registers. The malware Komarov identified, named Reedum, was a variant of the BlackPOS malware that he discovered in March of 2013, and is difficult to detect using malware scanners. But Target could have defended against it nevertheless.
If all of the POS systems deployed in Target's stores used the credit card readers like those in its store in Braintree, Massachusetts, the credit card data could have been encrypted using the Triple DES (3DES) algorithm. In the side-by-side comparison below, the credit card terminal used in Braintree looks like the Hypercom Optimum L4150 (pdf).
The Optimum L4150 was connected to the point of sale register with a USB, Ethernet or RS232 cable and supports encryption of credit card data.
Jason Schnellbacher of the Prineta software development team, which is familiar with the L4150 card reader terminal and related encryption practices, reviewed this point of sale equipment:
"The bank card pins were definitely encrypted with the 3DES algorithm, but there is a question if the credit card data was encrypted. The L4150 terminal has the capability to encrypt the credit card data using any of a number of standard encryption algorithms, but if the POS system vendor chose one, it would be 3DES. However, the connection between the card reader terminal and the POS device is considered secure and often times the credit card data is sent as clear text to the POS device where it is only then encrypted and sent upstream for processing. We don't know how Target and its POS vendor NCR implemented this encryption, but based on industry practices there is a better than even chance that the credit card data was not encrypted. If POS system vendor NCR enabled 3DES, all the thieves stole were encrypted data."
Chris Wysopal, founder and CTO of Veracode, responded to the question "how difficult would it be to extract the key and decrypt the data from 100 million credit cards if they were encrypted with 3DES?"
"It shouldn't be possible to brute force 3DES in a reasonable amount of time without a very big supercomputer."
Unencrypted credit card data can't be monetized, so the thieves may have only made themselves targets of an FBI manhunt. Instead of a treasure trove of credit cards, if 3DES encryption was implemented, all they got was a bucket of bits.
POS system manufacturer NCR did not respond to a request for comment on the details of encryption of the credit card data between the carder reader terminal and the POS device.