No. Not my opinion. I had no opinion on Target security because I know only a little bit of the specifics of how Target manages information security. I suspect this guy, Evan Schuman, a columnist for ComputerWorld.com, didn’t either. It seems he made some assumptions about Target security based on the information Target originally released. To his credit, however, he retracted at least some of his statements in this article on ComputerWorld.com.
The gist of the article is that because Target uses something called DUKPT (Derived Unique Key Per Transaction) encryption to protect PIN numbers, they are better at security than the author thought.
Ok. That’s great. The problem, though, is that the author made assumptions about Target’s overall handling of security. The use of DUKPT is an industry standard for credit card transaction processing in the retail industry. This does protect PIN numbers about as well as they can be protected. But this says nothing about Target’s overall security.
In my opinion, the author has made another mistake with this retraction. The first mistake was assuming that because Target was successfully attacked they must have been doing something wrong. The second mistake is to assume that because it is now known that they were doing one thing right that Target’s overall security management is somehow better than he thought.
I’m not trying to suggest that Target’s information security management is either good or bad. I’m only saying that, at this point, nobody outside of Target has enough information to measure the quality of Target’s information security management. I believe that those with the bigger megaphones have a responsibility to know more about what they write about before they utter their opinions.
I can only hope that I did enough due diligence before writing this post.