The TJX case just keeps giving and giving. A recent indictment of a man named Gonzalez, which has the rather revealing filename of N:\SHeymann\Case Files\TJX\Indictment and Informations\Final Versions\Gonzalez Indictment Final.wpd, shows that PIN numbers were being decrypted in large batches:
e. Downloaded from the corporate networks processing and/or storing payment card transactions the track 2 data for tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards;
f. Obtained technical assistance from criminal associates in decrypting encrypted PIN numbers
This is major news. How did they decrypt PINs?
I have seen few reports on the implications of this for bank security, but frankly it changes everything. If an attacker can steal your PIN number even when it is encrypted and stored within a bank, then your financial data is under an even bigger threat than ever before.