Attacks/Breaches
10/25/2012
01:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Barnes & Noble Probes PIN Keypad Hack

Criminals hacked one PIN keypad in each of 63 stores and have already used the stolen data to commit fraud. Was it an inside job?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Barnes & Noble Wednesday confirmed that point-of-sale systems in 63 of its stores had been physically hacked as part of what it described as "a sophisticated criminal effort to steal credit and debit card information from our customers who have swiped their cards through PIN pads when they made purchases at certain retail stores."

That information was disclosed to customers Wednesday via a data breach notification, as well as a related press release, both of which were distributed via the website of the California Attorney General.

According to Barnes & Noble, the hacked PIN pads--only one of which was hacked in each of the stores--were capable of "capable of capturing information such as name, card account number, and PIN," but only for in-person purchases in which a card was swiped. The company said that its online customer database hadn't been breached. Still, stolen information from the hacked PIN pads has reportedly already been used by fraudsters.

[ Read Many Identity Theft Protection Services Promise The Impossible. ]

Barnes & Noble said that it detected the PIN pad tampering "during maintenance and inspection of the devices," and said it immediately discontinued the use of all PIN pads across its nearly 700 U.S. stores, disconnected and sent them to an offsite location for inspection, and informed federal authorities, who are now investigating the tampering. Barnes & Noble has now completed physical inspections of every PIN pad for tampering, but hasn't returned them to stores, owing to ongoing concerns over tampering and data theft.

"The PIN pads were removed from stores on September 14, and the transactions are being made now through the register," said Barnes & Noble spokeswoman Mary Ellen Keating via phone. She declined to comment on whether the bookseller might resume using PIN pads at a future date.

A senior Barnes & Noble official told The New York Times, which first reported the story of the data breach Wednesday, that the company did inform credit card companies about the data breach. But the Barnes & Noble didn't immediately disclose the breach to its customers. The company official said that the U.S. Attorney's Office for the Southern District of New York said the bookseller didn't need to alert customers to the PIN pad fraud until Dec. 24, 2012, so as to not interfere with related investigations.

The list of affected stores includes locations in nine states: California, Connecticut, Florida, Illinois, New Jersey, New York, Massachusetts, Pennsylvania, and Rhode Island.

In its Wednesday data breach notification to customers, Barnes & Noble said that "as a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads" should immediately contact their bank to change the PIN number for their debit card, if one was used. The bookseller also recommended that both credit and debit card users review their account statements for unauthorized charges, and notify their banks if any were found. But it didn't detail--or perhaps simply doesn't yet know--when its PIN terminals were first hacked.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 5:27:39 PM
re: Barnes & Noble Probes PIN Keypad Hack
If this was an inside job the Barnes and Nobel has way overqualified sales people working the registers. GÇ£A sophisticated criminal effort does not sound like it could be committed by the sales clerk who just directed me to the travel section. Not at all putting down sales clerks but if you have the ability to carry out a sophisticated criminal attack then they are probably in the wrong field. 63 stores that were effected is quite a feat considering the security on these pos terminals, which leaves the obvious, an inside job.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.