Attacks/Breaches
10/25/2012
01:11 PM
50%
50%

Barnes & Noble Probes PIN Keypad Hack

Criminals hacked one PIN keypad in each of 63 stores and have already used the stolen data to commit fraud. Was it an inside job?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Barnes & Noble Wednesday confirmed that point-of-sale systems in 63 of its stores had been physically hacked as part of what it described as "a sophisticated criminal effort to steal credit and debit card information from our customers who have swiped their cards through PIN pads when they made purchases at certain retail stores."

That information was disclosed to customers Wednesday via a data breach notification, as well as a related press release, both of which were distributed via the website of the California Attorney General.

According to Barnes & Noble, the hacked PIN pads--only one of which was hacked in each of the stores--were capable of "capable of capturing information such as name, card account number, and PIN," but only for in-person purchases in which a card was swiped. The company said that its online customer database hadn't been breached. Still, stolen information from the hacked PIN pads has reportedly already been used by fraudsters.

[ Read Many Identity Theft Protection Services Promise The Impossible. ]

Barnes & Noble said that it detected the PIN pad tampering "during maintenance and inspection of the devices," and said it immediately discontinued the use of all PIN pads across its nearly 700 U.S. stores, disconnected and sent them to an offsite location for inspection, and informed federal authorities, who are now investigating the tampering. Barnes & Noble has now completed physical inspections of every PIN pad for tampering, but hasn't returned them to stores, owing to ongoing concerns over tampering and data theft.

"The PIN pads were removed from stores on September 14, and the transactions are being made now through the register," said Barnes & Noble spokeswoman Mary Ellen Keating via phone. She declined to comment on whether the bookseller might resume using PIN pads at a future date.

A senior Barnes & Noble official told The New York Times, which first reported the story of the data breach Wednesday, that the company did inform credit card companies about the data breach. But the Barnes & Noble didn't immediately disclose the breach to its customers. The company official said that the U.S. Attorney's Office for the Southern District of New York said the bookseller didn't need to alert customers to the PIN pad fraud until Dec. 24, 2012, so as to not interfere with related investigations.

The list of affected stores includes locations in nine states: California, Connecticut, Florida, Illinois, New Jersey, New York, Massachusetts, Pennsylvania, and Rhode Island.

In its Wednesday data breach notification to customers, Barnes & Noble said that "as a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads" should immediately contact their bank to change the PIN number for their debit card, if one was used. The bookseller also recommended that both credit and debit card users review their account statements for unauthorized charges, and notify their banks if any were found. But it didn't detail--or perhaps simply doesn't yet know--when its PIN terminals were first hacked.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 5:27:39 PM
re: Barnes & Noble Probes PIN Keypad Hack
If this was an inside job the Barnes and Nobel has way overqualified sales people working the registers. GǣA sophisticated criminal effort does not sound like it could be committed by the sales clerk who just directed me to the travel section. Not at all putting down sales clerks but if you have the ability to carry out a sophisticated criminal attack then they are probably in the wrong field. 63 stores that were effected is quite a feat considering the security on these pos terminals, which leaves the obvious, an inside job.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report