Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Barnes & Noble Probes PIN Keypad Hack

Criminals hacked one PIN keypad in each of 63 stores and have already used the stolen data to commit fraud. Was it an inside job?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Barnes & Noble Wednesday confirmed that point-of-sale systems in 63 of its stores had been physically hacked as part of what it described as "a sophisticated criminal effort to steal credit and debit card information from our customers who have swiped their cards through PIN pads when they made purchases at certain retail stores."

That information was disclosed to customers Wednesday via a data breach notification, as well as a related press release, both of which were distributed via the website of the California Attorney General.

According to Barnes & Noble, the hacked PIN pads--only one of which was hacked in each of the stores--were capable of "capable of capturing information such as name, card account number, and PIN," but only for in-person purchases in which a card was swiped. The company said that its online customer database hadn't been breached. Still, stolen information from the hacked PIN pads has reportedly already been used by fraudsters.

[ Read Many Identity Theft Protection Services Promise The Impossible. ]

Barnes & Noble said that it detected the PIN pad tampering "during maintenance and inspection of the devices," and said it immediately discontinued the use of all PIN pads across its nearly 700 U.S. stores, disconnected and sent them to an offsite location for inspection, and informed federal authorities, who are now investigating the tampering. Barnes & Noble has now completed physical inspections of every PIN pad for tampering, but hasn't returned them to stores, owing to ongoing concerns over tampering and data theft.

"The PIN pads were removed from stores on September 14, and the transactions are being made now through the register," said Barnes & Noble spokeswoman Mary Ellen Keating via phone. She declined to comment on whether the bookseller might resume using PIN pads at a future date.

A senior Barnes & Noble official told The New York Times, which first reported the story of the data breach Wednesday, that the company did inform credit card companies about the data breach. But the Barnes & Noble didn't immediately disclose the breach to its customers. The company official said that the U.S. Attorney's Office for the Southern District of New York said the bookseller didn't need to alert customers to the PIN pad fraud until Dec. 24, 2012, so as to not interfere with related investigations.

The list of affected stores includes locations in nine states: California, Connecticut, Florida, Illinois, New Jersey, New York, Massachusetts, Pennsylvania, and Rhode Island.

In its Wednesday data breach notification to customers, Barnes & Noble said that "as a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads" should immediately contact their bank to change the PIN number for their debit card, if one was used. The bookseller also recommended that both credit and debit card users review their account statements for unauthorized charges, and notify their banks if any were found. But it didn't detail--or perhaps simply doesn't yet know--when its PIN terminals were first hacked.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 5:27:39 PM
re: Barnes & Noble Probes PIN Keypad Hack
If this was an inside job the Barnes and Nobel has way overqualified sales people working the registers. GǣA sophisticated criminal effort does not sound like it could be committed by the sales clerk who just directed me to the travel section. Not at all putting down sales clerks but if you have the ability to carry out a sophisticated criminal attack then they are probably in the wrong field. 63 stores that were effected is quite a feat considering the security on these pos terminals, which leaves the obvious, an inside job.

Paul Sprague
InformationWeek Contributor
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7856
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
CVE-2021-28793
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
CVE-2021-25679
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
CVE-2021-25680
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
CVE-2021-25681
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...