Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Barnes & Noble Probes PIN Keypad Hack

Criminals hacked one PIN keypad in each of 63 stores and have already used the stolen data to commit fraud. Was it an inside job?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Barnes & Noble Wednesday confirmed that point-of-sale systems in 63 of its stores had been physically hacked as part of what it described as "a sophisticated criminal effort to steal credit and debit card information from our customers who have swiped their cards through PIN pads when they made purchases at certain retail stores."

That information was disclosed to customers Wednesday via a data breach notification, as well as a related press release, both of which were distributed via the website of the California Attorney General.

According to Barnes & Noble, the hacked PIN pads--only one of which was hacked in each of the stores--were capable of "capable of capturing information such as name, card account number, and PIN," but only for in-person purchases in which a card was swiped. The company said that its online customer database hadn't been breached. Still, stolen information from the hacked PIN pads has reportedly already been used by fraudsters.

[ Read Many Identity Theft Protection Services Promise The Impossible. ]

Barnes & Noble said that it detected the PIN pad tampering "during maintenance and inspection of the devices," and said it immediately discontinued the use of all PIN pads across its nearly 700 U.S. stores, disconnected and sent them to an offsite location for inspection, and informed federal authorities, who are now investigating the tampering. Barnes & Noble has now completed physical inspections of every PIN pad for tampering, but hasn't returned them to stores, owing to ongoing concerns over tampering and data theft.

"The PIN pads were removed from stores on September 14, and the transactions are being made now through the register," said Barnes & Noble spokeswoman Mary Ellen Keating via phone. She declined to comment on whether the bookseller might resume using PIN pads at a future date.

A senior Barnes & Noble official told The New York Times, which first reported the story of the data breach Wednesday, that the company did inform credit card companies about the data breach. But the Barnes & Noble didn't immediately disclose the breach to its customers. The company official said that the U.S. Attorney's Office for the Southern District of New York said the bookseller didn't need to alert customers to the PIN pad fraud until Dec. 24, 2012, so as to not interfere with related investigations.

The list of affected stores includes locations in nine states: California, Connecticut, Florida, Illinois, New Jersey, New York, Massachusetts, Pennsylvania, and Rhode Island.

In its Wednesday data breach notification to customers, Barnes & Noble said that "as a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads" should immediately contact their bank to change the PIN number for their debit card, if one was used. The bookseller also recommended that both credit and debit card users review their account statements for unauthorized charges, and notify their banks if any were found. But it didn't detail--or perhaps simply doesn't yet know--when its PIN terminals were first hacked.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 5:27:39 PM
re: Barnes & Noble Probes PIN Keypad Hack
If this was an inside job the Barnes and Nobel has way overqualified sales people working the registers. GǣA sophisticated criminal effort does not sound like it could be committed by the sales clerk who just directed me to the travel section. Not at all putting down sales clerks but if you have the ability to carry out a sophisticated criminal attack then they are probably in the wrong field. 63 stores that were effected is quite a feat considering the security on these pos terminals, which leaves the obvious, an inside job.

Paul Sprague
InformationWeek Contributor
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...