Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Barnes & Noble Probes PIN Keypad Hack

Criminals hacked one PIN keypad in each of 63 stores and have already used the stolen data to commit fraud. Was it an inside job?

11 Security Sights Seen Only At Black Hat
11 Security Sights Seen Only At Black Hat
(click image for larger view and for slideshow)
Barnes & Noble Wednesday confirmed that point-of-sale systems in 63 of its stores had been physically hacked as part of what it described as "a sophisticated criminal effort to steal credit and debit card information from our customers who have swiped their cards through PIN pads when they made purchases at certain retail stores."

That information was disclosed to customers Wednesday via a data breach notification, as well as a related press release, both of which were distributed via the website of the California Attorney General.

According to Barnes & Noble, the hacked PIN pads--only one of which was hacked in each of the stores--were capable of "capable of capturing information such as name, card account number, and PIN," but only for in-person purchases in which a card was swiped. The company said that its online customer database hadn't been breached. Still, stolen information from the hacked PIN pads has reportedly already been used by fraudsters.

[ Read Many Identity Theft Protection Services Promise The Impossible. ]

Barnes & Noble said that it detected the PIN pad tampering "during maintenance and inspection of the devices," and said it immediately discontinued the use of all PIN pads across its nearly 700 U.S. stores, disconnected and sent them to an offsite location for inspection, and informed federal authorities, who are now investigating the tampering. Barnes & Noble has now completed physical inspections of every PIN pad for tampering, but hasn't returned them to stores, owing to ongoing concerns over tampering and data theft.

"The PIN pads were removed from stores on September 14, and the transactions are being made now through the register," said Barnes & Noble spokeswoman Mary Ellen Keating via phone. She declined to comment on whether the bookseller might resume using PIN pads at a future date.

A senior Barnes & Noble official told The New York Times, which first reported the story of the data breach Wednesday, that the company did inform credit card companies about the data breach. But the Barnes & Noble didn't immediately disclose the breach to its customers. The company official said that the U.S. Attorney's Office for the Southern District of New York said the bookseller didn't need to alert customers to the PIN pad fraud until Dec. 24, 2012, so as to not interfere with related investigations.

The list of affected stores includes locations in nine states: California, Connecticut, Florida, Illinois, New Jersey, New York, Massachusetts, Pennsylvania, and Rhode Island.

In its Wednesday data breach notification to customers, Barnes & Noble said that "as a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads" should immediately contact their bank to change the PIN number for their debit card, if one was used. The bookseller also recommended that both credit and debit card users review their account statements for unauthorized charges, and notify their banks if any were found. But it didn't detail--or perhaps simply doesn't yet know--when its PIN terminals were first hacked.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
10/30/2012 | 5:27:39 PM
re: Barnes & Noble Probes PIN Keypad Hack
If this was an inside job the Barnes and Nobel has way overqualified sales people working the registers. GǣA sophisticated criminal effort does not sound like it could be committed by the sales clerk who just directed me to the travel section. Not at all putting down sales clerks but if you have the ability to carry out a sophisticated criminal attack then they are probably in the wrong field. 63 stores that were effected is quite a feat considering the security on these pos terminals, which leaves the obvious, an inside job.

Paul Sprague
InformationWeek Contributor
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...