Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."

Advantage

[bobstreo]

Amazon?

Well done B&N

Seriously, no irony.

They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

They'll still get my business.

Re:Well done B&N

i liked them when the stood up to MS and didn't take any crap
I hated them when they started taking MS crap

which one is Barnes and which one is Nobles ?

Re:Well done B&N

Yeah, it does seem they did the responsible thing. Nonetheless, they did have hardware that was breached, so while the response is adequate other problems might exist. I'm not as willing to let them off the hook until they explain how they were hacked and if they were aware of the potential.

Re:Well done B&N

[Twillerror]

Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.

The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

Re:Well done B&N

[Deep+Esophagus]

Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.

Re:Well done B&N

[Rob+the+Bold]

Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.

The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

CC numbers are stored in plain text on the magstripe. So the terminal has to deal with that info in unencrypted format at at least one point. And if you've compromised the card reader somehow -- the article doesn't say how -- then you can see, save or transmit that data.

And TFA doesn't say they ignored it. It says they contacted the FBI. I assume from the statement: "The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers." that it was the FBI who asked BN to sit on it. And who knows, perhaps the vendor was notified in the meantime, that part isn't mentioned either way in TFA.

Re:Well done B&N

The terminals should be just that, data entry points that transmit data to and from a secure location.

Typically POS devices do exactly that. The article and summary are not very specific, but I would guess some sort of software or possibly even hardware keylogger was at work here.

Re:Well done B&N

[rubikscubejunkie]

and idea who the vendor was of the PoS devices?

Re:Well done B&N

[_xeno_]

Why are they storing CCs plain text on the terminals.

They aren't. Well, maybe they aren't, but that's not the problem. The summary is very unclear, but the actual article explains that they were compromising the "PIN pads" and not the cash registers. (The PIN pad presumably being that little thing where you swipe your card, and then either sign it or enter your PIN.) Since those were compromised, even if they weren't storing the data in the register itself, the thieves had access to the data through the compromised PIN pad.

The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.

Re:Well done B&N

[Dast]

Thank you for pointing that out. Everyone should know that the PAN is indeed stored in plain text on the magstripe. If the hardware was compromised, there's almost no way to stop someone from getting it.

Re:Well done B&N

[tlhIngan]

The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.

Standard pin=pad fraud actually. What the criminals do is they steal pin-pads, then back at their lair, modify them to include recording hardware (you know, crack open the case, add a magstripe recorder (just an MP3 player with record function) and wires to the keypad to record the PIN.

Then they go to the cashiers, and when no one's looking, swap out the pin-pads.

It usually happens with smaller outfits (fast food outlets and the like) where they don't bolt-down the pin-pad to prevent theft. That's why the big guys have pin-pads that are encased in metal or otherwise bolted down to the counter.

The pin-pads are usually connected to the main unit (where the cashier enters in the amount and gets the printouts) by a simple coiled cable with RJ style jacks on them, making it trivially quick to swap surreptitiously.

It's a pretty standard fraud, actually.

Re:Well done B&N

[The+Snowman]

Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.

Should be, yes. However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present. While most of the time you will need to swipe your card to process a return, this is not required by law or PCI. The only time it is required is for debit, since any debit transaction requires physical possession of the card and PIN entry (although this is changing). By swiping the card, the terminal reads the track data which proves physical possession since it is not allowed to be stored.

Anyway, there is a reason for systems working this way: whether it is a good idea or should be allowed according to any random person is a different issue entirely.

Re:Well done B&N

[ShanghaiBill]

Why are they storing CCs at all on the terminals?

It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.

Re:Well done B&N

Where does it state that they stored them in plain text. For all we know the hackers didn't even use a software hack, as no details have been released yet.
And even if all proper security measures are taken, in any security chain there is still two points where the data is unencrypted even if only for a short while, a memory dump at that moment in time will give the hacker all the details they want. And even if they cant find that point they can still decrypt the data if they can get the decryption key. There are many avenues for attack, hackers know this. It's not right to add additional details to discredit them before you know.

Re:Well done B&N

[cboslin]

and idea who the vendor was of the PoS devices?

While this would be interesting to know, (per Snowman, VeriFone, Ingenico, Hypercomm are three possibilities) it sounds like most of the pin pad industry, if not all, does not bother hashing the pin number of a user's card at the PoS Pin Device. If the hash was secure enough and combined with a store ID + device ID + IP/network location, it would be much harder (if not impossible) for anyone else to spoof a transaction from some other geographical location, (ie. Brazil). Add to that, that the transaction should ONLY come from a secured (separate) backend financial or banking system (only authorized entities would have access to this network and any store not securing their end would risk losing access) that would also have a unique label/ID...not sure how some cracker could continue to do this without a rootkit or other exploit in that company's IT environment. (How could a transaction from Brazil happen, guess the stores unique network identifiers are not used and/or checked...that's a fail.)

In fact based on this comment from GrandWaz00, it appears the pin pad is NOT the problem and that the cracker has other exploits yet to be revealed or not found by the company's IT System Administrators.

I wonder if the Barnes & Nobles IT Managers allocated budget for the Systems Admins to baseline their systems, network, operating systems, transaction work flows and monitoring of said systems for events that appear strange (outside norms) when compared against those earlier baselines? In my over 33 years of IT experience they (Managers) rarely if ever allow for time spent making their systems safe, including ongoing monitoring in order to catch an exploit before it impacts anyone.

It can not be just the pin pads as the cracker/thieves compromised more than a few dozen pin pads, they could not have swapped out the pin pads as tlhingan suggested in his post in that many locations. That is unless they hooked up with one of the gangs that have a presence in many US cities...it simply would take too many individuals to pull this off in 60 or more stores in multiple geographic locations. In that last scenario too many people would know.

Meaning the real exploit (yet to be revealed / yet to be found) is further up the TCP/IP network + Operating Systems + Software Application food chain from the pin pad, not just that pin pad. Or the thieve is a frequent flier in order to reach 60 plus stores in cities around the USA. A few of the cities ("New York City, San Diego, Miami, and Chicago.") listed would be a long drive from each other.

Its common in our industry, in order to make a company's IT systems to see more secure than they really are, to blame something else, usually some innocent human (human error), at least they blamed a dumb device instead of a person.

Regardless stop calling these people hackers, they are crackers not hackers. Hackers do not do harm. Once someone crosses the line and steals information (or money) they are no longer a hacker, but a cracker. Hacking is an honorable way to learn about technology and with proprietary environments, often the only way for an honest Systems Administrator (White Hat) to discover exploits and plug them in order to protect whoever is paying their paycheck. Of course at most companies, this type of activity is rarely if ever allotted time to pursue...as already stated above.

You think companies would understand that its all about TRUST, once customers lose trust in the company, their systems, their people, their products, that company is close to going under and out of business. Of course talking the game and not walking the walk, is what gets companies into troubl

Re:Well done B&N

[man_the_king]

Seriously, no irony.

They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

They'll still get my business.

Sony had a similar situation.

They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

In just 7-9 days.

And they still got a lot of flak for it.

This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.

Bunch of hypocrites.

Re:Well done B&N

[mpe]

Why are they storing CCs plain text on the terminals.

A better question would be "Why are these 'terminals' storing anything?" Along with "Why is the 'firmware' upgradable via the user interface?"

Re:Well done B&N

[mpe]

However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present.

Is it not possible to do this using transaction ID?
Unless the stored data can only be decrypted via the operator entering a key which is unique per transaction (and not stored in the machine) any encryption is rather pointless. Storing key and cyphertext together is for all practical purposes storing the plaintext.

Re:Well done B&N

The culprits were probably subcontractors hired on behalf of Indian International Business Machines to install and/or update the various Point-of-Sale (POS) terminals.

Re:Well done B&N

[The+Snowman]

However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present.

Is it not possible to do this using transaction ID?
Unless the stored data can only be decrypted via the operator entering a key which is unique per transaction (and not stored in the machine) any encryption is rather pointless. Storing key and cyphertext together is for all practical purposes storing the plaintext.

Now you see why despite being technically allowed, it truly is debatable whether or not it is a good idea. I agree with you on this: it is a bad idea. However, the people that make the rules (state/federal governments, and the payment card industry itself) disagree.

Interesting you should mention using an ID unique to the transaction: one of the major pushes right now is to use tokenization. Essentially, the PINpad provides the track data to the POS. The POS then sends this to the payment processor, who returns a token which is a unique character string. Any future actions taken for that card and transaction (i.e. the initial authorization, a return in the future) will use that token. The token is not a credit card number: it is useless to a thief, since it is only useful at that merchant to transfer funds between the combination of card and merchant.

In this scheme the card data is stored at the payment processor, which offloads liability. The processors already have tons of sensitive data, but are better equipped to protect it. Instead of card data being stored on hard drives all over the country, it is physically secure and hopefully secure from electronic intrusion. But it is no less an issue than the banks themselves storing data.

Re:Well done B&N

[gmanterry]

Seriously, no irony.

They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

They'll still get my business.

Sony had a similar situation.

They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

In just 7-9 days.

And they still got a lot of flak for it.

This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.

Bunch of hypocrites.

I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.

Re:Well done B&N

This is why I really, really hate the entire "Swipe your own card" type of BS. If you need to enter a PIN, that should be the only thing those terminals do. Having anything that allows the employee to NOT examine the card is crap. But we've softened our laws and the companies have softened their requirements, so they don't even check for a signature any more. Hell, a man can walk up to the terminal at Wal-Mart with a woman's card, run a $500 purchase, sign the screen "Micky Fucking Mouse" and they don't even blink. I know, I've done it with my wife's card all the time.

Re:Well done B&N

[rubikscubejunkie]

thank you for this reply. lots of good info.

Re:Well done B&N

[man_the_king]

Seriously, no irony.

They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

They'll still get my business.

Sony had a similar situation.

They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

In just 7-9 days.

And they still got a lot of flak for it.

This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.

Bunch of hypocrites.

I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.

And that rootkit was in 2006, by a company Sony had just acquired.

A lot of water has since passed under the bridge - both bad and good, but if you want to keep on harping about that as justification, be my guest. Just recognize that other, rational people, understand that things change, the Sony of today is different from the Sony of yesteryear, whether it be by design or because of circumstances.

The fact, however, stands that this rootkit in 2006 has nothing to do with the PSN hacking in 2011. There is no logical way that a sane, reasonable, rational human being can conflate the two.

B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded

Oh sorry, you are not a sane, reasonable, rational human being.

Carry on ranting

Re:Well done B&N

The linked C|Net article is down, here is the direct link to the B&N website where they notify the customers:
http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html

Which stores exactly?

[Culture20]

including locations in New York City, San Diego, Miami, and Chicago.

Doubtlessly including lesser known cities. How to know if we're affected?

Re:Which stores exactly?

[eternaldoctorwho]

The exact list of affected stores can be found here:
http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html

Re:Which stores exactly?

[GrandWaz00]

Thank you for posting this link.

I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14.
However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier.
A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudulent transaction was apparently attempted in Brazil.

Is this a tea leaf that is indicative of something, perhaps that B&N has been penetrated by multiple hacks, and they haven't discovered all of them yet?

Or is it time for me to consider getting measured for a tinfoil hat?

Re:Which stores exactly?

Inside man?

Re:Which stores exactly?

[MetalliQaZ]

/me checks list. ... DAMMIT!

Re:Which stores exactly?

[rjr162]

or perhaps your card # has been out there for quite some time but the attempt to use it didn't happen until this time

Don't use ATM/Debit cards for purchases

[hawguy]

A local grocery store chain had a similar problem a few months back and that's when I decided to never use my ATM/Debit card for purchases -- once the thieves have your card number and PIN, they can suck money right out of your bank account.

For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card. If you want a credit card, use a credit card, at least if that number is stolen, thieves can't wipe out your bank account balance and cause you to start bouncing checks. Debit cards don't have the same protection as credit cards under the law, they have the same $50 liability cap if you report the loss of theft of the card within 2 business days, but if you don't report the loss or theft of your card within 2 business days, you could be liable for up to $500 of loss. And if you don't report it within 60 days after your bank statement is mailed, there is no cap on liability.

Many banks and debit card issuers offer better liability guarantees, but they aren't required to by law. And even if the bank refunds their own NSF fees for bounced checks, there's no guarantee that they'll refund bounced-check fees charged by all of the merchants you unknowingly sent bad checks to.

Re:Don't use ATM/Debit cards for purchases

[theNetImp]

Great, so what happens when you are denied a credit card. Seriously that is not a solution.

I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.

Problem solved,

Re:Don't use ATM/Debit cards for purchases

[HereIAmJH]

For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card.

I tried this with my credit union a while back. I tried to pull money out of an ATM only to find that my ATM/Debit card was expired. I never use debit cards (for the reasons you pointed out), and infrequently use ATMs. Next business day I went to the CU and got the card replaced with an ATM only card with no expiration. Then 3 months later they replaced it with another ATM/Debit card (with expiration). When I complained to customer circus that I specifically told them I did not want a debit card because of the expiration date, I was told that my only recourse was to complain to the CU president, because they were no longer issuing ATM only cards. I chose to change credit unions instead.

Re:Don't use ATM/Debit cards for purchases

[TheRealMindChild]

The thing is, if someone grabs your debit info and pin from a keypad, someone really messed up. I spent a few minutes googling for proof of what I know, but I can't find anything right now. Essentially, when a debit transaction is processed, it should be a public/private key transaction between the system and the keypad. If the keypad system doesn't do things it shouldn't like log keystrokes or card strip information, then it is technically impossible for anyone in between to steal your information. Think of it like logging into slashdot over https. If there is javascript on the page recording what you do, the security mechanism doesn't matter.

Re:Don't use ATM/Debit cards for purchases

[hawguy]

The thing is, if someone grabs your debit info and pin from a keypad, someone really messed up. I spent a few minutes googling for proof of what I know, but I can't find anything right now. Essentially, when a debit transaction is processed, it should be a public/private key transaction between the system and the keypad. If the keypad system doesn't do things it shouldn't like log keystrokes or card strip information, then it is technically impossible for anyone in between to steal your information. Think of it like logging into slashdot over https. If there is javascript on the page recording what you do, the security mechanism doesn't matter.

It's the whole credit card/debit system that's messed up - once someone hacks the PIN pad, they have full control over it and can collect whatever data they want (and can even pass the keystrokes to the "real" software to let the transaction complete as normal. No matter what security is in place, once the hacker controls the PIN pad, they can capture anything.

There is a simple answer, move the encryption to the credit card itself by using a smart card, but the banking industry in the USA hasn't caught up to the rest of the world in that regard. Even this isn't foolproof, but it's a lot safer than the current system.

But the bigger problem with banking is that it's ludicrously easy to use a fake check to draw against your bank account, and the "secret" numbers needed to do so are printed right on your checks so everyone you give a check to has the ability to "clone" fake checks for your account.

Re:Don't use ATM/Debit cards for purchases

[Another,+completely]

When the article said the point-of-sale terminals were compromised, I took that to mean the units that scan your card and let you type the PIN. If you can re-wire or replace those, then there is no way to protect against it. The account number is read from the magstripe, and the keypad is right on the terminal.

Now, if you had a smart card, then the information could be encrypted between the card and the bank, and the point-of-sale terminal would just need an OK from the bank that everything is good. The account number wouldn't need to be in clear text anywhere except inside the card and at the bank, and a fake card wouldn't be able to talk with the bank anyhow. So long as magstripes are used, there is no protection from a compromised terminal.

Re:Don't use ATM/Debit cards for purchases

[QuantumRiff]

Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..

Re:Don't use ATM/Debit cards for purchases

[noc007]

Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.

Re:Don't use ATM/Debit cards for purchases

[ragingbull1965]

The US is a quarter the world's card volume, and half of the world's card fraud. Credit card security is a joke by design. You have to trust every single merchant you buy from with your account details. And even though the cost is hidden from us because the merchants get billed for the fraud, we are the ones paying for this through higher prices. Here's an article about reversible vs non-reversible payment methods and how credit cards aren't even viable in most of the world due to fraud: http://bitcoinmagazine.net/bitcoin-and-consumer-economies-in-the-non-western-world Bitcoin fixes this gaping security hole by the way.

Re:Don't use ATM/Debit cards for purchases

[McKing]

I do the exact same thing. A "billpay" checking account where my direct deposit goes, a "spending" checking account with a debit card, and a savings account. I rarely keep more than $20 in the spending account and when I buy something I transfer what I need using the bank app on my phone.

Re:Don't use ATM/Debit cards for purchases

[hawguy]

Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..

What will your credit union do if someone steals your debit card number and empties your checking account, then you bounce a check to your landlord who charges you a $25 bounced check fee, and a $75 late fee, and requires you to pay via cashier's check for 6 months.

Will your credit union reimburse you for all of those expenses?

Re:Don't use ATM/Debit cards for purchases

[hawguy]

Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.

Using the debit card as a credit card doesn't give you any more protection under the law, it's still a debit card. Your bank/card issuer may choose to give you better protection than what's required under the law, but they don't have to.

And in the meantime, you've bounced 5 checks because you thought you had $1500 in the bank, but found that thieves drained $1200 of that over a few days.

Re:Don't use ATM/Debit cards for purchases

Overall yours is a nice strategy, but let's keep playing:

• Blackhat gets your account and PIN.
• Blackhat uses that to transfer money from #1 to #2. This happens via phone call, via ATM (she has your PIN) or brazenly just walking into a bank. Whatever means **you** use to casually transfer $, they can use.

How're you preventing transfers between linked accounts? My little local bank shrugged incuriously when I asked if I could restrict ATM transfers or other actions. (Am assuming you misspoke 'to savings' when you talked about your transfer-for-a-debit strategy. 'to #2 from savings' makes sense)

Re:Don't use ATM/Debit cards for purchases

[mcgrew]

For that matter, never use a debit card linked to your bank account

No, never use a debit card, period. I haven't had one for years, ever since I was bitten.

A woman I knew watched me take money out of an ATM, and saw the PIN, and stole the card... along with a box of checks, which were promptky cashed. The bank made good on the forged checks, but the card? If you have the PIN you're automatically authorized to use the card. It cost me a couple thousand bucks. The School of Hard Knox has the highest tuition of anybody.

The only plastic I have now is a single credit card. No PIN, and If it gets stolen my liability is limited to $50. Fuck debit, never again!

Re:Don't use ATM/Debit cards for purchases

[cdrudge]

No, but they will never happen as I have overdraft protection. Subsequent new debit transactions will decline, but checks will be honored up to a point. Presumably by then the fraud would have been discovered and an investigation started. And typically, during that time, again depending on the amount, provisional funds are returned back to the account pending the conclusion of the investigation.

Re:Don't use ATM/Debit cards for purchases

[DCFusor]

I have NO credit rating, which evidently is worse than having a bad one. So, no CC's. But I just keep a separate checking account for the debit card. And I turn off any "bounce proofing" by stealing from other accounts for it. Bingo, no problem, just don't keep any serious amount of money in the debit- card-only account.
.

I've had a debit card hacked. It was the payroll account for a company I ran, and some sucker was stealing $100/day from it. His timing was rotten, as he started 3 days before I got my statement - and what he was buying was prepaid phone cards at a time I was developing VoIP for a large customer and had zero need for such things (probably a junkie selling them at half price on the street). Lucky he had no way of knowing how much was in there...
.

So I pop on down to my small-town small bank. They tell me there's no protection on debit cards. I say, how much do I have with you, half a million or so? Let's just cut me a cashier's check for the entire amount, and I'll go across the street where my money is safe. Short story - they initiated a fraud investigation, caught the guy, and made me whole *immediately* before the investigation got going. Being a big fish in a small pond is cool.

Re:Don't use ATM/Debit cards for purchases

[karnal]

After having my card # stolen, I enabled my bank to send me text messages anytime more than a dollar is taken from my account. Didn't even realize that I had that option until I was a victim. Now I can see everything - including when my wife's card got stolen. 10 charges to amazon.com within 5 minutes? Yeah, that's not us. We're fully aware what happened, and unfortunately it took us twice to figure out who actually took the information and ran with it. That vendor will never ever get my money again.

Re:Don't use ATM/Debit cards for purchases

[neonKow]

The thing is, people have already done this many times in the wild. People aren't sniffing the traffic to steal PINs; they're hacking the end devices to steal PINs, and it's been extremely effective. I don't think proper encryption can help when you have that much access to the hardware.

Re:Don't use ATM/Debit cards for purchases

[neonKow]

Because you reported this crime to the police . . . right? I mean I hope you did more than boycott their business. This is a serious crime and you're probably not the only victim.

Re:Don't use ATM/Debit cards for purchases

[neonKow]

This is quite literally a feature, not a bug.

Re:Don't use ATM/Debit cards for purchases

Great, so what happens when you are denied a credit card.

You take your cash and go get a pre-paid card.

Re:Don't use ATM/Debit cards for purchases

[Disclaimer: I'm not theNetImp]

Well, there's a little bit of security by obscurity, at least for my bank. For your example, the attacker has my PIN and debit card number, but all he can do with that is make debit purchases, which is limited to whatever is in the "DMZ" account. He cannot see my other accounts via the ATM, but only because I had explicitly requested a debit card that could only be used with the one account, so that other accounts, e.g. the joint w/ wife, were "firewalled". For phone banking, the attacker needs the bank account number; the debit card number is useless there; internet banking is not configured, and I would have to appear in meatspace at a branch office to set that up. IIRC, I could also request distinct PINs for the DMZ card and account, but I might be mistaken; if so, that would further reduce the usefulness of the debit PIN, but not by much since it cannot be used with any of the non-DMZ accounts.

- T

Re:Don't use ATM/Debit cards for purchases

[ragingbull1965]

This is quite literally a feature, not a bug.

You can call it a feature. It is a feature that most of the world has rejected because of the huge amount of fraud it invites. It is a feature with a gaping security hole. It is a really expensive feature for consumers.

Re:Don't use ATM/Debit cards for purchases

[n7ytd]

Great, so what happens when you are denied a credit card. Seriously that is not a solution.

I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.

Problem solved,

This doesn't sound any more convenient than just pulling cash as needed. What is the advantage to this approach? I'm not trying to be snarky, I really am curious.

obAnecdote:
          Last year, I got a phone call from my bank asking me to confirm some transactions that had occurred overnight with my debit card number. There were several on-line purchases, but something about them triggered their fraud detection and they called me. Luckily I was at my desk, so while I was on the phone with them, I pulled up my account on their web site and looked at the charges. We spent about 5 minutes on the phone discussing the last 48 hours worth of transactions, flagging each as valid or fraudulent.
          They cancelled my card while I was on the phone, provisionally credited my account for the disputed charges, and thanked me for my time. Two days later I had a new debit card in my mailbox, and about four weeks later I received a letter asking for my signature affirming that the charges were not mine. Although I was nervous that somehow the fraud would continue or that they had access to my account in some other way, it really was pretty painless and the only inconvenience to me was being without my debit/ATM card for two days.

Re:Don't use ATM/Debit cards for purchases

[n7ytd]

After having my card # stolen, I enabled my bank to send me text messages anytime more than a dollar is taken from my account. Didn't even realize that I had that option until I was a victim. Now I can see everything - including when my wife's card got stolen. 10 charges to amazon.com within 5 minutes? Yeah, that's not us.

We're fully aware what happened, and unfortunately it took us twice to figure out who actually took the information and ran with it. That vendor will never ever get my money again.

Amazon was the security hole?

I don't get it...

So, do these small keypads normally store/cache data? (really bad idea) or were these machines that were tweaked prior to deployment to store/cache data?

Re:I don't get it...

[beschra]

From the B&N statement linked above by eternaldoctorwho

The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers.

I don't know what 'bug' means in this context, but maybe data wasn't cached, but captured in flight?

Why hasn't this been fixed?

[Peter+Simpson]

Seems to be a common thread in these PIN pad hacks: they steal/buy/obtain one, hack it, then swap it with a "live" one, take that home, hack it, and repeat.

So why:
- don't the PIN pads have unique IDs?
- hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
- doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

It's not like this hasn't been happening for a while...

(and I predict the perpetrators, when caught, will have eastern European (FSR) names...)

Re:Why hasn't this been fixed?

[The+Snowman]

So why:
- don't the PIN pads have unique IDs?
- hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
- doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

I work in the payment card industry. PINpads do have unique IDs, but the IDs don't serve much purpose. Furthermore, the POS software and payment processor rarely validate the ID or state of the PINpad. The reason is there is no real encouragement to do so. No laws, banking regulations, PCI standards, etc.

Contrast with other countries such as Canada. Up there, the payment processor does check the ID. Each device has its own key as well, which is checked (similar to PKI but not quite). Tampering is easier to detect.

Aside from that, different devices work differently. The vast majority of PINpads you will encounter at big box stores are from VeriFone or Ingenico: there are a few smaller brands out there as well (e.g. Hypercomm). VeriFone tends to take security very seriously and their devices are typically more difficult to hack. They can be touchy too: I dropped one at work and it refused to process any cards at all. The impact triggered a mechanism which destroys its internal volatile memory that stores the keys: this makes it difficult to perform an offline attack against the device (i.e. power down, disassemble, hook the memory chips up to another device).

This is news?

[certain+death]

People have been warning anyone who would listen for several years about the issues with these things. Do a google search on hacking POS credit card terminals, it will turn up lots of results from several years back. Yay for B&N for coming clean, but why didn't they replace them, or use their purchasing power to get them fixed before this happened?

Re:This is news?

[jafiwam]

I don't recall specifically, but isn't B&N the store that has the terminals right out on the floor where anybody can just walk up to them? That always seemed stupid to me, a kiosk out there on the floor is for customers to use... they apparently wanted the customer service reps to walk up to them and help customers find books... but they LOOK like they are there for everybody to use. Poor security at it's core.

Re:This is news?

Point of sale terminals = cash registers != lookup kiosks

No surprise. Similar issue with chip and pin

[pointyhat]

In the UK, we have to suffer chip and pin which is just as flawed. The pin is copied to the device and validated there rather than hashed and sent off for a Boolean "yes/no" answer. So the chip and pin reader at any point in time may have active memory which references the card id and the pin number. Utterly stupid.

Why are they keeping credit card numbers so long?

[cockpitcomp]

It annoys me that websites and now it seems cash register keeps my credit card info after the transaction. It's like keeping a blank check laying around. Theft is inevitable and avoidable. Why do the CC companies allow this? Why do stores do this? Don't they see the risk to them as well? There has to be a better way because this seems really dumb.

Kudos to BookMaster Admins

[Ryatt]

As one of the developers on the first iteration of the BookMater system, I was always concerned that someone could read the credit card info. These were stored in local, unencrypted files that any of the store terminals could connect with. If you could manage to access any of the PC's hard drive, you'd find a directory full of daily transaction files from each cash register. Parsing through these for the credit card info would not be difficult.

At any rate, the old registers have since been replaced so I'm hoping they've modernized the system in this regard. I'm very glad that they still employ people who can act quickly and are taking responsible measures during this unfortunate event.

Re:Why are they keeping credit card numbers so lon

[TechyImmigrant]

Read the PCI-DSS specifications. They will tell you what the card processors want vendors to adhere to.
However being compliant involves ticking the yes box on the "Yes I am Compliant" tick box on the PCI web site.

Actual compliance is optional.
 

Chip and pin is NOT SECURE !

Anyone who doesn't believe chip and pin is completely broken, should read this research paper (PDF) where the researchers demonstrate practical proof-of-concept for each stage of a couple variants of "pre-play" attack that renders chip and pin useless (it is essentially as strong as being able to clone the cards, when the whole purpose of chip and pin is to prevent the cloning of cards).

Bruce Schneier reported on it in a blog post back in September.

Re:Chip and pin is NOT SECURE !

[pointyhat]

Actually the point of chip and pin is to move the liability of the transaction from the bank to the card holder. It gives the banks plausible deniability when it comes to fraud claims. It is however marketed differently.

that's what you deserve

[v1]

for running XP on your POS system in 2012.

OK maybe not. I'm guessing. But it would be funny, ironic, and very very sad. And you have to admit, it's not that unlikely.

Re:that's what you deserve

I can tell you with some amount of certainty that the PoS systems are running a version of Windows. I can also tell you after RTFA the PoS system was not the problem as the solution has been to swipe the cc directly on the PoS system, this tells me the problem was specific to the pinpad itself, which is probably running a proprietary or even linux/unix based micro-OS.. *ducks*

Re:that's what you deserve

[cboslin]

I can tell you with some amount of certainty that the PoS systems are running a version of Windows. I can also tell you after RTFA the PoS system was not the problem as the solution has been to swipe the cc directly on the PoS system, this tells me the problem was specific to the pinpad itself, which is probably running a proprietary or even linux/unix based micro-OS.. *ducks*

posted by an AC, what else is new...please stop spinning. It could NOT be just the Pin pads, especially in 60 geographically separate stores.

This comment from GrandWaz00 proves its not just that as well:

"I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14. However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier.

A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudulent transaction was apparently attempted in Brazil."

Re:that's what you deserve

[JDG1980]

that's what you deserve for running XP on your POS system in 2012.

First of all, XP is still reasonably secure if you keep it up-to-date with patches (which will still be available until mid-2014).

Secondly, it doesn't matter what OS the POS terminal was running here; it sounds like the PIN pads themselves (which probably use a small embedded controller) were the targets of the hack.

Re:that's what you deserve

[v1]

First of all, XP is still reasonably secure if you keep it up-to-date with patches (which will still be available until mid-2014).

True, and most likely, completely irrelevant. I service POS systems from time to time, and so far, every single one of them has been running XP-embedded. That means NO updates, ever. Well, until the vendor sends you new rom chips. Which they never bother with.

I forget the hardware vendor, (and that's where the embedded OS is coming from) but I do know the POS software running on them is Aloha, which is a very popular bar/restaurant POS software. Aloha was written for and continues to be developed to run on it.

Re:that's what you deserve

[Kalriath]

Correlation is not causation. There are many possible reasons for that, including: the card number may have been swiped prior to the pinpads being removed, the card number may have been swiped from another vendor entirely.

Automatically assuming that clearly the AC, vendor, law enforcement, and every other commenter is wrong because ONE PERSON had a different experience is reckless and foolish.

Aldi's was compromised last year.

[140Mandak262Jamuna]

To the best of my recollection the brazen hackers came in and added skimmers to Point-of-sale terminals . I could understand unattended lone ATM machines getting a skimmer that grabs ATM cards. But how they managed to do it in a grocery store with a clerk standing by almost all the time, I cant understand. They have cameras too.

My ATM card was compromised, some 5000$ of fraudulent charges. Mercifully my bank reversed all the charges including the hated "foreign ATM" fees. Then, because my bank refunds all the ATM fees charged by other banks at the end of the month, I got some 4 or 5 such fees refunded once again.

This triggered a serious saint on left shoulder devil on the right shoulder situation for me. These banksters stole billions of my tax dollars, so I can keep this 15$ said the devil. The saint said, "nah, it aint your money, you gotta return it". Who won? You guess.

Re:Aldi's was compromised last year.

Aldi cashiers aren't at the registers unless there are customers at the registers, that is one of the many ways they keep prices down.

Re:Aldi's was compromised last year.

[MickLinux]

"...Or know ye not that the unrighteous shall not inherit the kingdom of God? Be not deceived: neither fornicators, nor idolaters, nor adulterers, nor effeminate, nor abusers of themselves with men,"

It doesn't matter what the bankers did, except to them. Neither will they succeed, even if they go hand in hand with the other, powerful and corrupt of the earth.

Don't worry about the bankers. Worry about yourself.

Chip and Pin

So nice being in Canada... chip and pin still means you have to use it, not the mag stripe... but they hand you the reader... yay 2-factor... some day the US will catch-up ;)

Inside job?

I shop at one of the affected stores and have several thoughts:

1. on a recent visit I noted the removed reader and asked the clerk about it... he looked me straight in the eye and lied; instead of saying "it got hacked" he said "oh, it broke and it's being repaired". Note to B&N: When your employees lie to me about something that may have a big impact on my finances you are showing me extreme disrespect and further harm... I shall reciprocate by not shopping in your stores again

2. The design of those units would not permit a skimmer to be added without it being very obvious... so the hack would have to have been internal and that would have required tools and opening the units... rather obvious and a little time consuming.

3. Those readers used to be bolted to the counter at the checkout... there's simply no way somebody could sneak-up and do surgery on those units without being observed by the staff. None. No only not plausible, but not possible. Given that each was at a cash register, the odds of employees not being where they could see these things for any real length of time is nil.

Re:Inside job?

[cboslin]

...there's simply no way somebody could sneak-up and do surgery on those units without being observed by the staff..

On the news yesterday, they decided to spin it that someone nearby was intercepting signals through the air from the readers...total BS #2, first the pin pads were magically replaced in 60 different geographically distributed locations. Second, they want us to believe that there are crackers (people) intercepting signals through the air at each of those locations. What will they say next... Someone did not think their spin through, did they...

Not only outrageous to any thinking person, as you said, such activity would be observed by staff and or the many security cameras in these stores....guess they think we Americans are not very bright. Wrong again.