Slashdot Mirror

← Back to Stories (view on slashdot.org)

Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

Posted by Unknown on from the cash-only dept.

helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."

3 of 83 comments (clear)

  1. Well done B&N by Anonymous Coward · · Score: 5, Insightful

    Seriously, no irony.

    They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

    They'll still get my business.

    1. Re:Well done B&N by ShanghaiBill · · Score: 5, Insightful

      Why are they storing CCs at all on the terminals?

      It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.

  2. Why hasn't this been fixed? by Peter+Simpson · · Score: 4, Insightful

    Seems to be a common thread in these PIN pad hacks: they steal/buy/obtain one, hack it, then swap it with a "live" one, take that home, hack it, and repeat.

    So why:
    - don't the PIN pads have unique IDs?
    - hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
    - doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

    It's not like this hasn't been happening for a while...

    (and I predict the perpetrators, when caught, will have eastern European (FSR) names...)