Slashdot Mirror


Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."

24 of 83 comments

  1. Well done B&N by Anonymous Coward · · Score: 5, Insightful

    Seriously, no irony.

    They got hacked. They got the Feds involved to catch the scum. They figured out who was "likely-impacted." They're notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

    They'll still get my business.

    1. Re:Well done B&N by Anonymous Coward · · Score: 2, Interesting

      I liked them when they stood up to MS and didn't take any crap
      I hated them when they started taking MS crap

      which one is Barnes and which one is Nobles ?

    2. Re:Well done B&N by Twillerror · · Score: 2

      Why are they storing CCs in plain text on the terminals? Do they really need anything other than the last four digits... or can they store them encrypted locally, or even better on a server?

      The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

    3. Re:Well done B&N by Deep+Esophagus · · Score: 2

      Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.

    4. Re:Well done B&N by Rob+the+Bold · · Score: 3, Informative

      Why are they storing CCs in plain text on the terminals? Do they really need anything other than the last four digits... or can they store them encrypted locally, or even better on a server?

      The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

      CC numbers are stored in plain text on the magstripe. So the terminal has to deal with that info in unencrypted format at at least one point. And if you've compromised the card reader somehow -- the article doesn't say how -- then you can see, save or transmit that data.

      And TFA doesn't say they ignored it. It says they contacted the FBI. I assume from the statement: "The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers." that it was the FBI who asked BN to sit on it. And who knows, perhaps the vendor was notified in the meantime, that part isn't mentioned either way in TFA.

      --
      I am not a crackpot.
    5. Re:Well done B&N by _xeno_ · · Score: 2

      Why are they storing CCs in plain text on the terminals?

      They aren't. Well, maybe they aren't, but that's not the problem. The summary is very unclear, but the actual article explains that they were compromising the "PIN pads" and not the cash registers. (The PIN pad presumably being that little thing where you swipe your card, and then either sign it or enter your PIN.) Since those were compromised, even if they weren't storing the data in the register itself, the thieves had access to the data through the compromised PIN pad.

      The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.

      --
      You are in a maze of twisty little relative jumps, all alike.
    6. Re:Well done B&N by Dast · · Score: 2

      Thank you for pointing that out. Everyone should know that the PAN is indeed stored in plain text on the magstripe. If the hardware was compromised, there's almost no way to stop someone from getting it.

      --
      This sig is false.

    7. Re:Well done B&N by tlhIngan · · Score: 3, Interesting

      The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.

      Standard pin-pad fraud actually. What the criminals do is they steal pin-pads, then back at their lair, modify them to include recording hardware (you know, crack open the case, add a magstripe recorder (just an MP3 player with record function) and wires to the keypad to record the PIN).

      Then they go to the cashiers, and when no one's looking, swap out the pin-pads.

      It usually happens with smaller outfits (fast food outlets and the like) where they don't bolt-down the pin-pad to prevent theft. That's why the big guys have pin-pads that are encased in metal or otherwise bolted down to the counter.

      The pin-pads are usually connected to the main unit (where the cashier enters in the amount and gets the printouts) by a simple coiled cable with RJ style jacks on them, making it trivially quick to swap surreptitiously.

      It's a pretty standard fraud, actually.

    8. Re:Well done B&N by The+Snowman · · Score: 2

      Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.

      Should be, yes. However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present. While most of the time you will need to swipe your card to process a return, this is not required by law or PCI. The only time it is required is for debit, since any debit transaction requires physical possession of the card and PIN entry (although this is changing). By swiping the card, the terminal reads the track data which proves physical possession since it is not allowed to be stored.

      Anyway, there is a reason for systems working this way: whether it is a good idea or should be allowed according to any random person is a different issue entirely.

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
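
    What the thread above keeps circling (the PAN is in the clear on the magstripe, so the pad necessarily sees it, but a merchant may keep only the encrypted card number and expiry, never raw track data or the CID) can be shown in code. The block below is an added example, not code from Barnes & Noble, its terminal vendor or any commenter. It assumes the ISO/IEC 7813 track 2 layout, a constructed sample swipe using the public Visa test PAN 4111111111111111, a constructed key, and a keyed HMAC token standing in for reversible encryption under a processor-managed key, which is enough to match a later refund to the original sale without the PAN itself being written to disk.

```python
"""Added example (not from the article or any commenter): the data a POS
terminal may keep after a swipe, and an audit that rejects records which
retain what PCI forbids (raw track data, CID/CVV2, PIN blocks).

Assumptions: the track 2 layout follows ISO/IEC 7813; the sample swipe and
key are constructed (the PAN is the public Visa test number
4111111111111111); a keyed HMAC token stands in for reversible encryption
under a processor-managed key.
"""
import hashlib
import hmac
import re

# Constructed sample: ;PAN=YYMM SSS discretionary? (ISO/IEC 7813 track 2)
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"
# Constructed per-terminal key; in production this comes from the processor's key management.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<service>\d{3})(?P<discretionary>\d*)\?$"
)

# Field names that must never appear in anything written to disk after authorisation.
FORBIDDEN_FIELDS = {"track1", "track2", "discretionary", "cid", "cvv2", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, used to reject garbled swipes."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> dict:
    """Split a raw track 2 string into its fields; this is what the pad sees in the clear."""
    m = TRACK2_RE.match(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("malformed track 2 data")
    return {**m.groupdict(), "track2": raw}


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (the PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def storage_record(swipe: dict, key: bytes) -> dict:
    """The only things the terminal writes to its local transaction store."""
    return {
        "pan_masked": mask_pan(swipe["pan"]),
        "pan_token": tokenize_pan(swipe["pan"], key),
        "exp": swipe["exp"],
    }


def audit_record(record: dict, swipe: dict) -> None:
    """Raise if a record about to be persisted retains forbidden fields or clear-text card data."""
    bad = FORBIDDEN_FIELDS & set(record)
    if bad:
        raise ValueError(f"forbidden fields in stored record: {sorted(bad)}")
    for value in record.values():
        if swipe["pan"] in str(value) or swipe["track2"] in str(value):
            raise ValueError("clear-text PAN or track data in stored record")


def matches_original(swipe: dict, record: dict, key: bytes) -> bool:
    """Refund path: a freshly swiped card is matched to the stored sale by token only."""
    return hmac.compare_digest(tokenize_pan(swipe["pan"], key), record["pan_token"])


if __name__ == "__main__":
    swipe = parse_track2(SAMPLE_TRACK2)
    record = storage_record(swipe, TOKEN_KEY)
    audit_record(record, swipe)
    print("stored:", record)
    print("refund matches sale:", matches_original(swipe, record, TOKEN_KEY))
    # A daily-transaction file that dumps the swipe as-is fails the audit.
    try:
        audit_record(swipe, swipe)
    except ValueError as e:
        print("rejected:", e)
```

    The audit runs against the parsed swipe so the check is exact rather than a digit-pattern heuristic; the same call applied to the swipe dictionary itself (what a register that dumps raw transactions to a local file would write) is rejected on both the forbidden `track2` field and the clear-text PAN.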
    9. Re:Well done B&N by ShanghaiBill · · Score: 5, Insightful

      Why are they storing CCs at all on the terminals?

      It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.

  2. Re:Which stores exactly? by eternaldoctorwho · · Score: 5, Informative
  3. Don't use ATM/Debit cards for purchases by hawguy · · Score: 5, Informative

    A local grocery store chain had a similar problem a few months back and that's when I decided to never use my ATM/Debit card for purchases -- once the thieves have your card number and PIN, they can suck money right out of your bank account.

    For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card. If you want a credit card, use a credit card; at least if that number is stolen, thieves can't wipe out your bank account balance and cause you to start bouncing checks. Debit cards don't have the same protection as credit cards under the law. They have the same $50 liability cap if you report the loss or theft of the card within 2 business days, but if you don't report the loss or theft of your card within 2 business days, you could be liable for up to $500 of loss. And if you don't report it within 60 days after your bank statement is mailed, there is no cap on liability.

    Many banks and debit card issuers offer better liability guarantees, but they aren't required to by law. And even if the bank refunds their own NSF fees for bounced checks, there's no guarantee that they'll refund bounced-check fees charged by all of the merchants you unknowingly sent bad checks to.

    1. Re:Don't use ATM/Debit cards for purchases by theNetImp · · Score: 3, Insightful

      Great, so what happens when you are denied a credit card? Seriously, that is not a solution.

      I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1, which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you've purposely put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.

      Problem solved.

    2. Re:Don't use ATM/Debit cards for purchases by HereIAmJH · · Score: 2

      For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card.

      I tried this with my credit union a while back. I tried to pull money out of an ATM only to find that my ATM/Debit card was expired. I never use debit cards (for the reasons you pointed out), and infrequently use ATMs. Next business day I went to the CU and got the card replaced with an ATM only card with no expiration. Then 3 months later they replaced it with another ATM/Debit card (with expiration). When I complained to customer circus that I specifically told them I did not want a debit card because of the expiration date, I was told that my only recourse was to complain to the CU president, because they were no longer issuing ATM only cards. I chose to change credit unions instead.

      --
      Another day, another update to a Google android app.
    3. Re:Don't use ATM/Debit cards for purchases by QuantumRiff · · Score: 2

      Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..

      --
      What are we going to do tonight Brain?
    4. Re:Don't use ATM/Debit cards for purchases by mcgrew · · Score: 2

      For that matter, never use a debit card linked to your bank account

      No, never use a debit card, period. I haven't had one for years, ever since I was bitten.

      A woman I knew watched me take money out of an ATM, and saw the PIN, and stole the card... along with a box of checks, which were promptly cashed. The bank made good on the forged checks, but the card? If you have the PIN you're automatically authorized to use the card. It cost me a couple thousand bucks. The School of Hard Knox has the highest tuition of anybody.

      The only plastic I have now is a single credit card. No PIN, and if it gets stolen my liability is limited to $50. Fuck debit, never again!

  4. Why hasn't this been fixed? by Peter+Simpson · · Score: 4, Insightful

    Seems to be a common thread in these PIN pad hacks: they steal/buy/obtain one, hack it, then swap it with a "live" one, take that home, hack it, and repeat.

    So why:
    - don't the PIN pads have unique IDs?
    - hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
    - doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

    It's not like this hasn't been happening for a while...

    (and I predict the perpetrators, when caught, will have eastern European (FSR) names...)

    1. Re:Why hasn't this been fixed? by The+Snowman · · Score: 2

      So why:
      - don't the PIN pads have unique IDs?
      - hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
      - doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

      I work in the payment card industry. PINpads do have unique IDs, but the IDs don't serve much purpose. Furthermore, the POS software and payment processor rarely validate the ID or state of the PINpad. The reason is there is no real encouragement to do so. No laws, banking regulations, PCI standards, etc.

      Contrast with other countries such as Canada. Up there, the payment processor does check the ID. Each device has its own key as well, which is checked (similar to PKI but not quite). Tampering is easier to detect.

      Aside from that, different devices work differently. The vast majority of PINpads you will encounter at big box stores are from VeriFone or Ingenico; there are a few smaller brands out there as well (e.g. Hypercom). VeriFone tends to take security very seriously and their devices are typically more difficult to hack. They can be touchy too: I dropped one at work and it refused to process any cards at all. The impact triggered a mechanism which destroys its internal volatile memory that stores the keys; this makes it difficult to perform an offline attack against the device (i.e. power down, disassemble, hook the memory chips up to another device).

      --
      24 beers in a case, 24 hours in a day. Coincidence? I think not!
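
    Peter Simpson's three questions and The Snowman's description of the Canadian setup (processor checks the pad ID, each device has its own key that is also checked) describe a small protocol, and the terminal side of it fits in a few dozen lines. The block below is an added example, not code from any commenter, POS vendor or processor. It assumes a pairing record (expected pad ID plus per-device secret) written at install time, an HMAC-SHA256 challenge-response over a fresh nonce standing in for the per-device key check, and a constructed heartbeat interval for the disconnect alarm; pad IDs, secrets and alarm wording are all constructed.

```python
"""Added example (not from any commenter, POS vendor or processor): a
terminal that records the paired PIN pad's ID and per-device key, challenges
the pad before each session, and alarms when the pad's identity, key or
link goes wrong. HMAC-SHA256 over a fresh nonce stands in for the
per-device key check described for Canadian processors; the pad IDs,
secrets, heartbeat interval and alarm wording are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

HEARTBEAT_SECONDS = 5.0  # assumed polling interval for the pad link


@dataclass
class PinPad:
    """The pad side: proves possession of its key without revealing it."""
    device_id: str
    secret: bytes

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, self.device_id.encode() + nonce, hashlib.sha256).digest()


@dataclass
class Terminal:
    """The register side: holds the pairing record written at install time."""
    paired_id: str
    paired_secret: bytes
    alarms: List[str] = field(default_factory=list)
    last_heartbeat: Optional[float] = None

    def authenticate(self, pad: PinPad) -> bool:
        """Reject a pad whose ID or key differs from the pairing record."""
        if pad.device_id != self.paired_id:
            self.alarms.append(f"pad ID mismatch: expected {self.paired_id}, got {pad.device_id}")
            return False
        nonce = os.urandom(16)  # fresh per challenge so a recorded answer cannot be replayed
        expected = hmac.new(self.paired_secret, self.paired_id.encode() + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pad.respond(nonce)):
            self.alarms.append(f"pad key mismatch for {pad.device_id}")
            return False
        return True

    def heartbeat(self, now: float) -> None:
        """Called each time the pad answers a poll on the cable."""
        self.last_heartbeat = now

    def check_link(self, now: float) -> bool:
        """Alarm whenever the pad has been silent longer than the heartbeat interval."""
        if self.last_heartbeat is None or now - self.last_heartbeat > HEARTBEAT_SECONDS:
            self.alarms.append(f"pad link lost at t={now}")
            return False
        return True


if __name__ == "__main__":
    terminal = Terminal("PP-0001", b"constructed-secret-for-PP-0001")
    genuine = PinPad("PP-0001", b"constructed-secret-for-PP-0001")
    other_pad = PinPad("PP-0002", b"constructed-secret-for-PP-0002")
    # A pad reporting the expected ID but holding a different key: the ID
    # check alone would pass it, the key check does not.
    wrong_key = PinPad("PP-0001", b"some-other-key")
    for pad in (genuine, other_pad, wrong_key):
        print(pad.device_id, "accepted" if terminal.authenticate(pad) else "rejected")
    terminal.heartbeat(0.0)
    print("link ok at t=3:", terminal.check_link(3.0))
    print("link ok at t=9:", terminal.check_link(9.0))
    print("alarms:", *terminal.alarms, sep="\n  ")
```

    The ID comparison answers the first two questions on its own, but it is the per-device key that makes the check worth anything: an ID is printed on the housing and is trivially reported by any replacement unit, whereas the key never leaves the pad and a fresh nonce per challenge means a recorded answer from the genuine pad is of no use. The heartbeat check covers the third question; in a real deployment the alarm would also be sent to the processor, which is where The Snowman says the Canadian check lives.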
  5. No surprise. Similar issue with chip and pin by pointyhat · · Score: 2

    In the UK, we have to suffer chip and pin which is just as flawed. The pin is copied to the device and validated there rather than hashed and sent off for a Boolean "yes/no" answer. So the chip and pin reader at any point in time may have active memory which references the card id and the pin number. Utterly stupid.

  6. Re:Which stores exactly? by GrandWaz00 · · Score: 3, Interesting

    Thank you for posting this link.

    I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14.
    However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier.
    A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudulent transaction was apparently attempted in Brazil.

    Is this a tea leaf that is indicative of something, perhaps that B&N has been penetrated by multiple hacks, and they haven't discovered all of them yet?

    Or is it time for me to consider getting measured for a tinfoil hat?

  7. Re:Which stores exactly? by rjr162 · · Score: 2

    or perhaps your card # has been out there for quite some time but the attempt to use it didn't happen until this time

  8. Kudos to BookMaster Admins by Ryatt · · Score: 2

    As one of the developers on the first iteration of the BookMaster system, I was always concerned that someone could read the credit card info. These were stored in local, unencrypted files that any of the store terminals could connect with. If you could manage to access any of the PCs' hard drives, you'd find a directory full of daily transaction files from each cash register. Parsing through these for the credit card info would not be difficult.

    At any rate, the old registers have since been replaced so I'm hoping they've modernized the system in this regard. I'm very glad that they still employ people who can act quickly and are taking responsible measures during this unfortunate event.

  9. Re:Why are they keeping credit card numbers so lon by TechyImmigrant · · Score: 2

    Read the PCI-DSS specifications. They will tell you what the card processors want vendors to adhere to.
    However being compliant involves ticking the yes box on the "Yes I am Compliant" tick box on the PCI web site.

    Actual compliance is optional.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  10. that's what you deserve by v1 · · Score: 2

    for running XP on your POS system in 2012.

    OK maybe not. I'm guessing. But it would be funny, ironic, and very very sad. And you have to admit, it's not that unlikely.

    --
    I work for the Department of Redundancy Department.