Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

← Back to Stories (view on slashdot.org)

Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

Posted by Unknown on Wednesday October 24, 2012 @03:31AM from the cash-only dept.

helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."

9 of 83 comments (clear)

Min score:

Reason:

Sort:

Well done B&N by Anonymous Coward · 2012-10-24 03:33 · Score: 5, Insightful

Seriously, no irony.
They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.
They'll still get my business.
1. Re:Well done B&N by Rob+the+Bold · 2012-10-24 04:12 · Score: 3, Informative
  
  Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.
  The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?
  CC numbers are stored in plain text on the magstripe. So the terminal has to deal with that info in unencrypted format at at least one point. And if you've compromised the card reader somehow -- the article doesn't say how -- then you can see, save or transmit that data.
  And TFA doesn't say they ignored it. It says they contacted the FBI. I assume from the statement: "The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers." that it was the FBI who asked BN to sit on it. And who knows, perhaps the vendor was notified in the meantime, that part isn't mentioned either way in TFA.
  
  --
  I am not a crackpot.
2. Re:Well done B&N by tlhIngan · 2012-10-24 04:39 · Score: 3, Interesting
  
  The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.
  Standard pin=pad fraud actually. What the criminals do is they steal pin-pads, then back at their lair, modify them to include recording hardware (you know, crack open the case, add a magstripe recorder (just an MP3 player with record function) and wires to the keypad to record the PIN.
  Then they go to the cashiers, and when no one's looking, swap out the pin-pads.
  It usually happens with smaller outfits (fast food outlets and the like) where they don't bolt-down the pin-pad to prevent theft. That's why the big guys have pin-pads that are encased in metal or otherwise bolted down to the counter.
  The pin-pads are usually connected to the main unit (where the cashier enters in the amount and gets the printouts) by a simple coiled cable with RJ style jacks on them, making it trivially quick to swap surreptitiously.
  It's a pretty standard fraud, actually.
3. Re:Well done B&N by ShanghaiBill · 2012-10-24 04:43 · Score: 5, Insightful
  
  Why are they storing CCs at all on the terminals?
  It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.
Re:Which stores exactly? by eternaldoctorwho · 2012-10-24 03:40 · Score: 5, Informative

The exact list of affected stores can be found here:
http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html
Don't use ATM/Debit cards for purchases by hawguy · 2012-10-24 03:46 · Score: 5, Informative

A local grocery store chain had a similar problem a few months back and that's when I decided to never use my ATM/Debit card for purchases -- once the thieves have your card number and PIN, they can suck money right out of your bank account.
For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card. If you want a credit card, use a credit card, at least if that number is stolen, thieves can't wipe out your bank account balance and cause you to start bouncing checks. Debit cards don't have the same protection as credit cards under the law, they have the same $50 liability cap if you report the loss of theft of the card within 2 business days, but if you don't report the loss or theft of your card within 2 business days, you could be liable for up to $500 of loss. And if you don't report it within 60 days after your bank statement is mailed, there is no cap on liability.
Many banks and debit card issuers offer better liability guarantees, but they aren't required to by law. And even if the bank refunds their own NSF fees for bounced checks, there's no guarantee that they'll refund bounced-check fees charged by all of the merchants you unknowingly sent bad checks to.
1. Re:Don't use ATM/Debit cards for purchases by theNetImp · 2012-10-24 04:03 · Score: 3, Insightful
  
  Great, so what happens when you are denied a credit card. Seriously that is not a solution.
  I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.
  Problem solved,
Why hasn't this been fixed? by Peter+Simpson · 2012-10-24 03:52 · Score: 4, Insightful

Seems to be a common thread in these PIN pad hacks: they steal/buy/obtain one, hack it, then swap it with a "live" one, take that home, hack it, and repeat.

So why:
- don't the PIN pads have unique IDs?
- hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
- doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

It's not like this hasn't been happening for a while...

(and I predict the perpetrators, when caught, will have eastern European (FSR) names...)
Re:Which stores exactly? by GrandWaz00 · 2012-10-24 04:15 · Score: 3, Interesting

Thank you for posting this link.
I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14.
However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier.
A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudulent transaction was apparently attempted in Brazil.
Is this a tea leaf that is indicative of something, perhaps that B&N has been penetrated by multiple hacks, and they haven't discovered all of them yet?
Or is it time for me to consider getting measured for a tinfoil hat?