Forgot your password?
typodupeerror
Crime Security IT

Criminals Crack and Steal Customer Data From Barnes & Noble Keypads 83

Posted by Unknown Lamer
from the cash-only dept.
helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."
This discussion has been archived. No new comments can be posted.

Criminals Crack and Steal Customer Data From Barnes & Noble Keypads

Comments Filter:
  • Amazon?

  • Well done B&N (Score:5, Insightful)

    by Anonymous Coward on Wednesday October 24, 2012 @11:33AM (#41752789)

    Seriously, no irony.

    They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

    They'll still get my business.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      i liked them when the stood up to MS and didn't take any crap
      I hated them when they started taking MS crap

      which one is Barnes and which one is Nobles ?

    • by Anonymous Coward

      Yeah, it does seem they did the responsible thing. Nonetheless, they did have hardware that was breached, so while the response is adequate other problems might exist. I'm not as willing to let them off the hook until they explain how they were hacked and if they were aware of the potential.

    • Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.

      The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

      • Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.
        • Why are they storing CCs at all on the terminals? The terminals should be just that, data entry points that transmit data to and from a secure location.

          Should be, yes. However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present. While most of the time you will need to swipe your card to

          • by mpe (36238)
            However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present.

            Is it not possible to do this using transaction ID?
            Unless the stored data can only be decrypted via the operator entering a key which is unique per transaction (and not stored in the machine) any encryption is rather pointles
            • However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present.

              Is it not possible to do this using transaction ID?
              Unless the stored data can only be decrypted via the operator entering a key which is unique per transaction (and not stored in the machine) any encryption is rather pointless.

        • Re:Well done B&N (Score:5, Insightful)

          by ShanghaiBill (739463) on Wednesday October 24, 2012 @12:43PM (#41753671)

          Why are they storing CCs at all on the terminals?

          It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.

      • Re:Well done B&N (Score:4, Informative)

        by Rob the Bold (788862) on Wednesday October 24, 2012 @12:12PM (#41753343)

        Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.

        The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?

        CC numbers are stored in plain text on the magstripe. So the terminal has to deal with that info in unencrypted format at at least one point. And if you've compromised the card reader somehow -- the article doesn't say how -- then you can see, save or transmit that data.

        And TFA doesn't say they ignored it. It says they contacted the FBI. I assume from the statement: "The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers." that it was the FBI who asked BN to sit on it. And who knows, perhaps the vendor was notified in the meantime, that part isn't mentioned either way in TFA.

        • by Dast (10275)

          Thank you for pointing that out. Everyone should know that the PAN is indeed stored in plain text on the magstripe. If the hardware was compromised, there's almost no way to stop someone from getting it.

      • by _xeno_ (155264)

        Why are they storing CCs plain text on the terminals.

        They aren't. Well, maybe they aren't, but that's not the problem. The summary is very unclear, but the actual article explains that they were compromising the "PIN pads" and not the cash registers. (The PIN pad presumably being that little thing where you swipe your card, and then either sign it or enter your PIN.) Since those were compromised, even if they weren't storing the data in the register itself, the thieves had access to the data through the compromised PIN pad.

        The question then becomes "how were

        • Re:Well done B&N (Score:4, Interesting)

          by tlhIngan (30335) <<ten.frow> <ta> <todhsals>> on Wednesday October 24, 2012 @12:39PM (#41753603)

          The question then becomes "how were these compromised" and it sounds like the hardware itself was modified, but the actual details are very vague.

          Standard pin=pad fraud actually. What the criminals do is they steal pin-pads, then back at their lair, modify them to include recording hardware (you know, crack open the case, add a magstripe recorder (just an MP3 player with record function) and wires to the keypad to record the PIN.

          Then they go to the cashiers, and when no one's looking, swap out the pin-pads.

          It usually happens with smaller outfits (fast food outlets and the like) where they don't bolt-down the pin-pad to prevent theft. That's why the big guys have pin-pads that are encased in metal or otherwise bolted down to the counter.

          The pin-pads are usually connected to the main unit (where the cashier enters in the amount and gets the printouts) by a simple coiled cable with RJ style jacks on them, making it trivially quick to swap surreptitiously.

          It's a pretty standard fraud, actually.

      • by mpe (36238)
        Why are they storing CCs plain text on the terminals.

        A better question would be "Why are these 'terminals' storing anything?" Along with "Why is the 'firmware' upgradable via the user interface?"
    • and idea who the vendor was of the PoS devices?
      • by cboslin (1532787)

        and idea who the vendor was of the PoS devices?

        While this would be interesting to know, (per Snowman, VeriFone, Ingenico, Hypercomm are three possibilities [slashdot.org]) it sounds like most of the pin pad industry, if not all, does not bother hashing the pin number of a user's card at the PoS Pin Device. If the hash was secure enough and combined with a store ID + device ID + IP/network location, it would be much harder (if not impossible) for anyone else to spoof a transaction from some other geographical location, (ie. Brazil [slashdot.org]). Add to that, that the transaction s

    • Seriously, no irony.

      They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

      They'll still get my business.

      Sony had a similar situation.

      They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

      In just 7-9 days.

      And they still got a lot of flak for it.

      This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

      I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end

      • Seriously, no irony.

        They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

        They'll still get my business.

        Sony had a similar situation.

        They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

        In just 7-9 days.

        And they still got a lot of flak for it.

        This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

        I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.

        Bunch of hypocrites.

        I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.

        • Seriously, no irony.

          They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.

          They'll still get my business.

          Sony had a similar situation.

          They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.

          In just 7-9 days.

          And they still got a lot of flak for it.

          This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.

          I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.

          Bunch of hypocrites.

          I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.

          And that rootkit was in 2006, by a company Sony had just acquired.

          A lot of water has since passed under the bridge - both bad and good, but if you want to keep on harping about that as justification, be my guest. Just recognize that other, rational people, understand that things change, the Sony of today is different from the Sony of yesteryear, whether it be by design or because of circumstances.

          The fact, however, stands that this rootkit in 2006 has nothing to do with the PSN hacking in 2011. There is no

  • including locations in New York City, San Diego, Miami, and Chicago.

    Doubtlessly including lesser known cities. How to know if we're affected?

  • by hawguy (1600213) on Wednesday October 24, 2012 @11:46AM (#41752965)

    A local grocery store chain had a similar problem a few months back and that's when I decided to never use my ATM/Debit card for purchases -- once the thieves have your card number and PIN, they can suck money right out of your bank account.

    For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card. If you want a credit card, use a credit card, at least if that number is stolen, thieves can't wipe out your bank account balance and cause you to start bouncing checks. Debit cards don't have the same protection as credit cards under the law, they have the same $50 liability cap if you report the loss of theft of the card within 2 business days, but if you don't report the loss or theft of your card within 2 business days, you could be liable for up to $500 of loss. And if you don't report it within 60 days after your bank statement is mailed, there is no cap on liability.

    Many banks and debit card issuers offer better liability guarantees, but they aren't required to by law. And even if the bank refunds their own NSF fees for bounced checks, there's no guarantee that they'll refund bounced-check fees charged by all of the merchants you unknowingly sent bad checks to.

    • by theNetImp (190602) on Wednesday October 24, 2012 @12:03PM (#41753193)

      Great, so what happens when you are denied a credit card. Seriously that is not a solution.

      I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.

      Problem solved,

      • by McKing (1017)

        I do the exact same thing. A "billpay" checking account where my direct deposit goes, a "spending" checking account with a debit card, and a savings account. I rarely keep more than $20 in the spending account and when I buy something I transfer what I need using the bank app on my phone.

      • by Anonymous Coward
        Overall yours is a nice strategy, but let's keep playing:
        • Blackhat gets your account and PIN.
        • Blackhat uses that to transfer money from #1 to #2. This happens via phone call, via ATM (she has your PIN) or brazenly just walking into a bank. Whatever means **you** use to casually transfer $, they can use.

        How're you preventing transfers between linked accounts? My little local bank shrugged incuriously when I asked if I could restrict ATM transfers or other actions. (Am assuming you misspoke 'to savin

      • by n7ytd (230708)

        Great, so what happens when you are denied a credit card. Seriously that is not a solution.

        I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.

        Problem solved,

        This doesn't sound any more convenient than just pulling cash as needed. What is the advantage to this approach? I'm not trying to be snarky, I really am curious.

        obAnecdote:
        Last year, I got a phone call from my bank asking me to confirm some transactions that had occurred overnight with my debit card number. There were several on-line purchases, but something about them triggered their fraud detection and they called me. Luckily I was at my desk, so while I was on the

    • For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card.

      I tried this with my credit union a while back. I tried to pull money out of an ATM only to find that my ATM/Debit card was expired. I never use debit cards (for the reasons you pointed out), and infrequently use ATMs. Next business day I went to the CU and got the card replaced with an ATM only card with no expiration. Then 3 months later t

    • The thing is, if someone grabs your debit info and pin from a keypad, someone really messed up. I spent a few minutes googling for proof of what I know, but I can't find anything right now. Essentially, when a debit transaction is processed, it should be a public/private key transaction between the system and the keypad. If the keypad system doesn't do things it shouldn't like log keystrokes or card strip information, then it is technically impossible for anyone in between to steal your information. Think o
      • by hawguy (1600213)

        The thing is, if someone grabs your debit info and pin from a keypad, someone really messed up. I spent a few minutes googling for proof of what I know, but I can't find anything right now. Essentially, when a debit transaction is processed, it should be a public/private key transaction between the system and the keypad. If the keypad system doesn't do things it shouldn't like log keystrokes or card strip information, then it is technically impossible for anyone in between to steal your information. Think of it like logging into slashdot over https. If there is javascript on the page recording what you do, the security mechanism doesn't matter.

        It's the whole credit card/debit system that's messed up - once someone hacks the PIN pad, they have full control over it and can collect whatever data they want (and can even pass the keystrokes to the "real" software to let the transaction complete as normal. No matter what security is in place, once the hacker controls the PIN pad, they can capture anything.

        There is a simple answer, move the encryption to the credit card itself by using a smart card, but the banking industry in the USA hasn't caught up t

      • When the article said the point-of-sale terminals were compromised, I took that to mean the units that scan your card and let you type the PIN. If you can re-wire or replace those, then there is no way to protect against it. The account number is read from the magstripe, and the keypad is right on the terminal.

        Now, if you had a smart card, then the information could be encrypted between the card and the bank, and the point-of-sale terminal would just need an OK from the bank that everything is good. The

      • by neonKow (1239288)

        The thing is, people have already done this many times in the wild. People aren't sniffing the traffic to steal PINs; they're hacking the end devices to steal PINs, and it's been extremely effective. I don't think proper encryption can help when you have that much access to the hardware.

    • Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..

      • by hawguy (1600213)

        Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..

        What will your credit union do if someone steals your debit card number and empties your checking account, then you bounce a check to your landlord who charges you a $25 bounced check fee, and a $75 late fee, and requires you to pay via cashier's check for 6 months.

        Will your credit union reimburse you for all of those expenses?

        • by cdrudge (68377)

          No, but they will never happen as I have overdraft protection. Subsequent new debit transactions will decline, but checks will be honored up to a point. Presumably by then the fraud would have been discovered and an investigation started. And typically, during that time, again depending on the amount, provisional funds are returned back to the account pending the conclusion of the investigation.

    • by noc007 (633443)

      Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.

      • by hawguy (1600213)

        Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.

        Using the debit card as a credit card doesn't give you any more protection under the law, it's still a debit card. Your bank/card issuer may choose to give you better protection than what's required under the law, but they don't have to.

        And in the meantime, you've bounced 5 checks because you thought you had $1500 in the bank, but found that thieves drained $1200 of that over a few days.

        • by karnal (22275)
          After having my card # stolen, I enabled my bank to send me text messages anytime more than a dollar is taken from my account. Didn't even realize that I had that option until I was a victim. Now I can see everything - including when my wife's card got stolen. 10 charges to amazon.com within 5 minutes? Yeah, that's not us. We're fully aware what happened, and unfortunately it took us twice to figure out who actually took the information and ran with it. That vendor will never ever get my money again.
          • by neonKow (1239288)

            Because you reported this crime to the police . . . right? I mean I hope you did more than boycott their business. This is a serious crime and you're probably not the only victim.

          • by n7ytd (230708)

            After having my card # stolen, I enabled my bank to send me text messages anytime more than a dollar is taken from my account. Didn't even realize that I had that option until I was a victim. Now I can see everything - including when my wife's card got stolen. 10 charges to amazon.com within 5 minutes? Yeah, that's not us.

            We're fully aware what happened, and unfortunately it took us twice to figure out who actually took the information and ran with it. That vendor will never ever get my money again.

            Amazon was the security hole?

    • The US is a quarter the world's card volume, and half of the world's card fraud. Credit card security is a joke by design. You have to trust every single merchant you buy from with your account details. And even though the cost is hidden from us because the merchants get billed for the fraud, we are the ones paying for this through higher prices. Here's an article about reversible vs non-reversible payment methods and how credit cards aren't even viable in most of the world due to fraud: http://bitcoinm [bitcoinmagazine.net]
      • by neonKow (1239288)

        This is quite literally a feature, not a bug.

        • This is quite literally a feature, not a bug.

          You can call it a feature. It is a feature that most of the world has rejected because of the huge amount of fraud it invites. It is a feature with a gaping security hole. It is a really expensive feature for consumers.

    • by mcgrew (92797) *

      For that matter, never use a debit card linked to your bank account

      No, never use a debit card, period. I haven't had one for years, ever since I was bitten.

      A woman I knew watched me take money out of an ATM, and saw the PIN, and stole the card... along with a box of checks, which were promptky cashed. The bank made good on the forged checks, but the card? If you have the PIN you're automatically authorized to use the card. It cost me a couple thousand bucks. The School of Hard Knox has the highest tuition o

    • by DCFusor (1763438)
      I have NO credit rating, which evidently is worse than having a bad one. So, no CC's. But I just keep a separate checking account for the debit card. And I turn off any "bounce proofing" by stealing from other accounts for it. Bingo, no problem, just don't keep any serious amount of money in the debit- card-only account.
      .

      I've had a debit card hacked. It was the payroll account for a company I ran, and some sucker was stealing $100/day from it. His timing was rotten, as he started 3 days before I got

  • by Peter Simpson (112887) on Wednesday October 24, 2012 @11:52AM (#41753039)
    Seems to be a common thread in these PIN pad hacks: they steal/buy/obtain one, hack it, then swap it with a "live" one, take that home, hack it, and repeat.

    So why:
    - don't the PIN pads have unique IDs?
    - hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
    - doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

    It's not like this hasn't been happening for a while...

    (and I predict the perpetrators, when caught, will have eastern European (FSR) names...)
    • So why:
      - don't the PIN pads have unique IDs?
      - hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
      - doesn't the terminal alarm WHENEVER the PIN pad is disconnected?

      I work in the payment card industry. PINpads do have unique IDs, but the IDs don't serve much purpose. Furthermore, the POS software and payment processor rarely validate the ID or state of the PINpad. The reason is there is no real encouragement to do so. No laws, b

  • People have been warning anyone who would listen for several years about the issues with these things. Do a google search on hacking POS credit card terminals, it will turn up lots of results from several years back. Yay for B&N for coming clean, but why didn't they replace them, or use their purchasing power to get them fixed before this happened?
    • by jafiwam (310805)
      I don't recall specifically, but isn't B&N the store that has the terminals right out on the floor where anybody can just walk up to them? That always seemed stupid to me, a kiosk out there on the floor is for customers to use... they apparently wanted the customer service reps to walk up to them and help customers find books... but they LOOK like they are there for everybody to use. Poor security at it's core.
  • by pointyhat (2649443) on Wednesday October 24, 2012 @11:59AM (#41753137)
    In the UK, we have to suffer chip and pin which is just as flawed. The pin is copied to the device and validated there rather than hashed and sent off for a Boolean "yes/no" answer. So the chip and pin reader at any point in time may have active memory which references the card id and the pin number. Utterly stupid.
  • It annoys me that websites and now it seems cash register keeps my credit card info after the transaction. It's like keeping a blank check laying around. Theft is inevitable and avoidable. Why do the CC companies allow this? Why do stores do this? Don't they see the risk to them as well? There has to be a better way because this seems really dumb.
    • Read the PCI-DSS specifications. They will tell you what the card processors want vendors to adhere to.
      However being compliant involves ticking the yes box on the "Yes I am Compliant" tick box on the PCI web site.

      Actual compliance is optional.
       

  • As one of the developers on the first iteration of the BookMater system, I was always concerned that someone could read the credit card info. These were stored in local, unencrypted files that any of the store terminals could connect with. If you could manage to access any of the PC's hard drive, you'd find a directory full of daily transaction files from each cash register. Parsing through these for the credit card info would not be difficult.

    At any rate, the old registers have since been replaced so I'm h

  • by v1 (525388) on Wednesday October 24, 2012 @01:50PM (#41754593) Homepage Journal

    for running XP on your POS system in 2012.

    OK maybe not. I'm guessing. But it would be funny, ironic, and very very sad. And you have to admit, it's not that unlikely.

  • To the best of my recollection the brazen hackers came in and added skimmers to Point-of-sale terminals [computerworld.com]. I could understand unattended lone ATM machines getting a skimmer that grabs ATM cards. But how they managed to do it in a grocery store with a clerk standing by almost all the time, I cant understand. They have cameras too.

    My ATM card was compromised, some 5000$ of fraudulent charges. Mercifully my bank reversed all the charges including the hated "foreign ATM" fees. Then, because my bank refunds a

    • by MickLinux (579158)

      "...Or know ye not that the unrighteous shall not inherit the kingdom of God? Be not deceived: neither fornicators, nor idolaters, nor adulterers, nor effeminate, nor abusers of themselves with men,"

      It doesn't matter what the bankers did, except to them. Neither will they succeed, even if they go hand in hand with the other, powerful and corrupt of the earth.

      Don't worry about the bankers. Worry about yourself.

The only thing cheaper than hardware is talk.

Working...