Criminals Crack and Steal Customer Data From Barnes & Noble Keypads 83
helix2301 writes with an excerpt from CNet "Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores in the last month. At least one point-of-sale terminal in 63 different stores was compromised recording card details. Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination."
Advantage (Score:2)
Amazon?
Well done B&N (Score:5, Insightful)
Seriously, no irony.
They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.
They'll still get my business.
Re: (Score:2, Interesting)
i liked them when the stood up to MS and didn't take any crap
I hated them when they started taking MS crap
which one is Barnes and which one is Nobles ?
Re: (Score:1)
Yeah, it does seem they did the responsible thing. Nonetheless, they did have hardware that was breached, so while the response is adequate other problems might exist. I'm not as willing to let them off the hook until they explain how they were hacked and if they were aware of the potential.
Re: (Score:3)
Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.
The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?
Re: (Score:3)
Re: (Score:3)
Should be, yes. However, merchants are allowed to store limited CC data on the terminal. This includes the card number and expiration date as long as they are encrypted. CID and raw track data are forbidden from being stored. This means it is possible to reverse transactions without the card present. While most of the time you will need to swipe your card to
Re: (Score:2)
Is it not possible to do this using transaction ID?
Unless the stored data can only be decrypted via the operator entering a key which is unique per transaction (and not stored in the machine) any encryption is rather pointles
Re: (Score:2)
Re:Well done B&N (Score:5, Insightful)
Why are they storing CCs at all on the terminals?
It is common for terminals to store CC numbers for a window of time so that transactions can be voided or refunded even if the network is down. They could be encrypted first, but they usually aren't. But to blame any of this on B&N seems silly, because B&N is not in the "terminal" business. The terminals were supplied by their bank. B&N just put them on the counter and hooked them up to the cash register, just like any other shop would. Blame should be directed at the company that made and programmed the terminals.
Re:Well done B&N (Score:4, Informative)
Why are they storing CCs plain text on the terminals. Do they really need anything other than the last four digits...or can they store them encrypted locally or even better on a server.
The question is did they realize this threat and ignore it? Could they have forced their software vendor to fix it? Did they just not want to spend the money? If they didn't see the risk why?
CC numbers are stored in plain text on the magstripe. So the terminal has to deal with that info in unencrypted format at at least one point. And if you've compromised the card reader somehow -- the article doesn't say how -- then you can see, save or transmit that data.
And TFA doesn't say they ignored it. It says they contacted the FBI. I assume from the statement: "The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers." that it was the FBI who asked BN to sit on it. And who knows, perhaps the vendor was notified in the meantime, that part isn't mentioned either way in TFA.
Re: (Score:3)
Thank you for pointing that out. Everyone should know that the PAN is indeed stored in plain text on the magstripe. If the hardware was compromised, there's almost no way to stop someone from getting it.
Re: (Score:3)
Why are they storing CCs plain text on the terminals.
They aren't. Well, maybe they aren't, but that's not the problem. The summary is very unclear, but the actual article explains that they were compromising the "PIN pads" and not the cash registers. (The PIN pad presumably being that little thing where you swipe your card, and then either sign it or enter your PIN.) Since those were compromised, even if they weren't storing the data in the register itself, the thieves had access to the data through the compromised PIN pad.
The question then becomes "how were
Re:Well done B&N (Score:4, Interesting)
Standard pin=pad fraud actually. What the criminals do is they steal pin-pads, then back at their lair, modify them to include recording hardware (you know, crack open the case, add a magstripe recorder (just an MP3 player with record function) and wires to the keypad to record the PIN.
Then they go to the cashiers, and when no one's looking, swap out the pin-pads.
It usually happens with smaller outfits (fast food outlets and the like) where they don't bolt-down the pin-pad to prevent theft. That's why the big guys have pin-pads that are encased in metal or otherwise bolted down to the counter.
The pin-pads are usually connected to the main unit (where the cashier enters in the amount and gets the printouts) by a simple coiled cable with RJ style jacks on them, making it trivially quick to swap surreptitiously.
It's a pretty standard fraud, actually.
Re: (Score:2)
A better question would be "Why are these 'terminals' storing anything?" Along with "Why is the 'firmware' upgradable via the user interface?"
Re: (Score:1)
Re: (Score:1)
and idea who the vendor was of the PoS devices?
While this would be interesting to know, (per Snowman, VeriFone, Ingenico, Hypercomm are three possibilities [slashdot.org]) it sounds like most of the pin pad industry, if not all, does not bother hashing the pin number of a user's card at the PoS Pin Device. If the hash was secure enough and combined with a store ID + device ID + IP/network location, it would be much harder (if not impossible) for anyone else to spoof a transaction from some other geographical location, (ie. Brazil [slashdot.org]). Add to that, that the transaction s
Re: (Score:1)
Re: (Score:1)
Seriously, no irony.
They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.
They'll still get my business.
Sony had a similar situation.
They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.
In just 7-9 days.
And they still got a lot of flak for it.
This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.
I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end
Re: (Score:2)
Seriously, no irony.
They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.
They'll still get my business.
Sony had a similar situation.
They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.
In just 7-9 days.
And they still got a lot of flak for it.
This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.
I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.
Bunch of hypocrites.
I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.
Re: (Score:1)
Seriously, no irony.
They got hacked. They got the Feds. involved to catch the scum. They figured out who was "likely-impacted." Their notifying the banks involved, so hopefully the computers can catch any spending patterns that come from the breach. They pulled the infected equipment. They let the world know.
They'll still get my business.
Sony had a similar situation.
They got hacked. They got law enforcement involved. They figured out who was likely-impacted. They pulled the infected equipment. They let the world know.
In just 7-9 days.
And they still got a lot of flak for it.
This incident with B&N happened on September 14. This was revealed 2 days ago. So...a total of 38 or 39 days.
I can't speak for you specifically, but I find it ironic that a lot of people who side with B&N here will have prayed for Sony to have torn a new rear-end then.
Bunch of hypocrites.
I don't think so. Nothing I ever purchased from B & N ever had a root kit. I still own two CDs I bought from Sony with root kit software imbedded. B & N never perpetrated evil on it's customers, Sony did. I loved Sony before that incident and thought they produced superior products. Afterward, I avoid Sony whenever possible. Like 911, I'll never forget.
And that rootkit was in 2006, by a company Sony had just acquired.
A lot of water has since passed under the bridge - both bad and good, but if you want to keep on harping about that as justification, be my guest. Just recognize that other, rational people, understand that things change, the Sony of today is different from the Sony of yesteryear, whether it be by design or because of circumstances.
The fact, however, stands that this rootkit in 2006 has nothing to do with the PSN hacking in 2011. There is no
Which stores exactly? (Score:2)
including locations in New York City, San Diego, Miami, and Chicago.
Doubtlessly including lesser known cities. How to know if we're affected?
Re:Which stores exactly? (Score:5, Informative)
The exact list of affected stores can be found here:
http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html [barnesandnobleinc.com]
Re: (Score:3, Interesting)
Thank you for posting this link.
I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14.
However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier.
A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudule
Re: (Score:2)
or perhaps your card # has been out there for quite some time but the attempt to use it didn't happen until this time
Re: (Score:2)
/me checks list. ... DAMMIT!
Don't use ATM/Debit cards for purchases (Score:5, Informative)
A local grocery store chain had a similar problem a few months back and that's when I decided to never use my ATM/Debit card for purchases -- once the thieves have your card number and PIN, they can suck money right out of your bank account.
For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card. If you want a credit card, use a credit card, at least if that number is stolen, thieves can't wipe out your bank account balance and cause you to start bouncing checks. Debit cards don't have the same protection as credit cards under the law, they have the same $50 liability cap if you report the loss of theft of the card within 2 business days, but if you don't report the loss or theft of your card within 2 business days, you could be liable for up to $500 of loss. And if you don't report it within 60 days after your bank statement is mailed, there is no cap on liability.
Many banks and debit card issuers offer better liability guarantees, but they aren't required to by law. And even if the bank refunds their own NSF fees for bounced checks, there's no guarantee that they'll refund bounced-check fees charged by all of the merchants you unknowingly sent bad checks to.
Re:Don't use ATM/Debit cards for purchases (Score:4, Insightful)
Great, so what happens when you are denied a credit card. Seriously that is not a solution.
I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.
Problem solved,
Re: (Score:2)
I do the exact same thing. A "billpay" checking account where my direct deposit goes, a "spending" checking account with a debit card, and a savings account. I rarely keep more than $20 in the spending account and when I buy something I transfer what I need using the bank app on my phone.
Re: (Score:1)
How're you preventing transfers between linked accounts? My little local bank shrugged incuriously when I asked if I could restrict ATM transfers or other actions. (Am assuming you misspoke 'to savin
Re: (Score:2)
Great, so what happens when you are denied a credit card. Seriously that is not a solution.
I have 2 checking accounts and a savings account. All money is direct deposited into my savings account. All bills go into checking account #1 which does not have a debit card. Account #2 has a debit card and a minimal balance of $1 to keep it open. If I know I need to buy something with the debit card I move the money to savings. You 1) never bounce a check ever again because you're purposefully put the money in an account that you use for bills, and you have 0 risk if your debit card # is stolen.
Problem solved,
This doesn't sound any more convenient than just pulling cash as needed. What is the advantage to this approach? I'm not trying to be snarky, I really am curious.
obAnecdote:
Last year, I got a phone call from my bank asking me to confirm some transactions that had occurred overnight with my debit card number. There were several on-line purchases, but something about them triggered their fraud detection and they called me. Luckily I was at my desk, so while I was on the
Re: (Score:3)
For that matter, never use a debit card linked to your bank account - ask your bank for an ATM-only card and send back the debit card that looks like a credit card.
I tried this with my credit union a while back. I tried to pull money out of an ATM only to find that my ATM/Debit card was expired. I never use debit cards (for the reasons you pointed out), and infrequently use ATMs. Next business day I went to the CU and got the card replaced with an ATM only card with no expiration. Then 3 months later t
Re: (Score:2)
Re: (Score:2)
The thing is, if someone grabs your debit info and pin from a keypad, someone really messed up. I spent a few minutes googling for proof of what I know, but I can't find anything right now. Essentially, when a debit transaction is processed, it should be a public/private key transaction between the system and the keypad. If the keypad system doesn't do things it shouldn't like log keystrokes or card strip information, then it is technically impossible for anyone in between to steal your information. Think of it like logging into slashdot over https. If there is javascript on the page recording what you do, the security mechanism doesn't matter.
It's the whole credit card/debit system that's messed up - once someone hacks the PIN pad, they have full control over it and can collect whatever data they want (and can even pass the keystrokes to the "real" software to let the transaction complete as normal. No matter what security is in place, once the hacker controls the PIN pad, they can capture anything.
There is a simple answer, move the encryption to the credit card itself by using a smart card, but the banking industry in the USA hasn't caught up t
Re: (Score:2)
When the article said the point-of-sale terminals were compromised, I took that to mean the units that scan your card and let you type the PIN. If you can re-wire or replace those, then there is no way to protect against it. The account number is read from the magstripe, and the keypad is right on the terminal.
Now, if you had a smart card, then the information could be encrypted between the card and the bank, and the point-of-sale terminal would just need an OK from the bank that everything is good. The
Re: (Score:2)
The thing is, people have already done this many times in the wild. People aren't sniffing the traffic to steal PINs; they're hacking the end devices to steal PINs, and it's been extremely effective. I don't think proper encryption can help when you have that much access to the hardware.
Re: (Score:3)
Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..
Re: (Score:2)
Umm.. my credit union gives me the same protection for my debit as my credit for loss. but ONLY for usage as a credit card. I pretty much don't do debit transactions anymore with it anyways, I just get my spending money in cash at the start of the month from the bank teller..
What will your credit union do if someone steals your debit card number and empties your checking account, then you bounce a check to your landlord who charges you a $25 bounced check fee, and a $75 late fee, and requires you to pay via cashier's check for 6 months.
Will your credit union reimburse you for all of those expenses?
Re: (Score:2)
No, but they will never happen as I have overdraft protection. Subsequent new debit transactions will decline, but checks will be honored up to a point. Presumably by then the fraud would have been discovered and an investigation started. And typically, during that time, again depending on the amount, provisional funds are returned back to the account pending the conclusion of the investigation.
Re: (Score:2)
Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.
Re: (Score:2)
Process it as a credit instead. Sure the merchant has to pay a higher transaction fee, but the card holder has all the power. The card issuing bank must honor any chargeback requests from the card holder and it is on the merchant to prove that the transaction is legit.
Using the debit card as a credit card doesn't give you any more protection under the law, it's still a debit card. Your bank/card issuer may choose to give you better protection than what's required under the law, but they don't have to.
And in the meantime, you've bounced 5 checks because you thought you had $1500 in the bank, but found that thieves drained $1200 of that over a few days.
Re: (Score:2)
Re: (Score:2)
Because you reported this crime to the police . . . right? I mean I hope you did more than boycott their business. This is a serious crime and you're probably not the only victim.
Re: (Score:2)
After having my card # stolen, I enabled my bank to send me text messages anytime more than a dollar is taken from my account. Didn't even realize that I had that option until I was a victim. Now I can see everything - including when my wife's card got stolen. 10 charges to amazon.com within 5 minutes? Yeah, that's not us.
We're fully aware what happened, and unfortunately it took us twice to figure out who actually took the information and ran with it. That vendor will never ever get my money again.
Amazon was the security hole?
Re: (Score:1)
Re: (Score:2)
This is quite literally a feature, not a bug.
Re: (Score:1)
This is quite literally a feature, not a bug.
You can call it a feature. It is a feature that most of the world has rejected because of the huge amount of fraud it invites. It is a feature with a gaping security hole. It is a really expensive feature for consumers.
Re: (Score:3)
For that matter, never use a debit card linked to your bank account
No, never use a debit card, period. I haven't had one for years, ever since I was bitten.
A woman I knew watched me take money out of an ATM, and saw the PIN, and stole the card... along with a box of checks, which were promptky cashed. The bank made good on the forged checks, but the card? If you have the PIN you're automatically authorized to use the card. It cost me a couple thousand bucks. The School of Hard Knox has the highest tuition o
Re: (Score:2)
.
I've had a debit card hacked. It was the payroll account for a company I ran, and some sucker was stealing $100/day from it. His timing was rotten, as he started 3 days before I got
Re: (Score:2)
From the B&N statement linked above by eternaldoctorwho
The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers.
I don't know what 'bug' means in this context, but maybe data wasn't cached, but captured in flight?
Why hasn't this been fixed? (Score:5, Insightful)
So why:
- don't the PIN pads have unique IDs?
- hasn't the terminal software been updated to sound an alarm when the stored PIN pad ID doesn't match the ID read from the PIN pad?
- doesn't the terminal alarm WHENEVER the PIN pad is disconnected?
It's not like this hasn't been happening for a while...
(and I predict the perpetrators, when caught, will have eastern European (FSR) names...)
Re: (Score:3)
I work in the payment card industry. PINpads do have unique IDs, but the IDs don't serve much purpose. Furthermore, the POS software and payment processor rarely validate the ID or state of the PINpad. The reason is there is no real encouragement to do so. No laws, b
This is news? (Score:2)
Re: (Score:2)
No surprise. Similar issue with chip and pin (Score:3)
Re: (Score:2)
Why are they keeping credit card numbers so long? (Score:1)
Re: (Score:3)
Read the PCI-DSS specifications. They will tell you what the card processors want vendors to adhere to.
However being compliant involves ticking the yes box on the "Yes I am Compliant" tick box on the PCI web site.
Actual compliance is optional.
Kudos to BookMaster Admins (Score:2)
As one of the developers on the first iteration of the BookMater system, I was always concerned that someone could read the credit card info. These were stored in local, unencrypted files that any of the store terminals could connect with. If you could manage to access any of the PC's hard drive, you'd find a directory full of daily transaction files from each cash register. Parsing through these for the credit card info would not be difficult.
At any rate, the old registers have since been replaced so I'm h
that's what you deserve (Score:3)
for running XP on your POS system in 2012.
OK maybe not. I'm guessing. But it would be funny, ironic, and very very sad. And you have to admit, it's not that unlikely.
Re: (Score:1)
I can tell you with some amount of certainty that the PoS systems are running a version of Windows. I can also tell you after RTFA the PoS system was not the problem as the solution has been to swipe the cc directly on the PoS system, this tells me the problem was specific to the pinpad itself, which is probably running a proprietary or even linux/unix based micro-OS.. *ducks*
posted by an AC, what else is new...please stop spinning. It could NOT be just the Pin pads, especially in 60 geographically separate stores.
This comment from GrandWaz00 proves its not just that as well:
"I find it interesting to note that they (claim to) have removed hacked pin pads from stores by close of business on 9/14. However, I bought a book from my local store last Saturday, 10/20. I recall that no pinpad was available, and I had to hand my card to the cashier. [slashdot.org]
A few days later, I got a call from my credit card company saying that fraud using my credit card number had been attempted, intercepted, and denied, and that they were mailing me a new set of cards. The fraudulent transaction was apparently attempted in Brazil." [slashdot.org]
Re: (Score:2)
Correlation is not causation. There are many possible reasons for that, including: the card number may have been swiped prior to the pinpads being removed, the card number may have been swiped from another vendor entirely.
Automatically assuming that clearly the AC, vendor, law enforcement, and every other commenter is wrong because ONE PERSON had a different experience is reckless and foolish.
Re: (Score:2)
that's what you deserve for running XP on your POS system in 2012.
First of all, XP is still reasonably secure if you keep it up-to-date with patches (which will still be available until mid-2014).
Secondly, it doesn't matter what OS the POS terminal was running here; it sounds like the PIN pads themselves (which probably use a small embedded controller) were the targets of the hack.
Re: (Score:2)
True, and most likely, completely irrelevant. I service POS systems from time to time, and so far, every single one of them has been running XP-embedded. That means NO updates, ever. Well, until the vendor sends you new rom chips. Which they never bother with.
I forget the hardware vendor, (and that's where the embedded OS is coming from) but I do know the POS software running
Aldi's was compromised last year. (Score:2)
My ATM card was compromised, some 5000$ of fraudulent charges. Mercifully my bank reversed all the charges including the hated "foreign ATM" fees. Then, because my bank refunds a
Re: (Score:2)
"...Or know ye not that the unrighteous shall not inherit the kingdom of God? Be not deceived: neither fornicators, nor idolaters, nor adulterers, nor effeminate, nor abusers of themselves with men,"
It doesn't matter what the bankers did, except to them. Neither will they succeed, even if they go hand in hand with the other, powerful and corrupt of the earth.
Don't worry about the bankers. Worry about yourself.
Re: (Score:1)
...there's simply no way somebody could sneak-up and do surgery on those units without being observed by the staff..
On the news yesterday, they decided to spin it that someone nearby was intercepting signals through the air from the readers...total BS #2, first the pin pads were magically replaced in 60 different geographically distributed locations. Second, they want us to believe that there are crackers (people) intercepting signals through the air at each of those locations. What will they say next... Someone did not think their spin through, did they...
Not only outrageous to any thinking person, as you said, s