This one has us scratching our heads. It’s strange enough that Barnes and Noble did not notify customers about the data breach that leaked customers’ credit card information; but the hack itself appears to be either an insider job or a coordinated remote or wireless attack against Barnes and Noble PIN pad devices in stores across the United States. 63 stores in California, Florida, New York, New Jersey, Rhode Island, Connecticut, Massachusetts, Illinois, and Pennsylvania were affected as hackers stole credit card information gleaned from the stores’ PIN pads (one point-of-sale device in each store was breached).
The company discovered that the credit card information had been stolen on September 14, 2012 but did not tell customers, at the Justice Department’s request, in order to give the FBI time to investigate the attack. The information was stolen from keypads located in front of the store’s registers – the keypads where the customer swipes their credit card and enters their PIN. B&N confirmed that the hackers had subsequently used the stolen credit card numbers to make purchases and that customers were not notified that their credit cards had been breached.
Barnes & Noble defended their decision to not notify customers:
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.”
The New York Times pointed out that “as long as companies wrap consumer information in basic encryption, laws do not require them to tell customers about a breach.”
Once the company discovered the breach, they turned off all 7,000 keypads in nearly 700 stores and shipped the keypads to a site where the company could examine them. From this examination, they determined that one keypad in each of the 63 stores had been compromised. The keypads have remained absent from the stores, and credit card purchases now require that the cashier physically take the card and swipe it for the customer.
RSA commented on the complexity of the attack saying:
“This is no small undertaking. An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.”
The precise nature of the attack has yet to be revealed – whether it was accomplished via malicious code from a company insider (very possible), some sort of wireless or remote vulnerability (possible), or malware that was somehow installed on the point-of-sale devices (really?). That the news was finally released hints that Barnes and Noble now knows the “who and how” of the breach. That the POS devices have not been reinstalled in the stores hints that they don’t know or cannot patch the vulnerability. If their network was breached, we have to assume they have figured that out by now…
Barnes & Noble said they do not know how many customers were affected by the attack. They did note that internal systems were not breached and online purchases and Nook devices were not affected.
UPDATE: 10/25/12 It is being rumored that the attack was a coordinated effort from a group of hackers. In the official Barnes & Noble press release, the company noted that hackers planted malware in the devices.
In July 2012, a vendor demonstrated how certain Linux-based point-of-sale terminals did not require proper authentication for firmware updates. In the demonstration, the vendor used a rogue credit card inserted into the device, which caused it to contact a server they controlled, from which they downloaded malware to the device.
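To make that weakness concrete, here is an added illustration (not code from the vendor demonstration or from Barnes & Noble) of a terminal update path that installs whatever image it is handed, next to one that authenticates the image and refuses downgrades. The image layout, the HMAC tag standing in for a vendor signature, and the key are all assumptions made for the example.

```python
import hmac
import hashlib
import struct

# Assumed (hypothetical) update image layout, chosen for this illustration:
#   magic(4) | version(uint32 BE) | payload_len(uint32 BE) | payload | tag(32)
# The tag is HMAC-SHA256 over everything before it; a real terminal would
# instead verify an asymmetric signature with a public key held in ROM.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32

def make_update(key: bytes, version: int, payload: bytes) -> bytes:
    """Build an authenticated update image (vendor side, constructed sample)."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def accept_any_update(blob: bytes) -> bytes:
    """Weak path: the terminal installs whatever payload it is handed."""
    _, _, n = HEADER.unpack_from(blob)
    return blob[HEADER.size:HEADER.size + n]

def verify_update(blob: bytes, key: bytes, installed_version: int):
    """Hardened path: returns (payload, None) or (None, reason)."""
    if len(blob) < HEADER.size + TAG_LEN:
        return None, "truncated image"
    magic, version, n = HEADER.unpack_from(blob)
    if magic != MAGIC:
        return None, "bad magic"
    if len(blob) != HEADER.size + n + TAG_LEN:
        return None, "length mismatch"
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None, "authentication failed"
    if version <= installed_version:             # anti-rollback check
        return None, "version not newer than installed"
    return blob[HEADER.size:HEADER.size + n], None

# Constructed sample: a genuine image and a copy with one payload byte altered.
KEY = b"constructed-demo-key-not-a-real-secret"
GENUINE = make_update(KEY, 2, b"firmware v2 (sample)")
TAMPERED = bytearray(GENUINE)
TAMPERED[HEADER.size] ^= 0x01
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(accept_any_update(TAMPERED))        # weak path installs altered code
    print(verify_update(TAMPERED, KEY, 1))    # (None, 'authentication failed')
    print(verify_update(GENUINE, KEY, 1))     # (b'firmware v2 (sample)', None)
    print(verify_update(GENUINE, KEY, 2))     # replay of current version rejected
```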
Barnes & Noble Official press release
Barnes & Noble Detects Tampering with PIN Pad Devices at Stores
October 24, 2012; New York – Barnes & Noble has detected tampering with PIN pad devices used in 63 of its stores. Upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores, Barnes & Noble discontinued use of all PIN pads in its nearly 700 stores nationwide. The company also notified federal law enforcement authorities, and has been supporting a federal government investigation into the matter.
Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store. The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.

The company emphasized that its customer database is secure. Purchases on Barnes & Noble.com, NOOK and NOOK mobile apps were not affected. The member database was also not affected. None of the affected PIN pads was discovered at Barnes & Noble College Bookstores.

Barnes & Noble is continuing to assist federal law enforcement authorities in this matter. In addition, the company is working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts.

The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers. Barnes & Noble disconnected all PIN pads from its stores nationwide by close of business September 14, and customers can securely shop with credit cards through the company’s cash registers. Barnes & Noble said it is committed to providing customers with a safe shopping environment.

Tampered PIN pads were discovered from stores in the following states: CA, CT, FL, IL, MA, NJ, NY, PA, RI. A complete list of specific stores follows.
As a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads should take the following steps: Debit Card Users:
Credit Card Users:
For additional information and updates, visit the Barnes & Noble website at www.barnesandnobleinc.com. Customers may also call 1-888-471-7809, between the hours of 8:00 AM and 8:00 PM Eastern Standard Time, with questions.