
Baffling Barnes and Noble credit card breach – hacked POS devices discovered in stores across United States [UPDATE]


This one has us scratching our heads. It’s strange enough that Barnes and Noble did not notify customers about the data breach that leaked their credit card information; but the hack itself appears to be either an insider job or a coordinated remote or wireless attack against Barnes and Noble credit card PIN devices in stores across the United States. 63 stores in California, Florida, New York, New Jersey, Rhode Island, Connecticut, Massachusetts, Illinois, and Pennsylvania were affected as hackers stole credit card information gleaned from the stores’ credit card keypads (one point-of-sale device in each store was breached).

The company discovered that the credit card information had been stolen on September 14, 2012 but did not tell customers, at the Justice Department’s request, in order to give the FBI time to investigate the attack. The information was stolen from keypads located in front of the stores’ registers – the keypads where the customer swipes their credit card and enters their PIN. B&N confirmed that the hackers had subsequently used the stolen credit card numbers to make purchases and that customers were not notified that their credit cards had been breached.

Barnes & Noble defended their decision to not notify customers:

“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.”

The New York Times pointed out that “as long as companies wrap consumer information in basic encryption, laws do not require them to tell customers about a breach.”

Once the company discovered the breach, they turned off all 7,000 keypads in nearly 700 stores and shipped the keypads to a site where the company could examine them. From this examination, they determined that one keypad in each of the 63 stores had been compromised. The keypads have remained absent from the stores and credit card purchases now require the cashier physically take the card and swipe it for the customer.

RSA commented on the complexity of the attack saying:

“This is no small undertaking. An attack of this type involves many different phases of reconnaissance and multiple levels of exploitation.”

The precise nature of the attack has yet to be revealed – whether it was accomplished via malicious code from a company insider (very possible), some sort of wireless or remote vulnerability (possible), or malware that was somehow installed on the point-of-sale devices (really?). That the news was finally released hints that Barnes and Noble now knows the “who and how” of the breach. That the POS devices have not been reinstalled in the stores hints that they either don’t know the vulnerability or cannot patch it. If their network was breached, we have to assume they have figured that out by now…

Barnes & Noble said they do not know how many customers were affected by the attack. They did note that internal systems were not breached and online purchases and Nook devices were not affected.

UPDATE 10/25/12: It is rumored that the attack was a coordinated effort by a group of hackers. In the official Barnes & Noble press release, the company noted that the hackers planted malware in the devices.

In July 2012, a vendor demonstrated that certain Linux-based point-of-sale terminals did not require proper authentication for firmware updates. In the demonstration, the vendor inserted a rogue credit card into the device, which caused the device to contact a server they controlled, and from that server malware was downloaded onto the device.
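The weakness the demonstration relied on is a firmware loader that applies whatever image the terminal fetches. The following Python sketch is an added illustration, not code from the article or from any terminal vendor: it contrasts such an unchecked loader with one that checks the image’s origin and version before flashing it. The image format, the key, and the function and class names are assumptions made for the example. A real PIN pad would verify an asymmetric signature against a vendor public key stored in the device; an HMAC is used here only because it is available in the standard library.

```python
import hashlib
import hmac
import struct

# Constructed key material for this example only. A production PIN pad would
# hold a vendor *public* key and verify an asymmetric signature over the image;
# an HMAC stands in here so the example runs on the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"

MAGIC = b"PPFW"                    # constructed image magic
HEADER = struct.Struct(">4sI")     # magic, monotonically increasing version
TAG_LEN = hashlib.sha256().digest_size


def build_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce header || payload || tag, as a legitimate vendor build would."""
    header = HEADER.pack(MAGIC, version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Terminal:
    """Minimal stand-in for a PIN pad's persistent state."""

    def __init__(self, installed_version: int = 1) -> None:
        self.installed_version = installed_version
        self.firmware = b"baseline-firmware"
        self.log: list[str] = []


def apply_unchecked(term: Terminal, image: bytes) -> bool:
    """Weak loader: flashes whatever the device fetched.

    This is the property the July 2012 demonstration relied on: if the
    terminal can be induced to fetch an image, whoever serves that image
    controls the code that later handles card and PIN data.
    """
    _magic, version = HEADER.unpack_from(image)
    term.firmware = image[HEADER.size:]
    term.installed_version = version
    term.log.append(f"flashed version {version} without verification")
    return True


def apply_verified(term: Terminal, image: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Hardened loader: accept only well-formed, authentic, newer images."""
    if len(image) < HEADER.size + TAG_LEN:
        term.log.append("rejected: truncated image")
        return False
    header = image[:HEADER.size]
    body = image[HEADER.size:-TAG_LEN]
    tag = image[-TAG_LEN:]
    magic, version = HEADER.unpack(header)
    if magic != MAGIC:
        term.log.append("rejected: bad magic")
        return False
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(expected, tag):
        term.log.append("rejected: authenticity check failed")
        return False
    if version <= term.installed_version:
        term.log.append(f"rejected: version {version} is not newer than "
                        f"{term.installed_version} (rollback)")
        return False
    term.firmware = body
    term.installed_version = version
    term.log.append(f"applied version {version}")
    return True


if __name__ == "__main__":
    genuine = build_image(2, b"vendor-release-2")
    untrusted = build_image(3, b"image-from-untrusted-server", key=b"not-the-vendor")
    for loader in (apply_unchecked, apply_verified):
        for label, image in (("genuine", genuine), ("untrusted", untrusted)):
            t = Terminal()
            print(f"{loader.__name__:16} {label:9} -> {loader(t, image)}  {t.log[-1]}")
```

Run stand-alone, the script shows the unchecked loader accepting both images while the verified loader applies only the genuine one. The version check matters as much as the authenticity check: without it, an attacker who obtains an old, genuinely signed image with a known flaw can downgrade the device, so the loader treats a non-increasing version as a rejection rather than a no-op.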

Barnes & Noble Official press release

Barnes & Noble Detects Tampering with PIN Pad Devices at Stores
October 24, 2012; New York – Barnes & Noble has detected tampering with PIN pad devices used in 63 of its stores. Upon detecting evidence of tampering, which was limited to one compromised PIN pad in each of the affected stores, Barnes & Noble discontinued use of all PIN pads in its nearly 700 stores nationwide. The company also notified federal law enforcement authorities, and has been supporting a federal government investigation into the matter.

Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store. The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.

The company emphasized that its customer database is secure. Purchases on Barnes & Noble.com, NOOK and NOOK mobile apps were not affected. The member database was also not affected. None of the affected PIN pads was discovered at Barnes & Noble College Bookstores.

Barnes & Noble is continuing to assist federal law enforcement authorities in this matter. In addition, the company is working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts.

The criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers. Barnes & Noble disconnected all PIN pads from its stores nationwide by close of business September 14, and customers can securely shop with credit cards through the company’s cash registers. Barnes & Noble said it is committed to providing customers with a safe shopping environment.

Tampered PIN pads were discovered from stores in the following states: CA, CT, FL, IL, MA, NJ, NY, PA, RI. A complete list of specific stores follows.

Store Address | City | State | Zip
4735 Commons Way | Calabasas | CA | 91302
2470 Tuscany Street Suite 101 | Corona | CA | 92881
2015 Birch Road Suite 700 | Chula Vista | CA | 91915
313 Corte Madera Town Center | Corte Madera | CA | 94925
5604 Bay Street | Emeryville | CA | 94608
810 West Valley Parkway | Escondido | CA | 92025
1315 E. Gladstone Street | Glendora | CA | 91740
5183 Montclair Plaza Lane | Montclair | CA | 91763
894 Marsh St Bldg G | San Luis Obispo | CA | 93401
2615 Vista Way | Oceanside | CA | 92054
72-840 Highway 111 Suite 425 | Palm Desert | CA | 92260
27460 West Lugonia Ave | Redlands | CA | 92374
1150 El Camino Real Space 277 | San Bruno | CA | 94066
10775 Westview Parkway | San Diego | CA | 92126
3600 Stevens Creek Blvd | San Jose | CA | 95117
11 West Hillsdale Blvd. | San Mateo | CA | 94403
9938 Mission Gorge Road | Santee | CA | 92071
40570 Winchester Rd | Temecula | CA | 92591
4820 Telephone Road | Ventura | CA | 93003
1149 S. Main St. | Walnut Creek | CA | 94596
470 Universal Drive North | North Haven | CT | 06473
100 Greyrock Place Suite H009 | Stamford | CT | 06901
60 Isham Road | W. Hartford | CT | 06107
18711 NE Biscayne Blvd | Aventura | FL | 33180
333 N. Congress Avenue | Boynton Beach | FL | 33436
152 Miracle Mile | Coral Gables | FL | 33134
1900 W International Spdway | Daytona Beach | FL | 32114
2051 N. Federal Highway | Fort Lauderdale | FL | 33305
12405 N Kendall Drive | Miami | FL | 33186
11380 Legacy Ave | Palm Beach Gardens | FL | 33410
14572 SW 5th St Suite 10140 | Pembroke Pines | FL | 33027
11820 Pines Blvd | Pembroke Pines | FL | 33026
5701 Sunset Drive Suite 196 | S. Miami | FL | 33143
700 Rosemary Ave Unit #104 | West Palm Beach | FL | 33401
1441 West Webster Avenue | Chicago | IL | 60614
1130 North State Street | Chicago | IL | 60610
5380 Route 14 | Crystal Lake | IL | 60014
20600 North Rand Road | Deer Park | IL | 60010
728 North Waukegan Road | Deerfield | IL | 60015
1630 Sherman Avenue | Evanston | IL | 60201
1468 Springhill Mall Blvd | W. Dundee | IL | 60118
170 Boylston Street | Chestnut Hill | MA | 02467
96 Derby Street Suite 300 | Hingham | MA | 02043
82 Providence Highway | East Walpole | MA | 02032
395 Route 3 East | Clifton | NJ | 07014
55 Parsonage Road | Edison | NJ | 08837
2134 State Highway 35 | Holmdel | NJ | 07733
4831 US Hwy 9 | Howell | NJ | 07731
23-80 Bell Blvd. | Bayside | NY | 11360
176-60 Union Turnpike | Fresh Meadows | NY | 11366
1542 Northern Blvd | Manhasset | NY | 11030
160 E 54th Street (Citicorp) | New York | NY | 10022
2289 Broadway | New York | NY | 10024
33 East 17th Street (Union Square) | New York | NY | 10003
555 Fifth Ave | New York | NY | 10017
2245 Richmond Avenue | Staten Island | NY | 10314
230 Main St | White Plains | NY | 10601
97 Warren Street | New York | NY | 10007
100 West Bridge Street | Homestead | PA | 15120
800 Settlers Ridge Center Drive | Pittsburgh | PA | 15205
1311 West Main Road | Middleton | RI | 02842
371 Putnam Pike Suite 330 | Smithfield | RI | 02917
1350-B Bald Hill Rd | Warwick | RI | 02886

As a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads should take the following steps:

Debit Card Users:

  • Change the PIN numbers on their debit cards
  • Review their accounts for unauthorized transactions
  • Notify their banks immediately if they discover any unauthorized purchases or withdrawals

Credit Card Users:

  • Review their statements for any unauthorized transactions
  • Notify their card-issuing banks if they discover any unauthorized purchases or cash advances

For additional information and updates, visit the Barnes & Noble website at www.barnesandnobleinc.com. Customers may also call 1-888-471-7809, between the hours of 8:00 AM and 8:00 PM Eastern Standard Time, with questions.


Sources: The Wall Street Journal, Ziff Davis, New York Times, Barnes and Noble, Wired Magazine