Every day I see stories of criminal activity aimed at stealing information that can then be used in scams or to steal money or goods. Truthfully, I am often amazed at how sophisticated criminals can be, especially in this electronic age.
Take for example what has befallen book retailer Barnes & Noble.
Apparently, sometime in mid-September the company learned that some number of keypads for swiping credit and debit cards and entering personal identification numbers, or PINs, in its retail stores had been hacked. According to company officials, once this was discovered all PIN pads in its nearly 700 stores nationwide were shut down while each was individually examined. It was discovered that one pad in each of 63 stores, mainly in the Northeast, had been compromised.
Barnes & Noble says it waited almost a month to notify customers at the specific request of the FBI, which said it needed that time to try to find who did this and, most importantly, how they did it.
Neither the company nor federal authorities have been very forthcoming on this last crucial point — how were PIN devices in 63 different stores compromised? Did it happen over time or all at once? Did the bad guys (or I guess bad persons to be more gender neutral) have to go to each individual store and somehow tamper with each card reader, or could it have been done by hacking into Barnes & Noble's central computer system and uploading some sort of hacking program?
Many doubt it was a hands-on exercise because of the number of skilled people that would have had to be involved, and it leaves open the question of why only one terminal per store was involved. So this looks to outside experts like some central computer intrusion of some complexity.
In the industry, what happened to B-N is called a point-of-sale attack. These attacks are becoming more common, the experts say, in part because these systems have grown ever larger and the encryption being used has not kept pace with the hackers' skills.
Tampered PIN pads were discovered in stores in: CA, CT, FL, IL, MA, NJ, NY, PA, RI.
You can find a list of specific stores at: http://www.barnesandnobleinc.com/newsroom/customer_notice.html
If you shopped at one of those stores in the days before September 14 and swiped a credit or debit card, Barnes & Noble suggests:
Debit Card Users:
- Change your PIN number
- Review your account for unauthorized transactions
- Notify your bank immediately if you discover any unauthorized purchases or withdrawals
Credit Card Users:
- Review your statements for any unauthorized transactions
- Notify your card issuer if you discover any unauthorized purchases or cash advances