Wed October 24, 2012
Crooks Target Barnes And Noble's PIN Pad Devices
Originally published on Thu October 25, 2012 12:22 pm
MELISSA BLOCK, HOST:
From NPR News, this is ALL THINGS CONSIDERED. I'm Melissa Block.
AUDIE CORNISH, HOST:
And I'm Audie Cornish.
Barnes and Noble did something remarkable last month. It shot down the PIN pad devices at its checkout counters, all of them at its nearly 700 U.S. stores. The reason, it was the victim of a sophisticated scheme to steal customers' credit card information. Instead of hacking the company's online customer database, according to a Barnes and Noble press release, criminals planted bugs in the tempered PIN pad devices, allowing for capture of credit card and PIN numbers. And this caper didn't just affect one or two stores. The company found evidence of tampering in devices at 63 stores.
The story was first reported yesterday by The New York Times. For more on the scheme and its implications for anxious retailers and their customers, we're joined by Kim Zetter, senior writer at Wired. Welcome, Kim.
KIM ZETTER: Thank you.
CORNISH: So let's start with the basics. How exactly would a thief plant a bug in a PIN pad device? I mean, how does that work?
ZETTER: Well, one of the ways that we've seen is actually some hackers demonstrated this at a conference over the summer, where they had malware installed on a rogue credit card, that they basically just slip into the card reader. And that allowed them to then install malware onto the devices.
CORNISH: So they actually pretend to make a purchase?
ZETTER: They pretend to make a purchase, but it actually is a failed purchase. So it will look as if the card didn't work or it didn't go through. And that allows them to basically just sort of open the system up for the vulnerability. Later on, they install the vulnerability from another server - in this particular hack. There are a number of ways of doing this, but in this particular hack, that's the way they did it.
CORNISH: And, Kim, there's also another way of doing this, right, using a skimming device? What's that?
ZETTER: Yeah, a skimming device is an external device that sits on the reader. We've seen this a lot in ATM machines, where it actually resembles very closely the real reader, so that a customer can't tell the difference. And what happens is you insert your card into the opening of the reader, and the skimmer records the card data while the card is going through. And then your card actually does go into the legitimate reader. But you're unaware that the skimmer is recording the data from your card at the same time.
CORNISH: What do you think of Barnes and Noble's response to this, effectively shutting down all their PIN pad devices at the registers?
ZETTER: I thought that was a pretty remarkable and thorough response. It's the right response. They really do need to examine all of the countertop PIN pad devices that they have to make sure that the number of ones that were compromised were actually caught. But, you know, they're not excluding customers from using credit cards at this point. From their press release, they said that customers will actually have to hand over the card to the cashier. And there's a reader on the cash register that the cashiers will scan it themselves.
CORNISH: How unusual it is the crime itself? Is this a new frontier in the fight against the data theft?
ZETTER: No, this is quite common. It's just that the hackers are finding various ways. Each time that authorities find one way to thwart one form of hacking, they'll find another way. So, you know, putting external skimmers on was the popular way for doing it for a long time. It's a lot more sophisticated to install something internally and to the devices though, so this is more serious.
CORNISH: Now, besides the obvious - paying with cash - is there anything customers and retailers can do to actually protect their information?
ZETTER: You know, one of the best things to do is not use a debit card for outside purchases. And so, basically only use a credit card because that gives you more protection. With a debit card, once a thief has your PIN number, they're going basically straight into your account and they can withdraw the funds that way. And then the other thing is basically just to check your statements monthly, to make sure that there are no fraudulent transactions on them.
CORNISH: That's Kim Zetter, senior writer at Wired, talking with us about a massive hack off in pad devices at Barnes and Noble stores. Transcript provided by NPR, Copyright National Public Radio.