
Thieves "bug" debit card PIN pads in 63 Barnes & Noble stores - geekfactor
http://news.yahoo.com/barnes-noble-reports-breach-u-customer-credit-card-032430509--finance.html
======
ghshephard
I sometimes wonder why the United States is lagging the rest of the world in
rolling out a chip standard for their credit cards.

These sorts of exploits are significantly more difficult in other parts of the
world that have switched over - the United States' use of the outdated
"magnetic stripe" for security is not only putting American consumers at risk
(Yes, I know, you can always challenge a charge, IF you notice it sneak onto
your card, AND if you go to the effort of getting it revoked. Go talk to
someone who's been the victim of identity/credit card theft to see how much
FUN that is) - it's also putting at risk all the other countries that have to
continue to support legacy card systems.

At the very least, the credit card agencies in the United States could start
rolling out the Card Machines to NEW businesses, in preparation for the
eventual upgrade of consumers.

My only guess is that they've done a RISK/REWARD assessment, and decided that
the cost of upgrading all of these systems is more expensive than what they
are losing to fraud.

~~~
gergles
EMV has been trivially broken[1], and it unpopularly pushes the risk of fraud
onto the customer. Customers in the US don't want that (especially since EMV
is broken!). On top of that, there are a hell of a lot more merchants that
would all need to purchase entirely new credit card terminals, which is a much
larger undertaking in this country than it would be elsewhere.

[1] http://www.cl.cam.ac.uk/research/security/banking/nopin/oakland10chipbroken.pdf

~~~
ZoFreX
That's not trivial compared to magnetic stripe. I created a credit card reader
with £2 of electronics, my laptop, and a freely available open-source program.
(And I'm pretty dumb, so it's really easy)

~~~
heywire
What about the most vulnerable part of credit cards, the fact that the card
information is printed right on the front (and back) of the card? Someone in
line at the grocery store with a pen camera in their pocket can catch a
glimpse of the front and back of a card. That is generally enough information
to use the card online.

~~~
mikeash
How will you use that card information, though? The printed information isn't
sufficient to create a new magnetic stripe (the CVV1 code in the magstripe
isn't printed on the card). Using the card info online requires knowing the
cardholder's address. If you can find someone still using an imprinter, then
that would work, but so would completely made-up data.
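
The split mikeash is drawing, between what is printed on the card face and what only lives on the magnetic stripe, as an added example (this is not code from the thread): a small ISO/IEC 7813 Track 2 parser with a Luhn check and a service-code decoder. The sample track is constructed around a well-known test PAN; the layout of the discretionary data is issuer-specific, so treating it as "PVKI, PVV and CVV1" is an assumption about typical practice.

```python
"""Parse an ISO/IEC 7813 Track 2 string and separate the fields a camera can
read off the card face from those only a magstripe skimmer captures.
Added example for this thread; the sample track below is constructed."""
import re
from dataclasses import dataclass

# Track 2 layout: ;PAN=YYMM SSS <discretionary data>?
# (';' start sentinel, '=' field separator, '?' end sentinel, LRC omitted)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Service-code meanings per ISO 7813 (digit 2, authorisation processing,
# is left out here for brevity).
SVC_INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, chip preferred where available",
    "5": "national interchange only",
    "6": "national interchange only, chip preferred where available",
    "7": "no interchange except by bilateral agreement",
    "9": "test card",
}
SVC_SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM; also embossed/printed on the card face
    service_code: str    # stripe only
    discretionary: str   # stripe only; issuer-defined, typically PVKI+PVV+CVV1 (assumption)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check on the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails the Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def describe_service_code(svc: str) -> dict:
    """Decode what the issuer told the terminal about chip and PIN use."""
    return {
        "interchange": SVC_INTERCHANGE.get(svc[0], "reserved"),
        "chip_preferred": svc[0] in ("2", "6"),
        "services": SVC_SERVICES.get(svc[2], "reserved"),
        "pin_required": svc[2] in ("0", "3", "5"),
    }


def skimmer_only_fields(t: Track2) -> dict:
    """Stripe fields that never appear on the card face: what a pen camera in
    the checkout line cannot recover but a PIN-pad skimmer does. The printed
    CVV2 is the reverse case: it is not encoded on the stripe at all."""
    return {"service_code": t.service_code, "discretionary_data": t.discretionary}


SAMPLE = ";4111111111111111=2512201123456789?"   # constructed; test PAN

if __name__ == "__main__":
    t = parse_track2(SAMPLE)
    print(t)
    print(describe_service_code(t.service_code))
    print(skimmer_only_fields(t))
```

The service code is the part worth noticing in the context of this thread: a first digit of 2 or 6 tells a terminal to prefer the chip when it has one, and the third digit says whether a PIN is required, so a magstripe clone of a chip card carries the issuer's own instruction that it should not have been swiped.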

~~~
elithrar
> Using the card info online requires knowing the cardholder's address.

US (and Canada, UK) issued cards are verified against the billing address
(AVS), in most cases. In other countries (e.g. Australia), this is not the
case.

The card number and CVC are typically sufficient; you can put any other
address you would like. My Amazon billing address is my work address, which is
not the address my bank has (my home).

~~~
mikeash
Interesting. Any idea why they don't verify the billing address there? Seems
like it would be no harder than doing it in the US.

------
bcn
"Tampered PIN pads were discovered from stores in the following states: CA,
CT, FL, IL, MA, NJ, NY, PA, RI. A complete list of specific stores follows."

http://www.barnesandnobleinc.com/press_releases/10_23_12_Important_Customer_Notice.html

------
3JPLW
> Bugs were planted in the PIN pads...

Fascinating. I wonder how these "bugs" worked. More information here would be
great.

~~~
revelation
Lots of juicy pictures here:

<http://krebsonsecurity.com/2010/02/atm-skimmers-part-ii/>

I guess you can learn from these pictures how they work.

~~~
ChuckMcM
The krebsonsecurity site is pretty awesome. I was at a talk where they
discussed how the hard part isn't discovering the skimmers, it's catching the
crooks when they cash out. So some enterprising folks are noting that the
skimmers are installed and then logging all the customers who use the ATM;
once they have customer records they then flag transactions on all of those
accounts and wait for the crooks to try to cash out. They have caught folks
with literally a bag full of cards with PINs written on them trying to pull
$200 - $500 out of each account.
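
The cash-out detection ChuckMcM describes, as an added example (not code from the talk or from anyone in the thread): build the set of accounts exposed at a terminal known to have been tampered with, flag every later cash withdrawal on those accounts, and then cluster the flags by ATM and time so that several exposed accounts drained at one machine within minutes surfaces as a single alert. The log lines, terminal identifiers and tamper window are all constructed for illustration.

```python
"""Flag cash-outs on accounts that used a known-tampered PIN pad.
Added example for this thread; the log lines, terminal IDs and tamper
window below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, terminal, account token, type, amount (USD)
LOG = """\
2012-10-01T09:12:00 TERM-0042 acct-A purchase 31.50
2012-10-01T09:40:00 TERM-0042 acct-B purchase 12.00
2012-10-02T18:05:00 TERM-0042 acct-C purchase 44.20
2012-10-02T19:00:00 TERM-0099 acct-D purchase 9.99
2012-10-20T02:14:00 ATM-7781 acct-A withdrawal 300.00
2012-10-20T02:16:00 ATM-7781 acct-B withdrawal 400.00
2012-10-20T02:19:00 ATM-7781 acct-C withdrawal 300.00
2012-10-21T12:00:00 ATM-1000 acct-D withdrawal 60.00
2012-10-21T12:30:00 ATM-1000 acct-A withdrawal 40.00
"""

# Terminal found tampered, with the window during which the skimmer is
# believed to have been in place (constructed; in practice this comes from
# the store's inspection and the pad's install/service records).
COMPROMISED = {"TERM-0042": (datetime(2012, 9, 25), datetime(2012, 10, 5))}


@dataclass
class Event:
    ts: datetime
    terminal: str
    account: str
    kind: str
    amount: float


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, account, kind, amount = line.split()
        events.append(Event(datetime.fromisoformat(ts), terminal, account, kind, float(amount)))
    return events


def exposed_accounts(events, compromised):
    """Common point of purchase: every account swiped at a tampered terminal
    while the skimmer was in place is treated as exposed."""
    exposed = set()
    for e in events:
        window = compromised.get(e.terminal)
        if window and window[0] <= e.ts <= window[1]:
            exposed.add(e.account)
    return exposed


def flag_cashouts(events, exposed):
    """Individual alerts: any cash withdrawal by an exposed account."""
    return [e for e in events if e.kind == "withdrawal" and e.account in exposed]


def cluster_cashouts(flagged, window=timedelta(minutes=10), min_accounts=2):
    """Group flagged withdrawals by ATM; several exposed accounts cashed out
    at one machine within minutes is the 'bag of cloned cards' pattern."""
    by_atm = defaultdict(list)
    for e in flagged:
        by_atm[e.terminal].append(e)
    clusters = []
    for atm, evs in by_atm.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            accounts = sorted({e.account for e in evs[i:j + 1]})
            if len(accounts) >= min_accounts:
                clusters.append((atm, evs[i].ts, evs[j].ts, accounts))
            i = j + 1
    return clusters


def run(text=LOG, compromised=COMPROMISED):
    events = parse_log(text)
    exposed = exposed_accounts(events, compromised)
    flagged = flag_cashouts(events, exposed)
    return exposed, flagged, cluster_cashouts(flagged)


if __name__ == "__main__":
    exposed, flagged, clusters = run()
    print("exposed accounts:", sorted(exposed))
    for atm, start, end, accts in clusters:
        print(f"{atm}: {len(accts)} exposed accounts cashed out "
              f"{start:%Y-%m-%d %H:%M}-{end:%H:%M}: {accts}")
```

On the constructed log, acct-D is never flagged because it only used an untampered terminal, and acct-A's later withdrawal at ATM-1000 is flagged individually but does not form a cluster on its own; only the three-account run at ATM-7781 meets the cluster threshold. The window and the minimum account count are the knobs to tune against the false-positive rate of a real card population.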

------
ronnier
For the first time since I've had credit cards, I've had my cards cloned and
used to make purchases twice over the past couple of months. It's a major
hassle because I have auto pay for recurring bills (phone, internet,
electric, etc...).

It seems to me that this type of activity is on the uptick.

------
powertower
Recently I had fraudulent charges made on my Wells Fargo debit card. That card
had no history (never used at ATMs or Merchants), and even the lady I talked
to from Wells Fargo fraud dept was surprised.

The only place I've used it was at the local Wells Fargo branch office with
their pads to take cash out of my checking account.

I bet they have a similar issue. Those pads are networked to their systems,
all running Windows, it wouldn't take much to craft something together to pull
those #s out.

~~~
dsl
Did you go into an ATM vestibule? The readers that let you insert your card to
get to "safe" ATMs inside the bank lobby after hours are often targets of
skimmers too. They look something like this:
http://krebsonsecurity.com/wp-content/uploads/2010/01/lmskim3.jpg

------
MiguelHudnandez
I wonder how long it will take for people to start thinking that shopping
online is actually safer than shopping in person.

I remember how reluctant people were during the "dot com boom" to use their
credit cards online. Now I am reluctant to use public ATMs, even my own bank's
ATM.

------
Zikes
I had to copy & paste the URL for the B&N press release. Why not make it a
link?

------
rc4algorithm
I remember there being a really interesting story about a Turkish criminal
manufacturing tons of ATM number pad overlays in Kingpin:

http://www.amazon.com/Kingpin-Billion-Dollar-Cybercrime-Underground-ebook/dp/B004IK8Q2M/ref=dp_kinw_strp_1

That whole book is full of bizarre and amazing stories about hacking and
credit card fraud. It's well written, too; the author was a hacker so the
technical descriptions aren't painfully generalized as they too often are.
Highly suggested.

------
janezhu
Wow I was wondering why Chase randomly sent me a warning and a new debit card
a few weeks ago. I had made no unique purchases aside from coffee and books
from Barnes and Noble and initially thought the new card from Chase was a
fake. At stores like the one at NY's Union Square, the cashiers never leave
their stations from 10am to 10pm. I wonder how this could have been done so
quickly as to not cause suspicion. Perhaps there might have been some internal
cooperation?

------
bitteralmond
Aren't chip-readers the law in the US now? What's the use of getting a PIN if
the only thing you can link it to is impossibly-encrypted chip data?

~~~
tjohns
Almost no cards issued in the US have chips. As a result, almost no terminals
in the US have a chip reader.

A PIN is used to authenticate swiped (magstripe) transactions from a debit
card. That said, swiped transactions from a credit card only require a
signature -- though many terminals have been upgraded to also require the
billing ZIP (postal) code. Most debit cards can also be run as credit cards,
effectively bypassing the PIN check.

NFC-enabled terminals (and the cards to go with them) are slowly starting to
appear, but even those don't require a PIN. Just a signature.

~~~
peteretep
> Almost no cards issued in the US have chips. As a result, almost no
> terminals in the US have a chip reader.

I was in New York state a while ago, and most places had PIN pads with chip
readers. Not a single store person asked me to use it, and the few times I
suggested I could, I got blank stares. I ended up signing for a bunch of
stuff.

Long story short: just because no-one is using them doesn't mean there's no
chip reader.

