POS Breach Highlights Fraud TrendRetail Hacks Expose System Weaknesses
In the latest in a series of point-of-sale attacks plaguing U.S. retailers, Barnes and Noble Booksellers has confirmed a breach hit 63 of its locations from California to Rhode Island.
Card issuers say the incident highlights the card fraud detection and prevention challenges they face. One issuer affiliated with an East Coast institution says connecting the fraud dots in this breach, which issuers have been monitoring since the spring, required high-level cross-channel detection. That issuer, who asked not to be named, says the majority of cards linked to the Barnes & Noble breach were used for fraudulent transactions at nearby ATMs.
Card issuers are usually the first to identify fraud patterns when retailers are breached, as the POS breach at Michaels crafts stores proved in late 2010. They also are the ones left dealing with the repercussions of subsequent fraud.
"When merchants are compromised, that really adversely affects the banks and credit unions," says Wade Baker, managing principal at Verizon Business, where he focuses on data breach analysis. "So many breaches are linked to poorly maintained POS networks and devices. It's a growing problem."
Compliance with Payment Card Industry Data Security standards and adoption of more secure payments technology, such as EMV, also known as the Europay, MasterCard, Visa standard, would help, experts say. But the fundamental problem is that most retailers lack basic fraud-prevention knowledge, they add.
Barnes & Noble Details
Though Barnes & Noble did not say when it discovered its breach, the company announced that it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island. In a statement posted Oct. 24, the bookseller says all PIN pads within its nearly 700 stores nationwide were disconnected and replaced by Sept. 14.
"The tampering, which affected fewer than 1 percent of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the statement says. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."
Barnes & Noble says its customer database is secure, and purchases made on Barnes & Noble.com, as well as those made with NOOK tablets and NOOK mobile applications have not been affected. The bookseller's member database also was not affected, the company says, and no compromised PIN pads were discovered at Barnes & Noble College Bookstores.
Federal authorities have been notified of the breach and continue to work with the bookseller to investigate the attack. Barnes & Noble says it's also working with card issuers and other banking institutions, as well as the card networks, to identify accounts that may have been compromised. The company says it waited to notify the public of the breach until after its internal investigation was complete.
The Federal Bureau of Investigation and the office of the U.S. Attorney for the Southern District of New York declined additional comment about the investigation.
Retailers: Increasing Points of Compromise
The Michaels breach was one of the first to put a spotlight on POS device fraud. That attack, involved 84 stores in 20 states and affected 94,000 credit and debit cards. Fraudsters swapped out POS devices with compromised terminals that copied and wirelessly transmitted card details as they were swiped or entered.
Barnes & Noble spokeswoman Mary Ellen Keating would not clarify how the bookseller's POS devices were compromised. But the incident seems hauntingly similar to the breach at Michaels, some observers say.
One card issuer on the West Coast, who also asked not to be named, says the compromised POS devices found at Barnes & Noble locations were Bluetooth-enabled, suggesting legitimate devices were swapped with devices set up to transmit stolen details in real-time, similar to what happened in the Michaels breach.
Avivah Litan, a fraud analyst for the consulting firm Gartner, says swapping out POS devices is a common attack method. Fraudsters identify a retail or restaurant chain that uses the same make and model of a POS device at all or most of its locations. The criminals then acquire that make and model, manipulate it and physically swap it out, she says.
"More and more banks are telling me they're seeing online account takeover decline and card fraud increase," Litan told BankInfoSecurity in late July, shortly after a POS network breach at small restaurant in Kentucky (see Micro Attacks: The New Fraud Scheme).
"Most of the increases in card fraud they're seeing are linked to POS attacks, because the systems are so easy to break," she added.
Over the summer, Penn Station reported a payments breach that affected 80 of its franchised locations. Penn Station never revealed the source of the breach, but industry experts say it was most likely linked to a network attack.
In the Subway breach, more than 150 franchised locations were linked to a POS and checkout systems hack that went undetected from 2008 until May 2011. The group that targeted Subway targeted other retailers as well, and investigators suggested that, overall, more than 80,000 U.S. consumers were affected.
The Impact on Card Issuers
Verizon Business, in a just-released analysis of breaches from 2010 and 2011, finds that retailers are often prime targets for card fraud. The use of easily guessed or default passwords for remote access to POS networks and failure to change factory-installed passwords on POS devices puts them at increased risk.
John Buzzard, who monitors card fraud for FICO's Card Alert Service, says a migration toward EMV, a standard card technology used throughout most of the world, also will help. EMV chip cards are inherently more secure than the magnetic-stripe cards still common in the U.S., he says.
"[EMV] essentially means that the transaction at the point of sale would be encrypted and secure," Buzzard says.EMV is more secure, because criminals have not yet identified a way to clone EMV chips, says Mike Urban, a financial fraud expert with core payments processor Fiserv. "EMV would definitely stop these attacks from being profitable," he says.
Both Visa and MasterCard have issued 2013 and 2014 deadlines for EMV migration in the U.S. related to credit cards, POS devices and ATMs. But many observers predict the industry won't see much movement toward EMV until 2015.