On October 24, 2012 it was announced that Barnes & Noble had a credit card breach that was the result of tampered credit card terminals. As a result of the breach, Barnes & Noble pulled all of the credit card terminals out of their stores so that they could be examined. The story published in the New York Times has some points that should be interesting to other large merchants.
“We have acted at the direction of the U.S. government and they have specifically told us not to disclose it, and there we have complied.”
This is probably the most important takeaway you should have, because a lot of incident response plans miss this point. While the credit card companies want to be notified immediately of a breach, law enforcement should be the first outside entity notified, and then the card companies, if approved by law enforcement. The reason is that law enforcement may want the breach to continue in an effort to more easily identify and apprehend the perpetrators, and that may include allowing the perpetrators to use the stolen cards for purchases.
But the next question that typically comes up is who in law enforcement should be notified? If you are not a large or regional entity, then you should notify your local police department or county sheriff. If you are a regional or large sized merchant in the United States, you should contact the United States Secret Service and/or the Federal Bureau of Investigation. In either case, whatever law enforcement entity you contact should be consulted with before notifying anyone else outside the organization and that includes notifying the card brands.
“The company determined that only one keypad in each of the 63 stores had been hacked. Nevertheless, the company has not reinstalled the devices.”
The 63 stores involved were all across the country, from San Diego, Miami, Chicago, New York and other locations in between. This implies either a very organized criminal group that operates in a lot of locations or a localized group that was able to infiltrate the operation that configures and ships out the terminals for Barnes & Noble. Based on investigations similar to this, it is most likely that a criminal operation infiltrated a centralized location that is responsible for the configuration, repair and replacement of credit card terminals for Barnes & Noble.
So what can a merchant do to minimize this sort of attack? Here are some actions to consider.
- Contract with only a reliable terminal supplier. In this age of lowest cost providers, there is a big temptation to use anyone as a supplier, particularly if their costs are the lowest. However, the old adage of “you get what you pay for” is very relevant in these situations. As part of your vendor selection process, you should be asking a supplier of terminals what they do to ensure that terminals do not get tampered with. If you cannot get an answer or the answer you get is “trust us,” then you should probably not consider them as a vendor. At a minimum, vendors should put their employees through periodic background checks (at least every three to five years), track which employees work on what units, do random physical internal inspections of units and random testing of units to ensure that they are not tampered with before they are sent out. If you are doing this activity in-house, you should also be following this process.
- Lock down your terminals. Anyone that has been into a Barnes & Noble might recall that terminals just sat on the counter. As a result, they were easy to quickly swap out with a doctored unit. I have been involved in a number of situations where merchants had terminals doctored because they were easy to swap out. If terminals are locked in a cradle and only the manager on duty has the key, anyone trying to swap terminals is going to have to have a key to free the device. This prevents swaps that occur after hours when only the cleaning people are present. In addition, the keys to these terminal cradles need to be different for each location so that one key does not open every cradle at every location. The common key is a lesson the gas station industry has only recently addressed.
- Use tamper-proof serialized security tape or stickers over the seams of the terminal and check them daily. This is a trick that has been used for quite a while with gas pumps. The key is to have the stickers checked at least daily (I recommend at each manager shift change) to make sure that they are still in place, and to log that activity. If they have been tampered with or are missing, the lane should be immediately taken out of service and your loss prevention unit contacted.
- Confirm a terminal swap. A lot of merchants are very lax in their terminal swap procedures. If a terminal turns up with instructions to swap it with another or a technician appears at the location with a new terminal, the store personnel do it, no questions asked. That is wrong. At a minimum, a good terminal swap procedure should involve the generation of a trouble ticket in a help desk system or similar and having the store manager confirm the swap with the help desk or POS support. No ticket, no swap, no exceptions.
- Put video monitoring on all your POS locations. This does not stop such a swap from occurring, but it does at least record such an event if it does occur. This is particularly important in situations where the customer also acts as cashier as with any self checkout situation.
- Use MAC address filtering on your store location networks. If a device is unplugged and a new device is plugged in with a different MAC address it will not work. Yes, I know for some of you this creates a bad situation. But I always ask people in response, “Why should store personnel be swapping equipment in the first place?”
- Monitor your sensitive devices. If a credit card terminal or POS gets unplugged from your network, you should generate an alert. That alert should then be correlated to a help desk ticket. If there is no ticket, then someone should immediately notify loss prevention and also follow up with store management to find out why the device was unplugged.
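The correlation described above, as an added example that is not part of the original post: link-down events on payment-device switch ports are matched against help desk tickets, and any unticketed disconnect becomes an alert. The syslog line format, the device naming and the ticket fields are constructed assumptions.

```python
"""Correlate POS/terminal 'unplugged' events with help-desk tickets.

Added example, not from the original post. The switch syslog format,
the port labels and the ticket export are constructed; real vendors
will differ.
"""
import re
from datetime import datetime

# Constructed sample: switch syslog lines, one per port state change.
SWITCH_LOG = """\
2012-10-20T02:13:05 store0117 sw1 port 7 (POS-LANE-3) link down
2012-10-20T02:14:40 store0117 sw1 port 7 (POS-LANE-3) link up
2012-10-20T10:02:11 store0042 sw2 port 3 (POS-LANE-1) link down
2012-10-20T10:09:50 store0042 sw2 port 3 (POS-LANE-1) link up
2012-10-20T11:00:00 store0042 sw2 port 9 (OFFICE-PRINTER) link down
"""

# Constructed sample: tickets authorising a terminal swap in a time window.
TICKETS = [
    {"store": "store0042", "device": "POS-LANE-1",
     "start": datetime(2012, 10, 20, 9, 30), "end": datetime(2012, 10, 20, 12, 0)},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<store>\S+) \S+ port \d+ \((?P<device>[^)]+)\) link (?P<state>down|up)$"
)

def parse_events(log_text):
    """Yield (timestamp, store, device) for every link-down event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("state") == "down":
            yield datetime.fromisoformat(m.group("ts")), m.group("store"), m.group("device")

def ticket_covers(ts, store, device, tickets):
    """True if an open ticket names this store/device and spans the event time."""
    return any(t["store"] == store and t["device"] == device
               and t["start"] <= ts <= t["end"] for t in tickets)

def unticketed_disconnects(log_text, tickets, sensitive_prefix="POS-"):
    """Return link-down events on payment devices with no matching ticket."""
    alerts = []
    for ts, store, device in parse_events(log_text):
        if not device.startswith(sensitive_prefix):
            continue  # printers and the like are out of scope for this rule
        if not ticket_covers(ts, store, device, tickets):
            alerts.append({"time": ts.isoformat(), "store": store, "device": device})
    return alerts
```

Only the 2 a.m. disconnect at store0117 is reported; the store0042 swap is covered by its ticket and the printer is ignored.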
- Monitor your network. Terminals or POS should only be communicating with your service provider for transaction authorization, and your router(s) and/or firewall(s) should be configured accordingly. If a terminal or POS attempts to communicate with any other external IP address, that should generate an alert to corporate IT and security that should then be investigated immediately. This will catch those devices that are tampered with and then transfer data to a server outside of your network. It is highly likely that the communication will be encrypted, but the traffic will be directed to an external IP address that should be blocked if your firewall(s) or router(s) are configured properly.
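The egress rule described above, as an added example that is not part of the original post: firewall log lines are checked so that any flow from the terminal subnet to an external address outside the processor's allowlist is reported, whether the firewall allowed or denied it. The log format, the terminal subnet and the processor address range are constructed placeholders.

```python
"""Flag payment terminals talking to anything but the payment processor.

Added example, not from the original post. Log format, terminal subnet
and processor range are constructed; use your firewall's export and
your provider's published authorization addresses.
"""
import ipaddress

# Constructed: payment terminals live in this block; only it is in scope.
TERMINAL_NET = ipaddress.ip_network("10.50.0.0/16")
# Constructed placeholder for the acquirer's authorization hosts.
PROCESSOR_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Internal ranges (store LAN / corporate WAN) are not "external" for this rule.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines: timestamp src dst dport action
FIREWALL_LOG = """\
2012-10-20T14:01:02 10.50.3.21 203.0.113.17 443 allow
2012-10-20T14:01:09 10.50.3.21 10.1.2.3 22 allow
2012-10-20T14:02:33 10.50.3.21 198.51.100.9 443 allow
2012-10-20T14:02:35 10.50.3.22 198.51.100.9 8443 deny
2012-10-20T14:03:00 10.7.0.5 198.51.100.9 443 allow
"""

def in_any(addr, nets):
    return any(addr in n for n in nets)

def suspicious_egress(log_text):
    """Return terminal flows to external hosts outside the processor allowlist.

    Denied flows are reported too: a blocked attempt is still evidence that
    a device may have been tampered with and should be investigated.
    """
    findings = []
    for line in log_text.splitlines():
        ts, src, dst, dport, action = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in TERMINAL_NET:
            continue  # not a payment terminal
        if in_any(dst_ip, INTERNAL_NETS) or in_any(dst_ip, PROCESSOR_NETS):
            continue  # expected destination
        findings.append({"time": ts, "terminal": src, "dest": dst,
                         "port": int(dport), "action": action})
    return findings
```

The encrypted payload is irrelevant here; the destination address alone is what triggers the finding.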
Cross-posted from PCI Guru