My lunch routine is pretty standard and well-known. I go to a Barnes & Noble and pick up a latte over lunch and read magazines that I don’t purchase. I’ve literally done this for years. Clearly I’m a store member and carry a card which I swipe every day for 10% off.
A few weeks ago I took immediate note of the missing card swipe device on the counter and asked if someone had broken their swiper. I got the response that HQ had come in and pulled them all off. Being the savvy person that I am, bells went off, I tuned them down, and went about my business.
As I’m catching up with security news today, sure enough I see word that B&N suffered a POS security breach. Every day that went by without the POS device at the store(s) was further indication that something bad went down and it wasn’t just an upgrade/replacement or glitch.
(Of note, like a good security geek, I don’t use credit cards willy-nilly, especially for tiny purchases like a latte; I’m all about cash for anything but huge purchases, so I wasn’t even at high risk of this.)
These breaches always make me curious and I always have the same round of questions that will never be answered, because no one shares the information, not even in professional circles.
1. What did the attack consist of? Taking apart and adding something to the POS device? Skimmer over top? Code update?
2. Only 1 compromised device in each of 63 stores? Why only 1? Did the device/attack store up credit card info? Did it beam it out realtime via an Internet connection? Did it have access to penetrate the internal network/databases?
3. 63 stores affected in varied major metros. Sounds custom and targeted.
4. How did B&N find out about this? Someone else bring it to their attention? Monitoring? Why or why not?
These are questions not intended to cause legal issues or backpedaling or lay blame. They’re more about learning from mistakes so that I can be better informed and do a better job in my own security endeavors. PCI Guru has a nice follow-up piece.