Barnes & Noble, the large bookstore chain, has disclosed a data breach in which attackers stole credit and debit cardholder data from 63 of its stores nationwide; the company first learned of the problem on Sept. 14. The attackers compromised the customer keypads (PIN pads) in front of the cash registers that customers use to swipe their cards and enter their PINs. Affected states include California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.
What makes this breach different from others is the involvement of the Federal Bureau of Investigation (FBI). The FBI asked the chain to withhold news of the breach until recently so that its investigation could proceed, which allowed the company to delay public notification until late December. The U.S. government normally does not get involved in data breaches unless there is good reason; here the reason may be the increase in attacks that appear to originate with hackers overseas.
Customers who have shopped at Barnes & Noble stores in the affected states are advised to change their debit card PINs and review their bank statements for unusual activity. The customer database, the website, the mobile apps and the member database were not affected, so only customers who paid in-store may be affected. The New York Times has published a list of the addresses of the stores where the keypads are suspected to have been compromised.
PCI DSS itself does not require a merchant to notify consumers. What it requires (testing procedure 12.9.1.a) is an incident response plan that, at a minimum, provides for notifying the payment brands and that analyzes the legal requirements for reporting a compromise. Whether consumers must be told is a matter of state breach-notification law, and most of those laws do not require notice when the stolen data was encrypted. State laws vary: California Bill 1386 requires notification of affected consumers in the event of an actual or suspected compromise for any business that holds California residents' data, and PCI DSS 12.9.1.a cites it as its example of such a law.
The same testing procedure, under PCI DSS Requirement 12 (Maintain an Information Security Policy), mandates that the incident response plan include 'business recovery and continuity procedures' (in other words, a disaster recovery plan) and a data backup process. One way to cover this requirement is to partner with a PCI compliant hosting provider that offers audited IT disaster recovery (DR) and offsite backup services. If you're not sure what to look for in a DR provider, read What to Look for in a Michigan Disaster Recovery Provider (it applies to the Midwest as well).
Franchise Point-of-Sale (POS) Systems Targeted by Hackers
Unfortunately, Barnes & Noble has not said how the attackers gained access to the card data. Attacks on point-of-sale systems are growing exponentially, and encryption is no longer a deterrent for skilled hackers, according to Tom Kellermann, VP of Trend Micro, as quoted in the NYTimes.
Last December, the sandwich franchise Subway was hit when credit and debit cardholder data was stolen from the point-of-sale (POS) systems of more than 150 locations, affecting more than 80,000 cardholders. How did they do it? The attackers port-scanned blocks of IP addresses to find POS systems running a particular remote desktop access program that was reachable from the Internet, and then used that remote access as their way in. Although PCI DSS requires two-factor authentication for remote access, Subway franchisees did not have it in place across all of their locations.
Small businesses are frequent targets because they often lack both security expertise and security technology. Although Subway reportedly passed its security requirements on to its franchisees, many franchisees disregarded them: they declined to use point-to-point encryption and went as far as downloading low-cost remote desktop software available online, according to Arstechnica.com. The result of this culture of skimping on security was serious data theft: $3 million in fraudulent charges, to be exact.
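The sweep the Subway attackers ran is also the cheapest audit a franchisor can run against itself: connect-scan the address ranges you own for remote-desktop listeners before someone else does. The script below is an added example, not code from Online Tech, Subway or the indictment. The port-to-product table is an assumption (common default ports for RDP, VNC and pcAnywhere), the `probe` parameter is injectable only so the sweep can be exercised offline, and it must only be pointed at networks you are authorised to scan.

```python
"""Sweep address ranges you own for Internet-reachable remote-desktop services.

Added example, not code from Online Tech, Subway or the indictment. It is
the defender's version of what the Subway attackers did: a TCP connect sweep
over IP blocks looking for remote-access software, run against your own
ranges so that an exposed service is found by you first. The port-to-product
table is an assumption (common default ports); run it only against networks
you are authorised to scan.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed default listening ports for common remote-desktop products.
REMOTE_ACCESS_PORTS = {
    3389: "Microsoft RDP",
    5631: "pcAnywhere",
    5800: "VNC (HTTP)",
    5900: "VNC",
}


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within timeout (the live probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(cidrs) -> list:
    """Expand CIDR strings into host addresses.

    /31 and /32 networks have no separate network/broadcast addresses, so every
    address in them is a host; larger networks skip those two addresses.
    """
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        addrs = net if net.num_addresses <= 2 else net.hosts()
        hosts.extend(str(a) for a in addrs)
    return hosts


def find_exposed_remote_access(cidrs, ports=REMOTE_ACCESS_PORTS, probe=tcp_probe, workers=32):
    """Return (host, port, product) tuples, ordered by address then port, for every reachable remote-access port.

    `probe` is injectable so the sweep can be exercised offline with a fake;
    the default makes real TCP connections.
    """
    targets = [(host, port) for host in expand_targets(cidrs) for port in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        opened = list(pool.map(lambda t: probe(*t), targets))
    hits = [(host, port, ports[port]) for (host, port), is_open in zip(targets, opened) if is_open]
    return sorted(hits, key=lambda h: (ipaddress.ip_address(h[0]), h[1]))


if __name__ == "__main__":
    # Stand-alone run sweeps loopback only, which is harmless and normally empty.
    hits = find_exposed_remote_access(["127.0.0.1/32"])
    for host, port, product in hits:
        print(f"{host}:{port} reachable ({product}): put it behind a VPN with two-factor authentication")
    if not hits:
        print("no remote-access ports reachable on the swept range")
```

Any hit is a remote-access service that a password alone is protecting; the fix is the one the next section describes, not a longer password.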
Two-Factor Authentication for Remote Access
PCI DSS Requirement 8.3 (version 2.0) states:
Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)
Two-factor authentication (also called dual-factor or multi-factor authentication) requires two different kinds of credentials to gain remote access to a network: something the user knows (a username and password) plus something the user has (a hardware or software token, or a registered mobile phone) or something the user is (a biometric). The second factor is an extra layer of protection that verifies the user really is the person who is allowed access: a guessed or stolen password alone is not enough to get in.
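The 'tokens' Requirement 8.3 mentions are usually one-time codes, and the common software form is RFC 6238 TOTP: a code derived from a secret held on the user's device and the current time. The gate below is an added example, not Online Tech's product and not code from the PCI DSS. It shows the two properties a second factor has to have to be worth anything: there is no password-only fallback, and a code that has already been accepted is rejected if it is replayed. The user store, the PBKDF2 parameters, the 30-second step and the one-step clock tolerance are assumptions made for this example.

```python
"""Two-factor gate for remote access: a password plus a time-based one-time code.

Added example (not Online Tech's product and not code from the PCI DSS).
The second factor is RFC 6238 TOTP computed from a per-user secret held on
the user's device, which is the "something you have". The user store, the
PBKDF2 parameters, the 30-second step and the one-step clock tolerance are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30      # TOTP time step (RFC 6238 default)
DIGITS = 6             # code length shown by most authenticator apps
DRIFT_STEPS = 1        # accept one step either side of "now" to tolerate clock skew
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


class RemoteAccessGate:
    """Per-user password hashes and TOTP secrets; a login needs both factors."""

    def __init__(self):
        self.users = {}

    def enroll(self, username: str, password: str, secret: bytes = None) -> str:
        """Store the password hash and a TOTP secret; return the base32 secret for the authenticator app."""
        salt = os.urandom(16)
        secret = secret or os.urandom(20)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "secret": secret,
            "last_step": -1,   # highest time step already consumed by a successful login
        }
        return base64.b32encode(secret).decode()

    def _password_ok(self, user: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, user["hash"])

    def _code_ok(self, user: dict, code: str, now: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= user["last_step"]:
                continue   # a code from an already-used step is a replay, never valid again
            if hmac.compare_digest(hotp(user["secret"], step), code):
                user["last_step"] = step
                return True
        return False

    def login(self, username: str, password: str, code: str, now: int = None) -> bool:
        """True only when the password AND a fresh one-time code are both correct."""
        now = int(time.time()) if now is None else now
        user = self.users.get(username)
        if user is None:
            return False
        # No single-factor fallback: a correct password with a missing or wrong code fails.
        return self._password_ok(user, password) and self._code_ok(user, code, now)


if __name__ == "__main__":
    gate = RemoteAccessGate()
    provisioning = gate.enroll("store-42-admin", "correct horse battery staple")
    print("enroll this secret in the authenticator app:", provisioning)
    now = int(time.time())
    code = totp(gate.users["store-42-admin"]["secret"], now)
    print("login with current code:", gate.login("store-42-admin", "correct horse battery staple", code, now))
    print("same code again (replay):", gate.login("store-42-admin", "correct horse battery staple", code, now))
```

In a real deployment the gate sits in front of the VPN or remote-desktop gateway (RADIUS is the usual glue, as 8.3 notes) and the secret is provisioned once, out of band; the point of the replay check is that a code captured by a keystroke logger on the POS terminal is useless by the time an attacker tries it.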
Online Tech’s two-factor method combines a unique username/password with a simple, mobile phone-based second step, in which the user completes a secondary authentication of their choice to gain network access. Find out more about two-factor authentication and the other technical security services that can help you not only achieve PCI DSS compliance but also keep attackers out and prevent cardholder data theft by securing access points and protecting your systems.
Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?
Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.
Michigan Hosting Providers Offer Cost-Effective IT Security for SMBs
Michigan Cyber Initiative Reports ‘People’ As Weakest Link in IT Security
2011 SMBs & Disaster Recovery in the Cloud
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)
Credit Card Data Breach at Barnes & Noble Stores
Barnes & Noble Reports Breach of U.S. Customer Credit Card Data
How Hackers Gave Subway a $3 Million Lesson in Point-of-Sale Security