Thieves Hack Barnes & Noble Point-of-Sale Terminals at 63 Stores

Photo: daysofthundr46/Flickr

A band of thieves compromised credit card readers in 63 Barnes & Noble stores in nine states, prompting the giant bookseller to remove the readers from all of its stores while an investigation is underway.

Barnes & Noble discovered the compromised readers sometime around Sept. 14, but did not notify customers because the Justice Department asked the store to keep quiet while the FBI investigated the matter, according to The New York Times.

It’s not known how much the hackers got away with in fraudulent transactions, but Barnes & Noble reportedly contacted card issuers at the time to notify them of the breach so that they could be on the lookout for suspicious transactions on customer accounts that were compromised in the breach.

Barnes & Noble didn’t disclose how the breach occurred, but according to a press release from the bookseller, the hackers installed malware on the so-called point-of-sale (POS) card readers to sniff the card data and PINs as customers typed them in.

Barnes & Noble doesn’t indicate how the attacker did this, but it could have occurred a couple of ways, depending on the type of POS system Barnes & Noble uses.

In July, security researchers at Black Hat security conference in Las Vegas showed how they were able to install malware onto POS terminals made by one vendor, by using a vulnerability in the terminals that would allow an attacker to change applications on the device or install new ones in order to capture card data and cardholder signatures.

The researchers found that the terminals, which use an operating system based on Linux, have a vulnerability that didn’t require updates to their firmware to be authenticated. The researchers installed their malware using a rogue credit card inserted into one device, which caused it to contact a server they controlled, from which they downloaded malware to the device.

But this isn’t the only way to tamper with POS terminals.

Last May, Canadian police busted 40 people involved in a sophisticated carding ring that tampered with POS terminals in order to steal more than $7 million. Police said the group, based out of Montreal, seized point-of-sale machines from restaurants and retailers in order to install sniffers on them before returning them to the businesses.

Police said the thieves took the POS machines to cars, vans and hotel rooms, where technicians hacked into the processors and rigged them so that card data could be siphoned from them remotely using Bluetooth. The modifications took only about an hour to accomplish, after which the devices were returned to the businesses before they re-opened for business the next day. The ring is believed to have had inside help from employees who took bribes to look the other way.

Account numbers and PINs from the cards would be encoded to blank cards, which other conspirators then used to conduct a massive and coordinated run against banks to steal about $7.7 million.

In the case of Barnes & Noble, the attackers apparently cast a wide net, installing malware on POS terminals in 63 stores in nine states. The company said the attackers only installed the malware on one device at each store, but as a precaution the company has removed all of the POS terminals from its stores to examine them. In the meantime, customers are being told to hand their bank cards to the cashier, who will scan them via readers embedded in the cash registers.

Technology Architecture Questions for Vendors

As time goes by architects are reviewing less custom / "home grown" solutions and looking at commercial off the shelf (COTS), platforms or cloud based solutions. I thought I would share with you a vendor architecture question template that I have used in the past to fast track my understanding.

Keep in mind that this isn't an RFI / RFP type template. It can be used to augment one but isn't the full view, just technology. I try to work with PMO, procurement and others to include this to the RFI / RFP process.For the sake of this post I will assume that's not the case. 

I use this template as a first pass with the vendor. It serves as a base understanding so I can then ask my level two and three questions of the vendor. Here is the process in which I use:

  1. Modify for the solution - Review the template for any modifications. usually there are tweaks that need to be made based on the type of problem or solution that is needed.
  2. Send to vendor - Send with instructions that it needs to be returned in a timely manner and decisions will be made based on the quality and accuracy of the information. 
  3. Distillation - I use the information to categorize how well the vendor's technology:
    1. Aligns the companies policies and standards
    2. If they are instantly disqualified for some reason
    3. If it meets the non-functionals / quality attributes of the requested solution 
  4. Compile additional questions - The vendor solutions that make it will most certainly have additional questions that will be needed to be answered. Compile the extended questions and send to the vendor.
  5. Deep dive workshop - I like to do a deep dive workshop with the vendor so they can expand on their responses and provide a forum for EA to probe more into the solution. 
Below you will find the questions. Some of the questions are a little dated and need updating. I've been using flavors of this for years, but I think you will find that directionally useful. 

Architecture Domain




What architecture style used to build this application? (ex: Cloud, SOA, SaaS, N-Tier, client server, etc.)


Is there a separation of concerns in the architecture to the effect that solution components have very specific bounds and are applied at the right layers?


What documentation can be provided?(Ex: ERD application API’s, UML diagrams of objects, business process models)


Does the solution support internationalization and localization?


Define the solution roadmap with product version cycles, expected point and major releases of the current version.


Is there usage of proprietary technologies?


Application / Logical

In what languages is the application built?  This includes business logic and presentation tiers.


Has the application been ported into other languages?


Are there a blend of multiple languages and/or versions of languages in you solution?


Is there a mixture of language interpreters?


Is the application customizable? If the application is customizable, what methods, languages and tools are needed to customize? Are these tools bundled in the solution?


Is the source code provided with the solution?


Are there “out of the box adapters”, plug-ins or accelerators provided as productized and supported by the vendor?


Is there a cloud based offering? If so, what service models (IaaS, PaaS, SaaS) and deployment models (Private or Public) are supported?


What client models are supported:

 1. Mobile – What platforms, application type (app vs. web based) and the limitations

 2. Browser – What browsers are supported and what standards are used (ex: HTML 5)

 3. Thick Client – What OS platforms are supported?


Is there a configurable business rules and or workflow engine included?


Are there business process or workflow capabilities built into the solution? If so, what standards does it use?


Are there any open source used in your solution?


How much of the logic is hard coded vs. being data driven or configurable?



Do the solution support integration with its processes and information?


At what level and how deep is integration supported?


Explain how functionality can be extended in the solution


Describe the various protocols supported by the solution. Indicate required, optional and major non-supported protocols.


Describe communication ports and ability to move across the enterprise and outside the company firewall.


Is there support for Enterprise Service Bus (ESB) or middleware technologies?


If ESB or middleware technologies are supported, how is the solution configured to fit within a services framework?


Is the integration supported by services? If so, what types of services? (ex: Web Services, EJB, .Net Remoting, Queues, etc.)


How are the services implemented?


What service standards are used? (Web Services over HTTP, SOAP, REST, etc.)


What services directories (ex: UDDI) can the solution hook into?


Does the solution provide or receive bulk transactions or data feeds?


Does the solution wrap the database with a service or does the solution access the database directly?


How does the solution support synchronous and asynchronous transactions?


Does the solution have publish/subscribe capabilities?


Are there integration adapters that are provided? If so, identify.



OS Platforms


What are all the supported Operating System (OS) platforms and their versions across the solution?


Describe the OS platforms and their configurations at all tiers of the solution.


Has the solution been tested and/or certified with new OS platforms or emerging OS platforms that are in planned release within the year?


If there are multiple OS platforms available (that compete), provide the recommended OS platform(s) with pros and cons contrasted by your solution set.


Are there recommended platform recommendations based on size of the organization and/or the size of the solution? If so describe the recommendations.


Application Platforms


Describe the application platforms that are required in the solution. (ex: Apache, IIS, BizTalk, WebSphere, etc.)


If multiple database platforms are supported, what are the preferred DB platform(s)?



What is the solution licensing model?


What client licensing is required for each end user or desktop?


What is the server licensing model? (ex: per CPU, per CAL, per Core, etc.)


Are there any third party licenses required?



What class of hardware is recommended across the tiers of the solution? (ex: processor, disk, memory, etc.)


Provide a profile of recommended server counts and configurations.


Is virtualization supported? If so, by which vendors?


Provide example physical topologies of the solution.


What is the scaling model for the architecture (Scale-Up / Scale-Out )


Data Communications

Are there any network requirements for this solution?


Are there any solution limitations with implementing network segmentation?


Are there any solution limitations with implementing multiple DMZ tiers?


Are there any solution limitations with implementing VLAN's?


Are there any solution limitations with implementing network appliances such as SSL / XML acceleration or network load balancing?


SaaS Solutions

Is there a solution hosting model? If so, define.


Is a cloud platform provided for optional development or integration?


Is the solution hosted on a third party platform? (ex: Amazon or MSFT?)


What is the solutions connectivity to the internet or to internal systems?


Define the solution inbound and outbound traffic.


Is multi-tenancy supported?


What level of business continuity and disaster recovery supported?


Performance and Scalability

Is load balancing supported and implemented in the solution?


At what level is load balancing supported? (ex: application and/or at the network level)


Describe how high availability is supported.


If available, provide a performance and/or stress test report.


Describe the number of transactions per hour that the solution can handle with the recommended solution implementation.


Describe the number of concurrent user sessions that the solution can handle with the recommended solution implementation.


What is the recommended scaling model? Scale up or out?


What factors determine hardware, OS, database or other system component upgrades?


Describe the algorithm or guidance that you use to determine the solutions configuration and scaling model.


Describe your systems capabilities for automated fail-over and/or error detection and prevention



What is the authentication model?


What is the authorization model?


Does the solution support Single Sign On? If so, is customization required?


Can the security be externalized into an enterprise identity store such as Microsoft Active Directory?


Are trust boundaries defined with users that are authenticated across those trust boundaries.


If security is custom and internal to the system, can the solution support strong passwords?


Is there security API's for application level integration?


What auditing mechanisms are available from within the tool?


If externalization of authentication and authorization is unavailable can identities be provisioned and de-provisioned? If so, elaborate?


How are transaction secured?


What protocols are used to secure the solution?


Are data or message level transactions supported? (ex: ws-security)


Is federated identity supported?


What level of hardening is supported on the platforms and protocols/ports?


Is there unsecured data at rest along the process chain?



What end-user training options are available and at what cost?


What administration training options are available and at what cost?


What application development training options are available and at what cost?



Is an ERD available for the solution?


Is a data dictionary for the solution available and if so what is the format and what metadata does it include?


What databases and versions are supported by the solution?


What database versions have been certified and/or tested?


If multiple databases are supported what is the preferred database?


How is access to the database achieved from the application?


How is access to the database achieved from external applications?


Are there specific database access components or drivers required at any tier in the solution? (ex: client tier)


Identify all the locations in the solution where data may be kept. This can include flat files, cookies, XML files, access databases, etc.


Is referential integrity handled at the application, services, database or not implemented?


What is the typical size, number of transactions and complexity of the database compared to the requirements given by our company?


Under what conditions can the database significantly expand? (ex: increase in customers, employees, assets, transactions, etc.)


What is the largest database implementation that you currently support?


Provide a list of all the database platforms you support.


Does the solution have special fault tolerance mechanisms?


Will the solution support native database fault tolerance mechanisms?


Does the solution allow for SSIS or ETL solution integration?


Are there any special considerations for backup and recovery of the solution?


Are there any batch processing events that occur within the application?


Is the supported solution database schema modifiable?



What is the delay before the solution supports a next release of dependent platform such as OS, database, Web Server, etc.


Describe the instrumentation included in the solution that allows for the health and performance of the application to be monitored.


Is there a defined support model based on technology or platform selection?


How often are new versions released?


How often are patches released?


What is the support model for the solution in relation to the co-existence with OS patch releases?



If you decide to use these questions as a starting point for your evaluations, please tell me about it as I would love to hear how you have changed the questions based on the solutions you are evaluating. 


How a Google Headhunter’s E-Mail Unraveled a Massive Net Security Hole

Mathematician Zach Harris, 35, of Jupiter, Fl., poses for a portrait on Tuesday. Photo: Brynn Anderson/Wired

It was a strange e-mail, coming from a job recruiter at Google, asking Zachary Harris if he was interested in a position as a site-reliability engineer.

“You obviously have a passion for Linux and programming,” the e-mail from the Google recruiter read. “I wanted to see if you are open to confidentially exploring opportunities with Google?”

Harris was intrigued, but skeptical. The e-mail had come to him last December completely out of the blue, and as a mathematician, he didn’t seem the likeliest candidate for the job Google was pitching.

So he wondered if the e-mail might have been spoofed – something sent from a scammer to appear to come from the search giant. But when Harris examined the e-mail’s header information, it all seemed legitimate.

Then he noticed something strange. Google was using a weak cryptographic key to certify to recipients that its correspondence came from a legitimate Google corporate domain. Anyone who cracked the key could use it to impersonate an e-mail sender from Google, including Google founders Sergey Brin and Larry Page.

The problem lay with the DKIM key (DomainKeys Identified Mail) Google used for its e-mails. DKIM involves a cryptographic key that domains use to sign e-mail originating from them – or passing through them – to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.

For security reasons, the DKIM standard calls for using keys that are at least 1,024 bits in length. But Google was using a 512-bit key – which could be easily cracked with a little cloud-computing help.

Harris thought there was no way Google would be so careless, so he concluded it must be a sly recruiting test to see if job applicants would spot the vulnerability. Perhaps the recruiter was in on the game; or perhaps it was set up by Google’s tech team behind the scenes, with recruiters as unwitting accomplices.

Harris wasn’t interested in the job at Google, but he decided to crack the key and send an e-mail to Google founders Brin and Page, as each other, just to show them that he was onto their game.

“I love factoring numbers,” Harris says. “So I thought this was fun. I really wanted to solve their puzzle and prove I could do it.”

In the e-mail, he plugged his personal website:

Hey Larry,

Here’s an interesting idea still being developed in its infancy:

or, if the above gives you trouble try this instead:

I think we should look into whether Google could get involved with this guy in some way. What do you think?


Harris made sure the return path for the e-mails went to his own e-mail account, so that Brin and Page could ask him how he’d cracked their puzzle. But Harris never got a response from the Google founders. Instead, two days later, he noticed that Google’s cryptographic key had suddenly changed to 2,048 bits. And he got a lot of sudden hits to his web site from Google IP addresses.

Oops, Harris thought, it was a real vulnerability he’d found.