0 Kudos

Security Issues!

Status: Open

For the past week I have been dealing with a major issue regarding Nook's password security.

 

I changed my password on Barnes and Noble's website due to a possible email hack. After changing the password, I expected to enter it in to my nook, the nook app and the B&N app. That was not the case. I was able to download and purchase books through my Simple Touch, without being prompted for my new password. I was not asked to add my new password to the apps and they downloaded books as well. I rebooted the device and apps and they still did not require the new, updated password. They recognized the email address and that I had used the app before and functioned normally. This means that any device that may know my email address can upload or purchase books without requiring a password.

 

I have called several times this week only get the run around. I changed passwords (again) on the phone and they all told me that they can see books downloading, regardless of the new passwords. I was told there is nothing they can do and that someone should be working on it.

I ended up talking to three different managers throughout the week and all of them said I would get a call back in 24-48 hours... Each time, after three days of waiting, I ended up having to call back. In the meantime, my account is open to people that may know my email.

 

If you use the apps or have a Nook, I suggest you make sure this isn't happening to you too.

Comments
by on ‎03-01-2013 11:26 PM

That's working as intended.  The Nook knows you changed your password, if you erase and deregister it then you will need to use the new password.

 

If you're concerned about anyone making unauthorized purchases on a Nook or Nook app, you need to contact CS and ask them to check what devices are registered to your account.  They can do this for Nook devices, and possibly for Nook apps (not entirely sure about the apps though).  They can remotely deregister any Nook that you are not using. 

 

I rather suspect that you wont need to do this, since it would be rather fruitless for a thief to steal in this manner. 

 

You can also monitor purchases through the website for anything that wouldn't show up on your NST (Apps, some magazines) by navigating to your Nook library. 

 

If nothing has turned up there that you have not purchased (note that there may be SOME stuff, such as a childrens book, some B&N classics, and a dictionary) then you should be fine.  If things that are there that you did not purchase and aren't any of the above you should contact CS. 

by NookGardener on ‎03-02-2013 02:54 PM

Agree with MG, thats how it's supposed to work.

 

An easy way to test your NST, go to setting, Shop, and make sure that "Require password for pruchases" is checked.  Then go back into the shop, find something you want to buy.  It should require your new password. 

 

Believe as far as the apps are concerned, if you sign ALL the way out of the app, when you go to sign in, it will need your new password.  Of course, you will have to redownload all your content. Since others are reporting problems with B&N servers today on other threads, if you want to read today on those devices, you might want to put that test off for a few days.

by AxlRosa on ‎03-03-2013 02:19 AM

I don't see how not asking for my password is working as intended. Every manager in both the nook data and customer service areas agreed that there was something wrong, said they were working on the problem and that someone would call me back. I haven't heard back.

When re-registering a device and changing a password, I should need to enter my new password. When restarting an app, I should have to enter a password. Therein lies the problem. It didn't ask for my password, even after all of these steps. (These steps were done again with a manager of Nook support on the phone.)

 

Someone that can access a Barnes & Noble account without a password but with just an email is not only able to purchase books, they have access to credit card and billing address information. I wouldn't consider that "fruitless." Unauthorized purchases are not the worst thing a hacker can do. Having anyone who knows my email address being able to access nook and Barnes & Noble apps is not working as it should.

 

I came here to let other people know that there was an issue, just in case this is happening to them. It's a shame that the only two people that felt the need to comment would assume I don't know how to sign "ALL the way" out of an app or think my talking to managers in two departments is me not knowing how site and app security works.

 

I truly hope this is a weird fluke with my account and isn't happening to anyone else. I also hope people on here quit treating others like they're idiots, just for trying to warn fellow book lovers that there may be a big problem.

by Administrator BN_AlexG on ‎03-03-2013 03:20 AM
by NookGardener on ‎03-03-2013 09:27 AM

When re-registering a device and changing a password, I should need to enter my new password. When restarting an app, I should have to enter a password. Therein lies the problem. It didn't ask for my password, even after all of these steps. (These steps were done again with a manager of Nook support on the phone.)

 

No where in your original post did you indicate that you erased, deregister and registered your device.  You said you changed your password.  If you can erase, derister and register your device with an e-mail only and no password, you DO have a serious problem with yor account and/or your device.  (If it was me, would take it into a store and have one of their nook specialist look at it.  In store help is soo much better than the phone.)

 

Did you follow my suggestion about requiring a password for purchases on the NST?  If so, strongly recommend you do for these reasons:

 

1) Will protect you from inadvertent purchases from curious children, nosy friends/relatives that are checking the device out, and slippery owner fingers (yes, I bought a book I didn't intend to one time.)

2) More importantly, the NST doesn't require a passcode to open the device. If someone were to steal your device and you didn't realize it for a few hours, they could take it to someplace with free wifi and go on a book spending spree before you realized it.  Your only hope at this point is that the credit card company has recognized that this is unusual activity and put a stop to it.  Then the person that stole it could just turn off the wi-fi and read to their hearts content. 

 

What apps are you trying to use to access your account?  Please be more specific as to the app, app version, and what type of device you are running it on.  If there is a problem with one of the apps, users DO want to know.  (FYI, just tried it on an iPod (app version 3.3.0.24) and it is working fine.  Requires an email and password to log-in, Logout removed all content and deregistered the device. Re-entering the email only doesn't get me anywhere.  Just keeps asking for the password until it will proceed.)

 

As far as the tone of my original reply, did not mean to imply that you were an idiot and apologize if you took it that way.  But you would be surprised at the number of people that don't realize there is a difference between closing an app and logging out of an app. 

by bugeek on ‎03-07-2013 08:40 AM

Really should be a PIN option for app purchases and/or screen lock with NST....

Would be a good *upgrade*.. Ideally if it was lost and connected to wifi it would pin lock itself..

 

 

by geertm on ‎03-10-2013 07:41 AM

You can already password protect shop purchases on the NST.

Go to settings=>shop.

by bugeek on ‎03-10-2013 02:24 PM

Problem is you have to use the same password and/or pin for all users.. ideally each user could only unlock their own profile.. plus entering a password for every purchase is a PITA.. with a pin code different from the lock screen.. it could be quick and easy with adding a little bit of security...

Welcome to the NOOK Issue Reporting exchange. Post your issue and come back later to check its status, as well as commentary from myself and BN developers. - Alex
Message Statuses
Top Kudoed Authors
User Kudos Count
3