Thieves rig Barnes & Noble PIN pads to steal credit card data

Filed Under: Data loss, Featured, Malware, Security threats, Vulnerability

Thieves rigged point-of-sale PIN pads at 63 US Barnes & Noble stores to hijack credit and debit card information and PINs when customers swiped their cards to make purchases, the book seller said on Wednesday.

Customers who have used their cards at affected PIN pads as recently as September may have had their accounts compromised and should check their statements for unauthorised transactions, the retailer said.

Even though its internal investigation revealed that only 1% of devices had been infected with the hacker-planted bug, Barnes & Noble disconnected all of its 7,000 PIN pads in stores nationwide by the close of business on 14 September.

Barnes & Noble statement

CNet reports that the retailer kept the breach hush-hush until now to give the FBI time to track the hackers.

Cash registers weren't affected. Nor were purchases made through Barnes & Noble.com, NOOK or NOOK mobile applications.

Barnes & Noble reported that its customer database was also spared from the breach.

The only purchases affected were those in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads, the retailer said.

It's now safe for customers to continue making purchases without the PIN pads, the company said in a statement:

"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers."

Bugs were found on PIN pads in stores in the states of California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.

Barnes and Noble posted a list of the specific stores in those states in its news release.

Point-of-sale devices are an attractive target for sophisticated thieves.

Recent hacks have included:

  • The 2011 $10 million Subway POS hack, for which two Romanian hackers have received prison sentences.
  • 500,000 Australian credit cards stolen by what police believe are the same Subway gang.

As Verizon pointed out in its 2012 Data Breach Investigations Report, weak, guessable or default credentials make point-of-sale systems easy to exploit, sometimes through third-party systems.

Barnes and Noble is recommending that customers who believe they may have been affected take these steps:

  • Change the PIN numbers on your debit cards
  • Review accounts for unauthorized transactions
  • Notify banks immediately if you discover any unauthorized purchases or withdrawals
  • Review credit card statements for any unauthorized transactions
  • Notify credit card-issuing banks if you discover any unauthorized purchases or cash advances.

Disgruntled customers who have to deal with this rigamarole might well ask why Barnes & Noble didn't warn them as soon as the breach was discovered, but it's clear that investigators requested no publicity to give them time to sniff out the perpetrators of the crime, which the book seller called a "sophisticated criminal effort."

It would be nice if we could trust large retailers like B&N to have secure payment processing systems, but we can't.

That means all we can do is keep an eagle eye on our credit card and debit card statements.

Or then again, we can just pay with cash, antiquated notion that it is.


Barnes & Noble image from Shutterstock.


10 Responses to Thieves rig Barnes & Noble PIN pads to steal credit card data

  1. Brick-n-Mortem · 691 days ago

    This is the second time this has happened with B&N pay point systems. A quick internet search turns up another incident from five years ago. Ironically, the only thing I ever wander into a B&N for is to pick up a copy of the latest 2600.

  2. Anon · 691 days ago

    Change: "It would be nice it we could trust" to "It would be nice IF we could trust"

  3. @undefined · 691 days ago

    My local B&N had told us that the pinpads were so old & unreliable that they had been removed from service. So,.... B&N not only delayed/sat on this, but they also lied to us as well....guess maybe it's time to switch back to Amazon

  4. Mad World · 691 days ago

    As a naked security follower, I am extremely careful online with passwords and credit card information. I was recently a victim of identity theft in early October. I couldn't understand how somebody in a state across the country was purchasing stuff on my dime while I was running around trying to make what little money I can. Luckily my bank notified me but the thieves had already drained my bank account. I have never been through this before but all I can say is that it is a nightmare. I shop or just browse Barnes and Noble frequently and am almost sure this is how this happened. I understand that they are trying to investigate the situation, but you think that in respect to their customers they could at least warn them before it's too late! I guess in this day and age, it's every man for themselves. Be careful out there.

  5. Readsalot · 690 days ago

    I think B&N was under a "gag order" from the FBI not to release any information. Why isn't anyone blaming the criminals? They are certainly much smarter than any retailer! I think it was smart of BN to shut down 7,000 pinpads for their customers' sake.

  6. joe · 690 days ago

    Can someone tell me if thieves have to physically handle the pin pads or are they compromised electronically? I can't understand how so many clerks could not notice strange behavior, nor can I understand why thieves would randomly select such a small percentage of available pads if they had access over the internet.

    • Readsalot · 689 days ago

      Watch the YouTube video on how a criminal can change out a pinpad in less than 10 seconds.

  7. stu · 690 days ago

    how can they be PCI compliant if those POS are so old?

  8. MasterofOne · 690 days ago

    I received a letter from my bank several months ago that my debit card information may have been compromised, and they sent me a new card. I wonder if it was related to this B&N deal?

  9. lukeclayhill · 603 days ago

    This is a constant battle, set to get worse before it gets better. Online business is growing and security holes are constantly found and patched; users must be constantly aware of threats that are in the public domain.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.