Thieves rigged point-of-sale PIN pads at 63 US Barnes & Noble stores to hijack credit and debit card information and PINs when customers swiped their cards to make purchases, the book seller said on Wednesday.
Customers who have used their cards at affected PIN pads as recently as September may have had their accounts compromised and should check their statements for unauthorised transactions, the retailer said.
Even though its internal investigation revealed that only 1% of devices had been infected with the hacker-planted bug, Barnes & Noble disconnected all of its 7,000 PIN pads in stores nationwide by the close of business on 14 September.
CNet reports that the retailer kept the breach hush-hush until now to give the FBI time to track the hackers.
Cash registers weren't affected. Nor were purchases made through Barnes & Noble.com, NOOK or NOOK mobile applications.
Barnes & Noble reported that its customer database was also spared from the breach.
The only purchases affected were those in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads, the retailer said.
It's now safe for customers to continue making purchases without the PIN pads, the company said in a statement:
"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers."
Bugs were found on PIN pads in stores in the states of California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.
Barnes & Noble posted a list of the specific stores in those states in its news release.
Point-of-sale devices are an attractive target for sophisticated thieves.
Recent hacks have included:
- The 2011 $10 million Subway POS hack, for which two Romanian hackers have received prison sentences.
- 500,000 Australian credit cards stolen by what police believe are the same Subway gang.
As Verizon pointed out in its 2012 Data Breach Investigations Report, weak, guessable or default credentials make point-of-sale systems easy to exploit, sometimes through third-party systems.
Barnes & Noble is recommending that customers who believe they may have been affected take these steps:
- Change the PIN numbers on your debit cards
- Review accounts for unauthorized transactions
- Notify banks immediately if you discover any unauthorized purchases or withdrawals
- Review credit card statements for any unauthorized transactions
- Notify credit card-issuing banks if you discover any unauthorized purchases or cash advances
Disgruntled customers who have to deal with this rigamarole might well ask why Barnes & Noble didn't warn them as soon as the breach was discovered, but it's clear that investigators requested no publicity to give them time to sniff out the perpetrators of the crime, which the book seller called a "sophisticated criminal effort."
It would be nice if we could trust large retailers like B&N to have secure payment processing systems, but we can't.
That means all we can do is keep an eagle eye on our credit card and debit card statements.
Or then again, we can just pay with cash, antiquated notion that it is.