Sophos Cloud Optix
Thieves rigged point-of-sale PIN pads at 63 US Barnes & Noble stores to hijack credit and debit card information and PINs when customers swiped their cards to make purchases, the book seller said on Wednesday.
Customers who have used their cards at affected PIN pads as recently as September may have had their accounts compromised and should check their statements for unauthorised transactions, the retailer said.
Even though its internal investigation revealed that only 1% of devices had been infected with the hacker-planted bug, Barnes & Noble disconnected all of its 7,000 PIN pads in stores nationwide by the close of business on 14 September.
CNet reports that the retailer kept the breach hush-hush until now to give the FBI time to track the hackers.
Cash registers weren’t affected. Nor were purchases made through Barnes & Noble.com, NOOK or NOOK mobile applications.
Barnes & Noble reported that its customer database was also spared from the breach.
The only purchases affected were those in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads, the retailer said.
It’s now safe for customers to continue making purchases without the PIN pads, the company said in a statement:
"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers."
Bugs were found on PIN pads in stores in the states of California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island.
Barnes and Noble posted a list of the specific stores in those states in its news release.
Point-of-sale devices are an attractive target for sophisticated thieves.
Recent hacks have included:
- The 2011 $10 million Subway POS hack, for which two Romanian hackers have received prison sentences.
- 500,000 Australian credit cards stolen by what police believe are the same Subway gang.
As Verizon pointed out in its 2012 Data Breach Investigations Report, weak, guessable or default credentials make point-of-sale systems easy to exploit, sometimes through third-party systems.
Barnes and Noble is recommending that customers who believe they may have been affected take these steps:
- Change the PIN numbers on your debit cards
- Review accounts for unauthorized transactions
- Notify banks immediately if you discover any unauthorized purchases or withdrawals
- Review credit card statements for any unauthorized transactions
- Notify credit card-issuing banks if you discover any unauthorized purchases or cash advances.
Disgruntled customers who have to deal with this rigamarole might well ask why Barnes & Noble didn’t warn them as soon as the breach was discovered, but it’s clear that investigators requested no publicity to give them time to sniff out the perpetrators of the crime, which the book seller called a “sophisticated criminal effort.”
It would be nice if we could trust large retailers like B&N to have secure payment processing systems, but we can’t.
That means all we can do is keep an eagle eye on our credit card and debit card statements.
Or then again, we can just pay with cash, antiquated notion that it is.
Barnes & Noble image from Shutterstock.
This is the second time this has happened with B&N pay point systems. A quick internet search turns up another incident from five years ago. Ironically, the only thing I ever wander into a B&N for is to pick up a copy of the latest 2600.
Change: "It would be nice it we could trust" to "It would be nice IF we could trust"
my local B&N had told us that the pinpads were so old & unreliable that they had been removed from service. So,…. B&N not only delayed/sat on this, but they also lied to us as well….guess maybe its time to switch back to amazon
As a naked security follower, I am extremely careful online with passwords and credit card information. I was recently a victim of identity theft in early October. I couldn't understand how somebody in a state across the country was purchasing stuff on my dime while I was running around trying to make what little money I can. Luckily my bank notified me but the thieves had already drained my bank account. I have never been through this before but all I can say is that it is a nightmare. I shop or just browse Barnes and Noble frequently and am almost sure this is how this happened. I understand that they are trying to investigate the situation, but you think that in respect to their customers they could at least warn them before it's too late! I guess in this day and age, it's every man for themselves. Be careful out there.
I think B&N was under a "gag order" from the FBI not to release any information. Why isn't anyone blaming the criminals? They are certainly much smarter than any retailer! I think it was smart of BN to shut down 7,000 pinpads for their customer's sake.
can someone tell me if thieves have to physically handle the pin pads or are they compromised electronically? I can't understand how a so many clerks could not notice strange behavior, not can I understand why thieves would randomly select such a small percentage of available pads if they had access over the internet.
Watch the YouTube video on how a criminal can change out a pinpad in less than 10 seconds.
how can they be PCI compliant if those POS are so old?
I received a letter from my bank several months ago that my debit card information may have been compromised, and they sent me a new card. I wonder if it was related to this B&N deal?
This is a constant battle, set to get worse before it gets better, Online business is growing and security holes are constantly found and patched.,
users must be constantly aware of threats that are in the public domain.