
Barnes & Noble Says 63 PIN Pads Hacked Nationwide

Source: Barnes & Noble | 8 comments

63 PIN pads at Barnes & Noble have been hacked to steal credit card information.

Book retailer Barnes & Noble said on Wednesday that it has detected tampering with PIN pad devices that are used in 63 of its stores nationwide. The tampering was limited to just one device in each of the affected stores, but the company has decided to discontinue use of all PIN pads in every store in the United States.

None of the affected PIN pads were discovered at Barnes & Noble College Bookstores, the company said.

"Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store," Barnes & Noble stated. "The tampering, which affected fewer than 1-percent of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."

Barnes & Noble said it has notified federal law enforcement authorities and is actively supporting the federal government's investigation. The company is also currently working with banks, payment card brands and issuers to identify accounts that may have been compromised. However, fear not, valued patron: the company's customer and member database is secure, meaning that purchases made on Barnes & Noble.com, NOOK and NOOK mobile apps were not affected by the villainous scheme.

So the big question is this: how were the book chain's PIN pad devices altered to steal credit card information? Wouldn't that take some kind of internal effort? Barnes & Noble didn't say, but merely reported that the criminals planted bugs in the tampered PIN pad devices, allowing for the capture of credit card and PIN numbers.

The company also noted that the treacherous scheme only encompassed nine states, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. This could have been an organized group effort spanning from coast to coast, or a car full of crooks taking a joyride across the country.

To find out what cities were affected by the tampering, head here. As a precaution, customers and employees who have swiped their cards at any of the Barnes & Noble stores should change their PIN numbers, review their bank/credit card accounts, and notify said parties of possible fraud.

  • 2 Hide
    alexmx , October 25, 2012 4:20 PM
    Sounds more like an internal job than a hack to B&N servers
  • 0 Hide
    frombehind , October 25, 2012 4:21 PM
    It's really nice of them to come clean and not sweep this crap under the rug...

    The federal government really needs to come down hard on people that do this kind of stuff, since cash is more or less becoming obsolete, and people are using electronic payments more and more, this stuff really needs to be as secure as it can be.
  • 0 Hide
    sliem , October 25, 2012 4:33 PM
    That picture is so old...
  • 0 Hide
    ddpruitt , October 25, 2012 4:38 PM
    A more important question is if the affected PIN pads are only at Barnes and Noble or if other retailers have compromised PIN pads. This could be much wider than one retailer.

    I don't know about anyone else but I use these things all the time for groceries, hardware stores, gas, etc.
  • 0 Hide
    mavroxur , October 25, 2012 4:47 PM
    I'm curious as to how this was pulled off. I know pin pads / credit card terminals include several layers of security, from physical mechanisms such as firmware wipe / chip destruct from case switches to epoxy potted cipher chips and firmware chips with anti-probe mechanisms, to software mechanisms such as run time CRC checks to prevent memory address tampering, memory address randomization, etc. Someone knew their stuff to pull this off.
  • 1 Hide
    bllue , October 25, 2012 5:44 PM
    More reasons to pay cash
  • 0 Hide
    Anonymous , October 25, 2012 6:56 PM
    All other states don't read at all or read bible.
  • 0 Hide
    bmerigan , October 26, 2012 1:25 AM
    Maybe it was the installation contractor.
    Seems to me it would have to be dismantled and modified offsite rather than while the staff are distracted for a few seconds.