Calling it a “sophisticated criminal effort,” Barnes & Noble Inc. on Wednesday reported that tampering had occurred on PIN pads at 63 of its stores in nine states. The company on Sept. 14 disconnected every PIN pad in all of its nearly 700 stores, and indicated that in addition to personal identification numbers, debit and credit card account data may have been compromised.
The New York City-based chain discovered the breach more than a month ago but didn’t disclose it until today on advice of federal authorities, who are investigating, according to The New York Times. Security experts say immediate disclosure in data breaches can make it harder for investigators to find the perpetrators.
“Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store,” the company said in a news release. “The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”
Hackers typically sell their stolen card data to fraudsters who can then make fake cards that they use for purchases or ATM withdrawals. The New York Times reported that a senior company executive whom it didn’t name said some customers had unauthorized purchases on their credit card accounts. The total amount wasn’t disclosed. Most of the fraud occurred in September and has declined in recent weeks. The newspaper also said Barnes & Noble sent the PIN pads, which were self-swipe keypads in front of cash registers, to a central facility for inspection.
Barnes & Noble did not say specifically how the fraudsters tampered with the PIN pads, and a spokesperson did not return a Digital Transactions News call for comment. The release says only: “The criminals planted bugs in the tampered PIN-pad devices, allowing for the capture of credit card and PIN numbers.” Each affected store had only one compromised PIN pad.
Those “bugs” might have been what Gartner Inc. technology analyst Avivah Litan calls a “razor-thin device with a chip and an antenna, and they captured the PINs as they were entered on terminals.”
Criminals, often Eastern European gangs, have used such devices before after first studying the payment terminals their target merchants use, Litan says. It’s not all that hard to plant them, she adds. “It’s pretty easy to distract a clerk or find an unattended terminal.”
Steve Elefant, a payments-industry consultant, venture capitalist, and former chief information officer at merchant processor Heartland Payment Systems Inc., says that since much of today’s payment hardware is tamper-resistant, a likely scenario is that the Barnes & Noble fraudsters replaced PIN pads with what he calls “malicious PIN pads” that captured card data. Fraudsters often do this by sending someone out to a store dressed as a technician who claims that the company is repairing, replacing, or upgrading terminals. “The $7-an-hour [clerk] says ‘fine,’” he says.
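The terminal-swap scenario Elefant describes is exactly what a periodic device reconciliation is meant to catch: a merchant records each PIN pad's serial number and lane at installation, then has store staff or inspectors report what is physically on the counter. The script below is an added example, not Barnes & Noble's or any vendor's procedure, and the register and inspection data in it are constructed for illustration. It classifies each discrepancy so that a serial nobody ever deployed (the likely malicious replacement) is distinguished from a device that merely moved between lanes or stores, and it also flags a correct device whose tamper seal is no longer intact, which is the case an implanted "bug" rather than a wholesale swap would produce.

```python
"""Reconcile a PIN-pad deployment register against a field inspection.

Added example; the store, lane and serial-number data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    store: str
    lane: str
    kind: str    # "replaced", "relocated", "missing", "seal_broken", "extra"
    serial: str  # serial the finding is about


# Constructed register: {store: {lane: serial}} recorded when devices were installed.
REGISTER = {
    "S001": {"lane1": "PP-1001", "lane2": "PP-1002"},
    "S002": {"lane1": "PP-2001"},
    "S003": {"lane1": "PP-3001", "lane2": "PP-3002"},
}

# Constructed inspection: {store: {lane: (serial_found, tamper_seal_intact)}}.
INSPECTION = {
    "S001": {"lane1": ("PP-1001", True), "lane2": ("PP-7777", True)},   # never-deployed serial
    "S002": {"lane1": ("PP-3002", True)},                                # S003's lane2 device
    "S003": {"lane1": ("PP-3001", False), "lane3": ("PP-3003", True)},   # seal broken; extra lane
}


def reconcile(register: dict, inspection: dict) -> list:
    """Return every discrepancy between the register and the inspection, in store/lane order."""
    registered_serials = {s for lanes in register.values() for s in lanes.values()}
    findings = []
    for store in sorted(set(register) | set(inspection)):
        expected_lanes = register.get(store, {})
        found_lanes = inspection.get(store, {})
        for lane, expected in expected_lanes.items():
            if lane not in found_lanes:
                findings.append(Finding(store, lane, "missing", expected))
                continue
            serial, seal_intact = found_lanes[lane]
            if serial != expected:
                # A serial that was never registered anywhere is the swap case;
                # one registered elsewhere is more likely a move or a data error.
                kind = "relocated" if serial in registered_serials else "replaced"
                findings.append(Finding(store, lane, kind, serial))
            elif not seal_intact:
                findings.append(Finding(store, lane, "seal_broken", serial))
        for lane, (serial, _) in found_lanes.items():
            if lane not in expected_lanes:
                findings.append(Finding(store, lane, "extra", serial))
    return findings


def needs_quarantine(findings: list) -> list:
    """Devices to pull from service before any further card is swiped on them."""
    return [f for f in findings if f.kind in ("replaced", "seal_broken", "extra")]


if __name__ == "__main__":
    for f in reconcile(REGISTER, INSPECTION):
        print(f"{f.store} {f.lane:6} {f.kind:12} {f.serial}")
```

A relocated device is reported but not quarantined here, on the assumption that the register, not the device, is what needs correcting; an organisation that treats any unexplained move as suspicious would add "relocated" to the quarantine list. The inspection input deliberately carries a seal flag alongside the serial, because a swap that reuses the legitimate serial label would pass a serial-only check.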
While Barnes & Noble isn’t accepting PIN-debit transactions, at least for the time being, it continues to accept credit and signature-debit cards. Barnes & Noble said its customer database was unaffected, and that none of the compromised PIN pads were at its college bookstores. Nor did the breach affect customers who bought online or through the company’s Nook e-reader and Nook mobile app.
In addition to law enforcement, Barnes & Noble said it is working with the payment card networks, banks, and card issuers to identify accounts that may have been compromised. If current post-breach industry practices continue, the bank card networks already have declared or soon will declare Barnes & Noble to be out of compliance with the Payment Card Industry data-security standard (PCI), even if it was PCI-compliant in its last annual assessment. Because of that, the networks almost certainly will fine its merchant acquirer, which likely will pass any fines on to the bookseller, along with bills for breach-related fraud and card re-issuance costs sustained by credit and debit card issuers. The company also will have to go through a re-validation process before it again is deemed to be PCI-compliant.
Other compromises involving PIN pads include a breach at craft-store chain Michaels Stores Inc., which replaced more than 7,000 PIN pads in 2011 after discovering skimmers on fewer than 90 devices, and a breach at Aldi grocery stores in 2010.