Barnes & Noble has yanked PIN pads from all of its nearly 700 stores nationwide after discovering that scammers tampered with the devices at 63 locations to carry out card skimming fraud.
The company disconnected the point-of-sale devices Sept. 14, it announced on Tuesday in a news release, but waited to notify customers of the breach while the FBI began looking into the matter.
The retailer confirmed that the compromised PIN pads were discovered at stores across the country – in New York, New Jersey, California, Connecticut, Florida, Illinois, Massachusetts, Pennsylvania and Rhode Island.
The company said that “criminals planted bugs” in the devices, “allowing for the capture of credit card and [ATM] PIN numbers.”
“Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store,” according to the release, which the company emailed to SCMagazine.com. “The tampering, which affected fewer than one percent of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases.”
The company said its member database was not affected by the breach, nor were purchases made on its website. Nook products and apps, which are offered by Barnes & Noble, were not impacted, and the tampered PIN pads were not found at any of Barnes & Noble's college bookstores.
Barnes & Noble has not confirmed whether customers reported fraud as a result of the breach. But the company advised customers potentially affected to change their debit card PIN numbers and to watch for suspicious activity in their accounts or statements, including unauthorized transactions or cash advances.
Gunter Ollmann, vice president of research at security vendor Damballa, said the skimming incident was likely the work of insiders, given the time needed to set the stage for the attack.
Fraudsters could have switched out the card readers with tampered devices, or tinkered with the original devices, he said.
“It requires physical access to it to make the change,” Ollmann told SCMagazine.com on Wednesday. “It isn't like some breaches that make use of malware or insecure wireless access networks. One question that comes to mind is that while they have notified law enforcement, it's not clear whether this Barnes & Noble [incident] was part of a larger threat that targeted other retailers.”A breach similar to this one occurred at crafts store chain Michaels in July 2011. Eduard Arakelyan and Arman Vardanyan have been among those charged with planting skimming devices on point-of-sale terminals in 84 Michaels stores across the country, then withdrawing tens of thousands of dollars from ATMs using the stolen credit card information.
In July, the two men were sentenced in Oakland, Calif., to 36 months in prison for bank fraud and identity theft.
UPDATE: Barnes & Noble has made available (read down) a list of the affected stores. H/T to @PogoWasRight.