Barnes & Noble Pin Pads Compromised in 'Sophisticated' Fraud Scheme

Dozens of PIN pad devices used by consumers were compromised in a scheme to defraud consumers using their debit and credit card information.

Federal authorities are investigating a massive fraud scheme uncovered at 63 Barnes & Noble stores across the country in which PIN pad devices are believed to have been tampered with.

The devices are used by customers seeking to pay with debit or credit cards. According to Barnes & Noble, an internal investigation has revealed that one PIN pad in each of the affected stores was compromised. In response, the company contacted law enforcement and as of Sept. 14 has discontinued use of all PIN pads in its nearly 700 stores nationwide. Customers can still shop safely with credit cards through cash registers, the company said.

According to the company, bugs were planted in the tampered PIN pad devices that allowed credit card and PIN numbers to be captured. Tampered PIN pads were discovered at stores in California, Connecticut, Florida, Illinois, New Jersey, Massachusetts, New York, Pennsylvania and Rhode Island.

"The tampering … was a sophisticated criminal effort to steal credit card information, debit card information and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said in a statement. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."

In their 2012 Data Breach Investigations Report, Verizon noted that it is far from unheard of for point-of-sale (POS) systems to be targeted by scam artists.

"In many cases, criminals swap legitimate PIN entry devices and POS terminals with counterfeit replacements," according to the report. "These devices are identical in appearance to and designed to continue performing the intended functions of legitimate devices, but are also rigged to capture payment card data. They discreetly collect input from the swipe reader and/or the PIN entry keypad. This can be done with the assistance of an insider recruited for the purpose or, as we have seen in some cases, by individuals masquerading as POS vendors, claiming a need to upgrade systems."

In September, two Romanian nationals pleaded guilty to federal charges of hacking into point-of-sale terminals as part of a multimillion dollar scheme to steal credit card and debit card data. According to the U.S. Department of Justice, one of the men scanned the Internet to find vulnerable POS systems in the U.S. with remote desktop software applications installed.

Using those applications, he was able to log onto the targeted system over the Internet, and after cracking any password protection, would remotely install keystroke loggers onto the systems to record all data entered by consumers.

“Attackers will get access to data where a weak link exists,” said Mark Bower, data protection expert and vice president at Voltage Security. “Without protecting at the data level through methods such as data-centric encryption, data will remain vulnerable. Leading organizations today are already embracing the data-centric model–not just to protect from the risks from external threats, but to meet privacy compliance goals more easily and to protect from insiders who are equally interested in data that can be exploited for harm, profit or company brand damage.”

Barnes & Noble noted that purchases made online or using the Nook tablet and Nook mobile apps were not affected and none of the compromised PIN pads were located at Barnes & Noble College Bookstores.