UPDATE – America’s largest book retailer, Barnes & Noble, announced this morning it has detected evidence of tampering in 63 PIN-pad devices used in as many stores by criminals trying to steal payment card information. Barnes & Noble claims to have disconnected all the affected devices from service on Sept. 14. The retailer did not disclose how many customers may have been affected by the tampered devices.
The devices in question were deployed in fewer than 700 stores located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island. Despite the bookseller’s claim that criminals had only compromised 63 devices, Barnes & Noble discontinued use of the affected PIN pad make and model in all locations after executing an internal audit of each point-of-sale terminal at every Barnes & Noble worldwide.
In a press release, the company called the incident, which affected less than one percent of its terminals, “a sophisticated criminal effort” designed to steal debit and credit card information and debit card PIN numbers from Barnes & Noble customers. The company said “criminals planted bugs in the tempered PIN pad devices” that allowed them to siphon off credit card and PIN numbers.
The press release fails to address a number of concerns. It does not name the manufacturer of the affected PIN pads, whether they came out of the box affected, or if someone physically walked into the 63 locations and hacked the devices on site. It does not describe the ways in which the devices were manipulated nor does it go into any detail regarding the number of affected consumers. The press release also does not provide information regarding how long the affected PIN pads were in use before they were disabled.
Gunter Ollmann, an independent security researcher and VP of research at Damballa with no official connection to Barnes & Noble told us via email that he believes, based on the information disclosed by the bookseller, that this attack has all the trademarks of an insider attack perpetrated by individuals with repeated access to the company’s card-reading systems or supporting computer systems.
“This latest breach appears to be a physical manipulation of the card readers in order to gain both debit card details and their accompanying PINs,” said Ollman. “It has been stated that only one reader per store was affected – which doesn’t smell of a supply chain problem (i.e. that a batch of card readers were compromised at the manufacturers or distribution center).”
Barnes & Noble spokesperson Mary Ellen Keating refused to comment on the situation outside of what was written in the company press release, citing the continuing investigation. The U.S. Attorney’s Office for the Southern District of New York also declined to comment on the case nor would they confirm an investigation was under way.
Jim Margolin, a press contact at the FBI’s New York office, confirmed that an investigation is ongoing, but would not comment beyond that.
The company is emphasizing that its customer database is secure and that online purchases from Barnes&Noble.com, NOOK, and NOOK mobile applications are unaffected by the compromise.
“This situation,” they wrote in the press release, “involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”
The press release, which you can find here, names all affected locations.