Barnes and Noble Inc. reported Wednesday that a "sophisticated criminal effort" was able to tamper with 63 PIN pads in nine states. The company indicated that in addition to personal identification numbers, debit and credit account data may have been compromised.
The chain discovered the breach more than a month ago and promptly disconnected every PIN pad in all of its nearly 700 stores. It said it held off disclosing the breach on the advice of federal authorities, who are investigating.
"Barnes and Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store," the company said in a press release. "The tampering, which affected fewer than 1% of PIN pads in Barnes and Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from the customers that swiped their cards through PIN pads when they made purchases."
The New York Times reported a senior company executive said some customers had unauthorized purchases on their credit card accounts.
Barnes and Noble did not say specifically how the pads were tampered with. "The criminals planted bugs in the tampered devices, allowing for the capture of card and PIN numbers," the release said. The bugs might have been razor-thin devices with a chip and an antenna that captured the PINs as they were entered on the pads.
Criminals have used such methods before, according to technology analyst Avivah Litan. "It's not that hard to plant them," she added. "It's pretty easy to distract a clerk or find an unattended terminal."
Steve Elefant, a credit card industry consultant, theorized another way the fraudsters could have gained access to the PIN pads. Since much of today's payment hardware is tamper resistant, a likely scenario is that the criminals replaced PIN pads with what he called "malicious PIN pads" that captured customer data. Fraudsters often do this by sending someone dressed as a technician to a store, claiming that the company is repairing, replacing or upgrading terminals.
However the fraud occurred, there is no doubt Barnes and Noble has a hard road before it. In addition to law enforcement, the company said it is working with payment card networks, banks and card issuers to identify accounts that may have been compromised. Most certainly Barnes and Noble has already been, or will soon be, declared out of compliance with the Payment Card Industry (PCI) data security standards, even if it was compliant on its last quarterly assessment. It is looking at non-compliance fines in addition to reimbursing card issuers for breach-related fraud and card re-issuance costs. It will also have to go through a re-validation process to regain PCI compliance.