One of the largest security stories this month came from the goliath book retailer, Barnes & Noble. In September, they found some of their credit card scanners – limited to one PIN pad at each of 63 stores in nine states – had been “bugged” and used to steal card numbers and PINs from unsuspecting customers. In response, Barnes and Noble removed all PIN pads from all of the stores in the US, and instituted a policy for credit cards to be scanned by cashier at the register using verified readers. They have also been working with the FBI to investigate the theft.
No information has been released yet on who is responsible, how many customers fell victim, or how much was stolen. However, Barnes & Noble has been working with card issuers to mitigate damage.
You can view the full press release from Barnes & Noble here with a list of stores found to have a compromised PIN pad – none are in Oregon.
This is a new form of what is known as card skimming, the duplication of credit card data obtained via a seemingly legitimate transaction. In more primitive forms, most commonly seen at ATM machines, there is physical tampering on the outside to detect, like a visible card reader or camera attached to the unit. What makes this different is the attackers were able to insert the bug inside the device, making detection very difficult, and they did it on a very large scale. Wired magazine cited only one other similar instance on this scale in Canada. Where retailers were paid to look the other way while hackers removed ATM machines, altered the device, and replaced it.