Barnes and Noble reported today that PIN pads at their registers had been tampered with at 63 stores across nine states.
Even though only one pad per store was compromised, this clearly represents an organized effort to target the chain. B&N has advised customers to change their PINs and to keep a watchful eye out for fraudulent charges on cards used at their stores. At this time, the retailer reports that the perpetrator(s) did not gain access to its customer database, and that online and mobile transactions are secure.
All existing PIN pads were disconnected on September 14th until the situation could be addressed.
Some POS vendors have begun supervising the connection between the PIN pad and POS terminal in an effort to detect device substitution. It will be interesting to learn more about the approach used here, and whether such a feature would have prevented the hack. The official statement references a “bug” being placed in the devices, but it is unclear whether the bugs were installed “hot” in the field, or if the PIN pads were swapped out with matching devices that were modified elsewhere.
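As an added illustration of what "supervising the connection" can mean in practice, the following Python sketch is my own example, not any vendor's product and not drawn from the press release. It assumes a hypothetical design in which each PIN pad is enrolled with its terminal by injecting a shared pairing key, the terminal challenges the pad before every session, and link-down events are logged so that a disconnect during trading hours (which a "hot" field install would require) can be flagged. The serials, key, and event timestamps are constructed for the demo.

```python
"""Added example: supervising the PIN-pad/POS link to detect substitution.
Hypothetical design for illustration; not any vendor's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class PinPad:
    """Simulated PIN pad. A genuine pad holds the pairing key that was
    injected when it was enrolled with its terminal (assumed design)."""
    serial: str
    pairing_key: Optional[bytes]  # None models a swapped-in unit without the key

    def respond(self, challenge: bytes) -> bytes:
        if self.pairing_key is None:
            # A substituted pad can copy the serial label but not the key,
            # so the best it can do is return a random tag.
            return secrets.token_bytes(32)
        return hmac.new(self.pairing_key, self.serial.encode() + challenge,
                        hashlib.sha256).digest()


class PosTerminal:
    """POS side: remembers the enrolled pad and challenges it on every
    session, so an unexpected device is refused before any PIN is entered."""

    def __init__(self, enrolled_serial: str, pairing_key: bytes):
        self.enrolled_serial = enrolled_serial
        self.pairing_key = pairing_key

    def verify_pad(self, pad: PinPad) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per session; defeats replay
        expected = hmac.new(self.pairing_key,
                            self.enrolled_serial.encode() + challenge,
                            hashlib.sha256).digest()
        # Serial must match the enrolled unit and the tag must verify
        # (constant-time compare so timing leaks nothing about the tag).
        return (pad.serial == self.enrolled_serial
                and hmac.compare_digest(expected, pad.respond(challenge)))


def link_down_alerts(events, maintenance=(time(22, 0), time(6, 0))):
    """Return link-down events that fall outside the maintenance window.
    A pad modified 'hot' in the field has to be unplugged, so the link drops;
    a drop during trading hours deserves a human look. The window is assumed
    to wrap midnight (22:00 to 06:00)."""
    start, end = maintenance
    alerts = []
    for ts, kind in events:
        if kind != "link_down":
            continue
        t = ts.time()
        in_window = t >= start or t < end
        if not in_window:
            alerts.append((ts, "PIN pad link dropped outside maintenance window"))
    return alerts


# Constructed demo data (not real serials, keys or timestamps).
KEY = secrets.token_bytes(32)
TERMINAL = PosTerminal("PP-0001", KEY)
GENUINE = PinPad("PP-0001", KEY)
SWAPPED = PinPad("PP-0001", None)                   # same label, no key
OTHER_UNIT = PinPad("PP-0099", secrets.token_bytes(32))  # a pad from another lane
EVENTS = [
    (datetime(2012, 9, 10, 23, 15), "link_down"),   # overnight maintenance
    (datetime(2012, 9, 10, 23, 20), "link_up"),
    (datetime(2012, 9, 11, 14, 2), "link_down"),    # mid-afternoon: suspicious
    (datetime(2012, 9, 11, 14, 6), "link_up"),
]


def demo() -> dict:
    """Run the checks and report which pads the terminal would accept."""
    return {
        "genuine": TERMINAL.verify_pad(GENUINE),
        "swapped": TERMINAL.verify_pad(SWAPPED),
        "other_unit": TERMINAL.verify_pad(OTHER_UNIT),
        "alerts": link_down_alerts(EVENTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two halves address the two scenarios the post leaves open: the challenge-response catches a pad swapped for a look-alike that lacks the pairing key, while the link supervision gives operators a signal when a pad is unplugged at a time no technician should be touching it. Neither stops a device whose key was extracted, which is why real deployments also rely on tamper-evident hardware and physical inspection.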
Here is the company’s press release.