A band of thieves compromised credit card readers in 63 Barnes & Noble stores in nine states, prompting the giant bookseller to remove the readers from all of its stores while an investigation is underway.
Barnes & Noble discovered the compromised readers sometime around Sept. 14, but did not notify customers because the Justice Department asked the store to keep quiet while the FBI investigated the matter, according to The New York Times.
It’s not known how much the hackers got away with in fraudulent transactions, but Barnes & Noble reportedly contacted card issuers at the time to notify them of the breach so that they could be on the lookout for suspicious transactions on customer accounts that were compromised in the breach.
Barnes & Noble didn’t disclose how the breach occurred, but according to a press release from the bookseller, the hackers installed malware on the so-called point-of-sale (POS) card readers to sniff the card data and PINs as customers typed them in.
Barnes & Noble doesn’t indicate how the attacker did this, but it could have occurred a couple of ways, depending on the type of POS system Barnes & Noble uses.
In July, security researchers at Black Hat security conference in Las Vegas showed how they were able to install malware onto POS terminals made by one vendor, by using a vulnerability in the terminals that would allow an attacker to change applications on the device or install new ones in order to capture card data and cardholder signatures.
The researchers found that the terminals, which use an operating system based on Linux, have a vulnerability that didn’t require updates to their firmware to be authenticated. The researchers installed their malware using a rogue credit card inserted into one device, which caused it to contact a server they controlled, from which they downloaded malware to the device.
But this isn’t the only way to tamper with POS terminals.
Last May, Canadian police busted 40 people involved in a sophisticated carding ring that tampered with POS terminals in order to steal more than $7 million. Police said the group, based out of Montreal, seized point-of-sale machines from restaurants and retailers in order to install sniffers on them before returning them to the businesses.
Police said the thieves took the POS machines to cars, vans and hotel rooms, where technicians hacked into the processors and rigged them so that card data could be siphoned from them remotely using Bluetooth. The modifications took only about an hour to accomplish, after which the devices were returned to the businesses before they re-opened for business the next day. The ring is believed to have had inside help from employees who took bribes to look the other way.
Account numbers and PINs from the cards would be encoded to blank cards, which other conspirators then used to conduct a massive and coordinated run against banks to steal about $7.7 million.
In the case of Barnes & Noble, the attackers apparently cast a wide net, installing malware on POS terminals in 63 stores in nine states. The company said the attackers only installed the malware on one device at each store, but as a precaution the company has removed all of the POS terminals from its stores to examine them. In the meantime, customers are being told to hand their bank cards to the cashier, who will scan them via readers embedded in the cash registers.