Credit/Debit Card Breach at Barnes & Noble Exposes Holes in Point of Sale Systems
Hackers gained access to credit card information from customers at 63 Barnes & Noble stores. Although the incident was first discovered in September, the FBI requested that Barnes & Noble delay publicly reporting the incident so as not to impede the investigation.
The exact methodology has not been revealed, but hackers were able to capture information from the PIN pads that customers use to swipe credit and debit cards. Barnes & Noble stated that only one PIN pad in each of the 63 affected stores was compromised. The number of affected customers has not been revealed.
By accessing the PIN pads, the criminals were able to capture credit card numbers and PINs. As a temporary measure, Barnes & Noble removed all PIN pads from its stores. Although Barnes & Noble has not yet notified individuals who may be affected, it has been working with banks and credit card companies with respect to fraudulent transactions that have occurred in the wake of the breach.
This incident demonstrates the security issues inherent in credit card swiping hardware that is made available to the public at the point of sale. While self-service in such transactions has become the norm, including at gas stations and many retail outlets, it also gives criminals a point of entry into the point of sale system. However, it is unknown whether the intruders in this instance used employees (unsuspecting or not) to gain access to the system or somehow hacked into the network themselves. As the arms race between hackers and security experts continues, attacks on POS systems will likely become more prevalent.