Michaels Breach Bigger than Reported

Stores in 20 States Struck by PIN Swap Scheme

May 12, 2011.
The Michaels debit breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]

Michaels Stores initially reported that a scheme targeting the point-of-sale PIN pads customers use to key in their personal identification numbers was isolated to Chicago, but on Tuesday the arts and crafts supplies retailer issued a statement saying that nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.

The breach was first linked to a select group of Chicagoans who reported dings to bank accounts after their debit cards were allegedly copied during recent transactions at area Michaels craft stores. The Secret Service is investigating. Investigators believe legitimate PIN pads were traded or swapped out for PIN pads that skim and collect card details.

As a precautionary measure, Michaels has removed some 7,200 PIN pads from most of its 964 U.S. stores and expects replacements to be completed within the next 15 days. PIN pads in Michaels' Canadian locations are being screened as well, also as a precaution.

Michaels first learned of the breaches on May 2, when it was contacted about debit fraud linked to numerous Michaels customers in the Chicago area. [See 3 Tips to Foil POS Attacks.]

Card details may have been skimmed as far back as December, but fraudulent ATM withdrawals, typically for $500 each, are just starting to hit banking customers.

Until Michaels completes its PIN pad upgrade, the chain advises customers to have credit and debit purchases processed by store clerks at the register.

Illinois is thought to have been hit the hardest, according to a May 11 article in the Chicago Tribune. PIN pads reportedly were compromised in 14 Chicago-area Michaels stores.

Many banks in the area froze customer bank accounts thought to be vulnerable. Marquette Bank, which has 24 branches in the Chicago region, told the Chicago Tribune that 1,900 of its customers were identified as potential victims. And Chicago's Credit Union 1 posted a warning on its website, saying members should be on the lookout for fraudulent ATM transactions from California.

A Growing Trend?

News of the Michaels breach comes on the heels of a similar scam in Ontario, which Waterloo police quickly foiled, after a customer reported seeing two men handling a checkout counter's card reader. [See POS Skimming Scam Stopped.]

Despite Canada's migration away from the mag-stripe and toward the EMV chip and PIN standard, the so-called PIN pad swap scheme is still effective. "[Fraudsters] get around EMV by disabling the part of the POS device that reads the chip," says Jerry Silva, a financial-security consultant. "So, then the customer is forced to swipe the mag stripe to make the transaction."

Julie McNelley, an analyst at the research and advisory firm Aite, says the Michaels scheme illustrates a trend. "It is definitely a highly targeted effort by organized crime, who did their homework, identified vulnerable hardware; and swooped in, in a coordinated effort to maximize their window of opportunity," she says. "It's a pretty audacious effort, when you consider that the equipment needed to be physically tampered with, which is certainly a bit higher risk than a remote breach attempt. It also sends a clear signal that even though PCI has certainly reduced exposure at Level 1 merchants, there is still vulnerability there."

Follow Tracy Kitten on Twitter: @FraudBlogger
