Michael Stores initially reported that a scheme, in which point-of-sale pads customers use to key in their personal identification numbers, was isolated to Chicago, but on Tuesday the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.
The breach was first linked to a select group of Chicagoans who reported dings to bank accounts after their debit cards were allegedly copied during recent transactions at area Michaels craft stores. The Secret Service is investigating. Investigators believe legitimate PIN pads were traded or swapped out for PIN pads that skim and collect card details.
As a precautionary measure, Michaels has removed some 7,200 PIN pads from most of its 964 U.S. stores and expects replacements to be completed within the next 15 days. As a precautionary measure, PIN pads in Michaels Canadian locations are being screened as well.
Card details may have been skimmed as far back as December, but fraudulent ATM withdrawals, typically for $500 each, are just starting to hit banking customers.
Until Michaels completes its PIN pad upgrade, the chain advises customers to have credit and debit purchases processed by store clerks at the register.
Illinois is thought to have been hit the hardest, according to a May 11 article in the Chicago Tribune. PIN pads reportedly were compromised in 14 Michaels Chicago area stores.
Many banks in the area froze customer bank accounts thought to be vulnerable. Marquette Bank, which has 24 branches in the Chicago region, told the Chicago Tribune that 1,900 of its customers were identified as potential victims. And Chicago's Credit Union 1 posted a warning on its website, saying members should be on the lookout for fraudulent ATM transactions from California.
A Growing Trend?News of the Michaels breach comes on the heels of a similar scam in Ontario, which Waterloo police quickly foiled, after a customer reported seeing two men handling a checkout counter's card reader. [See POS Skimming Scam Stopped.]
Despite Canada's migration away from the mag-stripe and toward the EMV chip and PIN standard, the so-called PIN pad swap scheme is still effective. "[Fraudsters] get around EMV by disabling the part of the POS device that reads the chip," says Jerry Silva, a financial-security consultant. "So, then the customer is forced to swipe the mag stripe to make the transaction."
Julie McNelley, an analyst at the research and advisory firm Aite, says the Michaels scheme illustrates a trend. "It is definitely a highly targeted effort by organized crime, who did their homework, identified vulnerable hardware; and swooped in, in a coordinated effort to maximize their window of opportunity," she says. "It's a pretty audacious effort, when you consider that the equipment needed to be physically tampered with, which is certainly a bit higher risk than a remote breach attempt. It also sends a clear signal that even though PCI has certainly reduced exposure at Level 1 merchants, there is still vulnerability there."
Though POS swap attacks are rare, they are effective. The same method of attack was against Hancock Fabrics, which led to card fraud that affected more than 140 Hancock customers in three states.
The Michaels breach is positioned to be much larger, though the full scope of the breach could take time to unravel. Michaels says its working with payment card brands and issuers to better understand the breadth of the breach and identify accounts that may have been compromised.