The Michaels card breach is now believed to have affected stores in 20 states. The mode of card fraud: Point-of-sale PIN pad tampering, also known as PIN pad swapping. [See 3 Tips to Foil POS Attacks.]
Brian Riley, senior research director of bank cards at TowerGroup, says as details about the breach are gradually revealed, it's clear that financial institutions, as card-issuers, picked up on the common fraud link - Michaels. "The behavioral scoring in this was really high," he says. "The pattern of transactions showed that all of these affected accounts had Michaels' purchases in their history. Behavioral scoring is really where it's at in card transactions."
Even advanced card technology, such as the Europay, MasterCard, Visa chip and PIN standard, which takes the skimmable magnetic-stripe out of the equation, would not have helped in the Michaels' case, Riley notes. "With a tampered POS device, you can get around EMV," he says. "A good, robust scoring system is the only way to really pick up on this. That's why behavioral scoring is so important. That's, quite often, how these things are discovered."
EMV's vulnerability to fraud perpetrated by PIN pad tampering came to light last month, when an unnamed retail location in Waterloo, Ontario, fell victim to the so-called PIN pad swap. [See POS Skimming Scam Stopped.]
Despite Canada's migration away from the mag-stripe and toward the EMV standard, the swap scheme was effective. "[Fraudsters] get around EMV by disabling the part of the POS device that reads the chip," says Jerry Silva, a financial-security consultant. "So, then the customer is forced to swipe the mag- stripe to make the transaction."
A Growing Trend?How concerned should the industry be about incidents of PIN pad swapping? "It's happened several times in the last couple of years," Riley says. "In that regard, it is a trend. But banks and retailers can pick up on things like this by knowing their portfolios and having good business practices, such as knowing their employees."
Julie McNelley, an analyst at Aite, says, while the Michaels scheme clearly had some organization and forethought behind it, "I'd be very surprised if we saw anything on this scale again anytime soon."
"I think the criminal element is nothing if not opportunistic," she says. "While we'll certainly see these types of attacks continue as long as there are vulnerabilities in the payments data flow, I think this will continue to be more the exception than the rule, because of the elevated exposure risk that the in-person tampering represents."
Doug Johnson, vice president of risk management policy at the American Bankers Association, says he does not expect PIN pad tampering to become an overly concerning trend. "I'm disappointed that Michaels is turning out to be a bigger breach than we initially thought," he says. "This was a particularly audacious move, to take out those point-of-sale terminals and replace them. It's risky. Usually, the more anonymous the criminals can be, the better they feel. So, we don't see this sort of fraud being a trend, really."
How Banks Can RespondEven if PIN pad swapping does not grow to become a trend, Johnson says banking institutions should continue investing in behavioral analytics.
"At the end of the day, it's always the bank customer who's at the end of the line when fraud occurs," Johnson says. "That's why we are very desirous of ensuring there is security in the POS chain. Though banks cannot directly control this kind of fraud, they can pick up on it with behavioral or transactional analytics that allow you to see anomalies in transactions. That's something that's been done in the AML [anti-money-laundering] space for years. Merging AML and fraud tools could be beneficial here."
Some institutions with customers and members affected by the Michaels breach took proactive action, such as freezing accounts and posting notices on their websites. But Riley says that was not really a necessity in this case.
Another community bank ($134 million in assets), based in one of the affected states, North Dakota, said it was monitoring accounts for anomalous behavior, but was not taking action to notify customers. "We have communicated the situation to all staff," says a bank representative, who asked not to be identified. "Stores in our area are apparently not affected by the Michaels PIN pad tampering, so we are not going to post anything our webpage at this time."
From a liability standpoint, Michaels is holding the bag on this one, Riley says, since banks and credit unions will charge fraudulent transactions associated with breach back to the retailer. "The issuer liability will be extremely limited on this kind of breach, but the sponsoring bank for the merchant needs to constantly be monitoring their clients," he adds.