Michaels Breach Bigger than Reported

Stores in 20 States Struck by PIN Swap Scheme
The Michaels debit breach is much bigger than the company initially thought. [See Michaels: Patterns Showed Fraud.]

Michaels Stores initially reported that a scheme targeting the point-of-sale pads customers use to key in their personal identification numbers was isolated to Chicago, but on Tuesday the arts and crafts supplies retailer issued a statement that said nearly 90 stores in 20 states, stretching from Rhode Island to Washington, were affected.

The breach was first linked to a select group of Chicagoans who reported dings to bank accounts after their debit cards were allegedly copied during recent transactions at area Michaels craft stores. The Secret Service is investigating. Investigators believe legitimate PIN pads were traded or swapped out for PIN pads that skim and collect card details.

As a precautionary measure, Michaels has removed some 7,200 PIN pads from most of its 964 U.S. stores and expects replacements to be completed within the next 15 days. PIN pads in Michaels' Canadian locations are also being screened as a precaution.

Michaels first learned of the breaches on May 2, when it was contacted about debit fraud linked to numerous Michaels customers in the Chicago area. [See 3 Tips to Foil POS Attacks.]

Card details may have been skimmed as far back as December, but fraudulent ATM withdrawals, typically for $500 each, are just starting to hit banking customers.

Until Michaels completes its PIN pad upgrade, the chain advises customers to have credit and debit purchases processed by store clerks at the register.

Illinois is thought to have been hit the hardest, according to a May 11 article in the Chicago Tribune. PIN pads reportedly were compromised in 14 Michaels Chicago area stores.

Many banks in the area froze customer bank accounts thought to be vulnerable. Marquette Bank, which has 24 branches in the Chicago region, told the Chicago Tribune that 1,900 of its customers were identified as potential victims. And Chicago's Credit Union 1 posted a warning on its website, saying members should be on the lookout for fraudulent ATM transactions from California.

A Growing Trend?

News of the Michaels breach comes on the heels of a similar scam in Ontario, which Waterloo police quickly foiled, after a customer reported seeing two men handling a checkout counter's card reader. [See POS Skimming Scam Stopped.]

Despite Canada's migration away from the mag-stripe and toward the EMV chip and PIN standard, the so-called PIN pad swap scheme is still effective. "[Fraudsters] get around EMV by disabling the part of the POS device that reads the chip," says Jerry Silva, a financial-security consultant. "So, then the customer is forced to swipe the mag stripe to make the transaction."

Julie McNelley, an analyst at the research and advisory firm Aite, says the Michaels scheme illustrates a trend. "It is definitely a highly targeted effort by organized crime, who did their homework, identified vulnerable hardware; and swooped in, in a coordinated effort to maximize their window of opportunity," she says. "It's a pretty audacious effort, when you consider that the equipment needed to be physically tampered with, which is certainly a bit higher risk than a remote breach attempt. It also sends a clear signal that even though PCI has certainly reduced exposure at Level 1 merchants, there is still vulnerability there."

Though POS swap attacks are rare, they are effective. The same method of attack was used against Hancock Fabrics, which led to card fraud that affected more than 140 Hancock customers in three states.

The Michaels breach is positioned to be much larger, though the full scope of the breach could take time to unravel. Michaels says it's working with payment card brands and issuers to better understand the breadth of the breach and identify accounts that may have been compromised.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
