Michaels Breach: Fraudsters Sentenced

Two Calif. Men Linked to Fraudulent Transactions
Two men were sentenced this week in connection with fraudulent transactions they made with compromised debit cards tied to the Michaels point-of-sale breach.

In 2011, banking institutions reported tens of thousands of fraudulent transactions linked to consumers who had visited Michaels craft stores that were affected by the breach. POS and PIN-entry devices at 84 locations in 20 states were later found to have been swapped out with devices manipulated to collect card numbers and PINs. Investigators say 94,000 debit and credit cards were affected by the breach.

On June 25, a judge in the U.S. District Court for the Northern District of California sentenced Eduard Arakelyan, 21, and Arman Vardanyan, 23, to 36 months in prison on charges of conspiracy to commit bank fraud. Each also was sentenced to an additional 24 months for aggravated identity theft and five years of supervised release. The court has ordered both to pay $42,000 in restitution.

The two men, who were charged March 5, pleaded guilty on March 20, according to a statement issued this week by the Department of Justice. Arakelyan and Vardanyan admitted that in the summer of 2011, they used card numbers stolen from Michaels to create nearly 1,000 counterfeit cards they later used at ATMs in Northern California to withdraw funds from bank accounts. Authorities say 952 debit accounts were affected by Arakelyan and Vardanyan.

Court records reveal that at the time of their arrest, Arakelyan and Vardanyan possessed two loaded firearms, a GPS device pre-programmed with ATM locations and eight mobile phones. But Arakelyan and Vardanyan only executed one aspect of the Michaels scheme, authorities say.

No other arrests or charges were noted in the Justice Department's release, and the California U.S. Attorney's Office says it cannot confirm or deny whether other charges have been filed or arrests made in the breach case.

The Michaels Breach

The Michaels incident is one of the biggest breaches involving POS-device manipulation ever reported. By targeting Michaels, which used the same POS equipment at the majority of its U.S. locations, fraudsters involved in the scheme were able to swap legitimate devices with devices reprogrammed to collect card data and PINs.

"By employing an identity theft and bank fraud scheme, the defendants in this case attempted to make a fast buck at the expense of hard-working, law-abiding citizens," U.S. Attorney Melinda Haag said in the statement. "Hopefully, the sentences in this case will serve as a deterrent to individuals who may be considering a similar scheme - you will be caught and you will be prosecuted to the fullest extent of the law."

In addition to the Secret Service and police departments in Pleasant Hill and Glendale, Calif., police in Beaverton, Ore., in June 2011 revealed they, too, were investigating the breach. Beaverton police said they had 50 fraud reports linked to Michaels (see Michaels Breach: 4 Suspects Sought).

"This case represents a clear example of the successful cooperation between federal, state and local law enforcement authorities to aggressively investigate and hold accountable criminal organizations and individuals who target our financial payment systems," Special Agent Andrew Adelmann said in the release.

POS-Related Card Fraud Grows

Since the Michaels breach, other fraud incidents linked to POS devices have grabbed headlines. Last week, a small point-of-sale attack in Kentucky highlighted an emerging trend in POS schemes that rely on localized attacks that target independently owned businesses in small communities.

Gartner analyst Avivah Litan says these "micro attacks" often elude detection, giving fraudsters more time to drain bank accounts (see Micro Attacks: The New Fraud Scheme).

Micro attacks involve remote access to POS networks that are connected to the Internet. The attacks are usually waged against a certain type of POS device or system model, Litan says. Hackers access the networks with default passwords installed by the original equipment manufacturers - passwords many smaller retailers fail to change.

Another POS attack, which hit restaurant chain Penn Station in March, also is suspected of involving a remote-access attack. Though the investigation into the Penn Station breach is ongoing, industry experts suggest the scale of the attack points to a systems breach, similar to the one that hit 100 Subway locations between 2008 and May 2011, or a well-organized POS swap scheme, like the one that targeted Michaels.

The number of restaurants affected by the POS breach at Penn Station continues to grow. Earlier this month, Penn Station upped its number of affected franchised locations to 91; originally, only 43 restaurants were believed to have been affected. So far, restaurants in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania, Virginia, North Carolina and Tennessee have been identified as sources of fraud.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



