Michaels Breach: How the Fraudsters Pulled it OffIndictment Reveals How Attackers Compromised 80 U.S. Stores
More than four years after the point-of-sale attack that struck 80 Michaels craft stores throughout the U.S., compromising nearly 100,000 payment cards, details about how the attackers pulled off their scheme have finally emerged.
On Nov. 17, Crystal Banuelos of California, a lead defendant named in the 2011 Michaels debit breach, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft (see Michael's Breach: What We've Learned).
Banuelos' sentencing date has not yet been set. She faces a maximum sentence of 32 years in prison and a $1 million fine.
In her plea filed with a New Jersey District Court, Banuelos notes that she conspired to steal credit and debit card data, as well as PINs, from Michaels' customers, and knowingly used counterfeit cards created from that stolen data to conduct fraudulent cash withdrawals at ATMs.
In all, authorities believe Banuelos and Angel Angulo, a co-defendant named in the indictment whose case is still pending, stole $420,000 from banks through fraudulent ATM withdrawals. Banks defrauded in the scheme, according to the indictment, include U.S. Bank, BMO Harris, Bank of America, JPMorgan Case, TD Bank, Beneficial Bancorp and Wells Fargo.
To perpetrate their crime, prosecutors allege Banuelos, Angulo and other unnamed conspirators swapped out 88 legitimate POS devices at 80 different Michaels locations across 19 states with manipulated terminals that were used to capture and store card data and PINs.
"Each counterfeit POS device was equipped with wireless technology, whereby conspirators wirelessly retrieved the stolen account information without having to retrieve the counterfeit POS devices," the indictment claims. "In or about February 2011 and in or about April 2011, conspirators compromised approximately 94,000 debit and credit card account numbers from customers at a number of Michaels' locations across the United States, including in the District of New Jersey."
In May 2011, authorities say Banuelos and Angulo had 179 counterfeit cards in their possession and were attempting to defraud an additional $129,000 from ATMs owned by the banks they had already targeted.
A Crime for Cash
Financial fraud expert Mike Urban says the Michaels POS attack was an attack waged for cash, not cards. Unlike the massive data breaches waged against leading U.S. retailers, such as Target and Home Depot, which aimed to steal credit and debit card numbers that could be sold on the Dark Web, the Michaels attack was focused on compromising debit numbers and PINs that could be used for fraudulent ATM withdrawals.
"Michaels is very different from the Target- and Home-Depot-style of attacks, which involved a very savvy cyber group," he says. "At Michaels, the attackers went in and physically attacked the terminals because they wanted PINs, and you can't get those through a breach. They don't get as many cards as they would with a data breach, but they weren't focused on the number of cards. They wanted the PINs for cash."
Because PINs are encrypted at the point-of-sale - whether that be a merchant POS device or a self-service terminal, such as a pay-at-the-pump gas terminal or ATM - attackers interested in compromising PINs have to capture that information before it is processed, Urban says.
"They have to attack the PIN at the terminal, because once it gets through the terminal, it's almost impossible to get the PIN; the encryption is that strong," he says. "In big retail breaches, the PIN offset is in the transaction record data, but the hackers don't know the key for each transaction to be able to decrypt it. That's why you don't see ATM fraud from Target or Home Depot."
While the Michaels POS swap may sound like a low-tech scheme, Urban says several similarly styled attacks have cropped up in recent years, including the 2012 POS-swap attack that targeted Barnes & Noble Booksellers.
"They will target a merchant based on the type of terminal they have," Urban says. "Once they find a POS terminal they know how to manipulate, it's relatively easy to pull the scheme off."
That said, this type of attack won't be possible with new EMV terminals, he adds. That's because the attackers have to have magnetic-stripe data, not chip card data, to create counterfeit mag-stripe cards. They also need the PINs. What's more, Urban says newer EMV POS devices won't be so easily manipulated.
"In the new EMV terminals, encryption should be stronger, so it will be almost impossible to come up with an overlay you could put in the terminal to capture the PINs. Besides, even if they could figure out how to capture the PIN, they won't get the mag-stripe data," Urban says.
John Buzzard, a fraud specialist at core banking processor FIS Global, says the Michaels case confirms attack tactics that many in the industry had suggested but had previously not been able to pinpoint definitively.
"The method of swapping out the POS devices was widely speculated, especially when you consider that at least 80 devices across multiple states were involved," Buzzard says. "Some felt that the fraudsters were literally posing as POS service techs in order to gain access to the devices, while others insisted that all of the swaps were carried out by way of diversion at each location. It would not surprise me to learn that the criminals called ahead to each store and informed them that a technician would be onsite at a specific time to service the POS devices in order to quickly build a legitimate reason for their presence in the stores."
Buzzard says he doesn't believe all defrauded banking institutions and the total dollars lost during the Michaels' fraud spree were named in this indictment, adding that more details could yet emerge.
Jim Mortensen, vice president identity and card payment solutions at security solutions provider Early Warning, says the Michaels breach highlights some of the challenges banking institutions face when it comes to tracking fraud back to a common point of compromise.
"While many issuers have systems in place to efficiently detect potential common points-of-purchase compromises at retailers and ATMs, identifying data compromises that impact small- and medium-sized merchants, like Michaels, has been a challenge for the industry," he says. "Card data compromised at smaller merchants can go undetected for longer periods, and fraudsters know this."
Mortensen says cross-bank credit and debit payment data is helping issuing institutions detect schemes sooner, however. "The ability to identify more potential common points-of-purchase events with greater precision will enable the industry to tailor remediation strategies and accelerate card fraud notification as well as the investigation processes. Minimizing the window of exposure for compromised cards across all channels will mitigate financial losses from exposed cards, reduce the incurred reputational risks and improve the overall experience for impacted consumers."