January 25, 2014

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

On Friday morning, I put a call in to SPM Communications, the public relations company listed as the press contact on michaels.com. After explaining why I was calling, I was referred to a Michael Fox of ICR Inc. When asked what line of business ICR was in, the SPM representative replied that it was a crisis communications firm. Mr. Fox replied via email that he would inquire with Michaels, but so far the company has declined to comment.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

The statement continues:

“The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.”

“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”

Their full statement is here (PDF).

Original story:

Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.

On Friday, KrebsOnSecurity heard from a fraud analyst at a large credit card processor that was seeing fraud on hundreds of cards over the previous two days that had all been recently used at Michaels. The fraudulent purchases on those cards, the source said, took place at the usual big box stores like BestBuy and Target.

“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers,” said the source, who asked to remain anonymous because he was not authorized to speak to the media. “One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”

Assuming my sources are correct and Michaels did have some kind of breach involving payment cards, this would not be the first time. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

It remains unclear what type of compromise may have prompted several banks to identify Michaels as the breached entity. But recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-of-sale registers at those stores. Target has said the breach may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers. Earlier this week, Neiman Marcus revealed that the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.

According to Fox, ICR Inc. was brought in by Michaels to handle the retailer’s planned transition to a public company. Last month, the company filed paperwork for a potential public offering of its common stock. According to those filings, Michaels generated revenue of $4.41 billion in 2012. Michaels has said the timing, number of shares to be sold and the price range for the proposed offering have not yet been determined.


82 thoughts on “Sources: Card Breach at Michaels Stores”

  1. Tom

    I’m surprised these retailers keep calling in the secret service. That action would cause a ton of chaos within company operations. A lot of cyber insurance policies don’t require this to happen.

  2. BrianKrebs Post author

    I’m surprised how few people know the original mission of the Secret Service was not protecting the president: It was protecting the integrity of the US currency from counterfeiters. It is still a big part of their job, as card fraud is essentially counterfeiting currency and undermining the banking system.

    Only after the assassination of President William McKinley did protecting presidents and other dignitaries become a major priority for them.

      1. Tom

        I understand that is one of the roles of the secret service. That is different than the question I asked which is WHY do companies bring the secret service in. I would think this would cause a tremendous amount of increased work but I don’t see the benefits.

        1. BrianKrebs Post author

          In some cases a victim organization may be required to notify law enforcement. It all comes down to relationships and who gets the call first. Why would calling the Service be any different than calling in the FBI?

          I have heard from many a breached organization that they get more from working with the Service than they do the FBI. The latter has a reputation of being sort of a black hole from which no information escapes. Not nearly as true with the Service, which very often does share information back with the victim organization.

          1. TheHumanDefense

            Brian,
            You are correct about the 2 organizations. I have been involved with both during investigations. However, the more you work with a particular FBI agent the better the information flows. However, the Secret Service has many years of experience with this type of work and frankly can work circles around many of the credit card fraud investigators out there.

            I guess at this point, I would imagine that the FBI Cyber Crime unit and Secret Service are working a lot closer on these than before the Target breach. Just hopeful thinking, but it’s time that everyone starts bridging the gap to better thwart these breaches.

            With regards to the comments on this piece and all the other pieces around PIN and Chip. Bottom line, this will only mitigate the crime, it will not stop the crime. Just like when ATMs came into the mainstream and people stopped carrying as much cash, the bad guys adjusted their MO. If they held you at gunpoint and you didn’t have cash or not enough cash, they would force you to give them your card and PIN, or take you to an ATM and withdraw cash. This got out of control quickly and people started getting shot and killed during the commission of these crimes.
            There is always a way to get the money. Always!!! I’ve said it before and I will say it again, theft is the oldest crime in this world and education of how it is committed is how people can avoid it.
            Laws are made for when the bad guy is caught, education is how you provide the people the way to thwart crime.

            1. Francine R.

              In 2012 I had my Social Security number stolen (income tax fraud). In 2013 I pumped gas at a Hess station and found out someone stole my ATM PIN number from the pump. I no longer pay for gas outside, and now since I shop at Michael’s I have to keep a vigilant eye on my banking account (which I have always done). What more can we do other than putting an alarm system on our credit cards, ATM cards and Social Security number?

              1. voksalna

                Use cash. Do you really need to use your debit card to pay for $10 worth of yarn? Start thinking of your debit cards as a way to get cash. Pay for larger purchases with a credit card or a separate debit card with only enough money for large transactions (transferring between cards is largely able to take place in a matter of minutes (and almost always less than 60 minutes) anyway). Use limited stored value cards or phone apps for stores you use often (Starbucks gift cards, if you like coffee in the morning from Starbucks, for instance).

          2. SeymourB

            Indeed, at my last employer we actually hired someone who had previously worked at the FBI to act as a liaison, so that we could get decent cooperation with them as well as a realistic flow of information back and forth.

            Before he came on board they would just take the information and leave, never to be seen again. After he came on board we actually heard progress updates and actually participated in helping them get some convictions. Crazy that that’s what it took.

    1. Andrew Sherman

      Interestingly enough, signing the bill creating the Secret Service as an anti-counterfeiting force was Lincoln’s last piece of business before going to the theater.

  3. JD

    I know I’m preaching to the choir here in this forum, but when will the Secret Service, Congress, or anyone start doing something to address the real underlying problem?

    These breaches are crimes of opportunity, and the rest of the world has already addressed the classic card-number replay-attack *years* ago. Remove *that* opportunity by hardening the card itself (and/or its number), and adopt one-time-use card number technology.

    One perceived roadblock to a wider acceptance of “one time use” credit card technology is that merchant Point-of-Sale (POS) systems would need to change significantly, and therefore it’s “too costly”. This is not entirely true.

    Check out a company named Dynamics Inc. based in Pennsylvania that has a product that can encode [one-time-use card] numbers onto the magnetic stripe(s) on the back of the card. This enables standard, existing POS card readers to work seamlessly with the newer technology. A card number that is only good for one transaction at a time cannot be [re-]sold by criminals.

    Again, whether or not card data is stored at (or scraped from) the POS terminal is irrelevant, if the data itself (the card number) changes with every transaction.

    See Dynamics Inc.’s webpage (/Corporate/Products) and their “Dynamics Inc. – Enabling Payments 2.0®” Dynamic Credit Card via archive.org [http://www.dynamicsinc.com/Corporate/products_dynamic_cc.php]
    Here: http://bit.ly/19fbXKb
    (last archived by archive.org on Oct. 1st, 2013).

    The single most frightening thing anyone could say that should be the catalyst for the card industry to move toward enhancing the 1950’s card technology that we currently endure is “I’m just going to pay cash and stop using credit cards”. Of course that’ll never happen and as long as everyone continues to believe the myth that “all we can do” is to cancel compromised cards and pay extra for “account monitoring”, recover from identity theft best we can, yada, yada, yada.

    The news story that consumers should be hearing is that card skimming fraud could have been eliminated years ago. I believe any merchants that get compromised, are victims themselves, victims of our current card technology that hasn’t evolved significantly since it was first introduced in the 1950’s.

    Target, Neiman Marcus, Michael’s, Aaron Brothers, every merchant, and every consumer that has ever suffered financial, personal-data, or identity theft losses due to the inherent security flaws in (U.S.) credit card transactions, should hold the Payment Card Industry (including issuing banks) responsible.
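As an added illustration of the one-time-use number argument in the comment above (example code written for this page, not Dynamics Inc.’s scheme or anything from the post): a constructed issuer-side check in which every swipe yields a fresh 16-digit number derived from a per-card key and counter, so a number skimmed from a POS is declined when it is replayed. The BIN, the digit layout, the HMAC derivation and the look-ahead window are all assumptions made for the example.

```python
import hmac
import hashlib

BIN = "400000"     # constructed issuer prefix for the example, not a real BIN
LOOKAHEAD = 5      # how many unused counters the issuer tolerates (e.g. declined swipes)


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string, so the number passes ordinary POS validation."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # digits at even distance from the check digit are doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def dynamic_pan(key: bytes, account_ref: str, counter: int) -> str:
    """Number for one transaction (assumed layout): 6-digit BIN | 4-digit static
    account reference | 5 digits from HMAC(key, account_ref:counter) | Luhn digit."""
    mac = hmac.new(key, f"{account_ref}:{counter}".encode(), hashlib.sha256).digest()
    dyn = str(int.from_bytes(mac[:4], "big") % 100_000).zfill(5)
    body = BIN + account_ref + dyn
    return body + luhn_check_digit(body)


class Card:
    """Card-side state: the shared key and a counter that advances on every swipe."""

    def __init__(self, key: bytes, account_ref: str):
        self.key, self.account_ref, self.counter = key, account_ref, 0

    def swipe(self) -> str:
        pan = dynamic_pan(self.key, self.account_ref, self.counter)
        self.counter += 1          # this number is never produced again
        return pan


class Issuer:
    """Issuer-side authorization: accepts a number only once, and only if it lies
    in the window of counters the card has not yet consumed."""

    def __init__(self):
        self.accounts = {}         # account_ref -> {"key": bytes, "next": int}
        self.redeemed = set()      # every number that has already cleared

    def enroll(self, account_ref: str, key: bytes) -> None:
        self.accounts[account_ref] = {"key": key, "next": 0}

    def authorize(self, pan: str) -> str:
        if len(pan) != 16 or not pan.isdigit() or luhn_check_digit(pan[:-1]) != pan[-1]:
            return "declined: malformed"
        if pan in self.redeemed:
            return "declined: replay"          # the skimmed-and-reused case
        account_ref = pan[6:10]
        acct = self.accounts.get(account_ref)
        if acct is None:
            return "declined: unknown account"
        for c in range(acct["next"], acct["next"] + LOOKAHEAD):
            if hmac.compare_digest(dynamic_pan(acct["key"], account_ref, c), pan):
                acct["next"] = c + 1           # counters up to c are burned for good
                self.redeemed.add(pan)
                return "approved"
        return "declined: not a current number"


if __name__ == "__main__":
    issuer, card = Issuer(), Card(b"constructed-per-card-key", "1234")
    issuer.enroll("1234", b"constructed-per-card-key")
    first = card.swipe()
    print(issuer.authorize(first), issuer.authorize(first))   # approved, then replay declined
```

Every swipe changes the 5 dynamic digits, so a dump of numbers captured at the register is worthless to whoever buys it: each one has already been redeemed or falls outside the issuer’s window.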

  4. Vern Stilson

    There is no question, Michaels was hacked.
    Last night, Sunday, 1/26, we were notified of 2 charges in Charlotte by our bank. Our card was cancelled at 5:42 PM then more came through, 6 more, and although I tried to cancel the card it was another family card which eventually was cancelled by the bank at 6:30 PM. 6 charges at Kmart and 2 at Walmart. Our only use of both cards was at Michaels. We should have been notified before the hack took our money and now we effectively have no account. Why was no action taken by Michaels?

  5. David T

    All these huge data breaches, all this theft. After reading a lot of coverage, I’m still scratching my head. What is the lesson here? Many actors might have protected against this: merchants, banks, the credit-card companies, the POS-system vendors, Microsoft. Which is a better explanation:

    Nobody is to blame – security is just very hard and some clever miscreants wrote some malware that is better than the state-of-the-art POS systems.

    The merchants (Target, Michael’s…) are to blame. They weren’t willing to spend the money to get the best POS systems, or to pay their portion of chip-and-pin systems. They didn’t follow their security best practices.

    The POS-system vendors are to blame. They charged top dollar for their wares, but shipped them out with inexcusable holes, like leaving RTS and other unnecessary webservices open.

    The credit card companies are to blame. They resisted implementing chip-and-pin controls because of the short term cost because those costs would fall on them, while the costs of the breaches would fall mostly on the consumers and merchants.

    The government is to blame – the Durbin amendment to Dodd-Frank dried up the money which the system would have used to upgrade to a better security model.

    1. TheHumanDefense

      David,
      Interesting perspective, and I agree there are many entities to possibly blame, but crime is crime, and criminals are mostly to blame here. But, the almighty dollar is in play. What to spend versus what to implement to the cost of doing business. The gorilla is always the ROI.
      The real question here should be, how did the software get into these networks. Blame is always the first place we, as humans, instinctually go. Nothing wrong with that, as it’s how most of us are wired. I would say that we may want to examine the root cause and then identify how that root cause can be mitigated.
      Ultimately, I think we are in line with each other, however, I believe the security community must start looking for the source of the fire and move to eliminate as much oxygen to the source.
      Thank you for letting me pontificate, but I was raised by a pastor and tend to get fairly wordy.

    2. Wombat94

      “The government is to blame – the Durbin amendment to Dodd-Frank dried up the money which the system would have used to upgrade to a better security model.”

      I agree with most of the points of this post – there is plenty of blame to go around – but this point is almost laughable.

      The Durbin amendment is one of the catalysts that finally got the banks and card brands to start to seriously consider moving to chip cards in order to reduce the cost of fraud.

      Prior to the limits on interchange fees and the revenue that came from those fees, the banks simply passed on the costs of the fraud back to the retailers in the form of increased fees. They didn’t care how much fraud there was in the system because they could set the fees where they wanted and there was no real alternative in the US for a payment authorization system.

      The EMV liability shift is, in my opinion, almost a direct response to Dodd-Frank and the Durbin amendment. I believe it would have been many more years before any real sort of hard date was created by the card brands to prompt merchants to move to the more secure system.

    3. Bill

      While the banks may be many things, one thing they are not is “computationally challenged.” The best estimates I could find regarding digital fraud (CC, ID, etc.) is well near $200 billion/YEAR ($200,000,000,000). That’s one frigging huge elephant in the room, wouldn’t you say?
      I rather think that banks and other financial institutions would welcome any real and lasting solution to the problem. With that as a given, where does the real inertia to change really lie? Is it at the corporate/lobbying level? Is it perceived to be at the consumer level (resistance to institutional intrusion?)
      While some have proposed some pretty novel and interesting ideas to thwart CC fraud in particular. I can’t help but think (as others have also pointed out) that, while these alternatives to an antiquated system are interesting, all _could_ be eventually gamed.
      Which brings me to what the ultimate security end game must be for banks. Biometric ID.
      Yes, I said it. BioID. After all, it’s the only true way to prove one’s identity. But who will be the central “registrar” of Biometric data? And what metrics will be collected? Most people I know are _not_ ready for this, but it is coming, and I believe it’s what the banks are ultimately “holding out” for.
      And before anybody jumps me for it, yes, I know that simple fingerprint scanners can be defeated (although it’s a pretty clumsy process.) Additional levels, such as adding an IR component to the scanner (to grab the unique pattern of vessels just under the skin,) can easily be added.
      Would you be willing to entrust your finger/retinal metrics with a central authority to thwart ID theft and CC fraud? Until you are, I wouldn’t expect much to change aside from small, stopgap measures deployed by banks (like new and improved PCI compliance! WooHooo!)

      1. chaz

        Bill,

        Your post regarding the benefits of Bio-ID is a heads-up and promising reprieve for everyone using plastic. Well written and understandable for those of us from back when, playing catch-up with the ever expanding world of computer tech. Thanks

        1. Bill

          Chaz,

          Thank you for the kind words. If you (or anyone else) is interested in large-scale, national-level BioID rollouts, check out Aadhaar in India. –> http://en.wikipedia.org/wiki/Aadhaar

          It already has an authenticated user base larger than the population of the U.S. Admittedly, it serves to address somewhat different problems than we discuss here. However it certainly is proof of concept. We already have much of the infrastructure in place and the cost to bank and merchants would more than be recouped within a year given the current free-for-all of fraud.
          The main hurdle to this will be ourselves. We fret and worry about government intrusion into our personal affairs (while at the same time carrying around personal tracking devices…ahem) and maybe rightly so. Abuse of any identity pool is practically guaranteed if history is any guide. Oddly enough, though, this type of “Aadhaar-esque” system would actually increase transparency in the financial/Government benefit arena. Can you imagine how many rats a system like Aadhaar would smoke out of the woodpile in the U.S.? It would practically be a revolution of truth.

      2. Jen

        Bill,

        The idea of biometrics is neat and innovative, but like you said, it’s really not as accurate as it needs to be to protect sensitive info. There are alternatives that financial institutions could implement to prevent credit card fraud for their customers. There are some solutions which offer out-of-band 2FA, which defeats man-in-the-middle attacks. Duo Security, Toopher and Authentify are a few I know of. I prefer Toopher because it is the most convenient to use, because it only “bothers” me when something out of the ordinary occurs. The problem is that banking clients need to vocalize their concerns so that the financial institutions take serious action. There are good solutions to this problem out there…but lack of awareness plays a big factor as to why these products aren’t being taken advantage of.

        1. Bill

          Jenn,
          Thanks for the ideas. I really like Toopher; combined with LastPass and NoScript, your online stuff is almost bullet-proof. Though for CC transactions, and proving your identity in order to securely make such a transaction, these don’t really come into play. Not to mention ID theft etc.

          Those of us who make a living in the world of technology have no problem using these tools. Just for fun, install NoScript on your mother’s/grandmother’s machine. Set a timer and count just how long they can use it without having to call you because they can’t log into their online banking account 🙂 Good times.

          I am going to set up a few clients with Toopher just as a controlled experiment. Thanks again for the tip.

  6. Jinx

    I just checked the Michael’s website for an update; I clicked on the link at the top of the homepage and came to the six page announcement; it was disappointing to see how few details about the breach were shared. Maybe they really don’t know the timeframe that the security was compromised but when this information is finally known I hope they share it. I would like to lay to rest the question of where my debit card was hijacked. At least the bank restored the $503.00 to my bank account already.

  7. voksalna

    Brian, why can I view your site with SSL but comments are not submitted via SSL? Thanks.

  8. rob

    I’m not surprised at all. In Canada I had told the local store it was wide open, and was promptly ignored….you can still walk around the parking lot and get into their local LAN with ease…….you get the DHCP, doesn’t take much to go after the swap file from there……but I find most retailers don’t have any security at all really…just go to the local gas station and ask when the last time they rebooted the POS was…..you will get a blank look….

    1. Bill

      Yup.. Just because I’m something of a geek, I always have a set of pen-test tools on whatever device I’m using at the moment (like Fing, etc.). I don’t know why I’m shocked, but badly configured networks are pretty commonplace. And like yourself, bringing it to the attention of even management is usually totally futile. Either that or they look at you as a criminal.

  9. echoinvestigations

    Fraud can happen any time with anyone. No one knows who is playing games with them. Fraud people are very sharp; they make the second party easily fooled. So I must say to all people: always be strong with all your documents.

  11. QHoster

    … fraud on hundreds of cards over the previous two days that all been recently used at Michaels. So it is obvious that the credit card info already leaked; what they are still investigating is whether it happened or not.

  12. jonypyro

    I had Bank of America a few years back and I would get a few fraud check-up calls every now and then. For some reason the bank always asked me if I had shopped at Michaels as of late. Something to think about.

Comments are closed.