Earlier this month, arts & crafts chain Michaels Stores disclosed that crooks had tampered with some point-of-sale devices at store registers in the Chicago area in a scheme to steal credit and debit card numbers and associated PINs. But new information on the investigation shows that many Michaels stores across the country have discovered compromised payment terminals.
Investigators close to the case, but who asked to remain anonymous because they did not have permission to speak publicly, said that at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast.
In an alert (PDF) sent to customers, Irving, Texas-based Michaels Stores said it learned of the fraud after being contacted by banking and law enforcement authorities regarding fraudulent debit card transactions traced back to specific stores. The Beacon-News, a Chicago Sun-Times publication, last week cited local police reports from several victims, describing the typical fraud as multiple unauthorized withdrawals of up to $500 made from ATMs at banks on the West Coast. It remains unclear when affected stores were compromised.
It also is not clear yet how the fraudsters compromised the POS devices, or whether the devices were tampered with in-place, or were replaced with pre-compromised look-alikes. But investigators say the fraudsters have used the stolen data to create counterfeit cards that are used in tandem with stolen PINs to withdraw funds from ATMs.
Detective Jeff Stolzenburg of the Libertyville Police Department just north of Chicago, said most of the fraudulent withdrawals have taken place at cash machines in Las Vegas and other parts of the West. Stolzenburg estimates that actual card losses from the fraud are now in the millions of dollars, and said that the investigation has since been turned over to the U.S. Secret Service.
“The scope of this thing has been pretty wide, coast-to-coast,” Stolzenburg said. “We’re dealing with thousands and thousands of victims.”
Stolzenburg added that the attacks on Michaels Stores are similar to the fraud perpetrated last year against Batavia, Ill.-based discount grocer Aldi Inc., which operates 1,110 stores in 31 states. Aldi disclosed on Oct. 1 that hackers tampered with payment terminals at stores in 11 states from June to August. A consultant who worked on that incident described the fraud as the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices.
Officials from Michaels Stores and the U.S. Secret Service declined to comment.
If you have purchased items from a Michaels store with a debit or credit card, you should watch your statements and account activity closely and report any suspicious or unauthorized activity.
Update, May 11, 11:31 a.m. ET: Michaels just released a statement (PDF) acknowledging that it has “identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 U.S. stores that showed signs of tampering. Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its U.S. stores.”
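The way the banks in the article worked back from fraudulent withdrawals to particular stores is usually called common-point-of-purchase analysis: take the cards that have been reported as fraud, look at where each one was used shortly before the fraud, and find the merchant that nearly all of them share but that the issuer's other cardholders mostly do not. The Python below is an added example, not code from this article or from any bank's or Michaels' systems. The purchases, card identifiers, merchant identifiers and fraud dates are constructed, and the ranking heuristic (share of fraud-reported cards among a merchant's customers versus the issuer-wide fraud rate) is a simplification of what issuers actually run.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical, not from the article): card-present
# purchases seen by one issuing bank, as (card_id, merchant_id, purchase_date).
PURCHASES = [
    ("card01", "MICHAELS-SKOKIE",  date(2011, 4, 18)),
    ("card02", "MICHAELS-SKOKIE",  date(2011, 4, 19)),
    ("card03", "MICHAELS-SKOKIE",  date(2011, 4, 20)),
    ("card04", "MICHAELS-SKOKIE",  date(2011, 4, 21)),
    ("card09", "MICHAELS-SKOKIE",  date(2011, 4, 19)),  # no fraud reported (yet)
    ("card05", "GROCER-EVANSTON",  date(2011, 4, 18)),
    ("card06", "GROCER-EVANSTON",  date(2011, 4, 22)),
    ("card01", "GROCER-EVANSTON",  date(2011, 4, 20)),
    ("card02", "GAS-LIBERTYVILLE", date(2011, 4, 20)),
    ("card07", "GAS-LIBERTYVILLE", date(2011, 4, 23)),
    ("card08", "GAS-LIBERTYVILLE", date(2011, 4, 24)),
]

# Constructed fraud reports: (card_id, date of the first disputed ATM withdrawal).
FRAUD_REPORTS = [
    ("card01", date(2011, 4, 30)),
    ("card02", date(2011, 5, 1)),
    ("card03", date(2011, 5, 2)),
    ("card04", date(2011, 5, 2)),
]


def _recent(fraud_date, card, when, lookback_days):
    """True if `when` falls in the lookback window before the card's fraud date."""
    return card in fraud_date and 0 <= (fraud_date[card] - when).days <= lookback_days


def common_points_of_purchase(purchases, fraud_reports, lookback_days=30, min_cards=3):
    """Rank merchants by how concentrated fraud-reported cards are among their
    customers, compared with the fraud rate across the issuer's whole portfolio.
    A merchant that nearly every victim visited, but few others did, stands out."""
    fraud_date = dict(fraud_reports)
    fraud_cards_at = defaultdict(set)
    all_cards_at = defaultdict(set)
    for card, merchant, when in purchases:
        all_cards_at[merchant].add(card)
        if _recent(fraud_date, card, when, lookback_days):
            fraud_cards_at[merchant].add(card)
    all_cards = {card for card, _, _ in purchases}
    baseline = len(fraud_date) / len(all_cards) if all_cards else 0.0
    results = []
    for merchant, fraud_cards in fraud_cards_at.items():
        if len(fraud_cards) < min_cards:
            continue  # too few victims to say anything about this merchant
        total = len(all_cards_at[merchant])
        share = len(fraud_cards) / total
        results.append({
            "merchant": merchant,
            "fraud_cards": len(fraud_cards),
            "total_cards": total,
            "lift": round(share / baseline, 2) if baseline else float("inf"),
        })
    results.sort(key=lambda r: (r["lift"], r["fraud_cards"]), reverse=True)
    return results


def exposed_cards(purchases, fraud_reports, merchant, lookback_days=30):
    """Every card that used the suspected merchant between the earliest and the
    latest victim purchase there. These are reissue candidates even if no fraud
    has been reported on them yet."""
    fraud_date = dict(fraud_reports)
    victim_dates = [when for card, m, when in purchases
                    if m == merchant and _recent(fraud_date, card, when, lookback_days)]
    if not victim_dates:
        return set()
    start, end = min(victim_dates), max(victim_dates)
    return {card for card, m, when in purchases if m == merchant and start <= when <= end}


if __name__ == "__main__":
    ranked = common_points_of_purchase(PURCHASES, FRAUD_REPORTS)
    for row in ranked:
        print(row)
    if ranked:
        print("reissue:", sorted(exposed_cards(PURCHASES, FRAUD_REPORTS, ranked[0]["merchant"])))
```

The baseline matters: in a portfolio where half the cards have been hit, a merchant visited by half its customers who later had fraud is unremarkable, so the score is the ratio of the merchant's fraud share to that baseline rather than a raw count. The exposure window from `exposed_cards` is what lets an issuer reissue cards that shopped at the suspect store before their owners notice anything, which is the step that turns "traced back to specific stores" into fewer victims.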
My wife’s debit card was hit by this. She used it at a Michaels store in Skokie, IL (outside of Chicago) on April 18th. $500 was withdrawn from an ATM in L.A. on April 30th.
I am unhappy to report that POS compromising is not a new phenomenon. It has happened in the past with other retailers.
Dataloss reports the interesting detail that Michaels sends out info, and uses a link tracking service to see who clicks through to their FTC.gov link.
It seems here Brian has the true facts before he wrote about this breach. Not knocking Dataloss; it is a group of O.S.I. people sending articles to them, and they send to their subscribers what was already posted on the internet. Great work Brian.
Not just a few retailers… nationwide several a week are discovered… this knowledge is never made public.
It would be nice to have a list of the recently affected stores/chains so that those who have shopped there would consider it an alert to double check their accounts and be sure nothing is awry.
~Chelle in OKC
@Chelle, and @Roland.. PDF statement gives the listing for the stores.. not positive on how CURRENT this is, but at least it gives you an idea.
There was a situation some years ago, where the POS devices were compromised in the supply chain before they got installed, where the installers had no way of knowing they were already compromised.
There was a break-in at a factory which manufactured the devices, initially believed to be a mere burglary, until it was later determined that the burglary was a cover-up of the compromise of a large volume of the factory’s shipments.
TIME FOR A REMINDER:
It’s much safer to use a credit card than a debit card. If you have enough money in your bank account to cover your purchases, then you have enough to pay the credit card balance in full every month and avoid interest charges.
Ideally, you should use a credit card issued by a different bank than the one where you keep your $$$. Unauthorized credit card purchases are fully covered against loss when reported in writing, but usually a phone call will suffice to remove fraudulent charges from an account.
“It’s much safer to use a credit card than a debit card.”
For criminals, you mean?
Credit cards can be easily sold & used online, whereas debit cards in most cases involve physical contact (with an ATM for example).
Debit cards are almost worthless without a PIN code, credit cards are not.
Will they be publishing a list of the 70 or so stores that were affected?
@Roland – yes, debit cards may be “almost worthless with a PIN code”, but note the part in the article that says the criminals replaced the PIN pads with retrofitted devices.
Using a credit card is safer for consumers who want to protect their bank accounts from unauthorized entry. Consumer protection laws are a lot stronger for credit cards than for debit cards. Unauthorized transactions on a credit card are simple to report and reverse.
Resolving unauthorized withdrawals of $$$ that used a debit card requires a lot of time and paper work. Many banks require that you file a police report before they will investigate an unauthorized withdrawal.
I’m guessing you haven’t had much experience with this problem, and no, I don’t mean it’s safer for criminals. It isn’t always easier for them, either. See, for example:
Absolutely. I’ll add a few more reasons credit cards are lower risk.
1. It’s the bank’s money, not yours. You won’t be missing bill payments or bouncing checks during a theft.
2. Using debit on subverted POS devices or ATMs gives your PIN number, allowing them to clean out the account at another ATM. This attack is simple, costly to the victim and low risk in the eyes of most crooks.
3. Stolen debit cards with PIN sell for more online. Sites that sell credit cards for $25 a piece usually sell cards w/ PIN for $300-500. Crooks have incentives to go for those cards first or sell them quickest. They often sit on credit cards for longer.
Note that not all credit cards are just credit cards.
A Discover Card is only a credit card, and thus should be protected. I believe the same probably applies to American Express and Diner’s cards.
I have bank issued Visa (and at times Master)-cards, these are able to speak both the Credit and Debit protocols.
Unfortunately this means that if I use my Visa card as a Credit card at a compromised PoS terminal, and my pin is captured, criminals can later use my card’s details as a standard Debit card and I do not get the protection of the Credit protocol/laws.
“Unfortunately this means that if I use my Visa card as a Credit card at a compromised PoS terminal, and my pin is captured, criminals can later use my card’s details as a standard Debit card and I do not get the protection of the Credit protocol/laws.”
If you’re using your PIN, you’re running a debit transaction, not credit. Credit transactions are signature based, and MAY be covered under VISA/Mastercard protections. Either way, it’s a major hassle to a customer who doesn’t have access to the funds during the dispute process and the bank that will most likely take the loss in the end.
While cards w/PINs and CVV are certainly more valuable, cards w/out PINs and track info only can do just as much damage for a criminal who has figured out how easy it is to make counterfeit cards or buy 20 giftcards from a merchant.
You talk about giving signature or pin #.
In an earlier thread I shared about a common practice at many chains in my area, where we give neither. Borders Books for example.
Each time I am in a retail store, where we are checking out and they have not asked for my signature or pin #, I ask why.
So far, the reply has been identical at many different retail chains.
The clerk points to my signature on the back of the card, saying that once I have signed there, my signature is not needed again. This tells me there is some brain dead training program out there for retail clerks, being used by many different chains, whose leadership does not understand that this system cannot tell the difference between valid card usage, stolen card usage, or cloned card usage.
I asked about this at my bank. The teller told me that retailers can use any system they please, the bank has no authority over retailer security practices.
I would be interested to know if this behavior is consistent with PCI standards, and if some of the stores which have suffered breaches, used the same brain dead training program for their staff.
And Oh Yes, at many of these places you don’t need social engineering for customers to access the POS, because they are unstaffed while customers wait for a clerk to come check them out.
Lots of merchants (McDonald’s for example) have a threshold where neither a signature nor PIN is needed. As long as the purchase is under that limit, they won’t ask for a signature, and probably won’t even ask if you want “debit or credit”.
As an aside, if you have a merchant that actually looks at a signature you’re probably lucky. I haven’t had a signed check card in 5 years and it has never come up. They are only required to get a signature when needed, not prove that it’s yours.
No, the clerks are correct. Signatures never provided any real security against fraudulent transactions (it’s not hard to come up with something that looks close enough to what’s on the back of the card; clerks aren’t expert handwriting analysts); the only practical security of the credit card comes from the anti-fraud algorithms that try to identify unusual spending patterns (not that this is anywhere near 100% reliable). In real life a stolen credit card is almost never used for an attended transaction; it’s far more likely to be used at a self-service terminal or online (where the signature is irrelevant anyway).
And don’t get me started on “see ID”: it’s equally useless in practice as well as being a violation of the cardholder agreement for most cards.
So I guess you are opposed in principle to a scanner of the signed receipt which compares signature to what is on back of credit card, passing the buck to dumb software to decide if it is good enough.
Yes. It’s darn near impossible to use those stupid signature tablets anyway. Either the algorithm would need to be so forgiving that it’s useless, or it would reject legitimate users on a regular basis. And again, this isn’t how stolen cards are generally used anyway.
Signature captures are not for authentication but really for aiding prosecution of fraud/theft after the fact.
A physical action links the suspected individual to the time & place of the fraud.
“Somebody” had to sign; if an innocent suspect has a vetted alibi they are exonerated because they were not there at the time & place of the crime.
…But somebody did sign… and they haven’t been linked to the scene yet.
I was advised years ago on the vulnerabilities of VISA/MC enabled Debit Cards. In response, I’ve made it a habit to reject Debit cards issued by my bank in favor of an ATM card which I only use on Bank owned ATM machines.
However, banks (including my own) do not comprehend this and will occasionally reissue me a Debit card. They mistakenly believe they are doing me a favor by disabling my ATM card and automatically issuing me a feature-rich Visa-labelled Debit card. Every 2-3 years, I go through the frustrating process of rejecting the debit card and requesting a simple ATM card. Bank staff are dumbfounded that a customer would reject a debit card and do not understand the vulnerabilities they pose to their retail customers by issuing such a card. Furthermore, they are not trained, nor are policies and procedures in place, to issue ATM cards, which further complicates the matter for customers who do not want debit cards.
Thanks for the reminder!!!! No more debit charges for me.
I’m consistently dismayed by the corporate response to these incidents. The customer alert deflects any responsibility by the organization to provide an assured payment solution and places it on the customer to do all of the work in response to the incident. Also, since the customer banks will likely return any lost funds, there will be little pressure on Michael’s or its POS provider to make any real changes.
If anyone has a Michael’s nearby, I think that it would be great if you could determine the POS provider.
The problem exists on several levels. The banks use a setup they know is insecure and force it on users, both people and businesses. Their system is profitable enough that it covers losses pretty well. Businesses know their liability is minimal in the event of a breach and without any incentives they just don’t care. For instance, Sony’s breach affected 101+ million accounts and they didn’t have a firewall or updated software. Who doesn’t have a firewall during a time when they are free or built into most routers? Insurance companies provide another fallback mechanism for companies that lets them dodge responsibility.
The truth is that the main responsibility is on consumers. It’s our assets that are compromised and we place them in the hands of untrustworthy companies. People give companies so much information these days and do so little to push legislation holding companies financially accountable for carelessness.
An alternative is to do business with companies that don’t ask for much information, accept cash payments, etc. You won’t get those coupons in the mail or loaded on your loyalty card, but the crooks won’t get your personal information either. Security is always a tradeoff and these losses indicate consumers as a whole regularly trade against security.
“Debit cards are almost worthless without a PIN code, credit cards are not.”
Totally false. Both credit card and debit card magstripe data is equally valuable; both can be cloned and used anywhere. One is only limited by the amount of funds available on the credit card or funds in the checking account attached to the debit card. In order to pull out cash from either, you need a PIN number.
What JBV said is true in my opinion: it is always safer to use a credit card for all transactions. If you must use a debit card at a POS terminal, use it as a credit card and do not put your PIN number in.
Be careful about simply not entering pins.
The history of pins is depressing. From memory, there are two PIN fields, one can be used for chip and one for the mag strip. The problem is that getting a customer to remember and correctly use two pins is essentially impossible. As such, banks generally ask for a single pin and use it for both.
Some cards don’t have a PIN encoded on the mag strip, some do (odds are you have no idea if your card’s mag strip has a PIN on it; I certainly don’t). Technically that PIN is “encrypted” (I think it’s actually more of a one-way hash). I believe that given the computational resources available and the limited range of possible inputs, it’s probably trivial for someone to compute the PIN based on the “encrypted” value if it’s present in the mag strip. Remember that a card can easily retrieve $50 from an ATM, so if the computation costs are under say $10, it’s possibly worth it to rent the computation power for it (my guess is that the cost is <<$0.10, but I really don't know; I don't rent CPU time and haven't looked at the actual inputs).
Basically: if you care about your money you want to ensure you're using a Credit Card which is *not* a debit card, and you want to ensure that your issuer has a good system for recognizing fraudulent transactions.
It's much better to assume that all information on your card will be stolen and be able to trust that your card issuer will detect fraud than to try to rely on your card's information not being stolen.
I'm actually about to change countries and credit cards, so I'm going to actually get to spend some time investigating this stuff shortly (I do not look forward to it).
Am I the only one who looks at POS and thinks it stands for something other than “point of sale”?
It would seem that the crooks (aka hackers) are becoming far more organized. The tactic that surfaces for me is that they are targeting the poor and retired as a way of enhancing the success of the crime and minimizing the probability of being caught. For those who have never shopped at Aldi’s, it is a lower-end grocery store, equivalent to Big Lots, and most shoppers are at or below poverty level. Michaels’ shoppers are mostly retirees, single parents, others who are looking for creative gift-giving or supplies for a project that they hope to sell at a flea market to help make ends meet – essentially uneducated in the technologies hackers are using against them.
Our best strategy is to de-glamorize hacking and educate our family and friends on the techniques and tactics deployed against us and our families.
That seems to be a rather broad and insulting view. They are targeting merchants with lax protocols, plain and simple.
I agree with Woody’s strategy: educating our family members regarding what to look for and then enlightening them on the possibilities of tampered cash registers will help them protect themselves.
When we witness a place with lax security, we need a better way to complain, than a conversation with a manager, or trying to report them to our bank, since neither the merchant nor the bank personnel seem to give a damn about security. I’d like to report them to a consumer protection organization, which can put them on the list for testing, to verify my experiences were typical behavior for the outfit.
Once our info is stolen, it can be used at an infinity of places operating with brain dead security.
Info can be stolen where we have no direct contact with the transactions which were breached:
• I have cited an employer shopping around for health insurance, which gives our info to dozens of insurance companies, one of which gets breached.
• I cited the case of having e-commerce where your bank routing info needs to go into the records of everyone you do business with, each of which uses hardware and software which is targeted by malware. One business partner is breached, and bank info on everyone they do business with is now at risk of being hijacked.
Current breach notification laws give bad PR to the place from which the info was stolen, but no problem for the places from which the money was stolen. Perhaps if the laws could be altered to require divulging those places, like Borders Books or Best Buy, whose systems seem very friendly to crooks, there would be incentive for them to improve security.
With Borders Books, no identification (signature at time of check out) is needed with paying via credit card.
With Best Buy, they recently fired an employee, for the crime of stopping a shop lifter.
I’m living in Western Europe and a sizeable number of POSes here were already converted away from magnetic stripe to chip (debit cards with embedded chip have been distributed by default since 2000 and credit cards with chip since around 2004, therefore by now all cards have a chip). I’m looking forward to the replacement of all remaining magnetic stripe POSes (still about 70% remaining at the time, I’m estimating). I think I read in the comments section on this site that chips are not that much more secure, which is disheartening, if true.
I haven’t personally heard or read of any single case when chip-only POSes were skimmed, would be glad if Brian or anyone else with knowledge on the matter would “chip-in” comments confirming or denying the above.
Not quite sure if this will count for you but check out the article http://en.wikipedia.org/wiki/EMV#Vulnerabilities and look specifically at the sections “2010: Hidden hardware disables PIN checking on stolen card” and “Successful attacks”.
The problem is that smart chip cards are still vulnerable to CNP (card not present) transactions such as purchases through Amazon.
This was done at Shell gas stations in Britain several years ago.
Chip is considerably more secure. The problem is that there is still a legacy magnetic stripe on chip cards, which isn’t. If the cards were chip only (as is planned in Europe) skimming is practically impossible, as the chip uses cryptographic authentication methods. Most fraud on chip cards now occurs by skimming the legacy magnetic stripe data and using the details on-line or making cloned cards to use in less advanced markets that still only have magnetic stripe.
What happens to the credit card devices after hours? Are they locked up, or do the cleaning staff and vendors stocking shelves potentially have access? (I don’t know about Michael’s, but some stores — like supermarkets — just devote particular shelves to particular vendors and let those vendors’ delivery people stock and rotate their own items.)
@Woody – I don’t see too many poor people in Michael’s. It’s about the enjoyment of crafting, not saving money. And people who craft often enough to make gifts that are worth significantly more than the raw materials can probably find cheaper sources for supplies in bulk. Having money doesn’t protect many people from this type of scam, though.
Supposedly the placement of the devices in some stores, are such that a customer can insert a no-no while the clerk’s attention is distracted with another customer.
With the people who have been caught so far, are there any statistics on how they got the job done? … inside job, social engineering, Manchurian chip, break-in, no pattern.
Hi Al Mac,
Not sure what a Manchurian chip would be in this context, but in Europe I’m aware of individual cases falling in this categories:
1. inside job (especially in larger shops where tracking back the deed to an individual employee would be harder)
2. thieves hiding and letting themselves be locked overnight in superstores (no 24×7 program here). They generally tape over PIR and door sensors so that they can move undisturbed after hours.
3. Social engineering – distracting the attention of shop clerk while an accomplice tampers with the POS. The cases I know about in this category to be frank, actually involved stealing the POS, not replacing it, but I suspect their goal was to rebuild it and replace a similar model elsewhere.
4. tampering with devices in public places (train ticket machines, unsupervised gas pumps)
I’m sorry I don’t have precise statistics.
Manchurian Chip means that a person who is an authorized technician, doing an inspection of the hardware, is not going to be able to detect it.
There was a European situation with ATMs made in Russia. The factory was broken into, and other stuff was stolen to make it look like that was all they were interested in. Many ATMs got shipped with more electronics inside than should have been there. The ATMs did ALL the stuff they were supposed to do, and passed all factory testing.
But in addition, crooks could go to the ATM, key in a special code, and get printed on the ATM paper a list of customer accounts, PIN #s, other info, on people who had used that ATM. There was no skimmer.
There have been cases in USA, with ATMs and Gas Pumps, where the skimmers are mocked up to look so much like authorized hardware, that they cannot be detected by local technicians or the police.
I am in contact with a manufacturer of some of this hardware, where I have made suggestions for next generation fighting the spoofing, where it would be inappropriate to state in public what I have suggested.
There is a problem with the judicial system … they catch some guys, and it has to come out in court what the evidence was against them, then the other crooks learn from that how to do a better job of the spoofing.
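The swap attacks described above and in the article (a pad taken out and replaced with a retrofitted one, or with a look-alike a local technician cannot tell apart) are exactly what a merchant's device register is meant to catch: every deployed PIN pad has a known serial, model and lane, gets a periodic physical inspection, and reports itself to the POS controller. The Python below is an added example, not code from Michaels, Aldi, any pad vendor or this site, of the daily reconciliation a merchant can run between that register and what the lanes actually report. The store numbers, serials, model name and inspection dates are constructed.

```python
from datetime import date

# Constructed authoritative inventory (hypothetical store and serial numbers,
# not Michaels' data): serial -> where the device should be and when it was
# last physically inspected for tampering (seals, weight, overlays).
INVENTORY = {
    "SN-1001": {"store": "0417", "lane": 1, "model": "PP-200", "inspected": date(2011, 4, 1)},
    "SN-1002": {"store": "0417", "lane": 2, "model": "PP-200", "inspected": date(2011, 4, 1)},
    "SN-1003": {"store": "0417", "lane": 3, "model": "PP-200", "inspected": date(2011, 2, 10)},
    "SN-2001": {"store": "0522", "lane": 1, "model": "PP-200", "inspected": date(2011, 4, 5)},
}

# Constructed daily heartbeat from the POS controllers: what each lane reports.
OBSERVED = [
    {"store": "0417", "lane": 1, "serial": "SN-1001", "model": "PP-200"},
    {"store": "0417", "lane": 2, "serial": "SN-9876", "model": "PP-200"},  # serial nobody issued
    {"store": "0417", "lane": 3, "serial": "SN-1003", "model": "PP-200"},  # long since inspected
    {"store": "0522", "lane": 2, "serial": "SN-2001", "model": "PP-200"},  # registered at lane 1
]


def reconcile(inventory, observed, today, max_inspection_age_days=60):
    """Compare what the network sees against the device register and return
    one finding per discrepancy, each a dict with a 'kind' and the details."""
    findings = []
    seen = set()
    for dev in observed:
        serial = dev["serial"]
        entry = inventory.get(serial)
        where = {"store": dev["store"], "lane": dev["lane"], "serial": serial}
        if entry is None:
            # A device the company never deployed is answering on a lane:
            # the classic swapped-in pad. Disable the lane and quarantine it.
            findings.append({"kind": "unknown_serial", **where})
            continue
        seen.add(serial)
        if (entry["store"], entry["lane"]) != (dev["store"], dev["lane"]):
            # A real device in the wrong place: moved by staff, or moved by
            # someone who took the original and left it elsewhere.
            findings.append({"kind": "location_mismatch", **where,
                             "expected": (entry["store"], entry["lane"])})
        if entry["model"] != dev["model"]:
            findings.append({"kind": "model_mismatch", **where, "expected": entry["model"]})
        if (today - entry["inspected"]).days > max_inspection_age_days:
            # Electronic checks cannot see a physical overlay; schedule a visit.
            findings.append({"kind": "inspection_overdue", **where,
                             "last_inspected": entry["inspected"].isoformat()})
    for serial, entry in inventory.items():
        if serial not in seen:
            # Registered but silent: removed, stolen, or replaced by something
            # that does not talk to the controller at all.
            findings.append({"kind": "missing_device", "store": entry["store"],
                             "lane": entry["lane"], "serial": serial})
    findings.sort(key=lambda f: (f["store"], f["lane"], f["kind"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(INVENTORY, OBSERVED, date(2011, 5, 1)):
        print(finding)
```

The caveat matches the comment above: a replacement built to impersonate the original down to its reported serial passes the electronic check, which is why the `inspection_overdue` finding exists alongside the others. Serial reconciliation catches removals, careless swaps and devices that wander between lanes; the physical inspection, with its own record in the register, is what catches the convincing look-alike.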
And again Brian excellent investigating on this breach. I now see the Chicago Tribune did a story on this. Hmmm what was Michaels waiting for the SUN to burn out or maybe everyone will forget about this massive breach. 🙂
It’s easily fixed if the banks were willing to fix. When Canadian banks are posting Q1 profits of $1.5 billion dollars, I don’t think they care!!!
What should banks do differently? Keep in mind that the compromise was at a retail terminal, not a bank.
Banks should conduct more frequent security audits of the places authorized to accept their credit cards, based on volume of business, or exposure.
But remember that it’s the banks that will suffer the loss for these ATM withdrawals. I agree that it’s in their interest, but there’s no means to force this.
How much have they paid to secure their corporate systems to consulting firms and software vendors? Another example of the illusion of security, behind the ball analysis doesn’t apparently help at all because there is little to learn from past experience.
This is in reply to Robin, but for some reason the comment system is preventing me from threading it correctly….
Robin, while I am an American, the credit-debit card I have is not a US card. It happens to be Finnish — Visa is thankfully a worldwide brand.
For your convenience, here I’ve excerpted the relevant bits from Wikipedia’s article about chip-and-pin cards (the article about “Chip_and_PIN” is about a UK branding and not the standard — joy):
* EMV stands for Europay, MasterCard and VISA, a .. standard for … “chip cards”, … POS … terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.
* … the majority of implementations of EMV cards and terminals confirm the identity of the cardholder by requiring the entry of a PIN (Personal Identification Number) rather than signing a paper receipt.
And yes, I know that in the US it’s possible for me to charge w/o signing if the value is below a certain threshold (this tends to work in US airports and certain other places). Sadly this enlightened view is less commonly found in Europe.
grr, I wish the comment system would warn me about html markup. it will merrily reject my comment entirely claiming i already posted, but it won’t warn me if i write [less-than]url[greater-than] that it will eat the entire section.
the Wikipedia article is http://en.wikipedia.org/wiki/EMV
Surely this is a lot bigger than Michaels. Which vendors PIN pads have been compromised (VeriFone, Ingenico..??). It seems to point to a security problem with the PinPad, and if that PinPad is used in other retailers then there could be a much bigger problem out there….
I think that we have to deal with the real problem that is right in front of us: human engineering. The compromise was executed by using an unauthorized device that was convincing enough to fool several retailers and customers that there was nothing amiss for an impressively long period of time. In fact, many customers (victims) don’t even know that they’ve been robbed yet since they haven’t checked their statements.
I don’t know what banks can do about this on the front end, but it’s in their interest to make the retailers exercise better security over their payment devices. However, only the merchant bank has a direct relationship with Michaels and they are not liable for the losses.
The actual losses are being absorbed by hundreds of banks who issued debit cards to their customers. The merchant bank has no liability at this point and I don’t see how they can be held liable. It seems to me that the merchant had a security breach and yet will they be made to pay for the losses? No. There’s no legal means to force them to do so. Maybe there should be.
It depends what was ‘unauthorised’ about the device. If the device was PCI approved, and yet it was possible to install a PIN-disclosing bug, then there is a problem with the device and the device vendor should be liable. If there was a problem with the retailer allowing a plainly and obviously compromised device to be used, then yes, the liability lies with the retailer.
We live in Las Vegas and have not been in a Michaels store in 6+ months… We lost $1000 this weekend; 5 withdrawals @ $200 each… all from a bank in California… We were fortunate to have had our bank fraud dept catch it and lock our accts down; will have $$ back within 5-7 days. THANK GOD. There were 13 other customers in the bank this morning with the same issue. NOTHING is safe nor secure in this world… very sad testament to what the world has become…
to all : this would not happen if our US banks would give us those “chip” cards that are used almost everyplace else in the world ! They are much more secure and almost impossible to counterfeit. Seems like we in the US have stayed in the 20th payment century !
Last night I went to use my debit card & it was declined. Annoying, since I knew there was money in the account. Wound up writing a check. Turns out I was one of Michael’s compromised customers, but here’s the kicker: I was at Michaels May 19th! Appears they didn’t get all the bad terminals! I was lucky though, since they didn’t get any money out of my account. Makes me think twice about using good old All-American CASH!!
My wife used her debit card at a Michaels in Coralville, IA on 7/8/2011 and our checking account was just drained this morning. The thief hit us from an ATM in Martinez, CA. Are they based out of the Bay Area??? My wife contacted Michaels and they said this store was already on the list of known stores. What is being done to stop this??? ATM machines have cameras. Federal agencies have resources. Do I need to bring in some 5th graders to finish putting two and two together here?
well, now you know to only use credit cards, never debit cards. don’t be fooled by the banks into using something which is only better for them. (Just pay the credit card off each month–same fiscal outcome, more consumer protection.)
I’ve known this for years, but after the housing market crashed my CC companies raised all my fixed rates from 8% to 25% and 30%. I had to sell everything and almost claimed bankruptcy over that legal crime. The only answer now is to say screw the system and deal in strictly cash-based operations.
The rate doesn’t matter if you don’t carry a balance. If you just want to opt out of the system and pay cash, then do that–and turn off the debit card.