25 Jan 14

Sources: Card Breach at Michaels Stores

Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.

On Friday morning, I put a call in to SPM Communications, the public relations company listed as the press contact on michaels.com. After explaining why I was calling, I was referred to a Michael Fox of ICR Inc. When asked what line of business ICR was in, the SPM representative replied that it was a crisis communications firm. Mr. Fox replied via email that he would inquire with Michaels, but so far the company has declined to comment.

Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”

The statement continues:

“The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.”

“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”

Their full statement is here (PDF).

Original story:

Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.

On Friday, KrebsOnSecurity heard from a fraud analyst at a large credit card processor that was seeing fraud on hundreds of cards over the previous two days that had all been recently used at Michaels. The fraudulent purchases on those cards, the source said, took place at the usual big box stores like Best Buy and Target.

“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within the past week or two there was a lot of activity talking about Aaron Brothers,” said the source, who asked to remain anonymous because he was not authorized to speak to the media. “One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”

Assuming my sources are correct and Michaels did have some kind of breach involving payment cards, this would not be the first time. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

It remains unclear what type of compromise may have prompted several banks to identify Michaels as the breached entity. But recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-of-sale registers at those stores. Target has said the breach may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers. Earlier this week, Neiman Marcus revealed that the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.

According to Fox, ICR Inc. was brought in by Michaels to handle the retailer’s planned transition to a public company. Last month, the company filed paperwork for a potential public offering of its common stock. According to those filings, Michaels generated revenue of $4.41 billion in 2012. Michaels has said the timing, number of shares to be sold and the price range for the proposed offering have not yet been determined.


82 comments

  1. Yikes! So everyone should be checking their charge statements often, no matter where you shop. And I suspect that these disclosures will continue.

    Would be interesting to know what was in common in all of these breaches, whether in the payment processors, or common POS systems.

    Another great story!

    • Good point, no matter how much you encrypt, data is entered in the clear when entering the system – and all systems are connected through a network or the internet directly. Only mitigation against replaying intercepted account info is to make the data dynamic (and thus of no replay use)…this is the basic security concept behind EMV / Chip transactions.

    • Yes, you can expect this pattern of attack to continue for some time…probably years in my estimation. Michael’s is the latest example. The Target and Neiman Marcus attacks, respectively, are high profile news makers but were not the first breaches. The problem is huge for retailers.

    • Thanks, Rick. I wanted to share something a follower on Twitter (@SynAckPwn) put together which made me laugh out loud.

      http://krebsonsecurity.com/wp-content/uploads/2014/01/bkcycle.png

    • It’s time for the US to catch up with the rest of us that use Chip & PIN.

      The costs to consumers for these breaches are now an order of magnitude _higher_ than any costs associated with changing out the POS terminals and backend for Chip & PIN as well as RFID (Tap&Pay).

      I was very surprised and quite disappointed on a recent trip to L.A. and then on to FL that we were always prompted to swipe our cards. 🙁

      At what point will the costs of these breaches finally shake some folks up enough to move on from swipe?

      Oh, and as far as Target, even we in the SMB/SME consulting field lock down the edge devices and switches to block all traffic. It’s a shame that Enterprise class networks are operating in what seems to be a backward manner in comparison.

      • This is already on its way. But until nobody at all accepts a magstripe card without a chip/pin, those magstripe cards will always exist and be useable — you will just be less likely to be swiped and ‘swiped from’ if you have control of the card (an important distinction).

        Complaining about this at this point is like mocking a fat woman who is taking a walk. She is doing something already — pointing out the flaw will not make the process happen faster.

        Changes take time to implement over large systems that require large changes. Even the (largely uneventful) Y2K changes took years in some places. They are already working towards making the US chip & pin. They have a so-called deadline. Complain if it is not reached. 🙂

  2. At this point, the only thing protecting cards is the fact that the huge volume of stolen cards is probably so big they can’t sell them/find mules/ways to buy stuff fraudulently fast enough.

    At this rate, by the end of 2014, all cards in circulation will have been copied!

    • Unfortunately I must disagree. I have 2 friends, roommates, that already had fraudulent charges, believed to be related to the Target breach. (Thanks Brian Krebs for bringing that one to light). Just because there’s so much quantity it doesn’t mean that by grabbing a handful or 2 or 100, there won’t be a significant, even wide-spread theft of cash from the accounts associated with these cards. And with the price of the numbers being so low, just about any criminal with a few pennies can grab one and make a little cash using the vast technical advances in “privacy” that we have now. It’s a double-edged sword. We create more privacy, the criminals learn to bust ours and then use it for their own devices. So yes, replying to Rick…*always* check your statements. If it’s a debit card, check it daily. The sooner you catch something that doesn’t belong, the better.

      • Oh, I agree with you, I didn’t mean it as in “we’re protected” but more in a “last hope” kind of way.

        I wish my bank offered push notifications when purchasing something with a credit card. It would be even better if I had to click “Proceed” before the POS got the approval.

        • Visa’s http://www.v.me site allows you to register cards and receive notifications for all charges processed through the Visa network. You define the parameters. The site is designed as a payment site as competition for paypal, but I only use the notifications portion of the site.

  3. So here’s a question… If you were a financial institution looking to provide a high level of service to your clients, would you start replacing credit and debit cards every 6 to 8 months (with new account numbers) every 6 to 8 months instead of every three to four years as a means of protecting your client base…

    • I would submit that if a financial institution was looking to provide a high level of service they would be building a better barn, rather than closing the barn door randomly hoping the bad guys are on the other side of it.

      • Banks no longer own any part of the retail payment system… Checks and cash standards are in the hands of the Federal Reserve, and credit cards are controlled by MasterCard, Visa, Discover and American Express. These four companies are now all public, and no longer controlled by the banks.

        Yes, it would be great to have a more secure system (EMV cards would be a big step forward, Chip and PIN would be even better), but it’s not under control of the banks anymore.

    • Carl 'SAI' Mitchell

      What I want is a smartphone app for payments that works as follows:
      The phone reads the attempted charge and a unique code, either via a QR code (online purchase) or NFC (in-store). The user approves or denies the charge. If the user approves the charge, a code is generated that the user types in to the computer (online purchase) or sends via NFC (in-store).

      The code is created by signing the amount of the charge and unique code with the user’s private key. The private key is also held by the credit card company/issuing bank, just as a credit card number is. The user never has to directly know the key, it can be stored encrypted and protected with a password.

      It’s still vulnerable to malware on the phone, but not to malware at the merchant. It’s much less vulnerable to social engineering, since the charge authorization codes are one-time use.
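The one-time authorization flow sketched in the comment above, as an added Python example (not the commenter's code, nor any payment network's). It assumes a shared HMAC key in place of the public/private key pair mentioned, since the comment has the issuer holding the same key the user does, and it assumes the merchant-supplied "unique code" is a random nonce.

```python
"""
Illustration of per-charge, one-time authorization codes (constructed example).
Assumption: the phone and the issuing bank share a 32-byte secret and use
HMAC-SHA256 over (amount, nonce); the issuer remembers every nonce it has
already approved so a captured code cannot be replayed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def phone_sign(key: bytes, amount_cents: int, nonce: str) -> str:
    """What the phone computes after the user taps 'approve' for this charge."""
    msg = f"{amount_cents}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Issuer:
    """Issuing bank: holds each customer's key and tracks consumed nonces."""
    keys: dict                                  # account id -> shared secret
    seen: set = field(default_factory=set)      # (account, nonce) already used

    def new_challenge(self) -> str:
        # Unique per-charge code the merchant presents (QR code or NFC).
        return secrets.token_hex(16)

    def approve(self, account: str, amount_cents: int, nonce: str, code: str) -> bool:
        key = self.keys.get(account)
        if key is None:
            return False
        expected = phone_sign(key, amount_cents, nonce)
        # Constant-time compare so a timing leak cannot reveal the code.
        if not hmac.compare_digest(expected, code):
            return False
        # One-time use: the same (account, nonce) is never honoured twice,
        # so malware at the merchant that captures the code gains nothing.
        if (account, nonce) in self.seen:
            return False
        self.seen.add((account, nonce))
        return True


def demo() -> dict:
    """Run the honest flow plus three things a compromised merchant might try."""
    key = secrets.token_bytes(32)               # constructed sample key
    issuer = Issuer(keys={"acct-1": key})
    results = {}

    n1 = issuer.new_challenge()
    c1 = phone_sign(key, 4999, n1)              # user approved $49.99
    results["honest"] = issuer.approve("acct-1", 4999, n1, c1)
    results["replay"] = issuer.approve("acct-1", 4999, n1, c1)

    n2 = issuer.new_challenge()
    c2 = phone_sign(key, 4999, n2)
    # Merchant submits a different amount than the user signed.
    results["tampered_amount"] = issuer.approve("acct-1", 9999, n2, c2)
    # Code presented against an account it was not signed for.
    results["wrong_account"] = issuer.approve("acct-2", 4999, n2, c2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'approved' if ok else 'declined'}")
```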

  4. I am surprised Michael Stores did not have an integrated fraud detection and prevention ecosystem. Fraud analytics is today an inseparable component of retail management.

    • Isn’t fraud analytic meant to protect against people using stolen cards to buy stuff in your store, causing chargebacks and a whole bunch of issues?

      How would it help in a case where cards are being stolen from your POS and used at Target after that?

    • Michael’s IT infrastructure is a joke. The hardware and software used at the store level was outdated 5 years ago. I’m amazed they haven’t had a major breach before now.

  5. TheOreganoRouter.onion

    This is a huge wake up call to banks, retail, Visa, MasterCard, Discover and American Express to start moving to chip and pin credit cards in the United States

    • I go up to Canada a few times a year, and get that, sigh, when are you guys going to start using a chip card. My answer is that US banks are too cheap to switch over to technology that the rest of the world has had for years. It would take a massive push to get them to spend the money.

      Would all these massive breaches be enough of a push..

  6. This is real. My card got compromised and a dozen fraudulent charges showed up on Jan 21. I used it at Michael’s on Dec 13. Never used it online, mostly small local shops.

    • Just because you used your card at Michael’s does not mean this was where your card information was stolen. Nor can you be sure it wasn’t, obviously. If you are using local stores, the odds are probably higher that it was stolen at or through one of them (most small store POS systems are far more likely to get breached, and most breaches involving small store POS systems are more likely to have the breached cards used). Where were the charges? Get a new card.

  7. EMV and C-n-Pin generally mean the same thing and don’t necessarily solve all the attack vectors. I don’t know how non-EMV chipped cards work. There are known flaws that are being exploited today http://krebsonsecurity.com/2012/09/researchers-chip-and-pin-enables-chip-and-skim/ . It is harder than signature-based authorization, but still possible.

    It is tough to design a secure, but useable system for world-wide use. Some places only work with signature-based CCs and others only work with EMV type cards. A few places support either, but more and more the retailers there are refusing to accept signatures overseas. I doubt the Oct 2014 deadline for EMV in the USA will happen.

    • My understanding is that the flaws you cite are bugs in some POS terminals (improper random number generation), and not flaws in EMV itself.

  8. Here we go again

    Krebs, you picked a good topic for a blog, it’s a never ending story :)

  9. There will be more companies to follow. I believe by the end of February we will see the real impact.

  10. I just saw a headline about a security breach at Michael’s and rushed here to read about it. My debit card and pin were recently hijacked and $503.00 withdrawn from checking from an ATM in Mpls – I knew it couldn’t be due to the TGT security breach because I’ve never used my debit card there (and all I use is CASH now) but I had recently shopped at Michael’s and entered my pin at the register. Ugh. Please keep updating the story as details come in; the more facts I learn about these crimes the less I feel victimized for some reason. I hope I see the day when the people behind all of these data breaches are behind bars.

    • That can only mean one thing – they have all the pin numbers as well.

    • “because I’ve never used my debit card there (and all I use is CASH now) but I had recently shopped at Michael’s”

      If you are using this much cash are you getting it at bank cashier? ATM inside of bank? Or is it not more possible that you had your card and pin skimmed at an ATM? I am not saying it is not Michael’s, but I am suggesting you evaluate what is more likely. 🙂

  11. I haven’t been to a Michael’s in years. A couple of weeks ago I needed a frame, and guess where I went. So far there’s no indication as to the time frame of this latest breach. I called–probably within 10 minutes of the report on abc.com– and all she could tell me was to watch Michael’s website.

    About a week ago I heard that there were six other known breaches. When do they plan to let their customers know?

    • Good thing I signed up for alerts from my credit card companies and banks, years ago. I’ve actually caught fraudulent charges before they have. Daily balance alerts, on-line charges, gas station charges, international charges, and more–I love those lightening fast alerts. If that’s not enough, I still check my accounts a few times a week, and look at my credit reports regularly.

      Despite all that, I know I can still get hit for something.

      • I set up alerts on Bank of the West but the alerts are only sent when the bank does its batch processing, so if you lose money on a Saturday, the bank does not send the alert till the following Monday night. Really crappy service, and hardly worthwhile.

        I wonder how many other banks offer phoney alerts like this?

        We should get better service to protect our accounts.

    • Was in a Michael’s today – the POS unit attached to the checkout counter had a handwritten sign taped to it saying, “Hand Card to Cashier.” Does that count as notification?

  12. Oh, this is just great. I shopped at Michael’s for the first time last week now I’ll be a wreck worrying and watching my account every day. From now on I’m gonna use cash.

  13. The more this goes on, the more likely I am to start using cash for all in person purchases.

    As for Internet purchases, well, I’ll make purchases only when there is sufficient financial motive to do so.

    This is going to hurt.

  14. I just went through this with Target and had to ask for 2 new debit cards for 2 different accounts, and now this.

    I called the bank and talked to them about using my debit card as a debit vs. credit payment. Even if you change your pin number you are not safe. You must get a new card.

    I asked about a pin number allowed for the card when using it as a credit purchase, and they don’t allow a pin for the credit purchase on a debit card. This would save them and us a lot of money by not having to send out new cards if they would implement pin numbers for credit purchases as well, then all we would have to do is change our pin number and that would protect our debit card all the way around.

    Straight up credit cards should apply the same procedure.

    I am sick of the thieves!!!

  15. At what point does this pervasive feeling of you’re not safe anywhere using a credit card get big enough / strong enough that people start not spending so much and it snowballs into a bit of a crisis (i.e. an identifiable drop in consumer spending with associated economic effects).

    Keep digging Brian – the credit card companies and the govt (when it realizes the health of the economy could be affected) will want to keep the information on this stuff behind the curtain.

  16. All of the targeted companies had refused to invest in modern PCI (Payment Card Industries) compliant POS (Point of Sale) systems. They willingly traded reduced infrastructure cost against risk to their customers. Notice that no Canadian stores have been affected, as PCI/EMV compliance is mandatory.

    PCI systems immediately encrypt at the card reader upon swipe and upon PIN entry, whereas the affected corporations’ systems allowed unencrypted card and PIN data to flow freely through their Windows-based PC network, an environment where the malicious software has free rein to scan memory and steal customer data.

    As fewer of these PCI holdouts remain, the criminals will target these lazy negligent corporations all the more. It is your data at risk, not theirs, after all.

  17. I suspect other retailers have been affected. One of my cards is being automatically replaced by the bank *after* I ordered a new one after the Target breach.

  18. For the time being, it is best to pay in cash for all day-to-day in person shopping. There is no need to expose your personal information to hackers and the NSA each time you buy a pair of pants!

  19. Scum! Michael’s ? Why? This sickens me! I am unemployed and my husband is retired. Yes! We live on his Social Security income! I use my creative abilities to create gifts from the heart! Gifts given to those we love! Something else to worry about because of of someone else’s greed …

  20. Michaels.ca runs on a separate network from Michaels Stores. All eCommerce transactions on michaels.ca are secure and PCI compliant. You may rest assured that your credit card numbers and personal information are safe with Michaels.ca.

  21. Banks can’t afford to replace cards sooner than 3-4 years out or with EMV technology because of all the money they’re eating due to signature-based fraud. Not to mention the $20,000+ (per ATM) they’re spending upgrading and replacing ATMs so that they’re compliant and EMV certified. One step at a time is the best they can do. It’s never any one person’s fault, but rather a consequence of our time. If anyone should blame someone, blame the hackers and fraudsters that are blowing their intelligence on a prison sentence when they’re caught instead of getting a real job.

    • Well, it’s a little more cloudy than that. The banks lobbied our federal legislators so they deduct 1/2 of their credit card theft losses from their tax bill – the other 1/2 they can pass on directly to customers in their fees etc.

      The one downside to them is if this becomes pervasive enough that people start not using credit/debit cards – we’re approaching that inflection point and then a crisis atmosphere might get the legislators to do what’s better for the population (rather than who lobbies them) with regards to this stuff (till things blow over).

  22. Chip and pin in the UK was implemented but as far as I know encryption was not always used between the keypad and the device it is connected to where they are separate devices which has led to card data and pins being compromised. So it is more secure but needs to have encryption every step of the way. If the banks are all tight and greedy they will no doubt do the absolute minimum that they can get away with. It’s all down to greed and profit. Greed will be the downfall of the human race if we don’t do something about it. Look at all the scandals that have come to light over the past few years. And all these retailers that have had data breaches. No doubt more will come to light in due course.

  23. irony of the day:

    When you go to michaels.com, a popup is displayed that exclaims, “Give us your email. We’ll show you some love.”

  24. Chip and Pin will be coming soon ( now that the public is starting to realize how vulnerable they are). The part that irks me is that the CC companies will expect a Silver Star for jumping on the grenade, even though they pulled the pin and threw it at the consumers.

  25. Good afternoon!

    Is there a connection between the malware that has struck US Retailers and the Dexter virus? Dexter isn’t new, but seems to have returned recently (in particular India.) Also seems to do some of the same things the malware that hit Target, et al has been shown to have done. I don’t know if this has been previously discussed, but was wondering if there is a perceived connection.

    Thanks for your insight in advance!

  26. Brian, your Michael’s diligence has promoted recognition of your efforts on page 22 of the National Section in the 1/26 Sunday NY Times. It includes your name and title. The article is just short of the Obits on the next page, or should I say just short of the beginning column of the Obits… advertising dollars have a persuasive way of burying, or should I say obscuring, bad press. Michael’s grudging mea culpa believes it is appropriate its customers know that a “POTENTIAL ISSUE MAY have occurred”. So let’s all sit tight and agonize in perplexed wonderment about what life will be like using only cash or bit-coins for all our future purchases.
    One flickering point of light in this ever expanding mess is that many of us can thank our lucky stars we’re not a part of the small but growing group of customers who have unfortunately shopped at all three of the breached retailers.
    Brian won’t receive any stock options from the business community and he hasn’t won the lottery… His efforts are invaluable… support what matters and do the right thing…
    send a donation….

  27. One thing to think about — if you have a credit card account jointly with a spouse, it makes it more difficult to fight fraudulent charges. You have to both go to a notary public TOGETHER to sign the form declaring the charges unauthorized. That might mean taking off work in some families, often the same families where the lost income would be greatly missed.

    It’s also harder to notice charges you don’t recognize if two people are using the account.

  28. Yikes! My card was fraudulently used a week ago and now I’m not sure if it is from Neiman Marcus or Michaels! What a mess.

  29. I have not received any notifications from Michael’s outside of the press release on their site and news reports.

  30. TheHumanDefense

    Brian,
    Still nothing on the point of entry on Target or NM? This all smells like a spear phishing delivery of malware, but I could be wrong.