Robbery at Michaels Stores Register Involving Card Data Explained

Jay Decenella, IT audit expert
May 23, 2011

A major card data theft that occurred in Chicago-area stores of Michaels Stores Inc. earlier this month may have been just the tip of the iceberg: the home decoration retailer has confirmed that PIN pads in selected stores across the USA have also been tampered with.

After a preliminary screening of PIN pads in all US stores, Michaels found that fewer than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores had been compromised. These were immediately disabled and quarantined.

But “out of an abundance of caution” it removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its US stores.

Although Michaels discovered that the machines used by the thieves included point of sale (POS) technology capable of siphoning customer payment card data and PINs, little information was provided specifying the device.

POS skimmers are typically marketed and sold in one of three ways according to independent security expert Brian Krebs, who provided details of the POS modification devices.

The devices can include pre-compromised POS terminals that can be installed at the cash register; fake POS devices that do not process transactions but are designed to record data from swiped cards and PIN entries; or do-it-yourself kits that include all parts, wiring and instructions needed to modify an existing POS terminal.

Citing the POS modification devices which a skimmer he had spoken to sells on an exclusive underground fraud forum, Krebs noted that the skimmer kit includes a PIN pad skimmer and two small circuit boards. One is a programmable board with specialized software designed to interact with the real card reader and to store purloined data, while the other is a Bluetooth-enabled board that allows the thief to wirelessly download the stolen card data from the hacked device using a laptop or smartphone.

“Buyers specify the make and model of the POS equipment they want to compromise,” Krebs said, adding that the skimmer specializes in hacking VeriFone devices, with feedback left on his profile indicating that many customers had been “satisfied”.

“The PIN pad skimmer is an ultra-thin membrane that is inserted underneath the original silicon PIN pad. It records every button pressed with a date and time stamp. The thief must also solder the two boards to the existing PIN pad device to hijack the machine’s power and data processing stream,” Krebs explained.

POS manufacturers try to preserve the original function and form of the devices by including tamper-proof seals and other security devices. These are meant to make it difficult for would-be thieves to modify the machines, but the makers of POS skimmer kits furnish instructions for bypassing these protections.

The stolen card data is used to produce counterfeit cards that can be used in combination with the victim’s PIN to withdraw cash from ATMs.

Because consumer protection laws provide stronger protection for credit cards, debit cards are riskier when exposed to unauthorized transactions, Krebs noted.

The card data theft that was brought to the attention of Michaels Stores involved debit cards reported by banking and law enforcement authorities.

The retailer has already coordinated with payment card brands and issuers to further identify accounts that may have been compromised and alert card users to a possible card data theft involving their cards.
