
Michaels Stores Investigating Possible Data Breach 106

Posted by timothy
from the switching-targets dept.
tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."
  • Credit cards (Score:2, Insightful)

    by Anonymous Coward

    Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing.

    • by Nerdfest (867930) on Sunday January 26, 2014 @12:06AM (#46070629)

      I'm not even sure that will help. These guys have proven that they're quite ... crafty.

  • Chip & Pin (Score:5, Insightful)

    by beelsebob (529313) on Saturday January 25, 2014 @09:53PM (#46070047)

    Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a rollout would have.

    • by khasim (1285)

      This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a rollout would have.

      Maybe, maybe not. Criminals usually take the easiest way into a system. So replacing one flawed system may be sufficient. Or there might be more flawed implementations at their data center.

      I think the real issue here is how the companies seem to have no idea how to do computer security.

    • Just wait (Score:5, Interesting)

      by ArchieBunker (132337) on Saturday January 25, 2014 @10:24PM (#46070231) Homepage

      As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

      • The chip is not there to protect customers' interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

        (Royal Bank of Canada)

        • by Mashiki (184564)

          Yeah, that's not legal in Canada, just an FYI. The feds cracked down hard on them for trying that one. Doubly true since there are now chip skimmers out there that can duplicate the chip, though they're very rare at the moment. Even with that, you'll find that most of the banks in Canada are now partnering with either Visa or MC for loss coverage on chip & PIN cards.

          • Not legal to have the customer eat the losses? I'll have to look further into it, I already contacted the ombudsman about that. Does it apply to ATM cards or just credit cards?

        • by ScentCone (795499)

          The chip is not there to protect customers' interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

          And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.

          • by Rich0 (548339)

            The chip is not there to protect customers' interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

            And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.

            Well, the chip doesn't guarantee that it wasn't cloned. It just guarantees that if it was cloned it becomes the consumer's problem. It also makes it much harder to clone.

            • That's my point. Their argument is since the card was used with the chip, and that it can't be cloned (not entirely true), it's *my* problem, not theirs. So, as you said, it's a way to put the losses on the customer.

      • by Solandri (704621)

        As soon as the cost of chip and pin is less than the cost of security breaches they will switch.

        That's just it. The credit card companies have shifted the cost of fraud to the merchants, so chip and pin will probably never be cheaper than the cost of a security breach to them.

        That's the real fundamental problem here. The credit card companies have made the merchants pay for fraud, and the merchants have no leverage to improve the security of credit card machines or networks. Heck, most merchants don'

      • by Dunbal (464142) *
        Cost of breaches? My dear sir, haven't you noticed that banks are now too big to fail? There is no cost to anything for a bank. If there is a cash flow problem simply go talk to uncle Ben and he'll hand you another few interest free billions - much easier than actually having to work (gasp) for your money. Consequences are for the little guy. When he gets in trouble we buy him up cheap. But seriously do you know how HARD it would be to actually secure the network? It's not like the card holder is responsibl
      • by Muad'Dave (255648)

        Bank Of America is planning to support [bankofamerica.com] Chip & Signature [wikipedia.org], not chip & PIN.

    • If Chip & Pin were the answer, the financial incentives of having it in place would make it the obvious choice.

      Clearly externalizing loss to the merchants and consumers is financially more attractive. And there's your answer to "Why?" No need for useless rhetoric because there is a simple answer.

      If you want a more complicated answer, the merchants basically have no say and the consumers don't care, so the issue rarely gets pushed.

      Re-wiring all of the point-of-sale machines would be a major expense, ev

      • by Mashiki (184564)

        The US banks have waffled on it for nearly 6 years and getting terminals upgraded. We've been fully chip & pin in Canada for that long now, and if you're wondering why it hasn't been done it's because the cost of upgrading millions of terminals is expensive.

        • by Dunbal (464142) *

          Yeah those poor banks, only earning an up to 3% "cut" of every single transaction, billing most of their customers for regular "transaction" fees, hardly paying out interest at all to savers, getting money for free from the government (because you know, they're too big to fail) and charging their debtors usurious interest. Poor, poor banks. Changing the terminals is so EXPENSIVE.

          Seriously, they pass a regulation saying all terminals must be changed by x date and surprise, you the merchant are going to hav

    • The data was stolen from the POS device's RAM during the brief amount of time it was there. Would Chip and PIN prevent using any of that data later on? Seems like the PIN would have to be in memory at some point also, but I don't really know.
      • by beelsebob (529313)

        Yes, it would. The pin is given to the chip without it ever interacting with firmware or RAM (it's transmitted from keypad to chip).

        Even if that weren't so though, the terminal never knows what account is processing the transaction. It simply sends the transaction details to the chip, which produces a signed transaction (with the pin, and some secured data stored on it). The signed transaction is sent to the bank, who can then use it to extract money from the correct account.

        • by Rich0 (548339)

          Yeah, I'd think they could steal the PIN, or tamper with the amount of the current transaction, but they couldn't actually create new transactions without having the chip present.

          I think a better design would be putting the keypad and display on the card itself as that eliminates just about every way to tamper with a transaction I can think of, but as long as each transaction is individually signed and the chip throttles signature requests (one per insertion/removal) then the potential for abuse is pretty l
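A toy model of the flow beelsebob and Rich0 describe above, added here as an illustration (it is not code from anyone in the thread and is not real EMV): the chip checks the PIN and MACs the transaction details with a key that only it and the issuer hold, so a record scraped from terminal RAM can be neither replayed nor re-used with an edited amount, and the terminal cannot mint new transactions. It does not cover a terminal presenting a false amount to the chip before signing, which is Rich0's reason for wanting the display on the card. The key, account alias and merchant name are constructed values.

```python
import hashlib
import hmac
import json


class ChipCard:
    def __init__(self, acct, key, pin):
        self.acct = acct        # constructed account alias, not a real PAN
        self._key = key         # shared with the issuer at personalisation only
        self._pin = pin         # verified on-chip, never exported
        self.atc = 0            # application transaction counter

    def sign(self, amount_cents, merchant, pin_entered):
        # Refuse without the right PIN; otherwise MAC the transaction details.
        if pin_entered != self._pin:
            raise PermissionError("PIN rejected by chip")
        self.atc += 1
        record = {"acct": self.acct, "amt": amount_cents,
                  "merchant": merchant, "atc": self.atc}
        msg = json.dumps(record, sort_keys=True).encode()
        record["mac"] = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return record           # this is all a POS terminal ever holds in RAM


class Issuer:
    def __init__(self, keys):
        self._keys = dict(keys)                 # acct -> card key
        self._last_atc = {a: 0 for a in keys}   # highest counter accepted

    def authorize(self, record):
        # Accept only a fresh record whose MAC verifies under the card's key.
        key = self._keys.get(record.get("acct"))
        if key is None:
            return False
        body = {k: v for k, v in record.items() if k != "mac"}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return False        # tampered (e.g. amount edited) or forged
        if body["atc"] <= self._last_atc[body["acct"]]:
            return False        # replay of a record scraped earlier
        self._last_atc[body["acct"]] = body["atc"]
        return True


def demo():
    # Returns (first use, replay of the same record, record with edited amount).
    key = b"constructed-card-key"
    card, issuer = ChipCard("acct-0001", key, "1234"), Issuer({"acct-0001": key})
    rec = card.sign(4599, "craft-store-17", "1234")
    return issuer.authorize(rec), issuer.authorize(rec), issuer.authorize(dict(rec, amt=9999))
```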

    • by EvilSS (557649)
      October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.
      • by Rich0 (548339)

        October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.

        Mastercard and Visa get paid by the transaction I imagine. They really don't care if they're legit or not - if they aren't then the members of the national retailer association pay the bill. I can't imagine why there is a difference of opinion... :)

    • Chip and Pin has already been compromised in the wild:

      http://www.telegraph.co.uk/new... [telegraph.co.uk]

      • by rfunches (800928)

        Chip and Pin has already been compromised in the wild:

        http://www.telegraph.co.uk/new... [telegraph.co.uk]

        Nothing in the article states that the fraudulent charges were run as Chip+[Sig/PIN] transactions, though. They were processed in a way that bypasses the chip:

        1. Card not present transactions (mail/phone/internet)
        2. Cloned magstripe-only card on a non-chip terminal (I had a chipped Visa fraudulently used in the US with this method)
        3. Same as #2 but with a PIN at a merchant terminal for cash back or at an ATM for cash withdrawal or advance

        I've yet to hear of a case where a fraudulent chip transaction came fro

        • by plover (150551)

          The Vasco DIGIPASS device is a small smart-card reader that resembles a pocket calculator. It allows the cardholder to insert their card, enter the transaction details, and produce a one-time authorization code that can be entered into a web page (like a CVV2 code, but cryptographically secure). It's a sealed device that is electrically air-gapped from everything apart from the batteries and the card, so it is unhackable from on-line threats. Such devices are used to secure on-line banking transactions.

        • by Rich0 (548339)

          But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.

          I'd put the console on the card itself (keypad and small LCD display). Then I'd include USB and acoustic modem interfaces. Now you can handle card not present just fine. The "card" would cost more, but it would make sense to make it a generic device that can support any number of payment accounts. It could still be easily pocket sized - probably smaller than a PCMCIA card.

    • by badzilla (50355)
      Chip and PIN has seen widespread use for years now and would probably stop this kind of attack. Remember you have hardware-based encryption happening not only in the card reader but also in the card itself. An amazing amount of crypto happens at step one just so that the card can satisfy itself that it is indeed inside a valid reader. Then some more so that the reader can be confident it has a real card. Once all the authorisation and monetary amounts are complete then the reader finally dumps out an encryp
    • by elistan (578864)

      Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a rollout would have.

      It's not costing the banks anything - the costs of the refunded transactions are the responsibility of the merchants. I don't see any financial incentive for banks to do anything different. It'll have to be either a legal regulation or a consumer backlash, and I don't see either happening right away.

  • by Luthair (847766) on Saturday January 25, 2014 @10:22PM (#46070215)
    There is an easy solution to this problem - don't put point of sale systems on a network with external access. At the minimum one should limit the network addresses these systems are allowed to access.
    • by beelsebob (529313)

      Who says external access was required?

      • by Luthair (847766)
        If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.
    • Sadly, until breaches like this occur, the MBAs will not listen to those annoying cost centers and view them as having value. The reason they are on the internet is because the suits said so and the accountants whined about having real-time access.

      Maybe if Congress is involved they can make regulation requiring secure operating systems with ASLR which scramble RAM. Windows 7 and Mac OS X have it and I think Linux can support it via a patch with 3.0 or higher. Crosses fingers for Red Hat 7. Also POS equipment is SUPPOSED

    • by Anonymous Coward

      As someone who worked in one of Targets data centers, I can assure you those cash registers did not have direct internet access.

      From what I read the hackers gained access to a server which they then set up an FTP server on. A NetBIOS share was activated at a certain time of the day and information was then sent to that FTP server.

  • by formfeed (703859) on Saturday January 25, 2014 @11:03PM (#46070385)

    Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.

  • Are there any credit cards in the US that actually offer the "newer" CHIP/PIN cards? I am also assuming that the readers have to recognize these cards as well.....

    • Nope. BUT, in light of the money lost on Target, I am guessing that is about to change.
    • by wkk2 (808881)

      I asked Chase and they didn't seem to know what I was talking about. Citi was able to replace my card with a chip/PIN card. Get one before you travel or you might need to leave your stuff at a restaurant while going to an ATM.

    • by Muad'Dave (255648)

      Bank of America is doing Chip & Signature [bankofamerica.com].
