Michaels Stores Investigating Possible Data Breach
tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."
Re: (Score:2, Insightful)
CONservatives vs LIEberals or REPTILEcans vs DEMONcrats; you make the call.
Re: (Score:2)
There's a reason Germany has a surging economy and Somalia doesn't...
Re: This is because CONservatives... (Score:1)
Because I worked damn hard for that money? Whose right is it for you to tell me what to spend it on?
Re: (Score:1)
Been there, seen it already (Score:2)
This is because CONservatives... don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.
... and ...
the U.S. Secret Service has confirmed it is investigating
I know where this is leading. The attack will be likened to "9/11 on retail", and: ... the "Retail Security Agency" will be created under the DHS; it will buy and operate (on public funds, of course), "nude scanners
* the "Providing Appropriate Tools Required to Intercept and Obstruct Tampering of POS bill of 2014" - also known as "the PATRIOT-POS v2014 act";
* it will be required that those POS-es be operated from behind reinforced doors, but since the retail industry will complain about the cost...
*
Re: (Score:2)
And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.
Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.
Credit cards (Score:2, Insightful)
Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing
Re:Credit cards (Score:4, Funny)
I'm not even sure that will help. These guys have proven that they're quite ... crafty.
Re: (Score:2)
The main reasons for storing CC information are to handle recurring payment services (subscriptions) or to have a method for refunding a customer without requiring them to enter all their information again.
Re:Credit cards (Score:4, Informative)
In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.
Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.
Chip & Pin (Score:5, Insightful)
Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
Re: (Score:2)
Maybe, maybe not. Criminals usually take the easiest way into a system. So replacing one flawed system may be sufficient. Or there might be more flawed implementations at their data center.
I think the real issue here is how the companies seem to have no idea how to do computer security.
Re:Chip & Pin (Score:4, Funny)
Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(
Re: (Score:2)
and the IRQ jumpers are all wrong, too!
Just wait (Score:5, Interesting)
As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.
Re: (Score:3, Informative)
Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys
Re: Just wait (Score:4, Informative)
For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:
You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.
Re: (Score:3)
Someone is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.
It can't be read. It can only be queried. You give it an input, it gives you an output.
In the same way as you can't get from a hash (the output) to the actual stored contents, you can't get from the output of a credit card chip, to the stored contents of the chip.
Re: (Score:3)
The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
(Royal Bank of Canada)
Re: (Score:2)
Yeah that's not legal in Canada, just a FYI. The feds cracked down hard on them for trying that one. Doubly true since there are now chip skimmers out there that can duplicate the chip. Though they're very rare at the moment. Even with that, you'll find that most of the banks in Canada are now partnering with either Visa or MC for loss coverage on chip&pin cards.
Re: (Score:2)
Not legal to have the customer eat the losses? I'll have to look further into it, I already contacted the ombudsman about that. Does it apply to ATM cards or just credit cards?
Re: (Score:2)
The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.
Re: (Score:2)
The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.
And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.
Well, the chip doesn't guarantee that it wasn't cloned. It just guarantees that if it was cloned it becomes the consumer's problem. It also makes it much harder to clone.
Re: (Score:2)
That's my point. Their argument is since the card was used with the chip, and that it can't be cloned (not entirely true), it's *my* problem, not theirs. So, as you said, it's a way to put the losses on the customer.
Re: (Score:2)
That's just it. The credit card companies have shifted the cost of fraud to the merchants, so chip and pin will probably never be cheaper than the cost of a security breach to them.
That's the real fundamental problem here. The credit card companies have made the merchants pay for fraud, and the merchants have no leverage to improve the security of credit card machines or networks. Heck, most merchants don'
Re: (Score:2)
Bank Of America is planning to support [bankofamerica.com] Chip & Signature [wikipedia.org], not chip & PIN.
Re: (Score:1)
If Chip & Pin were the answer, the financial incentives of having it in place would make it the obvious choice.
Clearly externalizing loss to the merchants and consumers is financially more attractive. And there's your answer to "Why?" No need for useless rhetoric because there is a simple answer.
If you want a more complicated answer, the merchants basically have no say and the consumers don't care, so the issue rarely gets pushed.
Re-wiring all of the point-of-sale machines would be a major expense, ev
Re: (Score:2)
The US banks have waffled for nearly 6 years on it and on getting terminals upgraded. We've been fully chip & pin in Canada for that long now, and if you're wondering why it hasn't been done it's because the cost of upgrading millions of terminals is expensive.
Re: (Score:2)
Yeah those poor banks, only earning an up to 3% "cut" of every single transaction, billing most of their customers for regular "transaction" fees, hardly paying out interest at all to savers, getting money for free from the government (because you know, they're too big to fail) and charging their debtors usurious interest. Poor, poor banks. Changing the terminals is so EXPENSIVE.
Seriously, they pass a regulation saying all terminals must be changed by x date and surprise, you the merchant are going to hav
Would Chip and Pin Have Prevented This? (Score:2)
Re: (Score:2)
Yes, it would. The pin is given to the chip without it ever interacting with firmware or RAM (it's transmitted from keypad to chip).
Even if that weren't so though, the terminal never knows what account is processing the transaction. It simply sends the transaction details to the chip, which produces a signed transaction (with the pin, and some secured data stored on it). The signed transaction is sent to the bank, who can then use it to extract money from the correct account.
Re: (Score:2)
Yeah, I'd think they could steal the PIN, or tamper with the amount of the current transaction, but they couldn't actually create new transactions without having the chip present.
I think a better design would be putting the keypad and display on the card itself as that eliminates just about every way to tamper with a transaction I can think of, but as long as each transaction is individually signed and the chip throttles signature requests (one per insertion/removal) then the potential for abuse is pretty l
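A toy model of what the chip-signing posts above describe (a per-card key that can only be queried, a transaction counter, one cryptogram per insertion), added here as an example and not taken from the thread or from any real card: the HMAC, the counter and the field layout are constructed stand-ins for the EMV issuer cryptogram, and the PAN is a test number.

```python
import hmac, hashlib, secrets

def _encode(amount_cents, currency, un, atc):
    # Constructed field layout, standing in for the data an EMV cryptogram covers.
    return amount_cents.to_bytes(6, "big") + currency.encode() + un + atc.to_bytes(2, "big")

def _mac(key, amount_cents, currency, un, atc):
    return hmac.new(key, _encode(amount_cents, currency, un, atc), hashlib.sha256).digest()[:8]

class Card:
    """Toy chip: the key never leaves the object; callers can only ask for a cryptogram
    over one specific transaction, once per insertion."""
    def __init__(self, pan, card_key):
        self._pan, self._key, self._atc = pan, card_key, 0   # _atc: transaction counter
        self._inserted = self._signed = False
    def insert(self):
        self._inserted, self._signed = True, False
    def sign(self, amount_cents, currency, un):
        if not self._inserted or self._signed:
            raise PermissionError("one cryptogram per insertion")
        self._atc += 1
        self._signed = True
        return {"pan": self._pan, "amount": amount_cents, "currency": currency, "un": un,
                "atc": self._atc, "cryptogram": _mac(self._key, amount_cents, currency, un, self._atc)}

class Issuer:
    """Holds the other copy of each card key; rejects tampered and replayed cryptograms."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}
    def issue(self, pan):
        self._keys[pan] = secrets.token_bytes(16)
        return Card(pan, self._keys[pan])
    def verify(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return False
        expected = _mac(key, txn["amount"], txn["currency"], txn["un"], txn["atc"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return False        # amount, UN or counter differ from what the chip signed
        if txn["atc"] <= self._last_atc.get(txn["pan"], 0):
            return False        # counter did not advance: replay of a captured cryptogram
        self._last_atc[txn["pan"]] = txn["atc"]
        return True

def demo():
    """What someone holding everything the terminal saw can and cannot get accepted."""
    issuer = Issuer()
    card = issuer.issue("4111111111111111")       # constructed test PAN
    card.insert()
    txn = card.sign(1999, "USD", secrets.token_bytes(4))
    out = {"genuine": issuer.verify(txn),
           "tampered_amount": issuer.verify({**txn, "amount": 199900}),
           "replay": issuer.verify(txn)}          # same captured bytes, sent again
    card.insert()                                 # re-insertion allows one more cryptogram
    card.sign(500, "USD", b"\x00" * 4)
    try:
        card.sign(500, "USD", b"\x00" * 4)        # second request without re-insertion
        out["second_sign_blocked"] = False
    except PermissionError:
        out["second_sign_blocked"] = True
    return out
```

Note that the PAN still travels in the clear alongside the cryptogram, which is why the card-not-present fraud raised further down the thread is untouched by the chip.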
Re: (Score:2)
October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.
Mastercard and Visa get paid by the transaction I imagine. They really don't care if they're legit or not - if they aren't then the members of the national retailer association pay the bill. I can't imagine why there is a difference of opinion... :)
Re: (Score:1)
Chip and Pin has already been compromised in the wild:
http://www.telegraph.co.uk/new... [telegraph.co.uk]
Re: (Score:2)
Chip and Pin has already been compromised in the wild:
http://www.telegraph.co.uk/new... [telegraph.co.uk]
Nothing in the article states that the fraudulent charges were run as Chip+[Sig/PIN] transactions, though. They were processed in a way that bypasses the chip:
I've yet to hear of a case where a fraudulent chip transaction came fro
Re: (Score:2)
The Vasco DIGIPASS device is a small smart-card reader that resembles a pocket calculator. It allows the cardholder to insert their card, enter the transaction details, and produce a one-time authorization code that can be entered into a web page (like a CVV2 code, but cryptographically secure.) It's a sealed device that is electrically air-gapped from everything apart from the batteries and the card, so it is unhackable from on-line threats. Such devices are used to secure on-line banking transactions.
Re: (Score:2)
But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.
I'd put the console on the card itself (keypad and small LCD display). Then I'd include USB and acoustic modem interfaces. Now you can handle card not present just fine. The "card" would cost more, but it would make sense to make it a generic device that can support any number of payment accounts. It could still be easily pocket sized - probably smaller than a PCMCIA card.
No Chip & Pin? Carry Cash. (Score:1)
Re: (Score:2)
Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.
It's not costing the banks anything - the costs of the refunded transactions are the responsibility of the merchants. I don't see any financial incentive for banks to do anything different. It'll have to be either a legal regulation or a consumer backlash, and I don't see either happening right away.
Re: (Score:3)
You might not, but the rest of us have mothers, aunts, sisters-in-law, girlfriends, wives, daughters (and all their male counterparts in some cases) that require us to shop at Michael's at least once a year. Typically around either the first week or two of May, or in the few days running up to Dec. 25.
There was a time, though, that Michael's was a fun place to shop. If you didn't have a Hobby Lobby or the like, it was the best place to buy model rockets and the like.
Point of Sale Network Access (Score:3)
Re: (Score:2)
Who says external access was required?
Re: (Score:3)
They sure are... Have you been in a Target since their breach? It is a ghost town in the one here.
Re: (Score:2)
They sure are... Have you been in a Target since their breach? It is a ghost town in the one here.
Sounds like it was a ghost town before the breach too. In my case, I've been to the nearest store about a dozen times and it has been no different than before the news broke. I always use cash so it made no difference to me.
Re: (Score:2)
Target has a system where you can return anything without a receipt if you can show the credit card the item was purchased with. Plus Target makes heavy use of data to track customers. Not that that's a good thing.
I would have to guess that Target views these things as strategic advantages over their competitors and they may have a culture which views IT infrastructure only as a means to further develop these advantages. In that kind of environment, "what we can do if we hold onto this data" is going to tru
Re: (Score:2)
I've had the receipt for the few times I've had to return things at Target.
I was amazed how fast it can be done. From when you get to the counter with your item to the time you leave, it's often less than 1 minute, sometimes as short as 10 seconds. I kid you not! I've never seen anything like that before. Walk in, 10 seconds and you're out.
Gotta give them credit for how fast they can process returns, assuming you have the receipt and your credit card or license (the magstripe does speed things along).
Re: (Score:1)
That's not how the hack worked. The hackers had software on the POS machines that read the RAM of the machines and when the card info was briefly in RAM during the transaction the hackers grabbed it.
A better question is why these POS machines don't have a more locked down OS that allows only signed processes to run. Xbox, PlayStation, and iPhone have been doing this successfully for years, so surely commercial POS machines could.
Re: (Score:2)
It's a RAM scraper attack on the POS machines, not a database dump off the mainframe. It's hard to believe that people don't know the difference. Oh, you're too dumb/lazy to actually figure out how to log in with an account, I guess that explains it.
Re: (Score:2)
There's an even easier solution: don't store cardholder information in a database
There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.
Getting an auth code means you're getting your money. You don't need to store my entire credit card number.
Go read the analysis of the BlackPOS malware at Krebs. He says that the attack that hit Target was done with a RAM scraper. It wouldn't matter if Target stored the data or not, or if they used SSL or not, the malware read the card data as soon as it was in the memory of the register.
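The RAM-scraper posts above make the point that card data exists in the register only during the authorization window, and the previous poster's point is that it must not exist anywhere afterwards. The defender's check for that is a scan of a process dump or log for track-2 records and Luhn-valid card numbers; the scanner below is an added example, not from the thread or from any retailer's tooling, and runs over a constructed dump with constructed test card numbers.

```python
import re

# Track-2 record as a POS process holds it between swipe and authorization:
# ';' sentinel, PAN, '=' separator, expiry YYMM, service/discretionary data, '?' end.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# Bare 13-19 digit run, for numbers that leak outside the track format.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed dump: one track-2 record, one bare PAN, and a serial that only looks like one.
SAMPLE_DUMP = (b"POSsvc 2.1 build 20140125 authreq seq=1234567890123456 "
               b";4111111111111111=1512101123400000000? RESP=00 APPROVED "
               b"loyalty=5555555555554444 tail")

def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card number passes; filters out serials and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    # Report first six and last four only, so the report is not itself cardholder data.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(buf: bytes) -> list:
    """Return one finding per Luhn-valid card number in buf, masked, ordered by offset."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            covered.append((m.start(), m.end()))
            findings.append({"offset": m.start(), "kind": "track2", "pan": mask(pan),
                             "expiry": m.group(3).decode() + "/" + m.group(2).decode()})
    for m in PAN_RE.finditer(buf):
        if any(a <= m.start() < b for a, b in covered):
            continue                      # already reported as part of a track-2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"offset": m.start(), "kind": "pan", "pan": mask(pan)})
    return sorted(findings, key=lambda f: f["offset"])

if __name__ == "__main__":
    for finding in scan(SAMPLE_DUMP):
        print(finding)
```

A clean result on a dump taken after authorization is the evidence that the register is not storing data it was only meant to forward; a hit during the authorization window is expected and is exactly what the scraper harvests.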
Re:SCADA is next (Score:1)
Sadly, only when breaches like this occur will more MBAs listen to those annoying cost centers and see their value. The reason they are on the internet is because the suits said so and the accountants whined about having real-time access.
Maybe if Congress is involved they can make regulation requiring secure operating systems with ASLR, which scrambles RAM. Windows 7 and Mac OS X have it and I think it can be supported via a patch with 3.0 or higher. Crosses fingers for Red Hat 7. Also POS equipment is SUPPOSED
Time for TECH / IT UNIONS (Score:3)
So the tech workers have the power to get stuff done and the MBAs take the blame for their mess-ups.
Re: Point of Sale Network Access (Score:1)
As someone who worked in one of Target's data centers, I can assure you those cash registers did not have direct internet access.
From what I read the hackers gained access to a server which they then set up an FTP server on. A NetBIOS share was activated at a certain time of the day and information was then sent to that FTP server.
Easy one to catch (Score:4, Funny)
Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.
Chip/PIN (Score:1)
Are there any credit cards in the US that actually offer the "newer" CHIP/PIN cards? I am also assuming that the readers have to recognize these cards as well.....
Re: (Score:2)
I asked Chase and they didn't seem to know what I was talking about. Citi was able to replace my card with a chip/pin card. Get one before you travel or you might need to leave your stuff at a restaurant while going to an ATM.
Re: (Score:2)
Bank of America is doing Chip & Signature [bankofamerica.com].