Slashdot Mirror


Michaels Stores Investigating Possible Data Breach

tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."


  1. Credit cards by Anonymous Coward · · Score: 2, Insightful

    Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing.

    1. Re:Credit cards by Nerdfest · · Score: 3, Funny

      I'm not even sure that will help. These guys have proven that they're quite ... crafty.

    2. Re:Credit cards by cusco · · Score: 3, Informative

      In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.

      Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  2. Chip & Pin by beelsebob · · Score: 4, Insightful

    Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

    1. Re:Chip & Pin by fuzzyfuzzyfungus · · Score: 2

      Are you saying that passing your PCI compliance testing isn't all the computer security you need to do?

    2. Re:Chip & Pin by binarylarry · · Score: 3, Funny

      Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(

      --
      Mod me down, my New Earth Global Warmingist friends!
  3. Point of Sale Network Access by Luthair · · Score: 2

    There is an easy solution to this problem - don't put point of sale systems on a network with external access. At the minimum one should limit the network addresses these systems are allowed to access.

    1. Re:Point of Sale Network Access by penix1 · · Score: 2

      Are they held responsible for any problems and costs with their carelessness?

      They sure are... Have you been in a Target since their breach? It is a ghost town in the one here.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  4. Just wait by ArchieBunker · · Score: 4, Interesting

    As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Just wait by Hamsterdan · · Score: 2

      The chip is not there to protect customers' interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

      (Royal Bank of Canada)

      --
      I've got better things to do tonight than die.
    2. Re: Just wait by Anonymous Coward · · Score: 3, Informative

      Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

      fuck /.
      the astrophysicists are long gone
      and you least common denominator assholes are worthless

    3. Re: Just wait by TheloniousToady · · Score: 3, Informative

      For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:

      You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

    4. Re: Just wait by beelsebob · · Score: 2

      Someone is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.

      It can't be read. It can only be queried. You give it an input, it gives you an output.

      In the same way as you can't get from a hash (the output) to the actual stored contents, you can't get from the output of a credit card chip, to the stored contents of the chip.
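
The query-only behaviour discussed in this sub-thread, as an added example that is not part of the original comments: a toy model in which static mag-stripe data is accepted again when copied, while a chip's per-transaction MAC is rejected on replay or reuse. The class names, the HMAC-SHA256 construction, the counter and the sample card number are assumptions made for illustration; this is not the EMV protocol.

```python
import hashlib, hmac, secrets

def _msg(pan, amount_cents, nonce, counter):
    return f"{pan}|{amount_cents}|{nonce.hex()}|{counter}".encode()

class ChipCard:
    """Toy chip: the key stays inside; callers can only ask for a MAC."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def sign(self, amount_cents, nonce):
        self._counter += 1
        mac = hmac.new(self._key, _msg(self.pan, amount_cents, nonce, self._counter),
                       hashlib.sha256).digest()
        return self._counter, mac

class Issuer:
    def __init__(self):
        self.keys, self.last_counter = {}, {}

    def issue(self, pan):
        self.keys[pan] = secrets.token_bytes(32)
        self.last_counter[pan] = 0
        return ChipCard(pan, self.keys[pan])

    def approve_stripe(self, track):
        # Static track data: a copy is byte-for-byte identical to the original.
        return track.split("=")[0] in self.keys

    def approve_chip(self, pan, amount_cents, nonce, counter, mac):
        if counter <= self.last_counter[pan]:
            return False  # counter already used: replay
        expected = hmac.new(self.keys[pan], _msg(pan, amount_cents, nonce, counter),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # MAC was computed over a different transaction
        self.last_counter[pan] = counter
        return True

def demo():
    issuer = Issuer()
    pan = "4000000000000002"                 # constructed sample number
    card = issuer.issue(pan)
    track = pan + "=2512"                    # constructed mag-stripe data
    nonce = secrets.token_bytes(8)
    counter, mac = card.sign(1000, nonce)    # values a terminal would hold in memory
    return {
        "stripe_copy": issuer.approve_stripe(track),
        "chip_genuine": issuer.approve_chip(pan, 1000, nonce, counter, mac),
        "chip_replay": issuer.approve_chip(pan, 1000, nonce, counter, mac),
        "chip_reuse": issuer.approve_chip(pan, 50000, secrets.token_bytes(8), counter + 1, mac),
    }
```
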

  5. Easy one to catch by formfeed · · Score: 4, Funny

    Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.

  6. Re:thank god by pspahn · · Score: 2

    You might not, but the rest of us have mothers, aunts, sisters-in-law, girlfriends, wives, daughters (and all their male counterparts in some cases) that require us to shop at Michael's at least once a year. Typically around either the first week or two of May, or in the few days running up to Dec. 25.

    There was a time, though, that Michael's was a fun place to shop. If you didn't have a Hobby Lobby or the like, it was the best place to buy model rockets and the like.

    --
    Someone flopped a steamer in the gene pool.
  7. Time for TECH / IT UNIONS by Joe_Dragon · · Score: 2

    So the tech workers have the power to get stuff done and the MBAs take the blame for their mess-ups.

  8. Re: This is because CONservatives... by Anonymous Coward · · Score: 2, Insightful

    CONservatives vs LIEberals or REPTILEcans vs DEMONcrats; you make the call.

  9. Re: This is because CONservatives... by Anonymous Coward · · Score: 2, Insightful

    Turning a Russian mafia crime scheme into an American political party debate. Do you both have any idea of how stupid you sound? This would not even be relevant if there was an actual difference between party A or party B, which time has shown there is none. Fine, go at each other's throats while your house burns down.

  10. Re:Been there, seen it already by Dunbal · · Score: 2

    You're in the right direction but not thinking radically enough. The US will want all financial transaction data everywhere. Cos, you know, "terrorists". Go on, let Uncle Sam into your wallet. Surely you have nothing to fear if you have nothing to hide, citizen. Oh by the way we've noticed you have too much money, more than your "fair share". Somewhere buried in the 13,000 odd pages of US tax code there's something you or your accountant missed, your money is ours now. Hand it over quietly and maybe we don't throw you in jail.

    --
    Seven puppies were harmed during the making of this post.