Michaels Stores Investigating Possible Data Breach

tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."

Chip & Pin

[beelsebob]

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Re:Chip & Pin

[binarylarry]

Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(

Just wait

[ArchieBunker]

As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

Re: Just wait

Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

fuck /.
the astrophysicists are long gone
and you least common denominator assholes are worthless

Re: Just wait

[TheloniousToady]

For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:

You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

Easy one to catch

[formfeed]

Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.

Re:Credit cards

[Nerdfest]

I'm not even sure that will help. These guys have proven that they're quite ... crafty.

Re:Credit cards

[cusco]

In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.

Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.