Michaels’ Breach Fallout: Now It’s Up To Local Banks To Catch Card Fraud That Visa and MasterCard Miss
Written by Frank HayesThe thieves who sabotaged PIN pads at Michaels Stores in 20 states managed to stay below the radar of fraud-spotters by sorting the card numbers they collected by bank, not using them at random. That kept Visa and MasterCard from catching on in the usual way, reports Gartner Security Analyst Avivah Litan.
But in a perverse twist, that was also what finally blew the cover off the theft. A local Chicago-area bank spotted the connection between ATM fraud that victimized its depositors and the fact that they were Michaels customers. If that’s the new pattern thieves are likely to use, it may be time for card companies to take a lot more interest in smaller banks—especially if those banks are stuck doing Visa and MasterCard’s job.
Litan noted that the Michaels attackers appeared to have figured out the card companies’ techniques and adjusted their tactics accordingly. “How did they do this? By attacking one bank at a time, instead of using the stolen card information simultaneously across multiple card issuing banks as they typically have done in past card-skimming heists. The fraudsters sorted the stolen card data by BIN number (the first four digits of the 16-digit cardnumber), which told them which bank issued the card. They then figured out which banks to attack, one by one,” Litan wrote.
That also kept the number of affected banks small at any one time, thus avoiding another fraud-detection trigger. “By using this tactic, it took longer for the payment-card networks (i.e., Visa, MasterCard) to figure out the point-of-compromise, i.e., Michaels, as the fraudsters bypassed the normal network-level monitoring these firms perform by looking across banks and their fraudulent transactions,” Litan added.
But the one-bank-at-a-time approach ultimately was the thieves’ undoing. It was a local bank (not Visa or MasterCard) that noticed many of its customers who had been hit by fraudulent ATM withdrawals in California and Nevada had also shopped at Michaels with their debit cards, according to local news reports.
That’s why, initially, Michaels thought the PIN pad tampering was limited to the Chicago area—but it’s also why the chain started checking PIN pads in other stores, and eventually replaced POS hardware across the U.S. Visa and MasterCard, which would normally be the first to spot the fraud pattern, were on the sidelines this time.
For retailers, that’s something to worry about. The big card companies have the most experience—and the biggest budgets—for spotting patterns of card fraud. Smaller local banks would seem to be the least well-equipped to handle that job. But the new approach on the part of thieves drops that task squarely in their laps.
This could require a big shift in fraud-spotting resources for the card companies.
-Marc
June 10th, 2011 at 10:13 am
This raises the question of why are local banks and the Secret Service getting to the scene of the crime before the acquirers and the card brands. Not knowing all the specifics of how CAMS works, it is easy to imagine that the local bank issuers have a much lower threshold for reacting to reported fraud. They have to, considering they don’t have the fraud funds of larger national and regional banks. Local banks may also not be fully informed of what to do in the case of fraud and who to involve.
In many of these cases, it is never determined how the hackers executed their crime, since forensic investigations don’t happen. While this is good for the merchant in avoiding a big expense, we aren’t able to learn from the breach to try to prevent it in the future.
Just as level 4 merchants have been failed by the system, is the system failing smaller banks as well?