Michaels Breach Convictions Point To The Most Sophisticated PIN Pad Attack Yet

Written by Frank Hayes
August 1st, 2012

More than a year after the 1,100-store Michaels chain was breached after PIN pad tampering, the feds have their first convictions: two Los Angeles street gang members, who were apparently recruited just to collect money from debit-card victims’ bank accounts. But the crooks who actually executed the attack are still on the loose—and, apparently, still completely unknown.

But we now know more about the breach, which involved physically replacing PIN pads in 84 stores across the country to capture at least 94,000 card numbers. And with those new details, chains have more reason than ever to be worried.

On July 25, a federal judge in California sentenced Eduard Arakelyan and Arman Vardanyan to five years in prison for bank fraud and identity theft after they were caught in March using counterfeit payment cards to get money from ATMs, using account numbers and PINs acquired during the Michaels breach.

But according to court documents, the two men had nothing to do with the breach itself. They were recruited by an ethnic Los Angeles gang called Armenian Power just to collect cash from ATMs in the Las Vegas and San Francisco areas. They also weren’t the first to start using the stolen numbers—they started in May 2011, after Chicago-area banks first reported what was then thought to be a breach only at local Michaels stores.

And they were well equipped for the job. When they were caught, “defendants Arakelyan and Vardanyan possessed 952 blank gold and silver counterfeit access devices [cards] reencoded with at least 943 real persons’ financial institution account numbers. On each counterfeit card was a four-digit PIN handwritten in pen, corresponding to each person’s true PIN. Both the PINs and the account numbers had been previously stolen along with the account numbers,” according to the San Francisco U.S. Attorney’s office. They also had eight cell phones, a laptop, a GPS device loaded with ATM locations, two handguns and $56,599 in cash.

Understand, that was just for the cash collection part of the operation, which was apparently outsourced to the street gang. There’s no indication of how many other cash-collecting teams were involved or whether more than one gang participated.

That’s on top of the unusual sophistication of the breach. Court documents also confirm what Michaels wouldn’t say last year: At the 84 Michaels stores hit in the breach, thieves replaced at least one PIN pad per store with an apparently identical PIN pad that had been rigged to capture card numbers and PINs. The thieves could then collect that info using a Bluetooth device in the rigged PIN pad, so they could continue to collect numbers until the breach was discovered.

Even when banks (and it was the banks, not Visa’s or MasterCard’s antifraud systems) identified the breach after customer complaints, they assumed it was just a problem at Chicago-area Michaels stores. The thieves had sorted the cards by bank and initially only used Chicago-area account numbers and PINs. It wasn’t until the chain investigated thoroughly that it became clear the stores hit were spread across the U.S., from Georgia to Oregon.
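The reason the breach looked local is worth spelling out with a small worked example. Issuers spot a compromise by common-point-of-purchase analysis: take the cards reported as fraudulent and look for the store they all visited. If the thieves only cash out cards from one region's banks, only that region's issuers file reports, and the analysis points only at that region's stores. The script below is an added illustration, not code from the article or from Michaels or any bank; the purchase history, store IDs and fraud reports are constructed sample data, and the "cards_per_store"/"suspect_stores" functions are hypothetical names.

```python
from collections import defaultdict

# Constructed sample data (not from the article): for each card token, the
# stores it was used at during the look-back window.
PURCHASES = {
    "card01": ["IL-001", "IL-002"],
    "card02": ["IL-001"],
    "card03": ["IL-002"],
    "card04": ["IL-002", "IL-001"],
    "card05": ["IL-001"],
    "card06": ["IL-002"],
    "card07": ["GA-001"],
    "card08": ["GA-001"],
    "card09": ["OR-001"],
    "card10": ["OR-001", "GA-001"],
    "card11": ["IL-001", "OR-001"],  # legitimate shopper, never reported
}

# Constructed fraud reports as issuers would file them: (card, issuer region).
FRAUD_REPORTS = [
    ("card01", "Chicago"), ("card02", "Chicago"), ("card03", "Chicago"),
    ("card04", "Chicago"), ("card05", "Chicago"), ("card06", "Chicago"),
    ("card07", "Atlanta"), ("card08", "Atlanta"),
    ("card09", "Portland"), ("card10", "Portland"),
]


def by_region(reports, *regions):
    """Keep only the reports filed by issuers in the given regions."""
    return [r for r in reports if r[1] in regions]


def cards_per_store(reports, purchases):
    """Map each store to the set of fraud-reported cards that shopped there."""
    hits = defaultdict(set)
    for card, _region in reports:
        for store in set(purchases.get(card, [])):
            hits[store].add(card)
    return hits


def suspect_stores(reports, purchases, min_cards=2):
    """Stores shared by at least min_cards reported cards, most-shared first.

    A card that shopped at a store but was never reported (card11 above)
    contributes nothing, so a busy honest store does not float to the top.
    """
    hits = cards_per_store(reports, purchases)
    ranked = sorted(
        ((len(cards), store) for store, cards in hits.items() if len(cards) >= min_cards),
        reverse=True,
    )
    return [store for _n, store in ranked]


if __name__ == "__main__":
    # Only Chicago-area issuers have filed reports: the analysis sees only Illinois stores.
    print("Chicago issuers only:", suspect_stores(by_region(FRAUD_REPORTS, "Chicago"), PURCHASES))
    # Pooling reports from every issuer exposes the stores in Georgia and Oregon as well.
    print("All issuers:", suspect_stores(FRAUD_REPORTS, PURCHASES))
```

Run with the Chicago-only subset, the result is two Illinois stores; run with every issuer's reports, the same function surfaces the Georgia and Oregon stores too. The lesson for a chain is that issuer fraud reports are a lagging, partial signal shaped by where the criminals chose to cash out, so confirming the scope of a PIN pad compromise means inspecting the devices in every store, not just the ones the first reports point at.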

In other words, this isn’t the type of breach chains would have expected even three years ago.


2 Comments

  1. Biff Matthews Says:

    Do not literally “screw down” a PIN pad, as it will cause a TAMPER ERROR. Switching PEDs is not easily accomplished without employee complicity or failure to follow best practices. Train and retrain, then hold accountable employees who don’t follow procedures. You don’t leave a cash register unattended, nor a POS terminal, period!

  2. Vidya Swamy Says:

    Hackers are always steps ahead. But, it is shocking to read it takes a long time to spot the breaches. Also, is it that easy to swap a PIN pad? I thought Aldi does not accept credit cards. Maybe they changed to cash only after the breach.
