Michaels’ Breach Fallout: Now It’s Up To Local Banks To Catch Card Fraud That Visa and MasterCard Miss

Written by Frank Hayes
June 8th, 2011

The thieves who sabotaged PIN pads at Michaels Stores in 20 states managed to stay below the radar of fraud-spotters by sorting the card numbers they collected by bank, not using them at random. That kept Visa and MasterCard from catching on in the usual way, reports Gartner Security Analyst Avivah Litan.

But in a perverse twist, that was also what finally blew the cover off the theft. A local Chicago-area bank spotted the connection between ATM fraud that victimized its depositors and the fact that they were Michaels customers. If that’s the new pattern thieves are likely to use, it may be time for card companies to take a lot more interest in smaller banks—especially if those banks are stuck doing Visa and MasterCard’s job.

Litan noted that the Michaels attackers appeared to have figured out the card companies’ techniques and adjusted their tactics accordingly. “How did they do this? By attacking one bank at a time, instead of using the stolen card information simultaneously across multiple card issuing banks as they typically have done in past card-skimming heists. The fraudsters sorted the stolen card data by BIN number (the first four digits of the 16-digit cardnumber), which told them which bank issued the card. They then figured out which banks to attack, one by one,” Litan wrote.

That also kept the number of affected banks small at any one time, thus avoiding another fraud-detection trigger. “By using this tactic, it took longer for the payment-card networks (i.e., Visa, MasterCard) to figure out the point-of-compromise, i.e., Michaels, as the fraudsters bypassed the normal network-level monitoring these firms perform by looking across banks and their fraudulent transactions,” Litan added.

But the one-bank-at-a-time approach ultimately was the thieves’ undoing. It was a local bank (not Visa or MasterCard) that noticed many of its customers who had been hit by fraudulent ATM withdrawals in California and Nevada had also shopped at Michaels with their debit cards, according to local news reports.

That’s why, initially, Michaels thought the PIN pad tampering was limited to the Chicago area—but it’s also why the chain started checking PIN pads in other stores, and eventually replaced POS hardware across the U.S. Visa and MasterCard, which would normally be the first to spot the fraud pattern, were on the sidelines this time.

For retailers, that’s something to worry about. The big card companies have the most experience—and the biggest budgets—for spotting patterns of card fraud. Smaller local banks would seem to be the least well-equipped to handle that job. But the new approach on the part of thieves drops that task squarely in their laps.

This could require a big shift in fraud-spotting resources for the card companies.


One Comment | Read Michaels’ Breach Fallout: Now It’s Up To Local Banks To Catch Card Fraud That Visa and MasterCard Miss

  1. Ernie Floyd Says:

    This raises the question of why are local banks and the Secret Service getting to the scene of the crime before the acquirers and the card brands. Not knowing all the specifics of how CAMS works, it is easy to imagine that the local bank issuers have a much lower threshold for reacting to reported fraud. They have to, considering they don’t have the fraud funds of larger national and regional banks. Local banks may also not be fully informed of what to do in the case of fraud and who to involve.

    In many of these cases, it is never determined how the hackers executed their crime, since forensic investigations don’t happen. While this is good for the merchant in avoiding a big expense, we aren’t able to learn from the breach to try to prevent it in the future.

    Just as level 4 merchants have been failed by the system, is the system failing smaller banks as well?


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.