This is page 2 of:
Michaels’ Breach Fallout: Now It’s Up To Local Banks To Catch Card Fraud That Visa and MasterCard Miss
This could require a big shift in fraud-spotting resources for the card companies. No doubt they’ll make some adjustments to the patterns they watch for, but the organizations best suited to watch for this type of bank-specific fraud are the banks themselves. And small banks seem to be the ones most likely to be targeted by thieves with this new tactic.
Or is it all that new? In April, a small Illinois bank warned its customers that their payment-card data may have been compromised by the Heartland Payment Systems breach in 2008. That could be just chance: fraudsters using a card number or two from the same small bank at the same time.
Then again, it could be that thieves figured out this sort-by-bank technique years ago, and card companies and banks are only now discovering they have to deal with it.
Of course, that clever one-bank-at-a-time tactic wouldn’t have worked at all if thieves hadn’t been able to tamper with the Michaels PIN pads undetected. That may be the most critical weak point—and it’s not getting any stronger.
For example, the U.S. Attorney’s office in New York City this week announced that four men had been indicted for installing skimmers on PIN pads at branches of Chase and Citibank in New York, Miami and Chicago. But they didn’t just allegedly sneak skimmers onto bank ATM machines. No, they’re also accused of disconnecting PIN pads at teller windows and replacing them with doctored PIN pads that would capture magstripe information and PINs and then transmit that data wirelessly to the thieves, who eventually used the numbers to steal at least $1.5 million from customer accounts.
Now that’s brazen. It also shouldn’t have been possible. As StorefrontBacktalk PCI Columnist Walter Conway pointed out last year after the Aldi grocery chain had its own multi-state rash of PIN-pad-based data thefts, the pads should be triggering a network activity alert the moment they’re disconnected.
But they didn’t. The teller-window PIN pads could apparently be easily and quickly removed without triggering any alarms. And apparently the banks didn’t audit the equipment regularly, either. According to the indictment, these thieves swapped out PIN pads right in front of tellers, and neither the humans nor the electronic systems caught them at it.
To retailers, it may seem like cold comfort that even big banks haven’t secured their PIN pads. As thieves keep getting cleverer, that’s going to be no comfort at all. Locking down PIN pads and monitoring them and auditing them is no longer an option—it’s a necessity. If you count on either Visa or banks to spot fraud, it’s already too late.
-Marc
June 10th, 2011 at 10:13 am
This raises the question of why are local banks and the Secret Service getting to the scene of the crime before the acquirers and the card brands. Not knowing all the specifics of how CAMS works, it is easy to imagine that the local bank issuers have a much lower threshold for reacting to reported fraud. They have to, considering they don’t have the fraud funds of larger national and regional banks. Local banks may also not be fully informed of what to do in the case of fraud and who to involve.
In many of these cases, it is never determined how the hackers executed their crime, since forensic investigations don’t happen. While this is good for the merchant in avoiding a big expense, we aren’t able to learn from the breach to try to prevent it in the future.
Just as level 4 merchants have been failed by the system, is the system failing smaller banks as well?