The PIN pad-tampering attack Michaels Stores Inc. revealed earlier this month is far more widespread than it originally believed, affecting at least 90 payment terminals in stores in 20 states, the retailer announced May 11.
The geographic reach of the intrusion suggests the work of a sophisticated organized-crime group, and it may serve as a wake-up call for merchants to take additional precautions to close other gaps that could allow PIN-pad tampering, Julie Conroy McNelley, a senior risk and fraud analyst at Boston-based Aite Group LLC, tells PaymentsSource.
“It is surprising that a large merchant like this was attacked, when most big merchants say they have taken steps to secure their terminals and are required to go through a great deal of security certification,” she says. “But it shows you that there are still a lot of gaps out there.”
The national crafts-supply retailer on May 5 began notifying customers that fraudsters had tampered with payment terminals in the Chicago area (
Michaels has since disabled and quarantined all suspicious PIN pads and has removed approximately 7,200 additional ones from its U.S. stores, the Irving, Texas-based company said in a press release. The company also expects to finish replacing PIN pads in all affected stores with upgraded terminals within the next 15 days.
As an additional precaution, Michaels said it also is screening all PIN pads in its Canadian stores.
Until it installs the upgraded PIN pads, the company said it is processing only credit and signature-debit transactions on store registers. The company did not return calls for further comment.
Besides 14 stores in the Chicago region, fraudsters tampered with PIN pads at stores in Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington, according to Michaels.
Dozens of consumers in Chicago, where the intrusion was first identified, reportedly have contacted police to report that funds has been stolen from their bank accounts after making a PIN-debit card purchase in recent months from Michaels stores in the region.
Michaels has not released further details, but the attack “has all the fingerprints” of an organized-crime ring, given the diverse regions involved in the attacks, McNelley says. “The shape of the attack suggests there were several operatives working at the same time.”
Though when the PIN pads were compromised and the type of devices that were affected has not been released, McNelley says there are numerous possibilities regarding the fraudsters’ strategy. (Stores in Arizona deploy PIN pads from VeriFone Systems Inc.)
“The path of fraud moves quickly, so it could be that while Michaels had PCI-certified terminals, fraudsters identified some vulnerabilities and exploited it very quickly to maximize their window of opportunity,” she says.
Advanced data-encryption systems that terminal makers and processors are beginning to distribute that often include tamper-resistant payment terminals may prevent fraudsters from capturing sensitive card data at the point of sale, some experts say (
But while advanced encryption of payment card data may represent another bulwark against fraud, many merchants have been reluctant to switch to new payment terminals because of the cost, which can run into the millions depending on the retailer’s size and scope, McNelley says.
“This incident will certainly serve as a wake-up call for some merchants who are going to be looking at how they can avoid being the next company in the headlines,” she says.
What do you think about this? Send us your feedback.
