Michaels Stores Investigating Possible Data Breach

tsu doh nimh writes "Michaels Stores Inc., which runs more than 1,250 crafts stores across the United States, said Saturday that it is investigating a possible data breach involving customer cardholder information. According to Brian Krebs, the journalist who broke the story [and, previously] news of the Target and Neiman Marcus breaches, the U.S. Secret Service has confirmed it is investigating. Krebs cited multiple sources in the banking industry saying they were tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc. In response to that story, Michaels issued a statement saying it 'recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.' In 2011, Michaels disclosed that attackers had physically tampered with point-of-sale terminals in multiple stores, but so far there are no indications what might be the cause of the latest breach. Both Target and Neiman Marcus have said the culprit was malicious software designed to steal payment card data, and at least in Target's case that's been shown to be malware made to infect retail cash registers."

Re:

[Anonymous Coward]

CONservatives vs LIEberals or REPTILEcans vs DEMONcrats; you make the call.

Re:

[Anonymous Coward]

Turning a Russian mafia crime scheme into an American political party debate. Do you both have any idea of how stupid you sound? This would not even be relevant if there was an actual difference between party A or party B, which time has shown there is none. Fine, go at each other's throats while your house burns down.

Re:

[CohibaVancouver]

Because social and infrastructure programs create an environment where capitalism can thrive - When you have a healthy, educated workface along with roads, airports, telecommunications and all the trappings of a modern society you create a scenario that, at its most basic level, creates a culture of people who can actually buy your stuff and at a more advanced level creates a place that fosters entrepreneurship.

There's a reason Germany has a surging economy and Somalia doesn't...

Re: This is because CONservatives...

[Anonymous Coward]

Because I worked damn hard for that money? Whose right is it for you to tell me what to spend it on?

Re:

[maharvey]

You have more than you need. I know because you have a computer and free time to post on Slashdot. Why aren't you donating 90% of your pay to hunger relief? Why don't you donate it to the Federal Government for healthcare? After all, failure to do so is murder. I guarantee they'll take your check! Don't know where to send it because you're too lazy to ask? Still murder. You could at least donate it to a local shelter. You don't need more than one set of clothes either. Or a car. You don't need the computer

Been there, seen it already

[c0lo]

This is because CONservatives... don't give a damn about security. They never have. They don't care about us peons that are their customers. I bet their upper management is celebrating how they've screwed-over the average Joe. Those GOPpers always enjoy that.

... and ...

the U.S. Secret Service has confirmed it is investigating

I know where this is leading. The attack will be likened to "9/11 on retail", and:
* the "Providing Appropriate Tools Required to Intercept and Obstruct Tampering of POS bill of 2014" - also know as "the PATRIOT-POS v2014 act";
* it will be required those POS-es be operated from behind reinforced doors, but since the retail industry will complain about the cost...
* ... the "Retail Security Agency" will be created under the DHS; it will buy and operate (on public funds, of course), "nude scanners

Re:

[Dunbal]

You're in the right direction but not thinking radically enough. The US will want all financial transaction data everywhere. Cos, you know, "terrorists". Go on, let Uncle Sam into your wallet. Surely you have nothing to fear if you have nothing to hide, citizen. Oh by the way we've noticed you have too much money, more than your "fair share". Somewhere buried in the 13,000 odd pages of US tax code there's something you or your accountant missed, your money is ours now. Hand it over quietly and maybe we don'

Re:

[bondsbw]

And at the end of the day, it's always... ALWAYS... about those in power vs. those who are not.

Those in power love those who aren't to be fighting internally over conservative vs. liberal issues. Those in power know it's important to appear to be hostile towards each other, but when the TV cameras are off you'll find them sleeping in the same bed.

Credit cards

[Anonymous Coward]

Way too easy to commit fraud. Pay cash for small purchases. And stop giving stores your name for loyalty cards or marketing

Re:Credit cards

[Nerdfest]

I'm not even sure that will help. These guys have proven that they're quite ... crafty.

Re:

[pspahn]

The main reasons for storing CC information is to handle recurring payment services (subscriptions) or to have a method for refunding a customer without requiring them to enter all their information again.

Re:Credit cards

[cusco]

In the case of Target and Michaels it's the latter. You have up to 90 days to return some merchandise at Target, and the entire transaction record will be stored for that long and then dumped.

Having said that, the AC somehow seems to have completely missed every article that even dips a toe into the technical details of the attacks. It's a RAM scraper, not a database capture, that is picking up the transaction. The POS terminal only stores the transaction for the amount of time it takes to contact the credit card company and get approval, and that's all the time necessary to carry out that type of attack.

Chip & Pin

[beelsebob]

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Re:

[khasim]

This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

Maybe, maybe not. Criminals usually take the easiest way into a system. So replacing one flawed system may be sufficient. Or there might be more flawed implementations at their data center.

I think the real issue here is how the companies seem to have no idea how to do computer security.

Re:

[fuzzyfuzzyfungus]

Are you saying that passing your PCI compliance testing isn't all the computer security you need to do?

Re:Chip & Pin

[binarylarry]

Unfortunately, it looks like Target and Michaels went with ISA compliance testing instead :(

Re:

[TheGratefulNet]

and the IRQ jumpers are all wrong, too!

Just wait

[ArchieBunker]

As soon as the cost of chip and pin is less than the cost of security breaches they will switch. My US credit cards have problems in Canada now because everything there expects chip and pin.

Re:

[Anonymous Coward]

Do you even know how smart cards work? I'll summarize it for your lazy ass since you cannot be bothered to educate yourself: you upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys

Re: Just wait

[TheloniousToady]

For those of you who don't see Anonymous Coward posts, here's some good info about how smart cards work from the AC parent:

You upload details of a transaction to the smart card which signs that specific transaction with a unique, card specific key that cannot be (cost effectively) read without destroying the card. This changes the economics of hacking credit card transactions greatly, meaning the average hacker would rather give up and get a day job than waste the effort required to obtain the secret keys guarding a significant number of credit cards.

Re:

[beelsebob]

Some one is going to have to explain how chips are more secure than a mag strip. If it can be read it can be copied.

It can't be read. It can only be queried. You give it an input, it gives you an output.

In the same way as you can't get from a hash (the output) to the actual stored contents, you can't get from the output of a credit card chip, to the stored contents of the chip.

Re:

[Dunbal]

You are trying to secure something that is inherently insecure. Currency is not art. It is DESIGNED to be given to someone else. That's its function. Be it a coin or a cheque or a magnetic strip or a bunch of TCP/IP packets, there will always be a way to hijack currency simply because currency has to move from person A to person B. All you need to do is figure out how to stand between them. Theft is the ultimate "man in the middle".

Re:

[Hamsterdan]

The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

(Royal Bank of Canada)

Re:

[Mashiki]

Yeah that's not legal in Canada, just a FYI. The feds cracked down hard on them for trying that one. Doubly true since there are now chip skimmers out there that can duplicate the chip. Though they're very rare at the moment. Even with that, you'll find that most of the banks in Canada are now partnering with either Visa or MC for loss coverage on chip&pin cards.

Re:

[Hamsterdan]

Not legal to have the customer eat the losses? I'll have to look further into it, I already contacted the ombudsman about that. Does it apply to ATM cards or just credit cards?

Re:

[ScentCone]

The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.

Re:

[Rich0]

The chip is not there to protect customers interests. It's there so the store (or bank in my case) can say: Nope, your card wasn't copied, the chip was used at the ATM.

And being able to know that and prevent use of a cloned card IS in the customer's interest. You're making it sound like those two things are mutually exclusive.

Well, the chip doesn't guarantee that it wasn't cloned. It just guarantees that if it was cloned it becomes the consumer's problem. It also makes it much harder to clone.

Re:

[Hamsterdan]

That's my point. Their argument is since the card was used with the chip, and that it can't be cloned (not entirely true), it's *my* problem, not theirs. So, as you said, it's a way to put the losses on the customer.

Re:

[Solandri]

As soon as the cost of chip and pin is less than the cost of security breaches they will switch.

That's just it. The credit card companies have shifted the cost of fraud to the merchants, so chip and pin will probably never be cheaper than the cost of a security breach to them.

That's the real fundamental problem here. The credit card companies have made the merchants pay for fraud, and the merchants have no leverage to improve the security of credit card machines or networks. Heck, most merchants don'

Re:

[Dunbal]

Cost of breaches? My dear sir, haven't you noticed that banks are now too big to fail? There is no cost to anything for a bank. If there is a cash flow problem simply go talk to uncle Ben and he'll hand you another few interest free billions - much easier than actually having to work (gasp) for your money. Consequences are for the little guy. When he gets in trouble we buy him up cheap. But seriously do you know how HARD it would be to actually secure the network? It's not like the card holder is responsibl

Re:

[Muad'Dave]

Bank Of America is planning to support [bankofamerica.com] Chip & Signature [wikipedia.org], not chip & PIN.

Re:

[Bite The Pillow]

If Chip & Pin were the answer, the financial incentives of having it in place would make it the obvious choice.

Clearly externalizing loss to the merchants and consumers is financially more attractive. And there's your answer to "Why?" No need for useless rhetoric because there is a simple answer.

If you want a more complicated answer, the merchants basically have no say and the consumers don't care, so the issue rarely gets pushed.

Re-wiring all of the point-of-sale machines would be a major expense, ev

Re:

[Mashiki]

The US banks have waffled on it for nearly 6 years and getting terminals upgraded. We've been fully chip & pin in Canada for that long now, and if you're wondering why it hasn't been done it's because the cost of upgrading millions of terminals is expensive.

Re:

[Dunbal]

Yeah those poor banks, only earning an up to 3% "cut" of every single transaction, billing most of their customers for regular "transaction" fees, hardly paying out interest at all to savers, getting money for free from the government (because you know, they're too big to fail) and charging their debtors usurious interest. Poor, poor banks. Changing the terminals is so EXPENSIVE.

Seriously, they pass a regulation saying all terminals must be changed by x date and surprise, you the merchant are going to hav

Would Chip and Pin Have Prevented This?

[raftpeople]

The data was stolen from the POS device's ram during the brief amount of time it was there. Would Chip and Pin prevent using any of that data later on? Seems like the pin would have to be in mem at some point also, but I don't really know.

Re:

[beelsebob]

Yes, it would. The pin is given to the chip without it ever interacting with firmware or RAM (it's transmitted from keypad to chip).

Even if that weren't so though, the terminal never knows what account is processing the transaction. It simply sends the transaction details to the chip, which produces a signed transaction (with the pin, and some secured data stored on it). The signed transaction is sent to the bank, who can then use it to extract money from the correct account.

Re:

[Rich0]

Yeah, I'd think they could steal the PIN, or tamper with the amount of the current transaction, but they couldn't actually create new transactions without having the chip present.

I think a better design would be putting the keypad and display on the card itself as that eliminates just about every way to tamper with a transaction I can think of, but as long as each transaction is individually signed and the chip throttles signature requests (one per insertion/removal) then the potential for abuse is pretty l

Re:

[EvilSS]

October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.

Re:

[Rich0]

October 2015. At least the Chip part. The PIN part will be optional (unfortunately). The national retailer association wants it to be mandatory but MasterCard and Visa don't for some reason.

Mastercard and Visa get paid by the transaction I imagine. They really don't care if they're legit or not - if they aren't then the members of the national retailer association pay the bill. I can't imagine why there is a difference of opinion... :)

Re:

[pcr_teacher]

Chip and Pin has already been comprimised in the wild:

http://www.telegraph.co.uk/new... [telegraph.co.uk]

Re:

[rfunches]

Chip and Pin has already been comprimised in the wild:

http://www.telegraph.co.uk/new... [telegraph.co.uk]

Nothing in the article states that the fraudulent charges were run as Chip+[Sig/PIN] transactions, though. They were processed in a way that bypass the chip:

1. 1) Card not present transactions (mail/phone/internet)
2. 2) Cloned magstripe-only card on a non-chip terminal (I had a chipped Visa fraudulently used in the US with this method)
3. 3) Same as #2 but with a PIN at a merchant terminal for cash back or at an ATM for cash withdrawal or advance

I've yet to hear of a case where a fraudulent chip transaction came fro

Re:

[plover]

The Vasco DIGIPASS device is a small smart-card reader that resembles a pocket calculator. It allows the cardholder to insert their card, enter the transaction details, and produce a one-time authorization code that can be entered into a web page (like a CVV2 code, but cryptographically secure.) It's a sealed device that is electrically air-gapped from everything apart from the batteries and the card, so it is unhackable from on-line threats. Such devices are used to secure on-line banking transactions.

Re:

[Rich0]

But there's still the issue of card not present transactions. Until you find a viable solution for that, the scammers will always have an avenue for fraud.

I'd put the console on the card itself (keypad and small LCD display). Then I'd include USB and acoustic modem interfaces. Now you can handle card not present just fine. The "card" would cost more, but it would make sense to make it a generic device that can support any number of payment accounts. It could still be easily pocket sized - probably smaller than a PCMCIA card.

Re:

[badzilla]

Chip and PIN has seen widespread use for years now and would probably stop this kind of attack. Remember you have hardware-based encryption happening not only in the card reader but also in the card itself. An amazing amount of crypto happens at step one just so that the card can satisfy itself that it is indeed inside a valid reader. Then some more so that the reader can be confident it has a real card. Once all the authorisation and monetary amounts are complete then the reader finally dumps out an encryp

No Chip & Pin? Carry Cash.

[!-!appy_!!arnian]

Until chip and pin, I guess I'll have to carry cash. That waitress at the restaurant taking my card and coming back with it a few minutes later - has always unnerved me.

Re:

[elistan]

Seriously... Why have the US banks not rolled Chip & Pin out yet? This wouldn't be an issue if they had, and it's almost certainly costing them a lot more in refunded transactions than a roll out would have.

It's not costing the banks anything - the costs of the refunded transactions are the responsibility of the merchants. I don't see any financial incentive for banks to do anything different. It'll have to be either a legal regulation or a consumer backlash, and I don't see either happening right away.

Re:

[pspahn]

You might not, but the rest of us have mothers, aunts, sister-in-laws, girlfriends, wives, daughters (and all their male counterparts in some cases) that require us to shop at Michael's at least once a year. Typically around either the first week or two of May, or in the few days running up to Dec. 25.

There was a time, though, that Michael's was a fun place to shop. If you didn't have a Hobby Lobby or the like, it was the best place to buy model rockets and the like.

Point of Sale Network Access

[Luthair]

There is an easy solution to this problem - don't put point of sale systems on a network with external access. At the minimum one should limit the network addresses these systems are allowed to access.

Re:

[beelsebob]

Who says external access was required?

Re:

[Luthair]

If network access isn't required then all of these PoS attacks are either inside jobs or involve break-ins which hasn't been indicated for any of them.

Re:

[penix1]

Are they held responsible for any problems and costs with their carelessness?

They sure are... Have you been in a Target since their breech? It is a ghost town in the one here.

Re:

[Jah-Wren Ryel]

They sure are... Have you been in a Target since their breech? It is a ghost town in the one here.

Sounds like it was a ghost town before the breach too. In my case, I've been to the nearest store about a dozen times and it has been no different than before the news broke. I always use cash so it made no difference to me.

Re:

[NonSequor]

Target has a system where you can return anything without a receipt if you can show the credit card the item was purchased with. Plus Target makes heavy use of data to track customers. Not that that's a good thing.

I would have to guess that Target views these things as strategic advantages over their competitors and they may have a culture which views IT infrastructure only as a means to further develop these advantages. In that kind of environment, "what we can do if we hold onto this data" is going to tru

Re:

[TheGratefulNet]

I've had the receipt for the few times I've had to return things at target.

I was amazed how fast it can be done. from when you get to the counter with your item to the time you leave, its often less than 1 minute, sometimes as short as 10 seconds. I kid you not! I've never seen anything like that before. walk in, 10 seconds and you're out.

gotta give them credit for how fast they can process returns, assuming you have the receipt and your credit card or license (the magstrip does speed things along).

Re:

[TwoBit]

That's not how the hack worked. The hackers had software on the POS machines that read the RAM of the machines and when the card info was briefly in RAM during the transaction the hackers grabbed it.

A better question is one of why these POS machines don't have a more locked down OS that allows only signed processing from running. XBox, Playstation, and iPhone have been doing this successfully for years, so surely commercial POS machines could.

Re:

[cusco]

It's a RAM scraper attack on the POS machines, not a database dump off the mainframe. It's hard to believe that people don't know the difference. Oh, you're too dumb/lazy to actually figure out how to log in with an account, I guess that explains it.

Re:

[plover]

There's an even easier solution: don't store cardholder information in a database

There is no need to save credit card numbers, expiration dates, CVV2 codes, and personally identifiable information once the authorization of charge has been obtained. None whatsoever.

Getting an auth code means you're getting your money. You don't need to store my entire credit card number.

Go read the analysis of the BlackPOS malware at Krebs. He says that the attack that hit Target was done with a RAM scraper. It wouldn't matter if Target stored the data or not, or if they used SSL or not, the malware read the card data as soon as it was in the memory of the register.

Re:SCADA is next

[Billly Gates]

Sadly until breaches like this occur the more MBAs will listen to those annoying cost centers and view them with value and listen. Reason they are on internet is because the suits said so and the accountants whined about having real time access.

Maybe if congress is involved they can make regulation requiring secure operating systems with ASLR which scramble ram. Windows 7 and MacOSX have it and I think can support it via a patch with 3.0 or higher. Crosses fingers for redhat 7.Also POS equipment is SUPPOSED

Time for TECH / IT UNIONS

[Joe_Dragon]

So the tech workers have the power to get stuff done and the MBAs take the blame for there mess ups.

Re: Point of Sale Network Access

[Anonymous Coward]

As someone who worked in one of Targets data centers, I can assure you those cash registers did not have direct internet access.

From what I read the hackers gained access to a server which they then setup an ftp server on. A netbios share was activated at a certain time of the day and information was then sent to that ftp server.

Easy one to catch

[formfeed]

Put a block on your card to issue a warning as soon as someone buys anything with your credit card other than scrap-booking supplies or boxed wine.

Re:

[rueger]

Damn. You had me right up to "boxed."

Chip/PIN

[Gigadafud]

Are there any credit cards in the US that actually offer the "newer" CHIP/PIN cards? I am also assuming that the readers have to recognize these cards as well.....

Re:

[WindBourne]

nope. BUT, in light of the money lost on Target, I am guessing that is about to change.

Re:

[wkk2]

I asked Chase and they didn't seem to know what I was talking about. Citi was able to replace my card with a chip/pin card. Get one before you travel or you might need to leave your stuff a a restaurant while going to an ATM.

Re:

[Muad'Dave]

Bank of America is doing Chip & Signature [bankofamerica.com].