Michaels Retailer Loses 3 Million Credit Cards

What is Brian Krebs looking at this week?  The newspapers and tech blogs usually turn to the former Washington Post reporter first, because he has a wide network of contacts who usually inform him of current security issues before anyone else.  So I look there too for news.

This week, as on many occasions in the past, there is news of a massive theft of credit card data.  This time it is the retailer Michaels, which lost 3 million credit cards.  I don’t say “stolen,” I say “lost,” because anyone still using magnetic-stripe card readers (i.e., most of America) has only themselves to blame for that.  Cards protected with a PIN or chip are worthless on the black market, because the card number by itself is not sufficient to make a purchase.  After the disaster at Target, that retailer is moving to the European and Latin American type of card readers, which are much more secure because they authenticate using a PIN or the chip on the card.

Michaels issued a press release that reads in part:

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms.”

The malware went undetected for about a year.  Michaels has hired two security firms to investigate the attack and remove the malware.  The company’s press release says “…we have received limited reports of fraud,” which suggests that, as in the Target case, credit card processors and banks must have correlated credit card fraud with people who had shopped at that retailer or its subsidiary Aaron Brothers in order to show that there was an ongoing attack there.
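The correlation described above is what card issuers call common-point-of-purchase analysis: take the cards that have been reported for fraud, look back through their purchase histories, and find the merchant whose customers are over-represented among them. The following is an added illustration of that idea, not code from Michaels, the banks or the security firms involved. The card and merchant identifiers and the purchase records are constructed, and the thresholds are assumptions; a real issuer would run this over millions of authorizations and use a proper statistical test rather than a plain lift ratio.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (hypothetical card and merchant identifiers).
# Each record is (card_id, merchant, purchase_date).
PURCHASES = [
    ("c01", "craft-store-A", date(2013, 5, 8)),
    ("c01", "grocery-B", date(2013, 5, 9)),
    ("c02", "craft-store-A", date(2013, 7, 14)),
    ("c02", "grocery-B", date(2013, 7, 20)),
    ("c02", "gas-C", date(2013, 8, 1)),
    ("c03", "craft-store-A", date(2013, 11, 2)),
    ("c03", "gas-C", date(2013, 11, 5)),
    ("c04", "craft-store-A", date(2014, 1, 20)),
    ("c04", "grocery-B", date(2014, 1, 22)),
    ("c05", "grocery-B", date(2013, 6, 3)),
    ("c05", "gas-C", date(2013, 6, 4)),
    ("c06", "grocery-B", date(2013, 9, 12)),
    ("c07", "gas-C", date(2013, 10, 1)),
    ("c07", "grocery-B", date(2013, 10, 2)),
    ("c08", "craft-store-A", date(2013, 9, 30)),
    ("c08", "grocery-B", date(2013, 10, 3)),
    ("c09", "gas-C", date(2013, 12, 15)),
    ("c10", "grocery-B", date(2014, 2, 1)),
    ("c10", "gas-C", date(2014, 2, 2)),
    ("c11", "grocery-B", date(2014, 2, 10)),
    ("c12", "gas-C", date(2014, 2, 11)),
    ("c13", "grocery-B", date(2014, 2, 12)),
    ("c13", "gas-C", date(2014, 2, 13)),
]

# Cards the issuer later received fraud reports on (constructed).
# c05 is ordinary background fraud not tied to any one merchant.
FRAUD_CARDS = {"c01", "c02", "c03", "c05", "c08"}


def rank_merchants(purchases, fraud_cards, min_cards=3):
    """Rank merchants by how over-represented their customers are among
    fraud-reported cards, expressed as lift over the population baseline.
    min_cards (an assumed threshold) drops merchants with too few cards
    to support any conclusion."""
    cards_by_merchant = defaultdict(set)
    for card, merchant, _ in purchases:
        cards_by_merchant[merchant].add(card)

    all_cards = {card for card, _, _ in purchases}
    baseline = len(all_cards & fraud_cards) / len(all_cards)

    ranked = []
    for merchant, cards in cards_by_merchant.items():
        if len(cards) < min_cards:
            continue
        compromised = cards & fraud_cards
        rate = len(compromised) / len(cards)
        ranked.append({
            "merchant": merchant,
            "cards": len(cards),
            "compromised": len(compromised),
            "rate": rate,
            "lift": rate / baseline if baseline else 0.0,
        })
    ranked.sort(key=lambda row: row["lift"], reverse=True)
    return ranked


def exposure_window(purchases, fraud_cards, merchant):
    """Earliest and latest purchase by a fraud-reported card at the suspect
    merchant: a rough bound on when the card data was being captured."""
    dates = [d for card, m, d in purchases if m == merchant and card in fraud_cards]
    if not dates:
        return None
    return min(dates), max(dates)


if __name__ == "__main__":
    for row in rank_merchants(PURCHASES, FRAUD_CARDS):
        print(f'{row["merchant"]:14s} cards={row["cards"]:2d} '
              f'compromised={row["compromised"]:2d} '
              f'rate={row["rate"]:.2f} lift={row["lift"]:.2f}')
    print("exposure window:", exposure_window(PURCHASES, FRAUD_CARDS, "craft-store-A"))
```

In the constructed data, craft-store-A is the only merchant whose fraud rate stands well above the baseline (4 of its 5 cards versus roughly 38% of all cards), while grocery-B and gas-C sit at about 1.0 lift because their compromised cards are just craft-store-A customers who also shopped there. The exposure window is what lets an issuer say "cards used at this merchant between these dates" when it notifies the merchant and reissues cards.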

The company, like Target, is offering affected customers a free credit monitoring subscription for a year.  As Brian Krebs points out, that is not of much use unless someone opens a card in your name; these thieves already have your card.  The victims here will be the banks, who pay for fraudulent charges, or the customers themselves, if the loss includes debit cards together with their PINs, since banks do not cover that kind of cash theft. (The company is not saying whether both were stolen.)

CNET says that the security researchers investigating this have not said what malware was involved, as also happened at Target.  That is bad practice, because if they revealed the details, other retailers could check their own systems.  The only thing that is known is that the malware was installed on POS terminals in the stores.  It is not known whether the malware was pushed out from a central location, which would allow it to affect many POS terminals at once, nor what security weakness it exploited.

In the past Michaels has been the victim of actual thieves tampering with the POS card readers to record card information.  Of course that kind of manually installed attack can only work on a small scale.