Early last week, a story appeared in the Chicago Tribune about scores of customers of the Michaels Arts & Craft Stores complaining that their debit cards were being used to make unauthorized withdrawals. The article said that numerous customer debit cards were being charged $503 at out-of-state ATMs: a $500 withdrawal plus a $3 ATM fee. The transactions were frequently taking place in California.
Michaels suspected that thieves had somehow tampered with the PIN pads used at checkout, but the company was not certain. The Tribune story reported that Michaels also did not know how much money had been stolen from its customers.
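The pattern in the first paragraph (a $500 withdrawal plus a $3 fee at an ATM far from the cardholder's home) is exactly the kind of signature an issuer's fraud team uses to work backwards to the compromised merchant: collect the cards showing it, look at where each of them was swiped in the preceding weeks, and find the location they have in common. The following is an added example of that "common point of purchase" analysis, not Michaels' or any bank's actual tooling; the transaction records, store numbers, card tokens and the 60-day lookback are all constructed for illustration.

```python
"""Common-point-of-purchase (CPP) analysis over constructed card transactions.

Added illustration, not code from the original post.  Cards that show the
cash-out signature (an out-of-state ATM withdrawal of $500 plus a $3 fee)
are treated as victims; the point-of-sale history of each victim in the
weeks before the cash-out is then tallied, and merchant locations are
ranked by how many victims share them relative to how many cards in the
whole population use them.  A ubiquitous merchant is shared by everyone
and so scores a lift near 1.0; the compromised terminal stands out.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    card: str          # tokenised card identifier, never a raw PAN
    when: datetime
    kind: str          # "POS" or "ATM"
    merchant: str      # e.g. "Michaels #0123" (constructed store numbers)
    state: str         # two-letter US state where the transaction occurred
    amount: float


def is_skim_cashout(txn: Txn, home_state: str,
                    withdrawal: float = 500.0, fee: float = 3.0) -> bool:
    """True for an out-of-state ATM withdrawal matching the $500 + $3 pattern."""
    return (txn.kind == "ATM"
            and txn.state != home_state
            and abs(txn.amount - (withdrawal + fee)) < 0.005)


def find_victims(txns, home_states):
    """Map card -> timestamp of the earliest cash-out matching the pattern."""
    first_hit = {}
    for t in sorted(txns, key=lambda t: t.when):
        if t.card not in first_hit and is_skim_cashout(t, home_states[t.card]):
            first_hit[t.card] = t.when
    return first_hit


def common_point_of_purchase(txns, home_states, lookback_days=60):
    """Rank merchants by victims who used them in the window before cash-out.

    Returns (merchant, victim_count, lift) tuples, best candidate first, where
    lift = share of victims at the merchant / share of all cards at the merchant.
    """
    victims = find_victims(txns, home_states)
    if not victims:
        return []
    window = timedelta(days=lookback_days)
    victim_cards = defaultdict(set)   # merchant -> victims who swiped there
    all_cards = defaultdict(set)      # merchant -> every card that swiped there
    for t in txns:
        if t.kind != "POS":
            continue
        all_cards[t.merchant].add(t.card)
        cutoff = victims.get(t.card)
        if cutoff is not None and cutoff - window <= t.when < cutoff:
            victim_cards[t.merchant].add(t.card)
    n_cards, n_victims = len(home_states), len(victims)
    ranked = []
    for merchant, cards in victim_cards.items():
        victim_share = len(cards) / n_victims
        population_share = len(all_cards[merchant]) / n_cards
        ranked.append((merchant, len(cards), round(victim_share / population_share, 2)))
    ranked.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return ranked


# --- constructed sample data (assumption: eight IL cardholders, one bad store) ---
BASE = datetime(2011, 4, 1)
HOME_STATES = {f"card{i}": "IL" for i in range(1, 9)}


def _constructed_sample():
    txns = []
    for i in range(1, 9):  # everyone uses a ubiquitous merchant
        txns.append(Txn(f"card{i}", BASE + timedelta(days=i), "POS", "BigBox #1", "IL", 42.10))
    for i in range(1, 6):  # cards 1-5 swipe at the compromised store, then get cashed out in CA
        txns.append(Txn(f"card{i}", BASE + timedelta(days=2 + i), "POS", "Michaels #0123", "IL", 27.35))
        txns.append(Txn(f"card{i}", BASE + timedelta(days=30 + i), "ATM", f"ATM-CA-{i:04d}", "CA", 503.00))
    # a clean store visited by one victim and one non-victim
    txns.append(Txn("card3", BASE + timedelta(days=4), "POS", "Michaels #0456", "IL", 15.00))
    txns.append(Txn("card7", BASE + timedelta(days=4), "POS", "Michaels #0456", "IL", 15.00))
    # a legitimate in-state $503 withdrawal must not be flagged
    txns.append(Txn("card6", BASE + timedelta(days=20), "ATM", "ATM-IL-0001", "IL", 503.00))
    return txns


SAMPLE_TXNS = _constructed_sample()

if __name__ == "__main__":
    for merchant, count, lift in common_point_of_purchase(SAMPLE_TXNS, HOME_STATES):
        print(f"{merchant:16s} victims={count} lift={lift}")
```

On the constructed data the compromised store and the big-box merchant are both used by all five victims, so the raw count alone cannot separate them; the lift (1.6 versus 1.0) does, because every non-victim also shops at the big-box store. In practice the lookback window should be bounded by how long the skimmer is believed to have been in place, and the input must be tokenised card data rather than PANs.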
At the time, the fraud appeared to be localized to the 35 Chicago-area Michaels stores, the company's press release (PDF) stated. The chain, based out of Irving, Texas, has 1,045 stores operating in 49 states and Canada.
Well, on Tuesday of this week, Michaels announced that it had discovered that 90 PIN pads in 80 stores in 20 states had indeed been tampered with. The list of individual Michaels stores and states where the tampering took place can be found here (PDF). Apparently 14 of the 35 Chicago area stores were involved. In addition, the company's latest press release (PDF) states:
"Suspicious PIN pads were disabled and quarantined immediately. Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its US stores."
The company is also examining the PIN pads used at its Canadian stores for signs of tampering.
Michaels naturally tried to play down the breach in its press release ("Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores...") but the geographic breadth of the tampering is a bit unusual. The largest incident that I know of that is similar in nature is when customers' debit/credit cards used at the Aldi grocery store chain in 11 states were skimmed last year. Anyone know of one larger?
Usually skimming involves an individual store, restaurant or gas station, or a couple of bank ATMs, or at most several stores in an area, like what happened to McDonald's in Perth, Australia a few years ago. In the latter case, some A$5 million was skimmed from at least 4,000 customer accounts by what was later identified as an international organized crime syndicate.
A Chicago Tribune story from yesterday said that one way so many PIN pads might have been tampered with is that the thieves could have posed as keypad repair contractors and then been given access to the PIN pads by an unknowing employee. Once they gain access, the Tribune says, they can "... swap existing pads for ones that record account numbers from the magnetic stripe as well as PIN codes from the keypad. Once loaded with card data, the swipe device then could broadcast the information via a cellular network to waiting fraudsters."
Given the number of states involved, either those phony repairmen spent most of their time driving from state to state, or there is a fairly sizable group of criminals involved.
I suspect that Michaels and the police in several states are scrambling to see whether store security cameras recorded any unauthorized PIN pad repairmen. I also suspect that employees are being sternly instructed to check with the main or regional office to determine whether any PIN pad repairmen who show up at their store are legitimate.
How much money has been taken and how many customers have been hit will take a while to sort out.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.