BOSTON/NEW YORK (Reuters) - Thieves who stole payment card data from Michaels Stores Inc appear to have used a new method to maximize their take, a prominent data security expert said.
Thieves apparently organized the scams they ran with stolen payment card numbers according to the banks that issued the cards, said Gartner Inc analyst Avivah Litan. By sorting the cards by their bank identification number, or BIN, the leading digits of a card number that identify the issuing financial institution, they were able to concentrate fraudulent purchases on cards issued by one bank at a time before moving on to the next, she said.
“They would knock the hell out of a bank. They’ve never done this before,” said Litan, who frequently consults with companies on security matters and said she has spoken with banking executives about the Michaels case.
“It’s not good news for the banks because they don’t have good armor against it,” Litan said.
Usually thieves do not distinguish among the banks that issued the cards, so the resulting fraud is spread across many financial institutions rather than concentrated at a few.
Litan added that the tactic might have given thieves more time to abuse the data, because not all banks would have wanted to call attention to the abuse.
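As an added illustration, not part of the Reuters report, the following is one check an issuing bank could run over its own confirmed-fraud reports to spot the issuer-by-issuer concentration Litan describes: a day on which a single BIN accounts for most of the reports stands out against the usual spread across issuers. The report dates and BIN prefixes are constructed placeholders, and the thresholds are assumptions a bank would tune to its own fraud baseline.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample fraud reports: (report date, 6-digit BIN prefix).
# The BIN values are placeholders, not real issuer ranges.
FRAUD_REPORTS = [
    # Day one: fraud spread thinly across several issuers (the usual pattern).
    (date(2011, 5, 9), "400001"), (date(2011, 5, 9), "400002"),
    (date(2011, 5, 9), "400003"), (date(2011, 5, 9), "400004"),
    (date(2011, 5, 9), "400001"), (date(2011, 5, 9), "400003"),
    # Day two: one issuer absorbs most of the fraud.
    (date(2011, 5, 10), "400002"), (date(2011, 5, 10), "400002"),
    (date(2011, 5, 10), "400002"), (date(2011, 5, 10), "400002"),
    (date(2011, 5, 10), "400002"), (date(2011, 5, 10), "400002"),
    (date(2011, 5, 10), "400001"), (date(2011, 5, 10), "400003"),
    # Day three: the concentration moves to the next issuer.
    (date(2011, 5, 11), "400004"), (date(2011, 5, 11), "400004"),
    (date(2011, 5, 11), "400004"), (date(2011, 5, 11), "400004"),
    (date(2011, 5, 11), "400004"), (date(2011, 5, 11), "400002"),
]


def bin_concentration_alerts(reports, min_reports=5, share_threshold=0.6):
    """Group fraud reports by day and flag each day on which one BIN accounts
    for at least share_threshold of that day's reports and at least
    min_reports in absolute terms (assumed thresholds).
    Returns (day, bin, count, share) tuples in date order."""
    by_day = defaultdict(list)
    for day, bin_prefix in reports:
        by_day[day].append(bin_prefix)

    alerts = []
    for day in sorted(by_day):
        counts = Counter(by_day[day])
        top_bin, top_count = counts.most_common(1)[0]
        share = top_count / len(by_day[day])
        if top_count >= min_reports and share >= share_threshold:
            alerts.append((day, top_bin, top_count, round(share, 2)))
    return alerts


if __name__ == "__main__":
    for day, bin_prefix, count, share in bin_concentration_alerts(FRAUD_REPORTS):
        print(f"{day}: BIN {bin_prefix} took {count} reports ({share:.0%} of the day)")
```

The share is measured against the same day's reports; a bank would normally compare it with its long-run fraud mix as well, since an issuer that dominates its own portfolio will dominate every day.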
Closely held Michaels, of Irving, Texas, a retailer selling crafts merchandise, first disclosed the breach on May 4 and urged customers to keep a close eye on their accounts to spot fraud.
Later it said the breach appeared to have lasted from Feb. 8 through May 6 and that unidentified parties had been able to tamper with some of the PIN pads that customers use to enter their secret codes when paying with cards at the cash register.
Michaels has said that fewer than 90 PIN pads, or about 1 percent of its total devices, were affected — but it also said it has removed another 7,200 PIN pads from its stores and will replace them.
Doug Marker, the retailer’s vice president of loss prevention, on Wednesday would not discuss the reasons for replacing so much equipment or say how old the devices are.
Data breaches remain a vexing problem for retailers and the banking system despite ongoing efforts by payment processing networks Visa Inc (V.N) and MasterCard Inc to guard against them.
The card processors have attempted to crack down on data breaches by requiring their partner retailers to upgrade their equipment more regularly. But both camps — and the banks that issue payment cards — are reluctant to take on the extra costs of upgrades and additional security.
“Companies often have to go to very extraordinary lengths to justify replacing their equipment in the field,” said Davi Ottenheimer, a payments security expert who works with the technology consultancy K3DES LLC.
“If you have a device that’s five years old, it probably doesn’t have the protections that it would need” to ward off fraud, he said.
Ottenheimer estimated that Michaels was likely facing tens of thousands or even hundreds of thousands of dollars in costs related to replacing the 7,200 PIN pads, including training employees to regularly check that the equipment has not been compromised.
Tom Chew, vice president of Hingham Institution for Savings (HIFS.O) and a security official with the Massachusetts Bankers Association, a trade group, said the bank has identified over 300 compromised payment cards so far.
That’s a smaller number than his bank faced in major breaches in the past such as those involving card numbers taken from TJX Companies (TJX.N) several years ago.
But in some ways the Michaels breach appears more serious, Chew said, as thieves found new ways to use the stolen data. His bank first began noticing unauthorized purchases cropping up in California and Las Vegas, far from the small bank’s home base in southeastern Massachusetts. Eventually thieves were also using stolen cards to make purchases of up to $600 from supermarkets, plus getting ‘cash back’ at the register.
“They were really ramping things up,” he said.
Chew said the charges will not affect the bank’s earnings.
Reporting by Ross Kerber in Boston and Maria Aspan in New York; Editing by Lisa Shumaker