 |
| A typical Michaels retail store |
Another credit card security breach again. If you happened to shop at any of the Michaels local stores recently that are located at the following states, your credit transactions may have been compromised:
Illinois, Colorado, Delaware, Gerogia, Iowa, Massachussets, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Pennsylvania, Rhode Islands, Utah, and the State of Washington.
Few days ago, many Michaels' stores have found have been hacked on their PIN readers/Credit Card readers at checkout. The Texas-based arts and crafts supplier has determined that the hacked could have been perpetuated between February 8 through May 6 according to the latest law enforcement investigation. The hack was initiated from PIN pads that are attached to credit card readers where customers use to key in their personal identification numbers upon checkout.
These scam artists were able to steal credit card information including personal PINs. The first discovery of the breach was at a Michael stores in Salt Lake City and Midvale in Utah. As a result, the arts supplier has removed more than 7,200 PIN pads from all its US stores.
I got interested with the story not only because the company is a customer of RGIS LLC, but because I wanted to know how in the world one can hack PIN pads in a busy store at busy checkouts. What is their modus operandi? Was there any collusion between scammers and employees?
Honestly, the trick is quite simple, but with calculated risk.
 |
| A VeriFone PIN pad and Credit Card reader combo. Image courtesy of VeriFone. |
FIRST, there was a careful planning. These criminals pose as legitimate customers of Michaels. At checkout, they then observe several things such as the models/make of Michaels PIN pads, standard cable connectors, etc. Since many Michaels art products sell in less than a dollar range, they can come back as many times as they want and master how the plan works, how many seconds would it take to deinstall and reinstall a new PIN reader, when is the best time to to do it, and how to do it clandestinely without much effort and detection.
SECOND, scheduled activity. Scammers come back in packs of two or three posing as customers not knowing each other. The first act as the customer/installer, the second as a legitimate buyer, the third as customer/distractor. While the second or third scammer busy distracting the unsuspecting cashier with questions related to their purchase, it will take no more than 10 seconds for the first buyer to unplug the old PIN reader and replace it with a reprogrammable RFID chip when the PIN pad is not in use.
THIRD, leave without a trace. After a successful installation, scammers leave the store. Since many newer PIN reader models have built-in RF chips (meaning, it can read your RF-enabled credit card), scammers can easily install PIN readers with a reprogrammed chip. But just outside the store, with the use of a laptop, high frequency RF proximity scanner, and a customized software, they were able to monitor/ skim credit card transactions complete with PIN numbers for the installed compromised PIN reader from a vehicle within dozens feet away from the store.
 |
| A typical PIN Reader with a bult-in RF technology. Photo Courtesy of VeriFone. |
That is the basic idea of a detectionless PIN reader skimming. But you know it is illegal, right?
Poor Michaels. But how many times I've heard from credit card companies, from POS solutions providers and software vendors that their systems are secured, and reliable. But when things are happening on the contrary, you realized that they themselves need some serious reality check.
For more information on RF-enabled smart cards, read my previous post on RF technology and The ABC of Hacking
Cheers!
You May Like These:
Banks need to move over to Chip and PIN technology. RFID or Magstripe is insecure and putting our financial infrastructure at risk.
ReplyDeleteIt will also tell you when it is time to change your brushing direction and all the other
ReplyDeletethings that those LCD's used to do. The electric toothbrush can help remove the bacteria more easily from your mouth and the sanitizer can help keep the bacteria from consistently infecting you over and over again. If yours does not and your bristles tend to wear out quickly, ask your dentist to show you the proper pressure you should be using while brushing your teeth.
My web blog: Best Electric Toothbrushes
Also see my website: electric toothbrush reviews
My coder is trying to persuade me to move to .net from PHP.
ReplyDeleteI have always disliked the idea because of the costs. But he's tryiong none the less. I've been using WordPress
on various websites for about a year and am concerned about switching to another platform.
I have heard very good things about blogengine.net. Is there a way I can transfer all my wordpress content
into it? Any help would be greatly appreciated!
Also visit my blog post :: www.gloriouslinks.com