Saturday, May 14, 2011

Michaels Stores' Checkout Terminals Hacked

A typical Michaels retail store

Another credit card security breach. If you happened to shop recently at any Michaels store in one of the following states, your credit card transactions may have been compromised:

Illinois, Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Pennsylvania, Rhode Island, Utah, and the State of Washington.

A few days ago, many Michaels stores were found to have had the PIN pads/credit card readers at their checkouts tampered with. According to the latest law enforcement investigation, the Texas-based arts and crafts supplier has determined that the hack could have been carried out between February 8 and May 6. The attack started from the PIN pads attached to the credit card readers, which customers use to key in their personal identification numbers at checkout.

These scam artists were able to steal credit card information, including personal PINs. The breach was first discovered at Michaels stores in Salt Lake City and Midvale, Utah. As a result, the arts supplier has removed more than 7,200 PIN pads from all its US stores.

I got interested in the story not only because the company is a customer of RGIS LLC, but because I wanted to know how in the world one can hack PIN pads at busy checkouts in a busy store. What is their modus operandi? Was there any collusion between scammers and employees?

Honestly, the trick is quite simple, but it carries a calculated risk.

A VeriFone PIN pad and credit card reader combo. Image courtesy of VeriFone.

FIRST, careful planning. These criminals pose as legitimate Michaels customers. At checkout, they observe several things, such as the make/model of Michaels' PIN pads, the standard cable connectors, etc. Since many Michaels art products sell for less than a dollar, they can come back as many times as they want and work out how the plan will go: how many seconds it takes to remove a PIN reader and install a new one, when the best time to do it is, and how to do it clandestinely without much effort or risk of detection.

SECOND, scheduled activity. Scammers come back in groups of two or three, posing as customers who do not know each other. The first acts as the customer/installer, the second as a legitimate buyer, and the third as the customer/distractor. While the second or third scammer is busy distracting the unsuspecting cashier with questions about their purchase, it takes the first no more than 10 seconds to unplug the old PIN reader and replace it with one carrying a reprogrammable RFID chip, while the PIN pad is not in use.

THIRD, leave without a trace. After a successful installation, the scammers leave the store. Since many newer PIN reader models have built-in RF chips (meaning they can read your RF-enabled credit card), scammers can easily install PIN readers with a reprogrammed chip. Then, just outside the store, using a laptop, a high-frequency RF proximity scanner and customized software, they were able to monitor/skim credit card transactions, complete with PINs, from the compromised PIN reader while sitting in a vehicle dozens of feet away from the store.


A typical PIN reader with built-in RF technology. Photo courtesy of VeriFone.

The idea that these scammers posed as repairmen does not fit this case: to do that, you would need to look like a repairman, with tools, equipment, uniforms and all that, not to mention that you would first need clearance from the store manager before any repair could begin, which is not something they would want. The fewer people who notice your activity, the better your chances.

That is the basic idea of undetected PIN reader skimming. But you know it is illegal, right?
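Since the whole scheme rests on a pad being swapped in seconds without anyone noticing, the practical counter on the store's side is a routine lane audit that compares what each pad reports against what was registered when it was installed. The following Python script is an added example, not code from the original post or from Michaels or VeriFone; the inventory and polling data model, field names, sample values and the disconnect threshold are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Lane:
    """A PIN pad as registered in the retailer's inventory (assumed model)."""
    store: str
    lane: int
    serial: str    # serial recorded when the pad was installed
    fw_hash: str   # firmware hash recorded at install time

@dataclass
class Poll:
    """What the pad on that lane reports now (assumed polling format)."""
    store: str
    lane: int
    serial: str
    fw_hash: str
    disconnects: int   # cable disconnect events since the last poll

def audit(inventory, polls, max_disconnects=0):
    """Return (store, lane, reason) for every lane whose live pad differs
    from its registered record or has been unplugged during trading."""
    registered = {(r.store, r.lane): r for r in inventory}
    findings = []
    for p in polls:
        rec = registered.get((p.store, p.lane))
        if rec is None:
            findings.append((p.store, p.lane, "unregistered lane"))
        elif p.serial != rec.serial:   # a different physical unit answered
            findings.append((p.store, p.lane, f"serial changed {rec.serial}->{p.serial}"))
        elif p.fw_hash != rec.fw_hash:  # same unit, altered firmware
            findings.append((p.store, p.lane, "firmware hash mismatch"))
        elif p.disconnects > max_disconnects:  # reseated cable: a swap window
            findings.append((p.store, p.lane, f"{p.disconnects} disconnect(s) during trading hours"))
    for store, lane in registered.keys() - {(p.store, p.lane) for p in polls}:
        findings.append((store, lane, "pad not responding"))
    return sorted(findings)

# Constructed sample data for one store: lane 2 answers with a serial that
# was never registered, lane 3 was unplugged twice but is still the same unit.
INVENTORY = [Lane("SLC-01", 1, "VF-1001", "a1"),
             Lane("SLC-01", 2, "VF-1002", "a1"),
             Lane("SLC-01", 3, "VF-1003", "a1")]
POLLS = [Poll("SLC-01", 1, "VF-1001", "a1", 0),
         Poll("SLC-01", 2, "VF-9999", "a1", 1),
         Poll("SLC-01", 3, "VF-1003", "a1", 2)]

if __name__ == "__main__":
    for finding in audit(INVENTORY, POLLS):
        print(finding)
```

A lane that stops answering is reported too, since a pad pulled from its cable looks the same to the POS as one being swapped.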

Poor Michaels. But how many times have I heard from credit card companies, POS solution providers and software vendors that their systems are secure and reliable? When the opposite happens, you realize that they themselves need a serious reality check.

The arts supplier is closely monitoring fraudulent transactions with the credit card companies while advising all its customers to take precautionary measures. So, if you live in one of the states I just mentioned and need to buy supplies for your next quilting, embroidery or art project, for yourself or for your kids, from your local Michaels store, I suggest that you pay with cash...for now.

For more information on RF-enabled smart cards, read my previous posts on RF technology and The ABC of Hacking.


Cheers!




3 comments:

  1. Anonymous, May 22, 2011

    Banks need to move over to Chip and PIN technology. RFID or Magstripe is insecure and putting our financial infrastructure at risk.

  2. It will also tell you when it is time to change your brushing direction and all the other
    things that those LCD's used to do. The electric toothbrush can help remove the bacteria more easily from your mouth and the sanitizer can help keep the bacteria from consistently infecting you over and over again. If yours does not and your bristles tend to wear out quickly, ask your dentist to show you the proper pressure you should be using while brushing your teeth.

    My web blog: Best Electric Toothbrushes
    Also see my website: electric toothbrush reviews

  3. My coder is trying to persuade me to move to .net from PHP.
    I have always disliked the idea because of the costs. But he's trying none the less. I've been using WordPress
    on various websites for about a year and am concerned about switching to another platform.
    I have heard very good things about blogengine.net. Is there a way I can transfer all my wordpress content
    into it? Any help would be greatly appreciated!

    Also visit my blog post :: www.gloriouslinks.com


Everyone is free to comment. Currently, comments are not moderated from this blog. However, Google SPAM and customized filtering are active for this blog. Be civil and polite when responding or placing your own.