But we now know more about the breach, which involved physically replacing PIN pads in 84 stores across the country to capture at least 94,000 card numbers. And with those new details, chains have more reason than ever to be worried.
On July 25, a federal judge in California sentenced Eduard Arakelyan and Arman Vardanyan to five years in prison for bank fraud and identity theft after they were caught in March using counterfeit payment cards to get money from ATMs, using account numbers and PINs acquired during the Michaels breach.
But according to court documents, the two men had nothing to do with the breach itself. They were recruited by an ethnic Los Angeles gang called Armenian Power just to collect cash from ATMs in the Las Vegas and San Francisco areas. They also weren't the first to start using the stolen numbers—they started in May 2011, after Chicago-area banks first reported what was then thought to be a breach only at local Michaels stores.
And they were well equipped for the job. When they were caught, "defendants Arakelyan and Vardanyan possessed 952 blank gold and silver counterfeit access devices [cards] reencoded with at least 943 real persons' financial institution account numbers. On each counterfeit card was a four-digit PIN handwritten in pen, corresponding to each person's true PIN. Both the PINs and the account numbers had been previously stolen along with the account numbers," according to the San Francisco U.S. Attorney's office. They also had eight cell phones, a laptop, a GPS device loaded with ATM locations, two handguns and $56,599 in cash.
Understand, that was just for the cash collection part of the operation, which was apparently outsourced to the street gang. There's no indication of how many other cash-collecting teams were involved or whether more than one gang participated.
That's on top of the unusual sophistication of the breach. Court documents also confirm what Michaels wouldn't say last year: At the 84 Michaels stores hit in the breach, thieves replaced at least one PIN pad per store with an apparently identical PIN pad that had been rigged to capture card numbers and PINs. The thieves could then collect that info using a Bluetooth device in the rigged PIN pad, so they could continue to collect numbers until the breach was discovered.
Even when banks (and it was the banks, not Visa's or MasterCard's antifraud systems) identified the breach after customer complaints, they assumed it was just a problem at Chicago-area Michaels stores. The thieves had sorted the cards by bank and initially only used Chicago-area account numbers and PINs. It wasn't until the chain investigated thoroughly that it became clear the stores hit were spread across the U.S., from Georgia to Oregon.
In other words, this isn't the type of breach chains would have expected even three years ago.In other words, this isn't the type of breach chains would have expected even three years ago. That 19-state, 3,000-mile swath of breaches might have been a few fraudsters on one very long road trip. But in light of the fact that the thieves outsourced the cashing-in to at least one street gang, it's more likely this is a well-organized effort at every level.
At this point, it's still not clear whether the 80-plus PIN pads were actually stolen from Michaels stores progressively, as the thieves worked their way across the country, or were purchased separately by the thieves. If it's the second case, that's a large investment—and a bigger, more coordinated operation.
The possibility that this breach involved so much organization would be worrisome enough. But in retrospect, it almost looks like the 2010 Aldi breach—a year before Michaels—was a dress rehearsal. Like the Michaels breach, it involved a single chain, with rigged PIN pads installed in stores across the geographical extent of the chain (in Aldi's case, from Georgia to Illinois).
Also like Michaels, the PIN pads seem to have collected a relatively small number of account numbers per store—a few hundred with Aldi, just over a thousand with Michaels. And in both cases, the center of the cash collection from ATMs was Los Angeles.
That doesn't mean both breaches are from the same thieves, or that they're connected in any way. But which is worse: the idea that a single gang has done this in two successive years (and has probably done it again, but the breach hasn't yet been spotted), or that completely unrelated gangs have figured out how to do it and only two bottom-rung cash-collectors have been caught—and then only because bank employees reported them to police for loitering near an ATM?
The baseline advice for avoiding PIN pad tampering remains the same: Screw down the PIN pads so they can't easily be physically swapped out. Log their connection status and set up alarms to flag any disconnects. And audit the devices regularly—which includes encouraging store managers to examine them carefully on a regular basis. If anything looks funny, taking a picture with a mobile phone and sending it to IT is an easy way to at least give IT a better idea of whether anything is likely wrong.
That may not sound like much as a last line of defense. But if PIN pad thieves really have grown this sophisticated—and distributed—it could be the only hope chains have.