But in a perverse twist, that was also what finally blew the cover off the theft. A local Chicago-area bank spotted the connection between ATM fraud that victimized its depositors and the fact that they were Michaels customers. If that's the new pattern thieves are likely to use, it may be time for card companies to take a lot more interest in smaller banks—especially if those banks are stuck doing Visa and MasterCard's job.
Litan noted that the Michaels attackers appeared to have figured out the card companies' techniques and adjusted their tactics accordingly. "How did they do this? By attacking one bank at a time, instead of using the stolen card information simultaneously across multiple card issuing banks as they typically have done in past card-skimming heists. The fraudsters sorted the stolen card data by BIN number (the first four digits of the 16-digit cardnumber), which told them which bank issued the card. They then figured out which banks to attack, one by one," Litan wrote.
That also kept the number of affected banks small at any one time, thus avoiding another fraud-detection trigger. "By using this tactic, it took longer for the payment-card networks (i.e., Visa, MasterCard) to figure out the point-of-compromise, i.e., Michaels, as the fraudsters bypassed the normal network-level monitoring these firms perform by looking across banks and their fraudulent transactions," Litan added.
But the one-bank-at-a-time approach ultimately was the thieves' undoing. It was a local bank (not Visa or MasterCard) that noticed many of its customers who had been hit by fraudulent ATM withdrawals in California and Nevada had also shopped at Michaels with their debit cards, according to local news reports.
That's why, initially, Michaels thought the PIN pad tampering was limited to the Chicago area—but it's also why the chain started checking PIN pads in other stores, and eventually replaced POS hardware across the U.S. Visa and MasterCard, which would normally be the first to spot the fraud pattern, were on the sidelines this time.
For retailers, that's something to worry about. The big card companies have the most experience—and the biggest budgets—for spotting patterns of card fraud. Smaller local banks would seem to be the least well-equipped to handle that job. But the new approach on the part of thieves drops that task squarely in their laps.
This could require a big shift in fraud-spotting resources for the card companies.This could require a big shift in fraud-spotting resources for the card companies. No doubt they'll make some adjustments to the patterns they watch for, but the organizations best suited to watch for this type of bank-specific fraud are the banks themselves. And small banks seem to be the ones most likely to be targeted by thieves with this new tactic.
Or is it all that new? In April, a small Illinois bank warned its customers that their payment-card data may have been compromised by the Heartland Payment Systems breach in 2008. That could be just chance: fraudsters using a card number or two from the same small bank at the same time.
Then again, it could be that thieves figured out this sort-by-bank technique years ago, and card companies and banks are only now discovering they have to deal with it.
Of course, that clever one-bank-at-a-time tactic wouldn't have worked at all if thieves hadn't been able to tamper with the Michaels PIN pads undetected. That may be the most critical weak point—and it's not getting any stronger.
For example, the U.S. Attorney's office in New York City this week announced that four men had been indicted for installing skimmers on PIN pads at branches of Chase and Citibank in New York, Miami and Chicago. But they didn't just allegedly sneak skimmers onto bank ATM machines. No, they're also accused of disconnecting PIN pads at teller windows and replacing them with doctored PIN pads that would capture magstripe information and PINs and then transmit that data wirelessly to the thieves, who eventually used the numbers to steal at least $1.5 million from customer accounts.
Now that's brazen. It also shouldn't have been possible. As StorefrontBacktalk PCI Columnist Walter Conway pointed out last year after the Aldi grocery chain had its own multi-state rash of PIN-pad-based data thefts, the pads should be triggering a network activity alert the moment they're disconnected.
But they didn't. The teller-window PIN pads could apparently be easily and quickly removed without triggering any alarms. And apparently the banks didn't audit the equipment regularly, either. According to the indictment, these thieves swapped out PIN pads right in front of tellers, and neither the humans nor the electronic systems caught them at it.
To retailers, it may seem like cold comfort that even big banks haven't secured their PIN pads. As thieves keep getting cleverer, that's going to be no comfort at all. Locking down PIN pads and monitoring them and auditing them is no longer an option—it's a necessity. If you count on either Visa or banks to spot fraud, it's already too late.