Compromised ATM Keypads at Michaels Stores Nationwide
Earlier this month the nationwide arts and crafts chain Michaels announced that from February 8, 2011 to May 6, 2011 the checkout counter ATM PIN pads at some of their stores in the Chicago area may have been compromised. Subsequent reports from Michaels stated that the company had identified 90 ATM PIN pads that had been physically replaced by an unknown party to collect customer financial information. Michaels later released further information that customers had contacted them reporting fraudulent account withdrawals of up to $500.00.
This replacement of or tampering with ATM PIN pads is a type of credit card fraud known as “skimming”. Traditional skimming involved a thief photocopying credit card receipts or using a small portable device to swipe and store victims’ credit card information. Advancements in skimming technology have led to criminals placing skimming hardware over the top of the card swipe hardware at ATMs, or placing keypad overlays on ATMs to collect PINs. The best way for merchants to prevent this type of credit card fraud is to maintain good physical security procedures on their credit card terminals. In the case of Michaels, it still has not been publicly released how the fraudsters managed to replace so many Point-of-Sale (POS) PIN pads without the company detecting the switch.
Fortunately for consumers, US Federal law guarantees that the cardholder does not have any liability to the credit card issuer if the credit card number, not the physical credit card, is stolen. Unfortunately, much of the responsibility for monitoring their bank accounts and alerting the various credit reporting, credit card and law enforcement agencies falls directly in the consumer’s lap. The Federal Trade Commission is trying to raise consumers’ awareness of their responsibility for securing Personally Identifying Information (PII) through its Deter-Detect-Defend program at http://www.ftc.gov/idtheft/.
While all of the FTC’s deterrence measures are excellent ideas, none of them would have protected a Michaels customer from a compromised ATM PIN pad. Although Michaels was using Payment Application Data Security Standard (PA DSS)-certified POS terminals and PIN pads, which are supposed to prevent exactly this type of attack on consumers, it did not employ full end-to-end encrypted ATM PIN pads that discontinue service if they detect an attempted modification. Michaels is currently in the process of replacing the ATM PIN pads in all its US and Canadian stores.
For a complete list of the Michaels stores involved in the keypad compromise, go to http://demandware.edgesuite.net/aaeo_prd/on/demandware.static/Sites-Michaels-Site/Sites-Michaels-Library/default/v1305885699261/documents/press-releases/051311-Michaels-Stores-Impacted-by-PIN-Pad-Tampering.pdf




