Crafty 20 State PIN Pad Attack

Michaels Stores, with over 1,000 locations, calls itself North America’s “largest speciality retailer”. Their website, which shows the slogan “Where Creativity Happens”, has just posted three Consumer Notices on PIN Pad tampering at their stores. Their CEO John Menzer joined in 2009 (after twelve years at WalMart) and today issued a statement:

We are confident Michaels stores are a safe place to shop.

The Chicago Tribune offers this perspective on the PIN Entry Device (PED) breach.

The crafts-store chain identified 90 keypads in 80 stores that were compromised in Colorado, Delaware, Georgia, Iowa, Massachusetts, Maryland, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington.

Michaels has removed the suspicious swipe pads and over the next two weeks plans to replace about 7,200 similar PIN keypads from its stores. Until those pads are replaced with upgraded models, the company said customers must use cash, credit cards or signature-based debit cards.

Moving to signature-based cards is a reasonable response. A survey by First Data Corporation in 2008 found that only 22% of consumers prefer PIN debit while 17% prefer signature, so removing PIN is probably not disruptive to the consumer. It is also not any more secure, though: a signature can obviously be forged more easily than a PIN can be stolen.

Although I see some speculation about how hard it would have been for attackers to coordinate an attack on 90 keypads in 80 stores (about 1% of the keypads), I can’t help but compare it to the store’s plan to deploy over 7,000 keypads in just two weeks. That may be a great effort and expense, or it may raise the question of supply chain security as well as ease of replacement: where does authorisation fit in? How hard is it really to swap the keypads?

The big clue to the story is in the Tribune phrase “replaced with upgraded models”.

There is a chance that Michaels was using old PEDs that the Payment Card Industry (PCI) wanted replaced anyway. Visa explains the risk in their Compromised PIN Entry Device Listing:

Although some of the recently identified devices are newer devices, many are over 10 years old and were never evaluated by an independent lab or approved by Visa or the Payment Card Industry (PCI).

[…]

Evidence indicates that these devices were physically removed from their locations and replaced with modified devices designed to skim account and PIN data. Surveillance footage shows that the suspects in most cases were able to remove and install a POS PED in less than one minute.

Thus, it’s not hard to imagine an attack on 90 devices even at 80 stores.

To prevent this attack, PEDs are meant to be authenticated and verified regularly at three levels of security: technical, physical, and administrative. With that in mind, there are basically three PED security types in the industry:

  1. Non-Approved Devices (Pre 2004)
  2. VISA PED Approved Devices (2003 – 2006)
  3. PCI PED Approved Devices (2006 onwards)

If all the keypads at Michaels were of the 3rd category, a technical review and the upgrade will be most interesting. Anything from the 1st category will be a “we-warned-you” moment for Visa and the PCI.

July 1, 2010 was supposed to be the last date that pre-Visa PED Approved devices were allowed. Visa originally threatened fines for violations but they caved to industry pressure and moved the enforcement deadline out two years.

Visa agreed to back off its earlier PIN pad compliance deadline originally set for July 1, 2010, to the new date of Aug. 1, 2012. […] The changes were mostly fueled by strong retail lobbying efforts, even beyond convenience retailers — including at least one major department store. Retailers threatened to abruptly cut off PIN debit at the deadline, possibly switching to signature debit to temporarily sidestep the issue, according to the report.

Was Michaels running old PEDs? And if so did they miss the July 1, 2010 deadline due to cost concerns?

Physical review is also an essential factor in this case. Investigators will pore over audit trails related to PED service technicians, shift schedules, service logs, terminal inventory, surveillance video, etc. to see if there were physical warning signs of tampering.

Above all, Michaels customer transactions were exposed from February 8 to May 6, 2011. About 100 customers have now reported fraud on their accounts. The PCI PED requirements include a weekly review for tampering, so (even if they had PCI-compliant technical and physical security) a three month exposure will definitely generate some tough administrative questions for Michaels.
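The administrative control the post refers to, a weekly tamper review reconciled against terminal inventory, is easy to sketch as a defender's check. The following is an added example, not code from the post or from any retailer or PCI program; the inventory, the inspection records, the store and lane numbers and the serial numbers are all constructed for illustration. It flags a lane whose observed serial no longer matches the inventory (a swapped device), a broken tamper seal, a lane that has not been inspected within the weekly window, and a device that falls into the non-approved category.

```python
from datetime import date, timedelta

# Constructed sample inventory (not from the post): what the retailer expects to
# be installed at each lane, and which approval tier that model falls into.
INVENTORY = [
    {"store": "0101", "lane": 1, "serial": "PED-A1", "approval": "PCI PED"},
    {"store": "0101", "lane": 2, "serial": "PED-A2", "approval": "Visa PED"},
    {"store": "0202", "lane": 1, "serial": "PED-B1", "approval": "none"},
    {"store": "0202", "lane": 2, "serial": "PED-B2", "approval": "PCI PED"},
]

# Constructed weekly inspection records: (date, store, lane, serial read off the
# device label, tamper seals intact?).
INSPECTIONS = [
    (date(2011, 2, 7), "0101", 1, "PED-A1", True),
    (date(2011, 2, 14), "0101", 1, "PED-A1", True),
    (date(2011, 2, 7), "0101", 2, "PED-A2", True),
    (date(2011, 2, 14), "0101", 2, "PED-X9", True),  # different serial: device swapped
    (date(2011, 2, 7), "0202", 1, "PED-B1", False),  # tamper seal broken
    # store 0202 lane 2 was never inspected in this window
]


def review_ped_fleet(inventory, inspections, as_of, max_gap_days=7):
    """Reconcile inspection records against inventory.

    Returns a list of ((store, lane), issue) findings. max_gap_days=7 models
    the weekly review cadence; a larger gap means a longer window in which a
    swapped device can skim unnoticed.
    """
    by_lane = {}
    for rec in inspections:
        by_lane.setdefault((rec[1], rec[2]), []).append(rec)

    findings = []
    for item in inventory:
        key = (item["store"], item["lane"])
        # Policy finding: the device model was never lab-evaluated or approved.
        if item["approval"] == "none":
            findings.append((key, "non-approved device"))
        history = sorted(by_lane.get(key, []))
        if not history:
            findings.append((key, "never inspected"))
            continue
        # Cadence finding: last inspection is older than the review window.
        if as_of - history[-1][0] > timedelta(days=max_gap_days):
            findings.append((key, "inspection overdue"))
        # Physical findings: serial drift or a broken seal on any inspection.
        for rec in history:
            if rec[3] != item["serial"]:
                findings.append((key, f"serial mismatch on {rec[0].isoformat()}"))
            if not rec[4]:
                findings.append((key, f"seal broken on {rec[0].isoformat()}"))
    return findings


def run_example():
    """Run the review against the constructed data as of 15 Feb 2011."""
    return review_ped_fleet(INVENTORY, INSPECTIONS, date(2011, 2, 15))


if __name__ == "__main__":
    for (store, lane), issue in run_example():
        print(f"store {store} lane {lane}: {issue}")
```

The serial comparison is the part that catches the attack described in the Visa listing: a device removed and replaced in under a minute looks identical from the customer side, but its label and logged serial will not match the inventory record. Shrinking `max_gap_days` is the administrative lever that bounds how long such a swap can go unnoticed.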
