Michaels Breach: What We've LearnedCharges in POS Swap Scheme Show How Times Have Changed
News that charges were filed last week against two California residents for their alleged roles in the 2011 Michaels crafts stores breach is a reminder of how much hackers have improved their techniques in just four years.
The news is also a reminder that we have to stay vigilant and continue focusing resources on cyberthreat intelligence sharing. Imagine how much further along we would be in our fraud detection and prevention measures today had we been doing more information sharing four years ago?
"Hackers and identity thieves will always try to attack the payment chain at the weakest point."
Today, payments breaches have become so commonplace, we forget that there used to be a time when point-of-sale attacks and card compromises surprised us.
Let's take a look back, as we review the charges filed July 30 against Angel Angulo and Crystal Banuelos, two of four individuals who've now been charged for alleged involvement with the Michaels breach.
New Jersey U.S. Attorney Paul Fishman last week announced Angulo and Banuelos had been indicted on charges of conspiracy to commit bank fraud and aggravated identity theft for their alleged connection to the Michaels POS terminal tampering scheme that involved the compromise of some 94,000 credit and debit cards between February and April 2011.
Angulo was arrested; Banuelos remains at large. If found guilty, both face a maximum prison sentence of 30 years and a $1 million fine.
In July 2012, Eduard Arakelyan and Arman Vardanyan, two others charged for connection to the Michaels breach, pleaded guilty and were sentenced to 36 months in prison (see Michaels Breach: Fraudsters Sentenced).
Looking back, it's amazing that this type of bold, risky scheme was attempted; the hands-on POS attack involved physically replacing devices at cashiers' checkout lanes at 80 Michaels locations in 19 states.
And Michaels wasn't alone. We saw the same type of attack hit Barnes & Noble Booksellers in September 2012. And it appeared that the payments compromise that in May 2012 put the spotlight on restaurant chain Penn Station was likely a POS swap attack, too. Penn Station never revealed exactly how its POS devices were compromised.
These breaches linked to POS device tampering were big news, and we all anxiously watched the tallies for compromised stores and cards creep higher and higher with each passing day as more compromised POS terminals were discovered by these retailers and more fraud was reported by card issuers.
My, how things change. Back then, I was writing about how card issuers were the first to detect POS breaches, because they traced the fraud back to a common point of purchase for cardholders.
Today, hackers wouldn't want to risk exposure by physically swapping out POS devices. Instead, they're using RAM-scraping malware, which is typically installed via a compromised remote-access portal or network intrusion waged directly or through a third party.
What types of attacks will I be writing about four years from now?
The advent of the EMV chip - which will eventually replace the magnetic stripe and, thus, make physical POS card payments much more secure - will definitely make POS attacks less attractive to fraudsters. But we all have to be bracing for something new around the corner.
As cybersecurity attorney Chris Pierson, chief security officer at payments network provider Viewpost, rightly points out, it's fraud from the corners we aren't watching that will catch us off-guard.
"Hackers and identity thieves will always try to attack the payment chain at the weakest point," he says. "Targeting the entry to the payment network at the POS is and will remain one of those exploited attack vectors. ... The sheer number of entry points has and will always make this an attractive target. Whether it is an actual card swipe or NFC [near-field communication] card reader, or biometric or tokenized system, the entry points will always be targeted because they are open to the public, accessible, largely unmonitored and cannot be effectively watched 24x7."
NFC payments, for instance, will pose new challenges. "With NFC and proximity readers, we will see this morph into hackers capturing PAN [payment account number] data over the air, depending on the mechanism employed," Pierson predicts.
So, as we think back to how relatively low-tech the Michaels POS swap breach seems now, think about how low-tech the so-called "sophisticated" payments breaches we're writing about today will seem four years from now.