PIN Pads Hacked at Michaels Stores Nationwide
This story was updated at 1:00 p.m. EDT Wednesday.
The arts-and-crafts chain Michaels Stores, which last week notified customers in the Chicago area that some of their in-store PIN pads had been tampered with, may be facing a nationwide problem.
Independent security blogger Brian Krebs says anonymous law-enforcement contacts have told him that "at least 70 compromised POS terminals have been discovered so far in Michaels stores from Washington D.C. to the West Coast."
Point-of-sale terminals, also called PIN pads, are those paperback-sized gizmos attached to cash registers that you swipe your credit or debit card through, and then type your personal identification number (PIN) into.
"The scope of this thing has been pretty wide, coast-to-coast," Detective Jeff Stolzenburg of the Libertyville, Ill., police department told Krebs. "We're dealing with thousands and thousands of victims."
Investigators told Krebs that the stolen information was used to create counterfeit cards, which were then used to make ATM withdrawals in Nevada and California.
Stolzenburg estimated the losses were already in the millions of dollars. He told Krebs the U.S. Secret Service had taken over the investigation.
"Your heart stops the minute your card is declined at the ATM machine," Mary Allen of Libertyville told the Chicago Tribune in a story published last Thursday. "You think someone has stolen your ID and that's your worst nightmare."
Allen shopped at the Michaels in neighboring Vernon Hills in early April. She found out only last week, when her debit card was declined at an ATM, that two $503 withdrawals had been made on her account. Her bank is refunding her the money.
"Consumers who have purchased items from a Michaels store with a debit or credit card are encouraged to monitor their statements, report any suspicious account activity, and change any PIN numbers and other account security settings," the chain advised Chicago-area customers in last week's advisory. "Consumers who believe their accounts were used without authorization should contact the card issuer directly."
It's not clear how the Michaels PIN pads were tampered with, but crooks usually either modify existing PIN pads in stores, adding card "skimmers" or other extra hardware, or swap out old units with new ones.
The tampering is often done quickly to avoid attention. In some instances, store employees are paid to look the other way.
Michaels Stores, Inc., based in Irving, Texas, operates 1,045 retail outlets in the U.S. and Canada.
UPDATE: Michaels has issued a new press release confirming that tampered PIN pads had been found in stores nationwide.
"Michaels has identified less than 90 individual PIN pads (or approximately 1% of the total devices) in its 964 US stores that showed signs of tampering. Suspicious PIN pads were disabled and quarantined immediately," the statement said. "Out of an abundance of caution, Michaels has removed approximately 7,200 PIN pads comparable to the identified tampered PIN pads from its US stores."
The press release listed dozens of stores in which tampered PIN pads had been found. As expected, the largest single-state grouping was in Illinois, but there were clusters in Colorado, Maryland, North Carolina, New Jersey, New York's Long Island, Oregon and Washington state. Twelve other states also had at least one affected store.
Customers were urged to visit the Michaels website or to call 1-800-MICHAELS (642-4235) for further information.