BreachExchange mailing list archives

Michaels Breach: Patterns Showed Fraud


From: security curmudgeon <jericho () attrition org>
Date: Mon, 16 May 2011 00:33:01 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.bankinfosecurity.com/articles.php?art_id=3639

By Tracy Kitten
Managing Editor
Bank Info Security
May 13, 2011

Card issuers were quick to link incidents of debit and credit fraud to the 
Michaels retail chain, experts say - a sign that strong transaction 
monitoring and behavioral analytics are the best ways to curb growing 
card-fraud schemes.

The Michaels card breach is now believed to have affected stores in 20 
states. The mode of card fraud: Point-of-sale PIN pad tampering, also 
known as PIN pad swapping. [See 3 Tips to Foil POS Attacks.]

Brian Riley, senior research director of bank cards at TowerGroup, says as 
details about the breach are gradually revealed, it's clear that financial 
institutions, as card issuers, picked up on the common fraud link - 
Michaels. "The behavioral scoring in this was really high," he says. "The 
pattern of transactions showed that all of these affected accounts had 
Michaels purchases in their history. Behavioral scoring is really where 
it's at in card transactions."

Even advanced card technology, such as the Europay, MasterCard, Visa chip 
and PIN standard, which takes the skimmable magnetic stripe out of the 
equation, would not have helped in the Michaels case, Riley notes. "With 
a tampered POS device, you can get around EMV," he says. "A good, robust 
scoring system is the only way to really pick up on this. That's why 
behavioral scoring is so important. That's, quite often, how these things 
are discovered."

[...]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
