BreachExchange mailing list archives

Michaels Breach: The Saga Continues


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 3 Aug 2015 17:59:51 -0600

http://www.databreachtoday.com/blogs/michaels-breach-saga-continues-p-1910

News that charges were filed last week against two California residents for
their alleged roles in the 2011 Michaels crafts stores breach is a reminder
of how much hackers have improved their techniques in just four years.

The news is also a reminder that we have to stay vigilant and continue
focusing resources on cyberthreat intelligence sharing. Imagine how much
further along we would be in our fraud detection and prevention measures
today had we been doing more information sharing four years ago.

Today, payments breaches have become so commonplace, we forget that there
used to be a time when point-of-sale attacks and card compromises surprised
us.

Let's take a look back, as we review the charges filed July 30 against
Angel Angulo and Crystal Banuelos, two of four individuals who've now been
charged for alleged involvement with the Michaels breach.

Michaels' Breach

New Jersey U.S. Attorney Paul Fishman last week announced Angulo and
Banuelos had been indicted on charges of conspiracy to commit bank fraud
and aggravated identity theft for their alleged connection to the Michaels
POS terminal tampering scheme that involved the compromise of some 94,000
credit and debit cards between February and April 2011.

Angulo was arrested; Banuelos remains at large. If found guilty, both face
a maximum prison sentence of 30 years and a $1 million fine.

In July 2012, Eduard Arakelyan and Arman Vardanyan, two others charged for
connection to the Michaels breach, pleaded guilty and were sentenced to 36
months in prison (see Michaels Breach: Fraudsters Sentenced).

Low-Tech Attack

Looking back, it's amazing that this type of bold, risky scheme was
attempted; the hands-on POS attack involved physically replacing devices at
cashiers' checkout lanes at 80 Michaels locations in 19 states.

And Michaels wasn't alone. We saw the same type of attack hit Barnes &
Noble Booksellers in September 2012. And it appeared that the payments
compromise that in May 2012 put the spotlight on restaurant chain Penn
Station was likely a POS swap attack, too. Penn Station never revealed
exactly how its POS devices were compromised.

These breaches linked to POS device tampering were big news, and we all
anxiously watched the tallies for compromised stores and cards creep higher
and higher with each passing day as more compromised POS terminals were
discovered by these retailers and more fraud was reported by card issuers.

My, how things change. Back then, I was writing about how card issuers were
the first to detect POS breaches, because they traced the fraud back to a
common point of purchase for cardholders.

Today, hackers wouldn't want to risk exposure by physically swapping out
POS devices. Instead, they're using RAM-scraping malware, which is
typically installed via a compromised remote-access portal or network
intrusion waged directly or through a third party.

What types of attacks will I be writing about four years from now?

The advent of the EMV chip - which will eventually replace the magnetic
stripe and, thus, make physical POS card payments much more secure - will
definitely make POS attacks less attractive to fraudsters. But we all have
to be bracing for something new around the corner.

As cybersecurity attorney Chris Pierson, chief security officer at payments
network provider Viewpost, rightly points out, it's fraud from the corners
we aren't watching that will catch us off-guard.

"Hackers and identity thieves will always try to attack the payment chain
at the weakest point," he says. "Targeting the entry to the payment network
at the POS is and will remain one of those exploited attack vectors. ...
The sheer number of entry points has and will always make this an
attractive target. Whether it is an actual card swipe or NFC [near-field
communication] card reader, or biometric or tokenized system, the entry
points will always be targeted because they are open to the public,
accessible, largely unmonitored and cannot be effectively watched 24x7."

NFC payments, for instance, will pose new challenges. "With NFC and
proximity readers, we will see this morph into hackers capturing PAN
[payment account number] data over the air, depending on the mechanism
employed," Pierson predicts.

So, as we think back to how relatively low-tech the Michaels POS swap
breach seems now, think about how low-tech the so-called "sophisticated"
payments breaches we're writing about today will seem four years from now.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/