Michaels Breach: How the Fraudsters Pulled it Off

[InfoSec News <alerts () infosecnews org>]

http://www.bankinfosecurity.com/michaels-breach-how-fraudsters-pulled-off-a-8696

By Tracy Kitten
@FraudBlogger
Bank Info Security
November 20, 2015

More than four years after the point-of-sale attack that struck 80 
Michaels craft stores throughout the U.S., compromising nearly 100,000 
payment cards, details about how the attackers pulled off their scheme 
have finally emerged.

On Nov. 17, Crystal Banuelos of California, a lead defendant named in the 
2011 Michaels debit breach, pleaded guilty to conspiracy to commit bank 
fraud and aggravated identity theft (see Michael's Breach: What We've 
Learned).

Banuelos' sentencing date has not yet been set. She faces a maximum 
sentence of 32 years in prison and a $1 million fine.

In her plea filed with a New Jersey District Court, Banuelos notes that 
she conspired to steal credit and debit card data, as well as PINs, from 
Michaels' customers, and knowingly used counterfeit cards created from 
that stolen data to conduct fraudulent cash withdrawals at ATMs.

In all, authorities believe Banuelos and Angel Angulo, a co-defendant 
named in the indictment whose case is still pending, stole $420,000 from 
banks through fraudulent ATM withdrawals. Banks defrauded in the scheme, 
according to the indictment, include U.S. Bank, BMO Harris, Bank of 
America, JPMorgan Case, TD Bank, Beneficial Bancorp and Wells Fargo.

To perpetrate their crime, prosecutors allege Banuelos, Angulo and other 
unnamed conspirators swapped out 88 legitimate POS devices at 80 different 
Michaels locations across 19 states with manipulated terminals that were 
used to capture and store card data and PINs.

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/