* Thieves focus card abuse on individual banks-expert
* Texas retailer replacing thousands of PIN pads
* Fraud could extend beyond disclosed devices-expert
By Ross Kerber and Maria Aspan
BOSTON/NEW YORK, June 1 - Thieves who stole
payment card data from Michaels Stores Inc [MCHST.UL] appear to
have used a new method to maximize their take, a prominent data
security expert said.
Thieves apparently organized the scams they ran with stolen
payment card numbers based on the banks that issued the cards,
said Gartner Inc analyst Avivah Litan. By sorting the cards by
their "BIN number," the digits that indicate the issuing financial
institution, they were able to concentrate fraudulent purchases
on cards that were issued by individual banks, before moving
on, she said.
"They would knock the hell out of a bank. They've never
done this before," said Litan, who frequently consults with
companies on security matters and said she has spoken with
banking executives about the Michaels case.
"It's not good news for the banks because they don't have
good armor against it," Litan said.
Usually thieves do not distinguish among the banks that
issued the cards, so the fraud is unlikely to be
as concentrated at certain financial institutions.
Litan added that the tactic might have given thieves more
time to abuse the data, because not all banks would have wanted
to call attention to the abuse.
Closely held Michaels, of Irving, Texas, a retailer selling
crafts merchandise, first disclosed the breach on May 4 and
urged customers to keep a close eye on their accounts to spot
Later it said it appeared the breach lasted from Feb. 8
through May 6 and that unidentified parties were able to tamper
with some of the PIN pads that customers use to type in secret
codes when using payment cards at the cash register.
Michaels has said that fewer than 90 PIN pads, or about 1
percent of its total devices, were affected -- but it also said
it has removed another 7,200 PIN pads from its stores and will
Doug Marker, the retailer's vice president of loss
prevention, on Wednesday would not discuss the reasons for
replacing so much equipment or say how old the devices are.
Data breaches remain a vexing problem for retailers and the
banking system despite ongoing efforts by payment processing
networks Visa Inc (V.N) and MasterCard Inc (MA.N) to guard
The card processors have attempted to crack down on data
breaches by requiring their partner retailers to upgrade their
equipment more regularly. But both camps -- and the banks that
issue payment cards -- are reluctant to take on the extra costs
of upgrades and additional security.
"Companies often have to go to very extraordinary lengths
to justify replacing their equipment in the field," said Davi
Ottenheimer, a payments security expert who works with the
technology consultancy K3DES LLC.
"If you have a device that's five years old, it probably
doesn't have the protections that it would need" to ward off
fraud, he said.
Ottenheimer estimated that Michaels was likely facing tens
of thousands or even hundreds of thousands of dollars in costs
related to replacing the 7,200 PIN pads, including training
employees to regularly check that the equipment has not been
CARDS FROM HINGHAM, MASS
Tom Chew, vice president of Hingham Institution for Savings
(HIFS.O) and a security official with trade group the
Massachusetts Bankers Association, said the bank has identified
over 300 compromised payment cards so far.
That's a smaller number than his bank faced in major
breaches in the past such as those involving card numbers taken
from TJX Companies (TJX.N) several years ago.
But in some ways the Michaels breach appears more serious,
Chew said, as thieves found new ways to use the stolen data.
His bank first began noticing unauthorized purchases cropping
up in California and Las Vegas, far from the small bank's home
base in southeastern Massachusetts. Eventually thieves were
also using stolen cards to make purchases of up to $600 from
supermarkets, plus getting 'cash back' at the register.
"They were really ramping things up," he said.
Chew said the charges will not affect the bank's earnings.
(Reporting by Ross Kerber in Boston and Maria Aspan in New
York; Editing by Lisa Shumaker)