[Nfb-krafters-korner] Michael's stores

[Becky Frankeberger]

Michaels crafts stores customers warned about credit card breaches
Friday, May 13, 2011
Last updated: Friday May 13, 2011, 9:28 AM
BY JOAN VERDON
The Record
STAFF WRITER
Customers who used debit and credit cards to make purchases at Michaels
craft stores
in
Paramus
,
Clifton
 and four other New Jersey locations are being warned to watch their bank
and card
statements for fraudulent withdrawals, after news of a data breach at the
retail
chain.
The New Jersey State Police said Thursday that it has not received any
complaints
from state residents about fraudulent activity, but a New Jersey resident
reported
on the Michael's Facebook page that her debit card had been used to make a
purchase
in California. Other New Jersey residents commenting on the Michael's page
said they
had been notified that they will need to change their cards or their PINs
(personal
identification numbers).
The Irving, Texas-based crafts chain said last week that PIN-pad tampering
had occurred
at its stores in the Chicago area, and credit and debit-card data had been
compromised.
On Tuesday, Michaels said PIN pads in 20 states had been tampered with. The
New Jersey
stores where manipulated PIN pads were found are in
Clifton
,
Paramus
, East Hanover, Flemington, Princeton and Watchung. Managers at the Clifton
and Paramus
stores Thursday referred all questions to Michaels' corporate offices.
The company did not release details of how the PIN-pad system was breached.
Steve
Elefant, chief information officer of Heartland Payment Systems in
Princeton, the
nation's fifth-largest processor of credit and debit cards, said one way
criminals
collect card data is through "skimming," or putting a reader in the card
slot of
a PIN pad. "They can skim the card number before the reader gets to read
it," Elefant
said.
Heartland itself was a victim of one of the first large-scale data breaches
in 2008,
when hackers broke into the company's computer network and accessed card
information.
Elefant is a member of the U.S. Secret Service Electronic Crimes Task Force
and the
FBI's InfraGard Electronic Crimes Task Force. He said the Michaels breach
highlights
the need for retailers to ensure that PIN pads are protected both from
physical tampering
and from hacking.
Asked how breaches could have occurred throughout so many states, Elefant
said, "Unfortunately
there are organized criminal gangs, both in the U.S. and overseas, that are
very
sophisticated. They're the 21st-century bank robbers who are not the
14-year-old
hacker kids."
Heartland recently launched what it calls E3 or "end-to-end encryption" to
prevent
data breaches. The system encrypts, or codes, card information as soon as a
consumer
swipes a card, and it stays encrypted through the transaction lifecycle, as
the information
is transmitted via computer. Elefant said more than 13,000 merchants use
that system.
Michaels said in a statement that it has begun replacing 7,200 PIN pads in
stores
and expects that work to be completed within the next 15 weeks.
E-mail: verdon at northjersey.com
Customers who used debit and credit cards to make purchases at Michaels
craft stores
in Paramus, Clifton and four other New Jersey locations are being warned to
watch
their bank and card statements for fraudulent withdrawals, after news of a
data breach
at the retail chain.
The New Jersey State Police said Thursday that it has not received any
complaints
from state residents about fraudulent activity, but a New Jersey resident
reported
on the Michael's Facebook page that her debit card had been used to make a
purchase
in California. Other New Jersey residents commenting on the Michael's page
said they
had been notified that they will need to change their cards or their PINs
(personal
identification numbers).
The Irving, Texas-based crafts chain said last week that PIN-pad tampering
had occurred
at its stores in the Chicago area, and credit and debit-card data had been
compromised.
On Tuesday, Michaels said PIN pads in 20 states had been tampered with. The
New Jersey
stores where manipulated PIN pads were found are in Clifton, Paramus, East
Hanover,
Flemington, Princeton and Watchung. Managers at the Clifton and Paramus
stores Thursday
referred all questions to Michaels' corporate offices.
The company did not release details of how the PIN-pad system was breached.
Steve
Elefant, chief information officer of Heartland Payment Systems in
Princeton, the
nation's fifth-largest processor of credit and debit cards, said one way
criminals
collect card data is through "skimming," or putting a reader in the card
slot of
a PIN pad. "They can skim the card number before the reader gets to read
it," Elefant
said.
Heartland itself was a victim of one of the first large-scale data breaches
in 2008,
when hackers broke into the company's computer network and accessed card
information.
Elefant is a member of the U.S. Secret Service Electronic Crimes Task Force
and the
FBI's InfraGard Electronic Crimes Task Force. He said the Michaels breach
highlights
the need for retailers to ensure that PIN pads are protected both from
physical tampering
and from hacking.
Asked how breaches could have occurred throughout so many states, Elefant
said, "Unfortunately
there are organized criminal gangs, both in the U.S. and overseas, that are
very
sophisticated. They're the 21st-century bank robbers who are not the
14-year-old
hacker kids."
Heartland recently launched what it calls E3 or "end-to-end encryption" to
prevent
data breaches. The system encrypts, or codes, card information as soon as a
consumer
swipes a card, and it stays encrypted through the transaction lifecycle, as
the information
is transmitted via computer. Elefant said more than 13,000 merchants use
that system.
Michaels said in a statement that it has begun replacing 7,200 PIN pads in
stores
and expects that work to be completed within the next 15 weeks.
E-mail: verdon at northjersey.com