Arts and crafts store Michaels says 3 million credit cards exposed in breach

As the officials investigating the Target data breach are settling in for what they believe will be a long and complex process of catching the hackers behind the heist, another US retailer is admitting that it lost millions of customer payment card details. Arts and crafts store chain Michaels said that it has confirmed the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    As much as I hate more government control, the time has come for it in this case. From the POS terminal all the way to the back-end servers, they should never ever have access to the outside world. Even if they were able to get infected, they wouldn't be able to report back. With no outside access, the likelihood that they would even get infected is vastly reduced. 802.1AE and 802.1X should be used on the switch ports, and the L3 point in the store should be a firewall with VPN capability. This would prevent the POS from being accessible from the rest of the store network, and then it would be encrypted all of the way from the POS terminal to the back-end servers at the DC. The servers the POS terminals communicate with are also isolated from the rest of the DC and they do not have outside access. The communication from the POS terminal to the back-end servers should also have its own encryption.
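
    The design in the comment above can be checked rather than just asserted. The following is an added example, not code from the commenter or from any retailer: it takes the policy implied by that design (POS terminals may talk only to the isolated POS server segment in the DC, and only the DC segment may talk back to them) and runs a flow log through it, flagging every flow that breaks the policy. All subnets, the application port and the flow records are constructed for the example.

```python
"""Egress audit for an isolated POS segment.

Added example; it is not code from the original comment or from any retailer's
network. It applies the design the commenter sketches: POS terminals sit on
their own segment, the only thing they may talk to is the isolated POS server
segment in the DC (reached through the store firewall's VPN), and nothing on
the store LAN or the internet may talk to them. Given a flow log, report every
flow that breaks that policy. All subnets, ports and log lines are constructed.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Constructed addressing; a real store would take these from its firewall policy.
POS_SUBNET = ipaddress.ip_network("10.50.10.0/24")      # POS terminals
DC_POS_SERVERS = ipaddress.ip_network("10.200.5.0/24")  # isolated DC segment
ALLOWED_DC_PORTS = {443}                                # hypothetical POS app port
INTERNAL_RANGES = [                                     # RFC 1918; anything else is outside
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

EXTERNAL_EGRESS = "POS egress to external address (possible beaconing/exfiltration)"
BAD_DC_PORT = "POS to DC POS server on unexpected port"
LATERAL_POS = "POS-to-POS lateral traffic"
OTHER_EGRESS = "POS egress outside the DC POS segment"
INBOUND_NON_DC = "inbound to POS from a non-DC source"


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ipaddress.IPv4Address(fields["src"]),
        ipaddress.IPv4Address(fields["dst"]),
        int(fields["dport"]),
        fields["proto"],
    )


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return a violation description, or None if the flow is policy-compliant
    or simply not POS traffic."""
    src_pos = flow.src in POS_SUBNET
    dst_pos = flow.dst in POS_SUBNET
    if src_pos:
        if flow.dst in DC_POS_SERVERS:
            return None if flow.dport in ALLOWED_DC_PORTS else BAD_DC_PORT
        if not is_internal(flow.dst):
            return EXTERNAL_EGRESS          # the "report back" the design forbids
        if dst_pos:
            return LATERAL_POS
        return OTHER_EGRESS                 # store office, guest wifi, etc.
    if dst_pos:
        # Only the isolated DC segment may initiate into the POS segment.
        return None if flow.src in DC_POS_SERVERS else INBOUND_NON_DC
    return None


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    findings = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            findings.append((flow, reason))
    return findings


# Constructed flow log: one compliant flow, then the kinds of thing the
# commenter's design is meant to make impossible, then a compliant DC flow.
FLOW_LOG = [
    "src=10.50.10.21 dst=10.200.5.10 dport=443 proto=tcp",  # POS -> DC app, fine
    "src=10.50.10.21 dst=203.0.113.45 dport=80 proto=tcp",  # POS -> outside
    "src=10.50.10.22 dst=10.50.20.5 dport=445 proto=tcp",   # POS -> store office share
    "src=10.50.20.5 dst=10.50.10.22 dport=3389 proto=tcp",  # office -> POS RDP
    "src=10.50.10.23 dst=10.50.10.24 dport=445 proto=tcp",  # POS -> POS
    "src=10.200.5.10 dst=10.50.10.21 dport=22 proto=tcp",   # DC mgmt -> POS, fine
]

if __name__ == "__main__":
    for flow, reason in audit(FLOW_LOG):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

    The same rules, written as a default-deny policy on the store firewall, are what prevent these flows in the first place; running the audit over exported flow logs is the check that the policy is actually in force on every store, which is where such designs usually fail.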

    1. Don Jefe

      You never, ever want government to mandate technical details. That's how it's possible that I own a fully functional .50 BMG mobile antiaircraft emplacement and have a complete set of 12 matching dueling pistols (negotiating aids) displayed in my office but have to file a permit to shoot whistle pigs with a sporting rifle, but not an antique antiaircraft gun. I have to mail my man-portable weapons to the gun dealer near my fortress of solitude, but I can run around the Beltway and down I-81 with a small cannon capable of destroying any traffic snarls that impede my progress.

      But that never happens because even though my big truck is a commercial vehicle that weighs 19,500 pounds, has solid rubber tires and gets about 4MPG (Highway), it's registered as a private vehicle and as long as the weapon crew (wife) or any other individual is riding with me I get to drive in the HOV lanes, which usually don't get stopped up too bad. Because the trailer for the .50 has four axles I have to file a permit and get pilot vehicles to escort me on the road to my fortress that cuts across a corner of the Great Smoky Mountains National Park. But the costs of that are offset because the Tennessee Department of Transportation inspects the small bridges outside the park for free before I cross them as long as I give them 10 days lead time. It's a private, street legal, vehicle you see.

      It's cool when I get to my fortress because through wonderful land trust property tax incentives in Tennessee and the North Carolina part of the property, combined with state and Federal sustainable energy tax incentives, I made $1,131 in 2013 because of the micro hydroelectric turbines and solar panels I had installed, and the fact that the land trust tax breaks on the 2,100 acre property mean the States pay me a few dollars every year not to build any more than six domestic residences not to exceed a total square footage allotment of 18,000 sq ft in addition to the above ground portion of my fortress. I am allowed to log the property though, but no more than 50 acres per 7 year time frame. But when I legally cut the trees off protected 'Southern Highland preserve' property for the wood for the new floors in my Virginia home I was able to make $8,000 selling the excess to a sawyer and another $1,800 for replanting new trees, and the labor was provided free by the Department of Agriculture Internship program.

      None of it makes a lick of fucking sense, and that's what you're always going to get if a government is getting into details. You'll have 70 agencies all coming up with their own rules and if you're savvy you'll be able to at least make drinking money by playing them against each other by complying completely with their contradictory rules. 'Michael's today announced that they had suffered a breach of security and early reports indicate that the problem was solved after they were able to confirm that at least 11 and no more than 17 3/5 Native Americans had been victimized. This gives Michael's immunity from prosecution thanks to their being awarded 'Protector of Indian Heritage' by the Bureau of Indian Affairs for their heroic actions in stopping the targeted attacks on the Native Americans before damage was too great. We certainly don't want to repeat the sins of our fathers against the remainder of those most noble peoples. Stay tuned for the televised coverage of the extraction of a 10 ton armored vehicle towing an antiaircraft cannon that fell into a ravine after a small bridge in Eastern Tennessee collapsed. The National Guard has dispatched specialized equipment to assist and it appears that TNDOT is accepting responsibility for the estimated $7,000,000 operation'. Now, here's Tom with the weather.

      It's not that I disagree with you, something needs to be done. But I'm kind of leaning towards an FDIC style arrangement where rules are straightforward (bank robbed or collapses, no worries, it's covered by payments to the FDIC) and they don't fuck around. Being a slacker with normal people's money? Ok. You're no longer a bank. Stuff like that is about as far as I want the government into details. Otherwise they'll fuck it up royally.

      1. keithpeter Silver badge

        HST

        "...I own a fully functional .50 BMG mobile antiaircraft emplacement..."

        Hunter S Thompson worthy rant there, but in this case it is a large retailer that has ended up leaking a sizeable percentage of all the credit cards in the United States we are talking about, not a private venture or personal redoubt. It should be possible to frame regulations that sift out the low impact concerns but are binding on the big ones...

        1. Don Jefe

          Re: HST

          Have you ever been in a Michael's? There are more people in your closest McDonalds at any given moment than inside an entire Michael's all day. It's absolutely impossible that a 'sizable percentage of credit cards in the US' were lost by Michael's.

          If my abnormally great estimation skills aren't enough, I have more observational data to back my case. I go into Michael's a few times a month to get stuff for Wife and I am, without a doubt, the only Human with a penis who is over the age of nine in there. Ever. If I was remotely self conscious I would feel extra pervy, but I'm not. I tell wife all the time if she dies before me I'm going to troll for women at Michael's in her honor. Like I used to tell Jefe v2 when I made him go to ballroom dancing classes he would appreciate it one day. I was right.

          At any rate, I didn't say nothing needed to be done. I said letting the government get into implementation details is suicidal because all they do is fuck it up when they get down to that level. I know at least six agencies who would be involved, and that's not even thinking about it hard. Hence my earlier example.

          They can, occasionally, do high level law making without disaster, something like the FDIC for example. There are broad rules, and penalties, and if you break those rules you are penalized. You put the onus for compliance on the merchant, not the clowns here in DC.

          1. keithpeter Silver badge

            Re: HST

            From the OA

            "....has confirmed the exposure of as many as 2.6 million customer payment cards..."

            "...the attacks occurred between May 8 of last year and February 27, 2014, and impacted roughly 7 per cent of all cards used in the US at Michaels and affiliated Aaron Brothers stores over that period."

            By the back of my (tax) envelope, using a thick carpenter's pencil, that implies around 37 million unique(?) credit card numbers placed at risk over a 10 month period. Quite a few I'd say...

            Coat: I'm avoiding trailers equipped with fire-arms. And their drivers.

  2. Ole Juul

    They should offer money.

    "The company said that it will provide customers who were impacted by the breach with fraud monitoring and identity protection services."

    Not good enough.

    1. Wzrd1 Silver badge

      Re: They should offer money.

      Gee, we know that we caught your house on fire, burning it to the ground. Here's a fire extinguisher.

      Bloody hell, *over* a year of breach and it went utterly unnoticed until fraudulent activities were reported.

      I guess Helen Keller was dug up and made CIO.

      1. Tom 13

        Re: *over* a year of breach

        Spear phishing is notoriously hard to stop, and this seems to be something similar. The notice specifies that neither independent investigator had ever seen similar malware before, so expecting Michael's to catch it is expecting too much. I've also checked the list of specific stores since I do sometimes buy from them, as does my roomie. There are various date ranges for the malware so it wasn't continuously infected.

        The store I use is on the list and I'm likely to have shopped there during one of the listed periods. I don't recall seeing a notice from them about potential issues so I will be double checking. Good news is, I know which account it is and I haven't seen anything I didn't recognize in the statements.

    2. Don Jefe

      Re: They should offer money.

      The smart money seems to be investing in credit monitoring services doesn't it. I've never looked at the economics of the thing, but I wonder if card processors could offer the monitoring service to the stores bundled with everything else. I suspect it would be cheaper, kind of like insurance, and not doing business with a processor that offered it by default would just look like greed driven negligence by the merchant so it becomes a PR requirement.

      1. Tom 13

        Re: They should offer money.

        I think there'd be a raft of privacy issues there since you're talking about the store instead of the card issuer. I'd think it would be hard to anonymize that and still make it useful to the store. Especially since I'd think the fraud would be via other merchants. If you move it to the card issuer, the privacy issues go away and the same PR dynamics would apply.

        At one point in time my finances were a sufficient mess that I felt the need to use one of the services for a while. I think it was about $12.95/month, which is sort of pricey for just-in-case insurance. Yes, you should be able to get a bulk discount as the card issuer, not sure how much. I have noticed Discover is now including one of your credit scores on each statement. Not as useful as the full report, but maybe the first piece of what you're looking for.

        There's also a certain sense in which I think we need to shift our expectations. We've seen enough of these types of incidents that we should now expect them. Which means the credit issuing agencies need to step up with better process monitoring and fraud detection methods. The problem from our standpoint as the consumer is that there are too many of these systems with which we interact and all of the critical controls are outside our ability to affect let alone control. And we have to maintain perfect vigilance while the bad guys only have to compromise one system. While I'll grant they can't control it, the processing agencies are the only ones who can affect the whole chain.

        1. Anonymous Coward

          Re: They should offer money.

          "Which means the credit issuing agencies need to step up with better process monitoring and fraud detection methods."

          Our UK credit card company has already done this. It is very successful NOT. I purchased a product for $30 one evening 15 months ago, and the next day found out that the card had been blocked. No notification to us whatsoever. 6 months later (we have spent 3-4 months a year in the US for many years and have notified the card company that we are traveling), we buy petrol and 20 minutes later spend $90 in a shop and the card is refused. Fortunately we have a debit card backup. Yet another call to the card issuer. Last month the card issuer states, "You do not need to notify us if your card is being used abroad"; my wife is ill and I go to spend $400 in a chemist so the card is refused again, yet another call to the issuer! Who states "We phoned you on your UK number and left a message for you". They had managed to lose the US fixed line phone number and the US mobile number which we had supplied them with. They also came up with a set of security questions which it was not possible to answer when 2 people are using the card. When we get back to the UK, there are going to be some very succinct letters to the Boardroom of the issuer involved. I doubt it will do any good, but it will give me great pleasure writing them!

          1. Don Jefe

            Re: They should offer money.

            You can save yourself a lot of emotional distress and, instead of writing a letter that'll never get read, just use the proven Don Jefe Gift of Strife System.

            Find the name of a woman employee (must be a woman) of your target company and start sending her gifts with the CEO's initials on the card. Nothing extravagant, but something noticeable. The magic is in the card. Put some very simple, ominous, but not openly threatening, and completely incongruous with the gift, message on the cards.

            I find one or two word messages are the best. Things like 'soon', 'tonight', 'Tuesday' (hint; if you go with the day of the week you've always got to use the same day, but never send a gift on whatever day you choose).

            For gifts I like flowers, carnivorous potted plants, fruit baskets, one of those balloons with an anatomically correct baby doll dressed in designer baby clothes inside instead of a stuffed bear, a stuffed bear (real bear, preferably dead, or heavily sedated) or one of those nice wicker picnic baskets with a mystery bottle inside it. You can buy Human and animal teeth on etsy and they make a cool sound in a glass bottle.

            I like to order the gifts from an airport, strip club or bar in a terrible part of town. That way when the lady finally sues the CEO it will come out in court, or settlement talks, that the CEO is up to some shady shit anyway and the lady will get more money after the dust settles.

            Anyway, if letters are your thing that's cool. But most company leaders have a SpamDroid that reads all the incoming letters and gets rid of any that don't have nudie pics of a pretty lady, drugs or cash enclosed so it'll probably never get read by your target. But for about 25% of the cost of a lawsuit you can cook up a batch of Discord by Courier and send one gift a month for 7-8 months. It's much more fun, as you get to at least imagine something entertaining is happening instead of knowing your missive is now bedding material in the enclosure of someone's pet stoat.

      2. channel extended

        Re: They should offer money.

        Charge some amount say $1000.00, or pounds, for each credit card owner data stolen IF reported.

        Charge 10,000 for each not reported when found out.

        Result is a very good incentive to both report and pay attention to data security.

  3. Destroy All Monsters Silver badge

    Fiddling while Chrome burns!

    Yes, this is a William Gibson reference.

    1. ecofeco Silver badge

      Re: Fiddling while Chrome burns!

      One of his best and a very appropriate reference.

      Upvoted.

  4. RainbowTrout

    Great.....

    My wife shops at Target and Michaels. We already have had to cancel and replace her bank card once this year due to attempted fraud but at least it shows the bank fraud departments appear to be on their toes.

    1. Don Jefe

      Re: Great.....

      You and your wife should figure out something artsy with the dead cards. Like glue them over the faces of male porn stars in pictures so that all you can see is a big cock. Call the pieces something like 'Stolen Innocence in Aisle 5' and do a series of them!

  5. ecofeco Silver badge

    How odd

    How odd that it has become safer to shop on-line than at the brick and mortar.

    Well, somewhat, anyway.

    1. Don Jefe

      Re: How odd

      You could probably make a fortune if you founded a marketing company based on your, quite astute, observation. 'Concerned about identity theft? Shop Smart, Shop Safely and Shop Securely. Shop Online'.

  6. pacman7de

    Analyzing and detecting Kaptoxa POS malware ..

    "A few days ago, I was tasked to look at the Kaptoxa/BlackPOS malware, a malware which is believed to be used in the massive Target data breach"
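
    The Kaptoxa/BlackPOS family referenced above is a RAM scraper: it reads the memory of the POS payment process and pulls out magnetic-stripe track data. The same pattern it hunts for can be hunted by a defender. What follows is an added example, not code from the linked analysis or from the malware: it scans a memory image for ISO 7813 Track 2 records and keeps only hits whose PAN passes the Luhn check, which removes most accidental digit runs. The process name, memory layout and card numbers in SAMPLE_MEMORY are constructed for the example (the PANs are published test numbers).

```python
"""Track 2 scan for RAM-scraper detection.

Added example; not code from the linked Kaptoxa/BlackPOS analysis. Dump the
payment process (or any suspect process) on a terminal and scan the image
for Track 2 records; only Luhn-valid PANs are reported, and only masked.
SAMPLE_MEMORY is a constructed stand-in for such a dump.
"""
import re
from typing import List, NamedTuple

# ISO 7813 Track 2 as it sits in memory: ';' PAN '=' YYMM service-code
# discretionary-data '?'.  RAM scrapers search for exactly this shape.
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,30})\?"
)


class Track2Hit(NamedTuple):
    offset: int        # byte offset in the scanned image
    pan_masked: str    # first 6 + last 4 only; never log the full PAN
    expiry: str        # YYMM
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over the PAN digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(image: bytes) -> List[Track2Hit]:
    """Return every Luhn-valid Track 2 record found in a memory image."""
    hits = []
    for m in TRACK2_RE.finditer(image):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue            # random digits that merely look like a PAN
        hits.append(Track2Hit(
            m.start(),
            mask_pan(pan),
            m.group("exp").decode("ascii"),
            m.group("svc").decode("ascii"),
        ))
    return hits


# Constructed stand-in for a process memory dump: some junk, two records with
# published test PANs, and one record whose PAN fails Luhn and must be skipped.
SAMPLE_MEMORY = (
    b"\x00\x00PAYAPP.EXE\x00" + b"\x90" * 16
    + b";4111111111111111=2512101000000000000?"   # Luhn-valid test PAN
    + b"\x00" * 8
    + b";4111111111111112=2512101000000000000?"   # Luhn-invalid: skipped
    + b"\x00" * 8
    + b";5500000000000004=2609201000000000000?"   # Luhn-valid test PAN
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE_MEMORY):
        print(f"offset {hit.offset}: PAN {hit.pan_masked} "
              f"exp {hit.expiry} svc {hit.service_code}")
```

    Run it over a process dump rather than a disk image: plaintext track data in the memory of anything other than the payment application, or in the payment application on a terminal that is supposed to encrypt at the read head, is the finding. The scan reports only masked PANs so the detection tool does not itself become a second copy of the card data.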

  7. Irony Deficient

    Credit cards? Yes, I’ve heard of them.

    Am I the only antediluvitard here who still uses cash to buy things?

    1. Destroy All Monsters Silver badge

      Re: Credit cards? Yes, I’ve heard of them.

      Not for long, my friend. Not for long. Hold still, this won't hurt a bit...

      The International War on Cash

      1. Anonymous Coward

        Re: Credit cards? Yes, I’ve heard of them.

        I regard with significant suspicion any "war on" anything other than a sovereign state, particularly when the war is declared by the supporters of said thing.

        Also, while I have not read the conspiracy theorizing linked above, I am willing to bet that it ascribes far too much organizational capability and internal political cohesion to whatever shadowy cabal it accuses of carrying on the war in question.

        I would also like to point out the odd dichotomy wherein crazyballs doomsaying right wingers who are convinced that the government could never competently run a health care system or a financial institution can nevertheless carry out, with 100% success, numerous astronomically complex conspiracies spread over many generations and political dynasties. As a dyed-in-the-wool big-government liberal, I must say I find this overwhelming vote of confidence in the abilities of government bureaucracy to be heartening.

  8. FormerKowloonTonger

    Computer Generated Greed Rules! HAL 2014.

    This merchant point of sale information theft is HAL 2014 out of control. And, HAL is smugly out of control because the reach for corporate profit trumps all...all. Th' Computer Rules. All prostrate themselves before Th' Computer! [Remember that delicious Pat Oliphant cartoon of some years back?]

    If more corporate cash were to be allocated to R&D to create the necessary firewalls at all of the steps of purchase from Customer card scan to bank and return to vendor, rather than permitting that odious "it's not my problem" to rule all phases of accepting responsibility, we'd have noticeable security. [note cap "C" for Customer]

    This is a tradeoff and/or choice which apparently no Corporate Board wants to decide to dilute profits, or divert cash to Security R&D on a change in priorities. Computers and cash flow are now in jeopardy.

    Something has to give.

    Captain Google has yet another example of a very smart Canadian teenager .....

    "RCMP charge London, Ont. 19-year-old in Heartbleed theft ...

    business.financialpost.com/.../rcmp-heartbleed-cha...

    Financial Post

    by Matt Hartley - in 727 Google+ circles

    4 days ago - RCMP charge London, Ont. 19-year-old in Heartbleed theft of 900 SINs ... Arthuro Solis-Reyes was charged with unauthorized use of a computer ... from the Canada Revenue Agency's Website, a 19-year-old London, Ont.

    Missing: scammer...." End Paste.

    We're permitting Teenagers to exploit computer weaknesses, and all we hear is "We at the [...fill in the blank...] Company take computer security very seriously, and have taken all steps necessary to prevent further occurrences....blah blah blah."

    Close! Those! Doors! HAL!

    Close these openings, HAL!

    1. Anonymous Coward

      Re: Computer Generated Greed Rules! HAL 2014.

      If I ever run a multinational accused of a data breach, I hereby promise to respond, "We at DavidW International regard computer security with a mixture of callous disregard and reckless contempt, and since economic inertia and the apathy of our stiflingly stupid customer base assure continued cristal showers in the executive washroom, we're pretty much gonna shovel all this crap under the rug and wait until the next mass transit accident distracts the plebes."

      Better?

  9. Anonymous Coward

    great, not again

    just got all the bill pay accounts fixed after the Target breach. Having the wife as supportive of my "build cool stuff" hobby means no one keeps either of us away from Michaels, which is within walking distance from the apartment.

    I suspect we'll be getting "new" cards again.
