The PIN Debit card skimming at Michaels Stores is causing havoc and lots of fraud at many U.S. banks. Already, class action suits against Michaels are being filed, although I don’t see much damage to U.S. consumers since they are likely to get their stolen funds back. The damage in this case accrues to the card issuing banks whose fraud detection systems weren’t tuned finely enough to stop the fraudulent transactions.
It seems to me that the gang that carried out the attacks against Michaels is a savvy group of criminals using tactics that we haven’t seen before. Not only did they manage to skim card data AND the sacrosanct PINs that go with it, but they also managed to stay under the payment card brands’ radar for a relatively long time (longer than usual).
How did they do this? By attacking one bank at a time, instead of using the stolen card information simultaneously across multiple card issuing banks as they have typically done in past card skimming heists. The fraudsters sorted the stolen card data by BIN (bank identification number, the first four digits of the 16-digit card number), which told them which bank issued each card. They then figured out which banks to attack, one by one.
By using this tactic, it took longer for the payment card networks (e.g. Visa, MasterCard) to figure out the point of compromise, i.e. Michaels, because the fraudsters bypassed the normal network-level monitoring these firms perform by looking across banks for correlated fraudulent transactions. The fraudsters also avoided the heat and microscopic attention generated by bank communications with the card networks, which take place when a breach affects a larger group of card issuers at once.
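To make the detection gap concrete, here is an added example (not code from the original post, and not the card networks’ actual monitoring logic) of a simple common-point-of-purchase analysis. It uses constructed fraud reports in which three issuers (placeholder BINs) are hit in successive weeks, as the post describes. A single bank’s per-week count of fraud-hit cards stays under an alert threshold, while counting cards and issuers per merchant across all banks over the whole period points straight at the shared merchant.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample fraud reports (not data from the post). Each record is one
# card confirmed as fraud-hit: the issuer's BIN (placeholder values), the date
# the fraud was first reported, and the merchants where the card was used in
# the weeks before the fraud. The three issuers are hit in successive weeks,
# mirroring the one-bank-at-a-time tactic described above.
FRAUD_REPORTS = [
    # (issuer BIN, fraud date, prior merchants)
    ("400001", date(2011, 4, 1), ["MICHAELS_STORE_042", "GROCERY_17"]),
    ("400001", date(2011, 4, 2), ["MICHAELS_STORE_042", "GAS_88"]),
    ("400001", date(2011, 4, 2), ["MICHAELS_STORE_042"]),
    ("400001", date(2011, 4, 3), ["MICHAELS_STORE_042", "GROCERY_17"]),
    ("510002", date(2011, 4, 15), ["MICHAELS_STORE_042", "PHARMACY_3"]),
    ("510002", date(2011, 4, 16), ["MICHAELS_STORE_042"]),
    ("510002", date(2011, 4, 16), ["MICHAELS_STORE_042", "GAS_88"]),
    ("510002", date(2011, 4, 17), ["MICHAELS_STORE_042"]),
    ("600003", date(2011, 4, 29), ["MICHAELS_STORE_042", "GROCERY_17"]),
    ("600003", date(2011, 4, 30), ["MICHAELS_STORE_042"]),
    ("600003", date(2011, 5, 1), ["MICHAELS_STORE_042", "PHARMACY_3"]),
    ("600003", date(2011, 5, 1), ["MICHAELS_STORE_042", "GAS_88"]),
]


def peak_per_issuer_count(reports, window_days=7):
    """Largest number of fraud-hit cards any single issuer sees inside one
    sliding window of window_days. This is the view one bank's own fraud
    system has when it looks only at its own cards."""
    by_issuer = defaultdict(list)
    for bin_prefix, fraud_date, _ in reports:
        by_issuer[bin_prefix].append(fraud_date)
    peak = 0
    for dates in by_issuer.values():
        dates.sort()
        for start in dates:
            end = start + timedelta(days=window_days)
            peak = max(peak, sum(1 for d in dates if start <= d < end))
    return peak


def common_point_of_purchase(reports):
    """Across all issuers, count how many distinct fraud-hit cards share each
    prior merchant. A merchant present on far more cards than the others is
    the candidate point of compromise."""
    counts = defaultdict(int)
    for _, _, merchants in reports:
        for merchant in set(merchants):
            counts[merchant] += 1
    return dict(counts)


def issuers_per_merchant(reports):
    """Number of distinct issuers whose fraud-hit cards touched each merchant:
    the cross-bank correlation a network-level monitor can see and a single
    issuer cannot."""
    issuers = defaultdict(set)
    for bin_prefix, _, merchants in reports:
        for merchant in set(merchants):
            issuers[merchant].add(bin_prefix)
    return {m: len(s) for m, s in issuers.items()}


def point_of_compromise(reports, min_cards):
    """Return the merchant with the most fraud-hit cards if that count reaches
    min_cards, otherwise None."""
    counts = common_point_of_purchase(reports)
    merchant, n = max(counts.items(), key=lambda kv: kv[1])
    return merchant if n >= min_cards else None


if __name__ == "__main__":
    ALERT_THRESHOLD = 5
    # Per-bank view: 4 cards per week, under the threshold, so no alert fires.
    print("peak fraud-hit cards per issuer per week:",
          peak_per_issuer_count(FRAUD_REPORTS))
    # Network view: 12 cards from 3 issuers share one merchant.
    print("cards per merchant:", common_point_of_purchase(FRAUD_REPORTS))
    print("issuers per merchant:", issuers_per_merchant(FRAUD_REPORTS))
    print("point of compromise:",
          point_of_compromise(FRAUD_REPORTS, ALERT_THRESHOLD))
```

The design point is the aggregation key: keyed by issuer and a short time window, the sequential attack never exceeds a per-bank threshold; keyed by merchant across issuers and across the whole period, the shared point of purchase dominates immediately, which is why the post stresses cross-bank correlation.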
The Michaels breach will just fuel the fire of the bank lobbyists opposing the Durbin Amendment, which threatens to drastically cut debit card interchange fees so that banks don’t reap such large profits off the merchants’ backs. Banks will now have a stronger argument that they need these higher fees to cover the increasing costs of fraud.
Meanwhile, 77 U.S. retailers that Gartner just surveyed are spending an average of $1.7 million to become PCI compliant over a time period of 2.4 years. (The costs vary widely and can go north of $10 million at some of the largest merchants).
At some point, the U.S. card industry will likely figure out that it’s cheaper to move away from inherently insecure magnetic stripe payment card technology to more secure chip cards than it is to spend billions on PCI compliance and millions on recovering from breaches like this one. That day can’t come soon enough for retailers like Michaels.