The news: Craft store Michaels appears to be the latest victim of a massive security breach after "hundreds" of credit cards used at its locations were subsequently used to make fraudulent purchases. The stolen cards were typically used at big box stores like Best Buy and Target, where the thieves made off with thousands of dollars of retail goods.
If confirmed, Michaels would be the latest large retailer to fall before a dedicated attack. In November, criminals stole the credit card numbers of over 40 million customers and personal information for over 70 million. And malware on point-of-sale systems caused retailer Nieman Marcus to expose 1.1 million payment cards to hackers.
A fraud analyst at a large credit processor told security journalist Brian Krebs that "What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers."
"One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place."
CEO Chuck Rubin issued the following statement:
"The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred."
How it works: Data can be stolen in any number of ways ranging from direct theft to sophisticated technical operations. Last week, massive fraud hit 40% of the entire population of South Korea after an employee at the Korea Credit Bureau copied data onto an external hard drive over the course of a year and a half. The Target breach "appears to have resulted from Windows-compatible BlackPOS (a.k.a. Kaptoxa) malware running on payment processing servers, and siphoning 11 GB of card data from POS terminals, via FTP, to a server in Russia." In other words, the hackers managed to infect the terminals that read credit cards. And then there's classic phishing techniques like sending spam emails that look remarkably like actual retailer communications in order to obtain credit card data.
"You now can receive e-mails that will look a lot like an e-mail from Target or an e-mail from your bank that will lead you to a website that will ask for your log-n credentials including your password. And those sites could potentially be from he hackers who stole your e-mail address," said Yaron Samid, who runs a fraud protection service.
Generally, the ones pulling off the heists aren't the ones who make fraudulent purchases. Often, the stolen cards are auctioned off in lots, sometimes at low prices. Data can go through several parties before reaching your typical run-of-the-mill petty criminals, so it's often very difficult to trace organized theft back to the original hackers.
What companies are doing to prevent fraud: Obviously, not enough. Major tech companies are now encrypting your data, as surveyed by IT World:
But direct theft from corporate servers or malware installed on physical hardware within the stores themselves wouldn't be prevented by encryption, which only makes it more difficult for third parties like criminals or more ominously the NSA to access private data. Vigilance, common sense, and a constant eye for protecting your personal data is the only surefire way to lower your risk of identity theft.