By Ann Zimmerman
Thieves tampered with debit-card processing equipment at Michaels arts-and-crafts stores as early as Feb. 8, nearly three months before customers who had used their bank cards at the chain first reported that their bank accounts had been looted, the retailer said.
The company began removing the compromised equipment, which it found at 80 stores in 20 states, on May 6. It says that fewer than 100 customers have reported fraudulent transactions.
Earlier in the week, Michaels Stores Inc. of Irving, Texas, reported that crooks had subverted its equipment and collected customers' debit-card data, including personal identification numbers. The gang created duplicate cards and, using the stolen PINs, withdrew cash from victims' bank accounts, in some cases more than once.
The company said that it uncovered almost 90 improperly altered debit-card processing devices. The U.S. Secret Service is investigating the incident.
Michaels said it has since learned from law enforcement that thieves may target older devices, known as PIN pads. The company was in the process of upgrading its equipment when the attack occurred, it said.
"Those pads have all been removed from every U.S. Michaels store, and are being replaced with tamper-proof equipment within the next two weeks," the company said, adding, "We have adopted additional security measures to prevent future tampering."
While Michaels has not revealed details of how its equipment was compromised, retail experts say that the thieves probably installed devices called skimmers, which can read and copy information in the magnetic strips on the backs of debit cards. PINs can be collected using tiny cameras or by membranes installed over keypads to collect keystrokes.
Retailers and banks expressed concern about the attack on Michaels, which resembles a similar assault on debit card readers at grocer Aldi Inc.'s stores in 11 states last fall. Banks generally reimburse customers for unauthorized withdrawals reported within 60 days.
Retailers said similar frauds could be prevented if the card networks would issue safer chip and PIN cards, which are expensive to produce but harder to copy.
"But banks and credit card networks want to keep the status quo, so they can justify the fees they charge retailers" to process transactions, said Brian Dodge, a spokesman for trade group Retail Industry Leaders Association.
The banking industry says it is not to blame. Retailers would have to spend money on equipment capable of reading the new cards. "It's a cost that small and mid-size retailers are balking at," said Doug Johnson, vice president of risk management policy at trade group American Bankers Association.
