3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

April 17, 2014 in Security News by News Bot

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

The Michaels breach first came to light just weeks after retail giant Target Corp. said that cyber thieves planted malware on cash registers at its stores across the nation, stealing more than 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013. That malware was designed to siphon card data when customers swiped their cards at the cash register.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

Facebook adds new Nearby Friends feature to engage mobile users

April 17, 2014 in Security News by News Bot

http://www.cnet.com/news/facebook-launches-nearby-friends/#ftag=CAD590a51e

Facebook has spent a lot of time recently talking about anything but Facebook. Instead, the company has spent billions buying technology and developing new apps separate from the Facebook service. But on Thursday, the social network announced the first significant feature for its core product in over a year.

Called Nearby Friends, it lets users see which of their Facebook friends are in physical proximity to them.

Critical Java Update Plugs 37 Security Holes

April 17, 2014 in Security News by News Bot


Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update (or to ditch the program once and for all).

Top Chinese hacking team reveals members’ identities

April 17, 2014 in Security News by News Bot


The Keen, a top hacking team which took down Adobe Flash on Windows 8.1 in just 15 seconds and Apple’s Safari on Mac OS X Mavericks in only 20 seconds during the Pwn2Own Vancouver event in March, has divulged the identities of its members, a Chinese newspaper reported on 13 April 2014.

“50 percent of us are the top scoring students in the national college entrance examination. 50 percent majored in mathematics, and 50 percent are from Microsoft,” said Lv Yiping, key member of the Keen and co-founder and chief operating officer of the team’s Shanghai-based parent company.

Single-step authentication on Galaxy S5 leaves PayPal accounts open to abuse, say German researchers

April 17, 2014 in Security News by News Bot


PayPal was left fighting a rear-guard action last night after it emerged that the fingerprint scanner on the Samsung Galaxy S5 smartphone can easily be bypassed.

Germany's Security Research Labs says the spoofing technique allows access to a user's PayPal account, which is an important issue since a key feature of the scanner is one-step access to the PayPal payment system, effectively replacing the user's ID and password with a fingerprint swipe.

Singapore broker urges ‘light touch’ Bitcoin regulation

April 17, 2014 in Security News by News Bot


Singapore should adopt a light-touch approach to regulating virtual currencies such as Bitcoin, and instead allow technology to do most of the "governing" to safeguard against illegal activities.

According to David Moskowitz, director of Singapore-based Bitcoin broker Coin Republic, regulation alone will not necessarily achieve its goal of addressing concerns such as money laundering or the failure of a Bitcoin exchange.