Within those same few days, Michaels Stores—the popular arts and crafts retailer—announced it had discovered that in at least 80 of its stores nationwide, debit card swipe pads had been either swapped out or otherwise tampered with so as to allow debit card numbers and PINs to be systematically and routinely stolen. Unlike other attacks of this type, such as the one directed at Stop & Shop in 2007 in which only a few stores located in the New England region were compromised, the Michaels Stores were geographically located all over the country from New Mexico to Massachusetts. Very quickly it was also discovered that the compromised information had already been used to drain the bank accounts of scores of Michaels customers through the use of ATM machines. The process is quite simple really; the information from the bogus swipe pads is collected and transmitted to the thieves, who quickly create equally bogus ATM debit cards, consisting of very little but a piece of plastic with a magnetic strip. It works just like the real thing at an ATM, though. Michaels announced that within two weeks it would replace more than 7,200 swipe pads at all of its stores, and in the meantime would utilize a much slower yet more secure manual method of processing debit card transactions.
Now what do these seemingly unrelated attacks have in common? First, both were cleverly executed. One assumes that Rupert Murdoch is quite sensitive when it comes to security—data security in particular. It couldn’t have been a walk in the park for LulzSec to hack the Fox computers. Similarly, think of the scale of the Michaels attack; it must’ve taken a large number of folks, all of whom had to be reasonably technical, and all of whom were coordinated in a very precise and premeditated way across all those pads in all those stores in all those states. This crime was organized, even if it was not accomplished by organized crime.
On the other hand, think of the profound differences between these two events. There is no indication that LulzSec was attempting to do anything other than send a pointed and disruptive message. There isn’t a hint of a profit motive, and given the nature of their target, one might naturally assume that these folks are a technologically talented band of fellow travelers out to have a little fun at the expense of the Right. In fact, there is no indication of any criminal motive, aside from the fact that what they did was in itself a crime. But the Michaels battalion of attackers could only be in it for the money—and to do what they did they must have invested quite a bit up front. Moreover, the methods of the madness were so different from one another.
So why do I connect these two events?
From the time that I was in grade school, I have always been a fan of Sir Arthur Conan Doyle’s brilliant fictional character Sherlock Holmes. I’ve read all the stories. I’ve seen all the movies with Basil Rathbone and Nigel Bruce. I’ve seen all the movies without Basil Rathbone and Nigel Bruce. I’ve seen every episode of every TV series featuring the character, most particularly the ones starring Jeremy Brett, which I find to be the renditions most faithful to Conan Doyle’s original work. One of the things that always fascinated me about the character was not only his brilliant forensically scientific thinking, but also his pithy expressions of complex and enduring ideas. For example:
“But is it coincidence? Are there not subtle forces at work of which we know little?” From The Adventure of the Blanched Soldier.
Had Sherlock ever lived, and were he alive today, would he not perceive those subtle forces at work in both the Fox and Michaels debacles? That the humans who act on those subtle forces probably don’t know each other and never will has nothing to do with it—the subtle forces are a pervasive part of the modern world in which we live. Whether for prank or profit, the vulnerability of the digital systems on which we—and indeed our entire economy—rely has served to create those forces, just as the sun and the moon create our wind and weather.
My point is really quite simple: new technology brings with it new opportunity, new convenience, and new problems. When asked why he robbed banks, Willie Sutton famously (and probably apocryphally) said “that’s where the money is.” Now the money is everywhere in digital form. Clever thieves don’t need guns. And those thieves are aided and abetted by everyone who hacks databases and publishes private information. As we have often said in this column, once your personal information is out there, it’s OUT THERE. So while LulzSec and the Fox breaches likely played no role in the Michaels fraud, whatever the motives of LulzSec may be, they are potential enablers of for-profit criminals, identity thieves who grab every piece of personal data that they can, correlate various bits of information from different sources, and thereby make their attempt to perpetrate fraud more sophisticated and more likely to succeed.
The digital world has made mincemeat of coincidence. The attacks on Michaels and Fox are part of the suddenly obvious zeitgeist of exploiting data vulnerability—for whatever purpose. And everyone who does it helps everyone else to do it, sooner or later, for better or worse. Right now, the only countermeasure we have is to remain cautious and vigilant, individually and as a society. If you check your bank account online every day, you can’t be too harmed at an ATM machine, given the ubiquitous daily limits on cash withdrawals. And Michaels, which no doubt has a security department, needs to get on the stick and work with law enforcement to prevent further compromises, and to design systems and procedures to more effectively protect their customers from problems like this in the future.
As another favorite fictional character of mine once said: “Keep watching the skies.”
Note: Regarding the moniker LulzSec—I’ve spent all week trying to figure out the meaning of that abstruse name, and all I know is that “lulz” is Internet slang for laughs, and according to the group’s Twitter page, LulzSec stands for “The Lulz Boat.” Maybe Gavin MacLeod is behind this?