[ISN] Michaels Breach: How the Fraudsters Pulled it Off

www.bankinfosecurity.com/michaels-breach-how-fraudsters-pulled-off-a-8696 By Tracy Kitten @FraudBlogger Bank Info Security November 20, 2015 More than four years after the point-of-sale attack that struck 80 Michaels craft stores throughout the U.S., compromising nearly 100,000 payment cards, details about how the attackers pulled off their scheme have finally emerged. On Nov. 17, Crystal Banuelos of California, a lead defendant named in the 2011 Michaels debit breach, pleaded guilty to conspiracy to commit bank fraud and aggravated identity theft (see Michael’s Breach: What We’ve Learned). Banuelos’ sentencing date has not yet been set. She faces a maximum sentence of 32 years in prison and a $1 million fine. In her plea filed with a New Jersey District Court, Banuelos notes that she conspired to steal credit and debit card data, as well as PINs, from Michaels’ customers, and knowingly used counterfeit cards created from that stolen data to conduct fraudulent cash withdrawals at ATMs. In all, authorities believe Banuelos and Angel Angulo, a co-defendant named in the indictment whose case is still pending, stole $420,000 from banks through fraudulent ATM withdrawals. Banks defrauded in the scheme, according to the indictment, include U.S. Bank, BMO Harris, Bank of America, JPMorgan Case, TD Bank, Beneficial Bancorp and Wells Fargo. To perpetrate their crime, prosecutors allege Banuelos, Angulo and other unnamed conspirators swapped out 88 legitimate POS devices at 80 different Michaels locations across 19 states with manipulated terminals that were used to capture and store card data and PINs. […]