If you shop at the popular Michaels craft store chain, your bank account may be in jeopardy.
The U.S. Secret Service is investigating a debit card fraud case that started in Illinois and has now spread to 20 states.
Investigators say crooks tampered with PIN pads in the Michaels checkout lanes, allowing them to capture customers' debit card and PIN numbers.
Michaels now confirms that it found an astonishing 90 compromised PIN pads in 80 of its stores.
The chain quarantined an additional 7,000 PIN pads just to be safe.
Jennifer Gatz and Brandi Ramundo didn't know each other, but the two Chicago-area women somehow sleuthed out the key to what has now become a major case. Crooks had made withdrawals from both their accounts.
"They were from ATMs that were nowhere that I've ever been to," Gatz told "Good Morning America."
The women told mutual friends about the thefts. Those friends introduced them on Facebook. And when they started chatting, they discovered they both shopped at Michaels, a store known for its homey crafts, the last place you'd expect to face fraud.
"I couldn't believe it," Gatz said. "It's such a well-known store, it's a huge chain."
"There had to be some type of skimming device that was capturing it and assuming our PIN number," Ramundo said.
She was right. Sophisticated crime rings know how to replace or reprogram PIN pads right in the checkout lane so that they can capture customers' debit card numbers and PINs.
"When we're using technology as old as a magnetic strip on a card that can easily be duplicated, it makes it extremely easy for the criminals to clone our cards and steal our identities," said Chris O'Ferrell, a security consultant.
In fact, I was able to buy a card-cloning machine right on the Internet. O'Ferrell showed me how to clone my own card. All that was required was typing in the card number and PIN, then swiping a blank card through the machine.
That created a duplicate of the credit card.
We cloned my card. Now the question was, would it work at a gas station pump?
The transaction went through.
The FBI says low-level criminals called "cashers" then use cloned cards to hit ATMs and drain accounts.
Here's the worst part: Debit cards tap straight into your own bank account. At the very least, you're going to be without your money for a few days while the bank investigates. Worst case scenario: If you don't notice the theft for 60 days or more, by law, you are liable and the bank doesn't have to reimburse you.
Here are more details about the Michael's PIN pad tampering that might help you determine if you are at risk:
Time Frame: Michaels is working hard to learn more about the PIN pad tampering that led to theft from some customers' accounts. As best the store can tell at this time, the customers who experienced problems shopped between Feb. 8 and May 6, 2011.