May 13, 2011 — -- If you shop at the popular Michaels craft store chain, your bank account may be in jeopardy.
The U.S. Secret Service is investigating a debit card fraud case that started in Illinois and has now spread to 20 states.
Investigators say crooks tampered with PIN pads in the Michaels checkout lanes, allowing them to capture customers' debit card and PIN numbers.
Michaels now confirms that it found an astonishing 90 compromised PIN pads in 80 of its stores.
The chain quarantined an additional 7,000 PIN pads just to be safe.
Jennifer Gatz and Brandi Ramundo didn't know each other, but the two Chicago-area women somehow sleuthed out the key to what has now become a major case. Crooks had made withdrawals from both their accounts.
"They were from ATMs that were nowhere that I've ever been to," Gatz told "Good Morning America."
The women told mutual friends about the thefts. Those friends introduced them on Facebook. And when they started chatting, they discovered they both shopped at Michaels, a store known for its homey crafts, the last place you'd expect to face fraud.
"I couldn't believe it," Gatz said. "It's such a well-known store, it's a huge chain."
"There had to be some type of skimming device that was capturing it and assuming our PIN number," Ramundo said.
She was right. Sophisticated crime rings know how to replace or reprogram PIN pads right in the checkout lane so that they can capture customers' debit card numbers and PINs.
"When we're using technology as old as a magnetic strip on a card that can easily be duplicated, it makes it extremely easy for the criminals to clone our cards and steal our identities," said Chris O'Ferrell, a security consultant.
In fact, I was able to buy a card-cloning machine right on the Internet. O'Ferrell showed me how to clone my own card. All that was required was typing in the card number and PIN, then swiping a blank card through the machine.
That created a duplicate of the credit card.
We cloned my card. Now the question was, would it work at a gas station pump?
The transaction went through.
The FBI says low-level criminals called "cashers" then use cloned cards to hit ATMs and drain accounts.
Here's the worst part: Debit cards tap straight into your own bank account. At the very least, you're going to be without your money for a few days while the bank investigates. Worst case scenario: If you don't notice the theft for 60 days or more, by law, you are liable and the bank doesn't have to reimburse you.
Here are more details about the Michael's PIN pad tampering that might help you determine if you are at risk:
Time Frame: Michaels is working hard to learn more about the PIN pad tampering that led to theft from some customers' accounts. As best the store can tell at this time, the customers who experienced problems shopped between Feb. 8 and May 6, 2011.
Type of Card: Michaels' PIN pads are used to swipe credit and debit cards, so it's possible that customers' credit card numbers were captured. However, law enforcement officials have not had any reports of credit card abuse related to the compromised PIN pads, to date. That is probably because crooks' preferred method of using the card information they glean is to hit ATM machines, which require a PIN, and customers do not enter a PIN at the store when they use a credit card.
However, it is possible that thieves could create cloned credit cards and use those cards to purchase merchandise, so credit card customers should monitor their accounts and report any suspicious activity to their credit card company immediately.
States: Michaels said it discovered compromised PIN pads in the following states:
Colorado, Delaware, Georgia, Iowa, Illinois, Massachusetts, Maryland, North Carolina, New Hampshire, New Jersey, New Mexico, Nevada, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, West Virginia and Washington.
Stores: For a list of specific stores where the problem PIN pads were found, Click HERE.
To read more details about Michaels' continuing efforts to safeguard its customers, Click HERE.
Here's advice for keeping your bank account safe and secure: Consider using a credit card instead of a debit card. That way, you are risking the credit card company's money instead of your own. Laws and policies regarding credit cards offer stronger protection than those for debit cards. If you fail to report a debit card theft within 60 days, by law, you are liable and the bank can refuse to reimburse you. Many good banks will still help you, but they don't have to.
Re-PIN your debit card. Because crooks can swipe PIN numbers, it's a good idea to "re-pin" your debit card several times a year. It takes less than five minutes. Banks have small devices at their service counters where you can choose a new PIN for your card.
Be aware at ATMs, gas stations. Crooks also frequently install skimming devices on ATM machines and at the gas pump. So check out the slot when you insert your ATM card to make sure it looks right and is not a skimmer. It's also a good idea to type in your PIN number with one hand, while using the other to shield the number from view. More simplistic scammers install video cameras above ATM machines to record people's PINs.
Keep a watchful eye on your bank account. Because you can be held responsible for stolen funds if you don't report the theft within 60 days, it's important to monitor your accounts closely. If you suspect any sort of problem, contact your bank or credit card company immediately.