Case Study 01:
Security in the Retail Environment
The Human Factor
The retailer takes on an incredible responsibility once it accepts any type of debit or credit card, because the buyer has every right to expect that their account information will be safe. Human nature should warn the buyer that, even though the retailer appears as sturdy as the concrete foundation of its store, any system that relies on human beings is not going to be one hundred percent secure.
"The greatest of faults, I should say, is to be conscious of none."
-Carlyle, Heroes and Hero Worship
When the customer uses cash, the only risk is to the retailer. The retailer leaves a limited amount of cash exposed. Cash drawers are counted in and out, tallied against register receipts, and the loss of even all of the cash drawers active at any given point in the day would prove to be very limited and would be noticed immediately.
Electronic accounts, however, can suffer losses up to their limits, which are frequently in the thousands of dollars, and many more accounts can be compromised than the number of cash drawers exposed. Additionally, the actual theft can take place stealthily over a period of weeks, with the victim unaware until they receive their statement or a notification that their accounts are overdrawn.
Do not believe, for a minute, that the cost is negligible. The consumer may initially be liable up to only fifty dollars, the retailer may even agree to reimburse the consumer for their loss, and this may even be covered by an insurance company. But the insurance company recovers its cost through higher premiums, which make their way back to the consumer through higher prices.
Recently, a retailer was compromised by a group out to steal not cash, but account information. Allegedly, the ne'er-do-wells walked into multiple storefronts in broad daylight, modified several of the point-of-sale systems by installing account capture technology, and walked out. As dastardly as this sounds, and certainly not to glamorize them, what moxie!
What procedures did the retailer have in place to deal with this situation? Why did no employee (clerks, customer service desk, assistant manager, manager) challenge the thieves?
The thieves recorded account information through their electronic interface over a period of time and distributed and/or sold the information to individuals who would later use the accounts to buy goods and services illegally.
Application of the 7-Layer Security Model
Let's apply the model to determine what could have been done to prevent this, and what should now be implemented.
Three possible security measures immediately come to mind.
We will start with physical security. Even though the store was open and employees and customers were conducting their business, physical security could still have alerted the store employees at the location that something was amiss.
Install a physical locking plate requiring a manager's key. The device cannot be altered without removing the plate, and the plate cannot be removed without the manager's key. The manager will not unlock the device without first confirming that a proper work-order was generated by the appropriate employee within the store or by someone at the corporate office. If this does not sound reasonable, then why do all of the registers have keys?
Electronic sensors could also be used to detect if the devices are being tampered with. The key would disable the alarm. If the alarm is triggered, it could activate the light at the station while emitting an audible alarm. This would draw immediate attention to the location of the intrusion and to the person attempting it.
Keep in mind, all of the point-of-sale systems are connected to a central network. Implement strong passwords and have all electronic devices log in to the network. The device cannot converse with the network without being authenticated when it is installed. This could be implemented in one of two ways. Either require the manager to log in to the network from the register station, using a keypad or a special swipe card with an encoded magnetic strip, with a password that authenticates the device; or have the manager authenticate each device by serial number from their office computer using their account. In either case, the device cannot process transactions on the network until this step is completed. This could be taken a step further by denying electrical power to the device until it is authenticated.
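The network-side gate described above, tied to the work-order check and the tamper alarm from the physical measures, shown as an added example (not code from the retailer or the author). The per-device key issued at approval, the state names, and all serials, accounts and work-order ids are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
def sign(key, payload):  # per-device message tag (HMAC-SHA256)
    return hmac.new(key, payload, hashlib.sha256).digest()

@dataclass
class DeviceRegistry:
    """Network-side gate: a terminal may transact only while ACTIVE."""
    open_work_orders: set                         # issued by store or corporate
    managers: set                                 # accounts allowed to approve
    devices: dict = field(default_factory=dict)   # serial -> state and key
    audit: list = field(default_factory=list)     # every decision is recorded

    def approve(self, manager, serial, work_order):
        """Manager enrolls a device by serial against an open work order."""
        if manager not in self.managers or work_order not in self.open_work_orders:
            self.audit.append(("approve_denied", serial, manager, work_order))
            return None
        self.open_work_orders.discard(work_order)  # one install per work order
        key = secrets.token_bytes(32)              # assumption: key loaded at install
        self.devices[serial] = {"state": "ACTIVE", "key": key}
        self.audit.append(("approved", serial, manager, work_order))
        return key

    def tamper(self, serial):
        """Tamper sensor fired: stop trusting the device until re-approved."""
        if serial in self.devices:
            self.devices[serial]["state"] = "QUARANTINED"
        self.audit.append(("tamper", serial))

    def accept(self, serial, payload, tag):
        """Process a transaction only from an ACTIVE device with a valid tag."""
        dev = self.devices.get(serial)
        ok = bool(dev and dev["state"] == "ACTIVE"
                  and hmac.compare_digest(tag, sign(dev["key"], payload)))
        self.audit.append(("txn_ok" if ok else "txn_rejected", serial))
        return ok

def demo():  # constructed scenario: serials, accounts, work-order ids are made up
    reg = DeviceRegistry(open_work_orders={"WO-1001"}, managers={"mgr.lee"})
    msg, stale = b"sale:19.99", b"\x00" * 32
    out = [reg.accept("SN-A1", msg, sign(stale, msg))]                # never enrolled
    out.append(reg.approve("clerk.kim", "SN-A1", "WO-1001") is None)  # not a manager
    key = reg.approve("mgr.lee", "SN-A1", "WO-1001")
    out.append(reg.accept("SN-A1", msg, sign(key, msg)))              # enrolled device
    out.append(reg.accept("SN-A1", msg, sign(stale, msg)))            # swapped hardware
    reg.tamper("SN-A1")
    out.append(reg.accept("SN-A1", msg, sign(key, msg)))              # after tamper alarm
    return out
```

The rejected entries in the audit list are the detection signal: a terminal that starts failing authentication mid-shift is worth a walk to the register.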
Empower the staff through education and training. All of the employees at the registers form a great defensive line. Certainly someone at one register would notice if there was a technician at the next station over. The only thing a thief wants more, besides taking what is not theirs, is not to get caught. They do not want to spend a lot of time exposed. All of the above items will either prevent the installation of account capture devices, or at least make it so difficult and time-consuming as to increase the risk of exposure exponentially. The longer they spend trying to ply their craft at a specific location, the more likely it is that employees will notice them and question their activities.
The other security items in the list are also important and one would expect that the network interconnecting the point-of-sale systems is already protected by these measures.
It Is Déjà Vu All Over Again
Is this a new problem? No, not really. Several years ago there was a case involving remote bank ATMs. Individuals created a rather interesting device to capture account information.
The unit mounted over the ATM interface and card slot, and looked much like any other ATM panel. The customer could see the screen, and the panel had a keypad and its own card slot. But the panel also contained the electronics to capture account data. A cable extended out behind the panel and was attached to a "blank" ATM card which was put into the real ATM slot.
The customer would slide their card into the false slot and enter their PIN and transaction information through the false keypad. The false panel captured the data while passing the transaction information to the ATM. The ATM would process the transaction, even dispensing cash as normal, with the customer none the wiser. The thieves would later download, at their leisure, the account information of everyone who had used the compromised ATM.
Sensors can now detect if someone is tampering with an ATM, and cameras can show who it is. Whenever a thief finds a way to steal account information from one venue, we should not ask ourselves if they can adapt that method to other systems, but rather, assume they will, and be ready.
Copyright Natelli Systems, Inc. 2015