Security / Fraud


London’s Recycling Bins Don’t Do Mobile Tracking Anymore. (Until This Week, They Did.)

August 14th, 2013
At a time when many retail chains are trying to navigate the public-relations minefield of customer tracking, disclosure and data use, a story from London is a useful reminder that nobody is getting this right. On Monday (Aug. 12), the government told a startup called Renew to stop using its recycling bins in London's financial district to track passers-by by way of their phone signals.

Wait, recycling bins? Yes, 100 very high-class recycling bins outfitted with large, Internet-connected digital screens that show advertising (the financial district's government—yes, it has its own government—gets 5 percent of the airtime to display public announcements). But recently Renew added a new feature to a dozen of the bins: the ability to capture any passing smartphone's unique MAC address if it has Wi-Fi turned on. (Which, these being financial-district yuppies, is pretty much a given.) You can see the possibilities—but not necessarily all the possibilities that Renew sees.



Harbor Freight Breach May Be Biggest Of 2013, Issuers Say

August 12th, 2013
What looked initially like a two-store payment-card breach may end up being one of the biggest breaches of 2013. In late July, the 425-store discount hardware chain Harbor Freight Tools posted signs in its stores, warning customers that there might have been a problem with some in-store card transactions. Now it appears thieves were using multiple kinds of malware to tap transactions between June 14 and July 20, and the breach has affected at least 30,000 card holders at just two card issuers. That's eventually expected to climb into the millions.

Harbor Freight itself isn't saying much except that it hired Mandiant to investigate and that the malware has been found and blocked. But card issuers and card brands are now sending out advisories about possibly compromised card numbers on nearly a daily basis, according to BankInfoSecurity, which has been tracking the breach. And it's only in the past two weeks that fraudulent transactions linked to the breach have begun to increase significantly—suggesting that the card numbers are just now beginning to be sold to cashers.



Court To Fed: Keep The (Inter)Change

August 8th, 2013
On July 31, a federal court in Washington sent shock waves through the merchant, banking, and credit/debit card industry by overturning the Federal Reserve's rules implementing limitations on the interchange fees banks can charge merchants for processing signature- and PIN-based debit cards. In doing so, the Judge ruled that the Fed had not reduced these fees enough to comply with the wording and the intent of Congress—and sent the rules back to the drawing board.

While this is good news for merchants and bad news for banks—or will be, once the new lower-fee rules are in place—how much the good news is worth depends on how much a debit card transaction costs, writes Legal Columnist Mark Rasch. And just as important is who gets to decide what a "cost" is.



Can VeriFone Actually Outsource PCI Problems?

August 7th, 2013
In theory, you can't outsource PCI issues, but VeriFone wants to try. On Monday (Aug. 5), the POS maker announced VeriFone Point, a payments-as-a-service offering that basically takes everything in the store except the PINpad out of PCI scope—and, as far as we can tell, the PINpad doesn't belong to the retailer, so that's somebody else's problem too.

This should be a really good idea, and maybe even a good product for some chains if it's implemented right (we haven't seen details yet). But let's imagine it is: The PINpad belongs to the service provider. Card data is encrypted and transferred via the service provider's network, not the merchant's. A token is kicked back to the store POS with the card approval, so the merchant can track customers and meet branded-cart transaction detail requirements. No card data ever comes near the merchant's systems. What could possibly be wrong with this plan?



CMOs, Not CIOs, Now Control 11 Percent Of Retail IT Spending

August 7th, 2013
Almost 20 percent of the $60 billion in annual North American retail IT spending isn't under the CIO's control. Who's spending most of that $11.6 billion? The chief marketing officer, according to a report that IHL released last Friday (Aug. 2). And instead of being just a few limited solutions areas, it looks like CMOs are using their 11 percent of total IT spend to dive into traditional IT operational areas. Translation: Yes, they're buying and running hardware, not just paying for software and services without IT's OK.

That kind of rogue IT activity isn't new, and IT departments in and outside of retail have been dealing with it for decades. What's different is the scale. "Hardware" used to mean a leased minicomputer sitting in a closet, running some specialized application cheaper than what IT would charge. Now CMOs are spending enough to create their own miniature IT shops, and the first the real IT shop will hear about it is after a catastrophe so bad that marketing can no longer hide it—which, with an in-department IT budget that big, can be one heck of an IT catastrophe.


SAP Exec Who Switched Barcodes At Target Cuts Plea Deal

August 7th, 2013

Remember that SAP exec who last year was arrested for slapping fake barcodes on products within a Target—and his defense was that he was simply testing his company’s systems? Seems he cut a plea deal this month with county prosecutors in California, agreeing to plead guilty to one burglary count. The plea deal recommends to the judge a sentence of one month in jail, five months of home detention and three years of probation.

If he was really just testing SAP systems as his lawyer argued in court, this suggested sentence and conviction might be unwarranted. But Thomas Langenbach, VP at the SAP Integration & Certification Center (ICC) at SAP Labs at the time of his arrest (LinkedIn still has him at SAP in that role), was said by police to have then sold the merchandise on eBay. If true, that rather strongly undermines the pure research defense.


Self-Service Shifts Legal Risks, May Let Customers Off The Hook

August 1st, 2013
One of the great things about the Internet and computer technologies is that they can empower consumers and businesses to do things that ordinarily require a middleman. Consumers can purchase their own insurance, engage in banking transactions, deposit checks, make purchases, etc. They can do this both online and in the brick and mortar environment.

But this means that when the technology fails, it is the consumer who must suffer the consequences, writes Legal Columnist Mark Rasch—when ordinarily the risk of loss would have remained with the merchant. And he has more than a few day-to-day examples to make the point.


Sen. Chuck Schumer Wants The FTC To Start Doing What The FTC Is Already Doing On Mobile Tracking. Um, Right.

July 31st, 2013
U.S. Sen. Chuck Schumer has finally gotten around to asking the Federal Trade Commission (FTC) to crack down on in-store mobile tracking. At a press conference on Sunday (July 28) in front of a Manhattan store, Schumer decried the Big Brother-like surveillance that retailers engage in, demanded that retailers send shoppers a message letting them opt out before they begin tracking, and called on the FTC to investigate.

If that sounds a bit familiar, it may be because Schumer was saying back in November 2011 that he was going to call the FTC because two shopping malls were tracking customers by way of their phones. It only took him 20 months to get around to it. And in light of the fact that the FTC has been warning retailers for almost a year not to engage in surreptitious tracking—and is getting increasingly aggressive in its efforts—Schumer seems like he's a wee bit behind the curve. He also doesn't seem to have thought through his proposed send-an-opt-out-message solution. But we're sure he'll get around to explaining all that—in another 20 months or so.


SIMs Pwned With One Message! (Only About A Decade Too Late)

July 31st, 2013
We were going to do an in-depth teardown this week of one of the scariest-sounding cyberthreats we'd ever heard of: the ability to take control of a mobile phone just by sending it a carefully crafted malicious text message. The implications for mobile commerce, mobile payments and even in-store use of mobile phones sounded catastrophic for retailers. And based on early media descriptions of the work of Karsten Nohl, a security researcher at SR Labs in Berlin, it looked like a quarter of GSM phones might be at risk.

Then it was more like 10 percent of all phones. Now it turns out that, in the U.S. at least, SIMs that use 56-bit DES encryption—the security weakness that the attack depends on—haven't been sold for "at least seven years" by T-Mobile, "nearly a decade" by AT&T, and never by Verizon or Sprint. That means there's still a potential risk to any customer with a decade-old phone, but there's probably not enough of them to make them worthwhile targets for thieves. That makes Nohl's talk at Black Hat this week in Las Vegas interesting, but largely academic—which is exactly the way we prefer our cyberthreats.


Why Did Gonzalez Hackers Like European Cards So Much Better?

July 30th, 2013
Last Thursday's (July 25) indictment of five more Albert Gonzalez gang members by federal prosecutors in New Jersey is a reminder of how big that operation was (and may still be) and how far authorities still have to go before they have it wrapped up—after all, only one of the five is in U.S. custody, with a second one awaiting extradition in the Netherlands.

But a sharp-eyed Washington Post reporter noticed an oddity in the indictment that has less to do with cops and robbers than with mag-stripe and chip-and-PIN: Stolen European card numbers were sold for $50 each, while U.S. numbers fetched a mere $10.


Walmart Sales Tax Snafu: How Did They Get This So Wrong?

July 29th, 2013
In a sterling example of what big retailers' POS software is not supposed to get wrong, Walmart has apparently been charging too much sales tax on two-for-one coupon deals in Pennsylvania in violation of the state's law. Walmart insists the way it handles coupons in Pennsylvania has gotten an OK from the state—despite the fact that Pennsylvania law appears to spell out exactly the situation in which Walmart is accused of collecting too much tax.

According to a class-action lawsuit that was moved from state to federal court last week, when a Pennsylvania customer uses a two-for-one coupon, Walmart charges sales tax on both items, but it's only supposed to charge for one. Because Walmart gets to keep 1 percent of the sales tax it collects as a collection fee, the chain is being accused of unjust enrichment from every coupon sale it has made since June 2007.


PCI’s Not-So-Open Global Forum

July 22nd, 2013
PCI's Global Forum is an open forum in name only, at least as long as it continues to force changes on members that they are not permitted to even know about until someone who has been briefed chooses to tell them, pens GuestView Columnist Stephen Ames. What makes him say that? He spins a story about how PCI really works.

He had just wrapped up onsite PA-DSS validations with his PA-QSA this month, and a question came up about PA-DSS Requirement 4.2.7, which aligns with DSS Requirement 10.2, which is all about user access. Ames' QSA told him that PA-DSS Requirement 4.2.7 is now always in scope, regardless of whether or not there is a user database within the application. Either reading would cause application vendors to take on more liability. He searched the PA-DSS for a security requirement that aligns with PCI DSS 11.5 – File Integrity Monitoring – and there is none. Ames is certain that most application vendors would not take responsibility for file integrity monitoring at merchant sites. He can't understand why the SSC is forcing that upon application vendors when they don't even have that requirement written into the PA-DSS.


Best Buy Learns The Downside To Locking Out E-mail Changes

July 16th, 2013
A Best Buy online anti-fraud mechanism has unintentionally created a security hole. I was placing an order with a local Best Buy physical store, using the web site's pickup-in-store option. Because the store only had one of the item left, the associate suggested that I give her all of the account information on the phone and she would enter the order right there.

Everything went fine except that she apparently made a one-character typo in the e-mail address. I didn't discover this until a half-hour later, when no confirmation note ever arrived. Using the order confirmation that she gave me, Customer Service was able to identify the order and spot the e-mail typo. Great! Except that Best Buy's fraud procedure locks them out from changing the e-mail address. Wait a second. Best Buy now knows that the address is wrong and further knows that my sensitive order information is going out to someone else (assuming that typo-ed address belongs to a real person). Not only can't they fix it, but they tell me that additional mails will go out to that incorrect e-mail address no matter what. Oops!


Major Chain Loses PCI Compliance When Data Center Moves

July 16th, 2013
One of the nation's 15 largest retail chains had done a tremendous job segmenting its network to reduce the scope of its PCI assessment. All of that was thrown away, though, during a simple data center transition, when Networking made a security change but no one ever bothered to tell senior IT management.

Late last year, the chain decided to move its data center from an in-house facility to a purpose-built data center campus in another part of the United States. The goal was to gain additional raised floor space and energy efficiency, and to avoid the significant natural disaster risks of the existing data center's location. In the QSA's review of the new data center, it was seen as a model of energy efficiency and modern data center design. So far, so good. But when the QSA returned for the annual PCI assessment, a review of the core switch and the layer 3 ACLs (Access Control Lists) revealed that all of the switch's ACLs had been disabled—commented out—for both data centers. The formerly segmented network was totally flat, with no segmentation.


Giving A Thief A Chance To Not Steal

July 9th, 2013
In the loss prevention world of counter-counter-espionage, a California vendor is pitching a silent way to detect shoplifters who have their own silent way of detecting the detectors. Let's slow this down. In an attempt to defeat standard EAS devices, shoplifters for years and years have lined shopping bags with aluminum foil and sometimes carried strong magnets to deactivate EAS tags. Then came LP's response, where stores could detect the foil and those magnets, but the detection was audible and did little beyond alerting the thief. Even worse (well, from the thief's perspective, even better), that alert happened immediately, before the thief could steal anything.

In a handful of jurisdictions, the mere possession of such devices is illegal. What the vendor, San Diego-based Indyme, is pushing is a silent system that alerts LP that a foiled bag (calling it a "booster bag" is so clichéd) or magnet has entered the store; it flags the shopper and allows the shopper to be tracked, hopefully discreetly. It also triggers security cameras to follow the shopper.


MasterCard Seeking To “Be Free To Set Any Fees We Want.” Shudder

July 8th, 2013
MasterCard is involved in an intense battle with the highest European Union court, with the brand begging for the court to overturn a decision that would sharply limit interchange rates MasterCard could charge throughout the continent. On the surface, that seems like exactly what one would expect from MasterCard. And it was, until we saw an unusually candid statement from its chief counsel.

MasterCard lawyer Thomas Sharpe argued to the Luxembourg-based court that "the effect of the commission's decision is to require MasterCard issuers to continue to provide valuable services to merchants such as guaranteeing payment to them without being able to recover any revenues from those merchants for those services," according to a Bloomberg reporter who attended the hearing. But in an interview right after the hearing, another MasterCard lawyer, associate general counsel Carl Munson, said, "If we win this case, we would be free to set any fees we want." (No need to call your physician, Mr. Retailer. That involuntary shudder is quite normal.)


Phone Makers Are Still Opening Security Holes By Spying On Phones

July 5th, 2013
A security researcher in Seattle has identified yet another program running in the background of some smartphones in the name of collecting quality of service information. This time the phone is Motorola's (NASDAQ:GOOG) Droid X2, and the program collects data that includes some user passwords—the researcher confirmed that his YouTube password was slurped up—which then are sent back to Motorola over an unencrypted connection.

Motorola doesn't have any real use for YouTube passwords, of course. But the fact that it's collecting them anyway suggests that whoever designed the software is really unclear on the security problems in slurping up data by default. Ironically, the one kind of data security that retailers are most concerned about, PCI, isn't strictly an issue if a customer uses a Droid X2 for mobile commerce, since the data leak is out of PCI scope—it's on the customer side. But a chain's employees might be sending their passwords to critical systems using a Motorola phone too, potentially exposing all the chain's systems to attack.


Why Quarterly Vulnerability Scanning Is An Impressively Stupid Idea

July 2nd, 2013
The current PCI DSS quarterly vulnerability scanning requirement is nothing short of ridiculous, given the fact that most operating system vendors and some application software providers release patches at least monthly, pens GuestView PCI Columnist Jeff Hall. (OK, it isn’t so ridiculous if your goal is to guarantee a constant security hole for the convenience of cyberthieves. For those of you whose goals are other than that, though….) When Visa published their Customer Information Security Program (CISP) back in 2002, they set the bar of quarterly vulnerability scanning because it was believed to be the most efficient and cost effective approach for providing security. This practice has continued unaltered even when the CISP was converted to the PCI DSS in 2007.

Over the past decade, Council officials, retail IT people and QSAs have begun to question the quarterly requirement, but the fear was that retailers would simply not do it, as they could never cost-justify it, particularly for Level 4 retailers. The council has always had a strong pragmatic nature, weighing the effectiveness of guidelines against what they could realistically hope for retailers to do.


As Chain Trials Facial Recognition, Channel Assumptions Flip

July 1st, 2013
A major Russian convenience store chain, Ulybka Radugi, is now running a trial of facial recognition to choose digital in-store ads to be displayed and POS coupons to be offered. But as more chains start to seriously investigate the facial recognition potential, some of the fundamental CRM biometric assumptions are being challenged. Such activities need not end with the same channel where they began. Once a shopper is identified in-store and is matched with a CRM profile—or they are identified anonymously in-store and a purchase profile of this unknown-person-with-this-specific-face is slowly built—that information can theoretically be married to data from that person's desktop-shopping e-commerce efforts or their tablet/smartphone's m-commerce efforts.

The question, then, is whether it has to start in-store. What if this hypothetical chain pushes some attractive incentives to get lots of customers and prospects to download its free mobile app? And buried in the terms and conditions is the right for the app to monitor images? The next selfie or Snapchat that the shopper sends is captured and the facial data points are noted. Here's where it gets even freakier. Once the mobile app has identified the face of the shopper—and has linked it to whatever mobile shopping that customer has done—it can tell the in-store camera databases what to look for. When that shopper walks in, it can connect the mobile activity with any observed in-store activity.


How Much Trouble Could You Be In If Online Customers Can Hide Where They Are?

June 28th, 2013
One of the largest Internet providers in New Zealand is now letting customers pretend they're somewhere else when it comes to buying things online. That's likely to be a thorn in the side of digital content providers such as movie producers and e-book publishers, but it could also set up online retailers for a whole host of complications. What happens when your transaction is subject to the laws of a country you're not expecting?

Slingshot, the third-largest ISP in New Zealand with about 10 percent of the market, last week rolled out its Global Mode service, which lets users block Internet geolocation. That's used by many digital content providers to prevent movies and e-books from being viewed in regions where they haven't officially been licensed.


Banks to Retailers: Online Fraud? You’re On Your Own

June 27th, 2013
When a land title company in Missouri checked its bank account, it found it short by $440,000. Seems that someone had logged into its account at BancorpSouth and wire-transferred the funds to some strange entity's bank account in the Republic of Cyprus. Now the escrow and title company had never done a wire transfer like that. It had never done an international wire transfer. It had never wired money to Cyprus, and had never done any business with the strange entity known simply as "Brolaw Services." The transaction was entirely fraudulent.

In what has become a trend in this area of law, the federal magistrate ruled that, when it came to bank fraud, the merchant was essentially on its own, writes Legal Columnist Mark Rasch. The answer was for the merchant to have better security, not for the bank to have better alerting procedures. The case involves the interplay between fraud, risk, loss, law and technology. Unfortunately, in this case, fraud wins.


Extremely Sad News

June 26th, 2013
It pains us greatly to have to report to you that our PCI Columnist, Walt Conway, passed away on Tuesday (June 26) after a battle with pancreatic cancer. Professionally, Walt had that rare ability to take complex compliance issues and make them approachable. He was a huge fan of the PCI process, which meant that he felt the obligation to point out its flaws or its inconsistencies.

Personally, I've never met someone who was as personable, intelligent and just plain nice as Walt. He will be missed far more than any words can convey.


Cyberthieves Are Going Low-Tech, And The Only Way To Stop Them May Be To Go Even Lower

June 18th, 2013
At a time when retail IT is getting better at locking down just about every avenue cyberthieves have of breaking in—PINpads, wireless networks, connections with processors—it's nice to know the bad guys are still able to hit retail security where it isn't. (OK, it's not nice, but you know what we mean.) According to FICO (NYSE:FICO), scammers are now using a decidedly low-tech technique for stealing payment-card information from consumers—and there's no special reason the same trick won't work against store employees for the keys to a retail network.

It works like this: A cyberthief phones the target claiming to be from a bank and saying there's been suspicious activity on the target's card. If the target doesn't trust the caller, the thief encourages the target to phone the bank using a number the target trusts. The target hangs up—but the thief doesn't. When the target picks up the phone again to dial, the thief plays a recording of a dial tone. The target dials, but it's the thief who fields the call. From that point, it's all Social Engineering 101.


For Fraud And Trust, A Powerful Reminder That Retail Reality And Perception Are Light-Years Apart

June 17th, 2013
A new insurance company survey's shopper perception figures detail what, in the shopper's perception, constitutes a breach. Let's say a major chain has been breached. Standard bank procedure these days is to change the numbers for all payment cards that had been recently used at—or on file with—that retailer. Given the number of recent breaches—and the millions of customers who collectively received such a notice—that's a lot of shoppers who might think they had been personally breached. But they need to ask the question: Did the bank detect any purchases that seemed fraudulent? If the answer is no, then that shopper did not personally experience fraudulent use of their personal information to make purchases without consent. At best, they were mildly inconvenienced because someone else suffered such fraud, but they didn’t.

As a practical matter, though, very few consumers would bother (or even know) to ask such a question. They hear their bank say that their card is being re-issued due to something fraud-like. If a survey asks whether they have personally experienced fraud, they're almost certainly going to say yes. For retailers, this is a very key problem.


A Clever Way To EAS Protect High Heels

June 13th, 2013

High heels present some interesting LP challenges. Not only are they easily slipped on and off without the need for a monitored dressing room, but they need to be tried on in the store, which can make typical security tags counterproductive. At the NRF Loss Prevention Conference show in San Diego on Wednesday (June 12), Tyco Retail rolled out a new EAS approach.

Tyco's heel-friendly approach? The tag connects to the back of the heel, with an adjustable knob for different shoe styles. In theory, this shouldn't damage the product. Tyco argues that although many shoes "have buckles, eyelets, etc., that allow retailers to easily attach" an EAS tag, a "wide variety of women's pumps and men's loafers don't have a convenient place to hook an EAS tag." As long as the thief doesn't have a high-strength magnetic detacher, Tyco suggests it should be difficult to remove the tag. Then again, this is a thief, after all. Hopefully she doesn't simply steal the store's—or some other store's—detacher.

