Evan Schuman's StorefrontBacktalk

When a security problem is discovered, timely response is important. So is making sure that the patch is going to fix the problem while also–hopefully—not introducing any new issues. That process takes time, and that’s OK. But someone at the Open Source Vulnerability Database took the time to see which vendor waited the longest to fix a glitch once it was discovered. No surprise: Microsoft took top honors, with an awe-inspiring 2,027 days. Yes, that’s more than 5.5 years.

Microsoft’s entry was its Microsoft Windows SMB NTLM Authentication Credential Replay Remote Code Execution. Apple was the next major name on the list, at 390 days, for its Mac SLP v2 Service Agent (slpd) Registration Request Overflow. Others who made the dishonorable list including Novell, Sun, HP and Computer Associates. The full list is absolutely worth reviewing. …

When news of the spying laptops from Lower Merion, PA, first surfaced, my initial reaction was fury. No, not at the laptop spying itself (when the Supreme Court sanctioned strip-searching students for over-the-counter medication, I gave up on school privacy). My fury: They’re giving free MacBook Pros to thousands of high school students while my kid’s school is laying off teachers.

But what’s a lot more interesting—especially given the federal, state and county law enforcement probes—is the district’s reliance on the contract that students must sign when they are issued the laptop. If that small-print defense is upheld, retailers will have a field day. Imagine laptops that will report back to the mother ship about every online purchase made, which rival’s sites are being visited and the disposable cash of that consumer (hello online tax returns and personal finance programs). With the Webcam activated, you can now see what the customer is wearing and with what accessories and even listen to what he/she is saying about it. If that case doesn’t come down hard against the school district, they will have at least completed part of their education duty: they will have taught a lot of people some new ways of making money.…

Before he offered the unsolicited advice for Amazon, Lampert penned an unusual claim: that Sears and its 20th Century catalogue business is essentially the father of E-Commerce. It's a bit of a stretch, but he makes a legitimate point.

"Sears has a long legacy in serving customers beyond physical stores. In many respects, The Sears Catalog was the 20th Century model for selling products through the mail," Lampert said, with the suggestion being that selling-through-the-mail is essentially what E-Commerce is. "To be successful, Sears had to earn the trust of its customers who purchased products sight unseen and who had to feel confident that they would receive what they purchased and, if they were not satisfied, they would be able to get their money back."Read more...

We're asking the question because a lot of major retailers today seem to be designing their Web apps based on the assumption that consumers are also using their desktops and that their mobile devices are simply a very temporary point of convenience. But is that how many consumers view mobile devices? What if we zero in on Gen-Y members, who seem to have an effortless natural affinity for these radiation-emitting thumb-typing mini-boxes?Read more...

Braden Black, a senior enterprise architect (and security specialist) for 305-store shoe chain DSW, said that, in his opinion, the biggest problem with chip-and-PIN—as it's currently deployed—is that banks have little incentive to make these systems secure because they no longer have any liability if they're repeatedly breached. That liability has been pushed to the retailers. "The ramifications of this attack are most disturbing when viewed in light of the fraud liability regulations that were adopted alongside the technology. Essentially, the banks offloaded fraud liability to merchants and cardholders." Read more...

From a security perspective, PCI Columnist Walt Conway pens, retail CIOs should understand a few things about these chip cards or smart cards (i.e., payment cards with an embedded integrated circuit or microchip). Chip cards can reduce fraud losses, but chip-and-PIN zealots can overstate the benefits.Read more...

But the economic hardships of last year may have shined a tiny ray of light on some bargain-hunting retailers at the expense of Big Blue. IHL President Greg Buzek said second quarter POS shipments last year for IBM plunged more than 40 percent worldwide, and a good chunk of that was a flood of barely used, ludicrously discounted POS units from chains that never made it to 2010.Read more...

Saying that it was "a result of additional market feedback," the Council ruled that the sensitive payment date on the digital recordings could be retained if the retailer can prove that the data in question can't be queried. "The Council is now saying that call centers can keep this data—even if digital—so long as they protect it per PCI. That is big," said Walter Conway, a 403 Labs QSA who is also StorefrontBacktalk’s PCI columnist.Read more...

Franchisee Columnist Todd Michaud adds that the kicker is that most retailers don’t even know it’s happening. We're talking about your closest competitors having access to some of your customer profiles (at a much deeper level than what you probably are aware of), the purchase patterns of those customers and the amount they are spending on each visit. And you have no idea. Sound scary? It is.Read more...

No, this isn't some IT apparel version of Revenge of the Sith (although that would be cool, in a sort of geeky wool-blend kind of way). It's merely the unexpected path taken by the 53-store chain’s IT leader, who wanted to see how much of a Butterfly Effect he could cause in E-Commerce customer satisfaction by making small improvements in fulfillment operations. The computers in question are not of the Cyborg type, and they look less like C3PO and more like a cross between R2D2 and what Rodgers calls a "giant Roomba"—you know, those robotic self-running vacuum cleaners. They're orange and made by a robotics startup called Kiva Systems, which has placed these squat robots in the warehouses of retailers including Gap, Crate & Barrel, Walgreens and Staples.Read more...

Barely a week after Intel and Microsoft announced their own futuristic digital signage plans—including PDA integration and analytics software linked to hidden digital cameras—NEC is talking up its own approach to digitally guessing consumers’ age and gender (plus counting them, but that’s so 1990s). Takeshi Yamamoto, vice president of NEC America’s IT software group, is quoted in the Wall Street Journal saying that the program is pretty good at getting within 10 years of a consumer’s age, that the program tracks a person’s age and gender but discards the digital footage, and that the data is aggregated.

“The program uses an algorithm that draws upon a database of thousands of faces as a reference. It looks at distinguishing points of the face, from the shape of the ears and eyes to hair color, to determine the age. The database expands as more people walk past the camera, allowing the program to make better judgment calls with time,” Yamamoto said. “The technology originated in Japan, where it was easier to implement because Japanese physical traits are more uniform. Mr. Yamamoto acknowledged that the U.S. market would be more difficult because of the diverse population.”…

In its examination of 10 major E-tail sites—Amazon, Barnes & Noble, Best Buy, Costco, Dell, Foot Locker, Musician’s Friend, Sears, Target and Walmart—the very fastest site (Best Buy) averaged more than twice Keynote’s acceptable slow estimate, crawling in at 8.3 seconds. Again, that was the fastest mobile site. The slowest site delivered its average page in 34 seconds. Keynote officials steadfastly refused to identify which site was the slowest. That said, points made by Keynote while discussing the study pretty much eliminated all of the tested retailers other than Costco from being candidates for the slowest performing site.Read more...

"I typically say something like, 'It is our requirements that drive us to that price point. Adding centralized menu management, polling, integrated inventory management and labor management into the mix requires that we buy this type of system. You can’t do that stuff with a cash register or basic POS.' Typically, the response I get is something like: 'So? I don’t care about all of that complicated stuff. I just need to ring sales.' It’s no wonder franchisees think that retail CIOs are out of touch with reality. Here is the really crappy part. When you add in all of the other costs, such as high-speed broadband, hardware maintenance, software maintenance, help desk, installation, inventory management, labor management, training and various upgrades along the way, that $10,000 POS is probably going to cost franchisees $20,000 over five years--not to mention that they wrongfully expect the system to last 7 to 10 years.”Read more...

The almost daily reports of consumers and retail employees using either weak passwords or the same passwords in multiple places—or both—is being met with yawns by retail security executives. But the kneejerk response—forcing consumers and associates to be smarter about security—has had little effect, beyond being counterproductive.

For example, a company can automate rules for choosing passwords and require that they be changed periodically. But the stronger the password, the more it will fuel its own failure. Let’s say the rules require that passwords be at least 11 characters and include numerals, characters and non-traditional characters (&, %, |, @, #, ~, etc.). Add to that requirement that no character or number be repeated and that each password must pass a dictionary search. Sure, you’ll get a strong password, but you’ll also almost guarantee that that password will be written near the computer in plain sight as well as typed into a desktop file in clear text. As Newton’s IT director said, “To every password action, there is an equal and opposite stupid user reaction.” This is the topic of this week’s StorefrontBacktalk column on the McAfee security blog.…

Although retail sites are obviously very fond of cache, a new report from Forrester Research states that many developers are focusing only on one type of cache and leaving a lot of potential performance boosts in the ether. The report talks about server cache versus browser and edge cache. “Forrester has found that many companies do not take advantage of all three levels of caches in their architecture. Application development professionals often focus on optimizing the server-side cache while ignoring the browser cache or optimize their Web-page design to take advantage of browser caching only to be stung by geographic latency because they don’t know that they should use a content delivery network.”

Forrester stresses the importance of factoring in geography when making cache decisions but points out that IT shouldn’t confuse a dense population of customers with the company’s best (read: most profitable) customers. “Caching nearest to your users goes without saying, but most companies must allocate their caching dollars carefully, and your biggest investment should be close to your most profitable customers. Your most profitable customers may not be located in your highest concentrations of customers. Work with your marketing department to analyze customer profitability and location, and then review this data at least annually.”…

Intel and Microsoft are working on what is truly the next generation of digital signs. These devices will be able to share content—both ways—with phones. But they could also use facial recognition to identify repeat customers without the benefit of loyalty cards or RFID. The cameras embedded within the displays would simply recognize faces the system has captured before, ultimately having the potential to identify those consumers.

The camera software will initially be designed to differentiate between genders and to detect products the customer has touched. That information could signal a coupon to be sent to that consumer’s smartphone. None of these options is rocket science. But they do show a concerted effort to leverage the kind of data that is accessible in-store and, ironically, much harder to capture online. Think of it as Big Brother with a sales commission.…

"3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol," wrote Cambridge University's Steven J. Murdoch and Ross Anderson. "It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It's bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent." The pair, however, found that 3DS did get one part right: the money and where it comes from. Although "other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts."Read more...

Although it’s hardly a stunning revelation that retail IT will be spending more on POS software maintenance this year than they expect, it’s unusual for a research report to quantify it precisely. A new report from the IHL Group and RISNews, however, tries to do just that.

Beyond showing a modest IT spending increase at both the store and enterprise level, the report found a “disconnect between what retailers are claiming they are paying today for software maintenance” and what the vendors they are considering for their next POS are actually charging, said IHL President Greg Buzek. “So those people considering buying Oracle for POS their next time, they are currently only paying 10.1 percent of license fees towards maintenance. If they actually buy Oracle, they will be adding an additional 11.9 percent to their annual software maintenance cost for POS. If they move to accounting/finance/HR, it would be an 8.4 percent increase. And if it’s Oracle merchandising and supply chain applications, it would be 8.6 percent more than what they pay today with their current vendor.” The vendors examined were Microsoft, SAP, Oracle, JDA, Micros, IBM, NCR, Retalix, Epicor and Fujitsu.…

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won't say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.) The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern are overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details.Read more...

The CIO needs to sells ideas upstream to senior management and sideways to line-of-business peers, convincing them that the technology is the right move and that it needs to be approved and funded. If that works, it's barely 30 percent of the battle. If the stores aren't sold on the idea, Franchisee Columnist Todd Michaud opines, the data won't be used and the project is doomed to fail. And you're to blame.Read more...

One key issue that both sides are arguing is timing. Some of the franchisees have argued that Burger King is being punitive by moving so quickly. They are pointing out that the chain's deadline was Dec. 31, 2009, and that the lawsuits started being filed within a few days of the deadline passing. Burger King argues that it has been extremely patient, having informed its franchisees of the POS upgrade rule back in April 2008--giving the stores a rather generous 20 months to arrange for and make new POS purchases. Indeed, Burger King is saying that it was even willing to give franchisees more time if they needed help raising the money, as long as they were truly trying to follow corporate's edict.Read more...

A letter from a POS vendor making the rounds warns retailers—under the headline "Information Security Advisory"—that an out-of-date OS will cause lack of compliance with PCI. The warning isn't true, but the popularity of this and related PCI claims is moving beyond annoying. Are these vendors lying or is marketing being allowed to make the claims without anyone checking? A recession drives marketers to desperate measures. (OK, so does prosperity, but let's not go there.) Read more...

Just as certain a fact as stating that many of today’s social network sites will be gone in two years is the fact that new social sites—invariably much more niche and focused—will replace them. Hidden in plain sight within the millions of posts in dozens of languages of these huge number of sites is every trend, every individual customer profile and every hint of what customers will buy—and perhaps even their desired price range—that your chain could ever wish for. There’s only one problem: There is no simple spreadsheet-friendly way to access that data.

You can read it without limits. But to automate that process and to process the data in a way to get anything meaningful out of it, that’s difficult. We are deluged with products and services that are trying to solve problems that hardly anyone has ever experienced. Who will be the first to conquer this one? Many companies—including SAP and Oracle—are trying to figure it out. But they typically try to fall back on algorithms and filters. The software needed is closer to what the CIA and the NSA use to parse billions of phone calls and E-mail messages while trying to figure out plots. It’s much closer to artificial intelligence than cryptography. Military satellite technology eventually came to consumers in the form of GPS. How long will it take for AI to visit the local retail chain, where software will peruse the world to find out the best assortment to be displayed tomorrow?…

"We consider CVS and (Walgreens) to be the most advanced, as they have already implemented chain-wide computer synchronization, advanced inventory management and pharmacy workflow optimization systems," said Deborah Weinswig, from the Citi investment research and analysis group. "The warehouse clubs are considered to be the least sophisticated of the group. However, BJ and (Costco) have fewer inventory management needs as a result of their unique business model."Read more...

Michaud describes the first parent-included IT interview he did, where the mother reminded him that her daughter was trying to decide about him, too. This makes for an awkward interview, but even worse, what does it say about the applicant's independence? Their ability to lead? Are programmers expecting instant gratification, the product of an "Everyone's a winner" upbringing? A frightening column for anyone hiring for IT positions this year.Read more...