A Fundamental Retail Security Premise Dies
Written by Evan SchumanWhen news of a brilliantly coordinated ATM attack—grabbing $9 million from 130 ATMs in 49 cities worldwide, all within 30 minutes—started spreading earlier this month, it shook the financial world. That was because this kind of global, precise coordination was never seriously considered.
Even though no retailers were involved in that particular incident, the implications of this attack technique must be thought through. What the thieves did was to take the fundamental security of time and flip it around.
Amateur home burglars get scared away by burglar alarms, but not the experienced pro. The pro has watched the target home and knows when it will be unoccupied. The pro knows exactly what he wants to take and where in the house it likely is. He also knows the value of a stopwatch.
The typical alarm system can sound for 2 to 5 minutes before the security company will even call to check. The company will allow the phone to ring for another 1 to 2 minutes before hanging up and then dialing the local police. At best, it will take another 2 minutes to make that police report and for the dispatcher to send a car to the home. The best-case scenario is that a patrol happens to a half-block away at the time of the radio alert and can be at the premises in 30 seconds. A more realistic scenario is that it will take 4 to 5 minutes. On a busy Saturday night, it might be closer to 8 to 9 minutes.
Run the numbers, and it’s clear that the burglar has a full 5 minutes of almost complete safety (unless there’s an alert neighbor next door with a crowbar, a German shepherd and maybe a rifle). If he stays focused and just runs in, grabs the item and leaves, the ringing alarm is irrelevant.
All security is based on the assumptions made by the security provider and the thief. Consider the way most bad check detection systems work. They don’t actually check bank balances to see if the check is good. They simply see if the customer has bounced checks before. To be blunt, it means that anyone can present such a system with a bad check at least once. A similar tactic is still used with most anti-virus programs. It waits for the first few victims and then saves everyone else.
With that in mind, let’s look at this massive coordinated ATM attack. If a criminal gang can coordinate a group of more than 100 bad guys in cities as far apart as Atlanta, Chicago, Montreal, New York, Moscow and Hong Kong for an ATM attack, what could they do to the average retail security setup? Just something disquieting to think about.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
