A Fundamental Retail Security Premise Dies

Written by Evan Schuman
February 18th, 2009

When news of a brilliantly coordinated ATM attack—grabbing $9 million from 130 ATMs in 49 cities worldwide, all within 30 minutes—started spreading earlier this month, it shook the financial world. That was because this kind of global, precise coordination was never seriously considered.

Even though no retailers were involved in that particular incident, the implications of this attack technique must be thought through. What the thieves did was to take the fundamental security of time and flip it around.

Amateur home burglars get scared away by burglar alarms, but not the experienced pro. The pro has watched the target home and knows when it will be unoccupied. The pro knows exactly what he wants to take and where in the house it likely is. He also knows the value of a stopwatch.

The typical alarm system can sound for 2 to 5 minutes before the security company will even call to check. The company will allow the phone to ring for another 1 to 2 minutes before hanging up and then dialing the local police. At best, it will take another 2 minutes to make that police report and for the dispatcher to send a car to the home. The best-case scenario is that a patrol happens to be a half-block away at the time of the radio alert and can be at the premises in 30 seconds. A more realistic scenario is that it will take 4 to 5 minutes. On a busy Saturday night, it might be closer to 8 to 9 minutes.

Run the numbers, and it’s clear that the burglar has a full 5 minutes of almost complete safety (unless there’s an alert neighbor next door with a crowbar, a German shepherd and maybe a rifle). If he stays focused and just runs in, grabs the item and leaves, the ringing alarm is irrelevant.

All security is based on the assumptions made by the security provider and the thief. Consider the way most bad check detection systems work. They don’t actually check bank balances to see if the check is good. They simply see if the customer has bounced checks before. To be blunt, it means that anyone can present such a system with a bad check at least once. Most anti-virus programs still rely on a similar tactic: they wait for the first few victims and then save everyone else.

With that in mind, let’s look at this massive coordinated ATM attack. If a criminal gang can coordinate a group of more than 100 bad guys in cities as far apart as Atlanta, Chicago, Montreal, New York, Moscow and Hong Kong for an ATM attack, what could they do to the average retail security setup? Just something disquieting to think about.



