A Shoplifter’s Worst Nightmare

Written by Evan Schuman
January 12th, 2005

Self-checkout may go down in retail history as the most secure insecure piece of technology ever. Wonder why the Wal-Mart bar-code thieves avoided self-checkout? They knew better.

The world of crime prevention is riddled with what?at first glance?seem to be contradictions, but are actually exercises in logic.

The weak-link theory, for example, holds that excessive security on a frontdoor serves no purpose as long as there is a perfectly good breakable window two feet away. In other words, once you have made the window a more attractive means of getting in, that extra deadbolt won’t make you more secure.

Something psychologically similar has happened with self-checkout systems.

For years, retailers had a very legitimate view of them as dramatically less secure than cashier-staffed checkout aisles. When market realities forced the units into stores, management was so fearful that it secured the systems any way it could, with weight verification, an employee assigned to stand in front and watch and an almost-certain security camera aimed right at self-checkout.

That leaves us today in the odd position of seeing self-checkout as substantially less inviting to thieves and it is precisely because they were seen as so insecure. As Yakov Smirnoff would have said, “What a country!”

But just like the window and the door, all security is relative. A locked window is fairly secure, unless it’s next to a steel door with three Medeco deadbolts. But a closed window is secure enough if it’s next to an open sliding-glass door with just a bug-screen as intruder protection.

As the recent Tennessee Wal-Mart bar-code case demonstrated, cashiers are only a fraud deterrence if they periodically look at the merchandise. A more cynical observer might add, “and if they at least pretended to care,” but I’d never say that.

In that Tennessee case, police said that a team of shop-lifters hit hundreds of retail stores?many belonging to Wal-Mart?in 19 states, making away with more than $1.5 million. It’s unclear if they qualified for a Wal-Mart Frequent Shoplifter Discount Card.

Their scheme was to place fake barcodes on top of real bar-codes and, despite having merchandise that often didn’t look at all like what the barcode displayed, not one cashier ever apparently noticed, police said. If any cashier noticed, he/she never alerted the store or police, authorities said. The way they were caught had nothing to do with store personnel.

This does raise the question of whether the human cashiers are indeed performing any verification function. If not, then they are on equal footing with the self-checkout, except the self-checkout has a weight verification.

One of the key reasons self-checkout is more secure is that “it takes some human factors out,” said Vivotech COO Mohammad Khan. “That provides a much better-secured environment, that’s for sure.”

How does self-checkout protect itself? The weight verification is considered a difficult measure to defeat, especially with an employee watching the machines without the distraction of having to also personally scan thousands of items. Of course, one good accomplice who feigns needing some extra assistance is all that is needed to distract that human watchdog at the right moment.

Multiple retail surveys have shown that self-checkout systems sometimes brought a slight reduction in fraud, but invariably did no worse than status quo.

NCR, for example, recently surveyed it’s retail self-checkout customers and reported that two-thirds reported no change in the amount of shrink, with one-third reporting a drop in shrink. “Not a single client thought shrink had gotten any worse,” said Mike Webster, the vice president and general manager of NCR’s self-service products.

Beyond the video, weight and monitoring factors, another reason for that, Webster said, is where shrink is typically coming from. Customer shop-lifters are certainly concerns, but employees stealing merchandise themselves is much more of a worry. A self-checkout system minimizes the co-worker five-finger discount.

RFID item-level tagging and EAS labels have the potential to eventually be good partners for self-checkout, but their cost is prohibitive today. EAS?which sounds an alarm if an unchecked item leaves the store?can today add two to four cents of cost per product, which is simply way too expensive, said Greg Buzek, president of the IHL Consulting Group.

At some Wal-Marts, greeters are supposed to watch for fraudsters, but it’s a program that is administered inconsistently at best. That’s not universally the case. At Costco, for example, they are quite strict about stopping every single shopper, doing a cursory glance at the cart and the shopping receipt and then sending them off.

IHL’s Buzek said that Costco has an another security advantage over Wal-Mart: no bags. All merchandise is exposed in the cart at all times, even after checkout. In addition, the chain’s over-sized products are difficult to hide in a coat pocket.

But Buzek points out that the much higher store-volume makes a lot of those tactics unique to a club store?such as Costco and Sam’s Club. The delay to check each cart would be unacceptable for a higher-traffic retailer such as Wal-Mart, he said.

But is self-checkout a viable alternative for cashier lanes for most retailers? For some retailers such as Home Depot, self-checkout is already handling about one of out every three checkouts, NCR’s Webster said.

But IHL’s Buzek says that interest in retail checkout is real but not wildly enthusiastic in terms of imminent purchases. The exception to that is grocery, where self-checkout is truly a hot item.

Even in grocery, though, it’s severely limited. Today, it’s being used to siphon off a small portion of the express lane (small basket) shoppers. Even self-checkout proponents concede that consumers scan at a much slower rate and that overflowing shopping carts and self-checkout may not be ideal companions just yet.

Buzek sees the future as being very good for grocery self-checkout. Why? Well, he thinks the express lanes are going to be handling an ever-increasing majority of grocery shoppers. “In the professional demographic, people don’t cook any more. They pick up (cooked-in-store) rotisserie chicken,” Buzek said.

That means a lot more customers buying just a few items at a time?such as just enough for tonight’s dinner?and that’s a good recipe for self-checkout.

That fits perfectly with the original business case for self-checkout, which is that those cashiers wouldn’t be laid off, but would instead be put into the back to cook that rotisserie chicken.

Self-checkout system proponents also point to several non-security and non-speed benefits from the systems. “In the more senior demographic,” NCR’s Webster said, “they want their items to slow down so they can see every item.”

Webster also pointed to privacy issues, with some customers feeling gunshy about showing a cashier some personal medical products.

The NCR exec then referred to the other end of the age demographic and said that some children like to push items through the self-checkout lane. For them and their parents, Webster said, “there is a tremendous entertainment value to self-checkout.” Either Webster is pushing his point a bit too much or those parents really need to get out more.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.