Apple Arrest Puts Heat On Mobile Checkout Policies

Written by Evan Schuman
September 5th, 2012

Does the very nature of mobile checkout apps mean that retailers must radically rethink shoplifting policies? (Hint: The answer is “yes.”) After Apple literally sent an 18-year-old Apple Store customer to jail in New York City last month—after the customer apparently failed to click the final complete transaction button—the broader implications for retailers are significant.

Shoplifting policies are based on a simple binary: Is the customer leaving the store with an unpaid-for product? But there needs to be proof of intent. And for the next year or two—while consumer-controlled mobile in-store purchases are very new—there had better be overwhelming proof of that intent.

What should be the policy if the customer absentmindedly—or sloppily or in haste—forgets to click an icon? Even more frightening, what if the shopper does properly process the transaction on his/her mobile phone but the application or the transmission glitches, for whatever reason?

One of the decisions Apple made with its in-store mobile purchase program (EasyPay) complicates establishing proof of intent. For example, EasyPay uses a payment card already on file (not dissimilar to how iTunes uses whatever card is already on file and solely asks for an iTunes password). If it required a card to be typed in—or swiped—each time, that could be a wonderful display of intent.

EasyPay also can only process the purchase of one product at a time. That’s a hassle if the shopper wants to buy nine items. In the intent category, though, that restriction sidesteps the issue of someone taking nine items and only paying for five of them, which is a popular self-checkout theft tactic.

In the Apple case, a customer named Eric Shine went into a Fifth Avenue Apple store on August 20. He had a scheduled meeting with Apple tech support and, while waiting, bought some Bose headphones for $129.95, according to a New York City Police Department criminal complaint. He used EasyPay, and thought he had completed the transaction and had, therefore, paid. Shine then had his meeting with tech support.

After that, he asked a store associate for a bag for his purchase, which is what customers are supposed to do. The associate is then supposed to ask to see the digital receipt. In this case, however, the associate didn’t ask and instead simply gave Shine the bag. That bag is supposed to signal to Loss Prevention that the product has been verified as purchased. (Oops!)

Shine then placed the bag into his backpack and tried to continue with his day.

The LP employee, John Conenna, asked to see Shine’s receipt. Shine pulled out his iPhone, and it was only then that he realized the app had gone through every step except the last one. Instead of asking the Apple fan to please complete the transaction, the associate called the police and had Shine arrested on petit larceny (shoplifting) and criminal possession of stolen property. The New Jersey resident spent the night in a NYC jail and is awaiting a court date for next month.

Let’s do a quick list of the ways this situation was handled in the worst possible way.


2 Comments

  1. ed Says:

    Mobile check-out has the same challenges as self-checkout stations by putting trust on the customer to pick from inventory, conduct the transaction and walk out of the store without interaction.

    Most shoplifters believe they are smarter than the retail security system and the shoplifter game goal is to outsmart the retailer with the prize of the shoplifted item. It wouldn’t surprise me if this was the case, which was a very expensive pair of headphones.

  2. Evan Schuman Says:

    Good point, Ed, but as the story points out, the security issues involving mobile go beyond self-checkout security. ‘Tis not the same issues in the sense that self-checkout transactions are observed in one place, by the associate managing those SCO lanes. In the Walmart story this week, the associate merely sees the shopper scan the single barcode from her phone. This robs her of the ability to notice if she deliberately does NOT scan several items. (Granted, that can be detected with in-aisle cameras, but it’s much more complicated. The system–or associates–needs to notice that a specific customer is using mobile and then notice she doesn’t scan certain items in certain aisles.) In the Apple Store example, a scan can happen but the process may not be properly completed–deliberately or inadvertently.
    None of these issues are unsolvable, but the belief that mobile self-checkout presents no security issues beyond traditional POS self-checkout is a very dangerous thought.

