The Retail “See No Security Evil” Strategy

Written by Evan Schuman
December 27th, 2006

The best gift for a cyber thief is retail and banking apathy. The good holiday news for those thieves is that, this year, they’re making out like bandits.

Security and privacy are among the top issues for consumers, so it seems odd that so many retailers and banks take security so lightly.

Please don’t get me wrong. Officially, all executives at those entities say they take such matters seriously, but when we look at day-to-day management, the priorities seem to be elsewhere.

Consider an upcoming report from the Aberdeen Group, which details a survey of retail IT execs who were asked to discuss contactless payment. Some 80 percent of those IT interviewees said they “do not see security implications to be a chief reason for not considering contactless technology within their enterprise” and the report concluded that “retailers do not see security as a roadblock in usage and customer adoption.”

That report’s chief author, Aberdeen retail research analyst Sahir Anand, questioned whether many of his surveyees had realistically thought through the implications. “It seems that the entire picture is not clear to them. The secure environment is more important than they have expressed in the survey,” he said.

Contactless payment (RFID’s gift to the payments industry) has been under a lot of pressure recently, with a variety of credible reports raising questions about how fraud-proof the cards really are.

But consumer fears, whether well-founded or not, are powerful, and they could derail contactless cards before they take hold. To hear that retail IT execs are taking comfort in credit-card talking points such as “the cards never leave the customer’s hands and are therefore safer” is alarming. Such lines, even if true, are fact-based, while fears about privacy invasion, stolen cash and identity theft are overwhelmingly emotional. This is the old perception-versus-reality issue, and nowhere is it more powerful than when dealing with fear.

A potentially even greater concern is that retail IT folk are giving contactless security a low priority. With retail workers, priorities are supreme. Remember what happened when Wal-Mart made pushing items through the checkout line faster a top priority for its cashiers? Shoplifting got a lot easier.

That story detailed the arrest of a shoplifting gang that hit hundreds of stores across 19 states, including many belonging to Wal-Mart. They changed the barcodes so that a large, expensive item (such as a television) would show up on the registers as a much lower-cost item, such as a bunch of bananas. The hitch would have been a cashier looking up long enough to notice that the item was clearly not what it was supposed to be. No cashier, according to police, ever looked up (or at least no one ever reported anything).

Just like with contactless, all of those retailers (Wal-Mart included) were on the record as being strongly opposed to shoplifting. And yet their policy priorities said the opposite. A cashier who checked merchandise carefully was penalized for slowing the line. If the cashier rang up an item that was fraudulent, there was no penalty. If the cashier caught a shoplifter, there was no promised reward. Put those together, and what message does it send the cashiers about the chain’s seriousness about shoplifting?

That all said, the other side also has valid points. Shoplifting is infrequent, so it will cost the retailer a lot more to slow down every line than to absorb the few shoplifting hits. A business person has to look at the spreadsheet and make the best decision for the chain.

Another piece of this sad puzzle comes from the way banks are treating credit card fraud. The problem starts with consumers, who do not review bank account and credit-card/debit-card statements carefully enough.

There are two kinds of criminals out there: smart ones and dumb ones. The ones who get most of the headlines, and who are arrested the most, are clearly the dumb ones, or at least the less-clever greedy ones. It’s the blatant thief who tries to steal $10,000 from a credit card. That is going to be instantly detected and will be vigorously pursued by all. Not smart.

The smart thieves are more patient. Instead of trying to make $1 million by stealing $10K from 100 victims, they steal one dollar from one-million victims, a technique known in white-collar crime circles as the salami method.

Its success depends on two very dependable security holes. The first is consumers who don’t watch their statements very closely. They’ll often not notice such a small charge. Those who do notice it will likely dismiss it as an ATM charge or something else they assume is legitimate. The worst consumers are those who suspect the charge is fraudulent but decide to do nothing, because the time spent waiting on hold with their bank is simply worth a lot more to them than a dollar.

But Mandeep Khera, a marketing VP for software security firm Cenzic, says consumer negligence is only half of the problem. When his wife recently discovered a very small charge on her account that they both suspected was fraudulent, Khera alerted the bank and asked that they investigate, alert their fraud unit and, most likely, contact law enforcement.

The bank official did none of the above, instead opting to merely, and instantly, write it off. “The bank just credited it back. They didn’t want to bother with it,” Khera said. The bank manager’s “attitude was ‘It’s only a dollar. Why even waste time with it?’ A branch manager isn’t going to spend more than two minutes on a one-dollar transaction.”

So there you have it. That bank’s policy helps fraudsters get away with these crimes every bit as much as Wal-Mart’s fast-cashier policy aids shoplifters. If retailers and banks are truly going to take a stand against fraud, they must have consistent policies. A crook who wants to steal that million dollars even has a safeguard against a consumer catching and reporting it: the banks won’t pursue.
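The salami method works because every party looks at one account at a time: the cardholder sees one dollar, the branch manager sees one dollar, and neither view ever crosses an alert threshold. The pattern only becomes visible when charges are aggregated by originator across many accounts. The script below is an added illustration, not code from the column or from any bank named in it: it builds a constructed ledger with a hypothetical originator “SVC FEE 7731” posting $1.00 to every account, shows that a per-account threshold check finds nothing, and then flags originators that post mostly small, near-identical charges to an unusually large number of distinct accounts. The dollar thresholds, the minimum account count and the allowlist of known fee collectors are all assumptions chosen for the example.

```python
"""Cross-account detection of salami-style charges.

Added example with constructed data; the originator names, thresholds and
allowlist are assumptions, not values taken from any real bank or merchant.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str
    merchant: str   # originator name as it appears on the statement
    amount: float   # dollars


def build_sample_ledger(n_accounts: int = 500) -> list[Txn]:
    """Constructed ledger (not real data): every account buys groceries, one
    in five pays a genuine small ATM fee, and the hypothetical originator
    'SVC FEE 7731' posts exactly $1.00 to every single account."""
    ledger: list[Txn] = []
    for i in range(n_accounts):
        acct = f"acct-{i:04d}"
        ledger.append(Txn(acct, "GROCERY MART", round(40.0 + (i % 7) * 3.25, 2)))
        if i % 5 == 0:
            ledger.append(Txn(acct, "CITY ATM", 2.50))    # legitimate small fee
        ledger.append(Txn(acct, "SVC FEE 7731", 1.00))    # the salami charge
    return ledger


def per_account_alerts(ledger: list[Txn], threshold: float = 100.0) -> list[Txn]:
    """The view a cardholder or branch manager has: one account at a time,
    alerting only on a charge above a dollar threshold. A one-dollar salami
    charge never trips this, which is exactly why the method works."""
    return [t for t in ledger if t.amount >= threshold]


def find_salami_originators(
    ledger: list[Txn],
    small_amount: float = 5.0,
    min_accounts: int = 100,
    min_small_share: float = 0.9,
    known_fee_originators: frozenset[str] = frozenset(),
) -> dict[str, dict[str, float]]:
    """Aggregate by originator across all accounts. An originator is
    suspicious when nearly all of its charges are small and it touches a
    large number of distinct accounts. Legitimate fee collectors (ATM
    networks, subscriptions) match the same shape, so they are carried in an
    allowlist and reviewed separately rather than silently ignored."""
    count: dict[str, int] = defaultdict(int)
    small: dict[str, int] = defaultdict(int)
    total: dict[str, float] = defaultdict(float)
    accounts: dict[str, set[str]] = defaultdict(set)
    for t in ledger:
        count[t.merchant] += 1
        total[t.merchant] += t.amount
        accounts[t.merchant].add(t.account)
        if t.amount <= small_amount:
            small[t.merchant] += 1

    flagged: dict[str, dict[str, float]] = {}
    for m in count:
        if m in known_fee_originators:
            continue
        n_acct = len(accounts[m])
        share = small[m] / count[m]
        if n_acct >= min_accounts and share >= min_small_share:
            flagged[m] = {
                "distinct_accounts": n_acct,
                "small_charge_share": round(share, 3),
                "total_dollars": round(total[m], 2),   # the real exposure
            }
    return flagged


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("per-account alerts:", len(per_account_alerts(ledger)))
    hits = find_salami_originators(ledger, known_fee_originators=frozenset({"CITY ATM"}))
    for name, summary in hits.items():
        print(f"{name}: {summary}")
```

Run as-is, the per-account check returns no alerts while the cross-account check reports the $1.00 originator with 500 accounts and $500 of total exposure. Without the allowlist the ATM network is reported too, which is the honest behaviour of this rule: it surfaces every mass small-charge originator and leaves the fraud unit to triage, rather than writing each dollar off at the branch.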

This all neatly fits under the heading of retailers and banks simply not taking security seriously enough. With these attitudes so prevalent, it’s no wonder retailers are so blasé about contactless security. After all, fraud is someone else’s headache, right?


One Comment

  1. Unspecified Says:

    If someone who works at a given bank has sufficient privileges and savvy, they can place $1 credit charges on 1000’s of customer accounts and earn interest on the proceeds. The “borrowed” funds are then promptly returned before the statement is finalised. So there is no record of it. Employees of most banks do not have to wait for “clearance” to occur for cheques of value less than say, $1000.

    To keep their account full, they simply cycle the customers that they are “borrowing” from so that their balance remains constant throughout the interest accrual period.
