Thanks to a software program called a zapper, even technologically illiterate restaurant and store owners can siphon cash from computer cash registers and cheat tax officials.
Zappers alter the electronic sales records in a cash register. To satisfy tax collectors, the tally of food orders, for example, must match the register’s final cash total. To hide the removal of cash from the till, a crooked business owner has to erase the record of food orders equal to the amount of cash taken; otherwise, the imbalance is obvious to any auditor.
The more sophisticated zappers are easy to use, according to several experts. A dialogue box, which shows the day’s tally, pops up on the register’s screen.
In a second dialogue box, the thief chooses to take a dollar amount or percentage of the till. The program then calculates which orders to erase to get close to the amount of cash the person wants to remove. Then it suggests how much cash to take, and it erases the entries from the books and a corresponding amount in orders, so the register balances.
Okay, this is weird:
Police in Italy have issued footage of a man who is suspected of hypnotising supermarket checkout staff to hand over money from their cash registers.
In every case, the last thing staff reportedly remember is the thief leaning over and saying: “Look into my eyes”, before finding the till empty.
This sort of story is nothing new:
Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.
But it’s rare that we see statistics about the actual risk of fraud:
The company is aware of about 1,800 cases of fraud reported so far relating to the breach.
And this is interesting:
“Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs,” Spitzer said. “We’ve been engaged in a dialogue for a couple years now about changing this rule…. Without knowing who the retailer is that caused the breach, it’s hard for banks to conduct a good investigation on behalf of their consumers. And it’s a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don’t shop at that retailer.”
There’s an underground economy of boosted books. These values are commonly understood and roundly agreed upon through word of mouth, and the values always seem to be true. Once, a scruffy, large man approached me, holding a folded-up piece of paper. “Do you have any Buck?” He paused and looked at the piece of paper. “Any books by Buckorsick?” I suspected that he meant Bukowski, but I played dumb, and asked to see the piece of paper he was holding. It was written in crisp handwriting that clearly didn’t belong to him, and it read:
- Charles Bukowski
- Jim Thompson
- Philip K. Dick
- William S. Burroughs
- Any Graphic Novel
This is pretty much the authoritative top five, the New York Times best-seller list of stolen books. Its origins still mystify me. It might have belonged to an unscrupulous used bookseller who sent the homeless out, Fagin-like, to do his bidding, or it might have been another book thief helping a semi-illiterate friend identify the valuable merchandise.
This both is and isn’t news. In the security world, we knew that replacing credit card signatures with chip and PIN created new vulnerabilities. In this paper (see also the press release and FAQ), researchers demonstrated some pretty basic attacks against the system—one using a paper clip, a needle, and a small recording device. This BBC article is a good summary of the research.
There's also this leaked chip and PIN report from APACS, the UK trade association that has been pushing chip and PIN.
Join “My SHC Community” on Sears.com, and the company will install some pretty impressive spyware on your computer:
Sears.com is distributing spyware that tracks all your Internet usage – including banking logins, email, and all other forms of Internet usage – all in the name of “community participation.” Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software (“the proxy”) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the “community,” very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.
Here is a summary of what the software does and how it is used. The proxy:
- Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.
- Monitors secure sessions (websites beginning with ‘https’), which may include shopping or banking sites.
- Records and transmits “the pace and style with which you enter information online…”
- Parses the header section of personal emails.
- May combine any data intercepted with additional information like “select credit bureau information” and other sources like “consumer preference reporting companies or credit reporting agencies”.
If a kid with a scary hacker name did this sort of thing, he’d be arrested. But this is Sears, so who knows what will happen to them. But what should happen is that the anti-spyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.
Interesting study: “Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement,” October 2007. It’s long, but at least read the executive summary. Or, even shorter, this Associated Press story:
Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.
The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.
Nearly a quarter of the offenders were born outside the United States.
Eighty percent of the cases involved an offender working solo or with a single partner, the report found.
While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.
Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver’s licenses.
Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.
In about a fifth of the cases, the employee worked in the financial services industry.
Now this is a good idea:
In a letter sent Thursday to the Payment Card Industry (PCI) Security Standards Council, the group responsible for setting data-security guidelines for merchants and vendors, the National Retail Federation requested that member companies be allowed to instead keep only the authorization code and a truncated receipt, the NRF said in a statement.
Erasing the data is the easiest way to secure it from theft. But, of course, the issue is more complicated than that, and there’s lots of politics. See the article for details.
Remember the TJX hack from May 2007?
Seems that the credit card information was stolen by eavesdropping on wireless traffic at two Marshalls stores in Miami. More details from the Canadian privacy commissioner:
“The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk,” said Stoddart, who serves as an ombudsman and advocate to protect Canadians’ privacy rights.
Retail wireless networks collect and transmit data via radio waves so information about purchases and returns can be shared between cash registers and store computers. Wireless transmissions can be intercepted by antennas, and high-power models can sometimes intercept wireless traffic from miles away.
While such data is typically scrambled, Canadian officials said TJX used an encryption method that was outdated and vulnerable. The investigators said it took TJX two years to convert from Wireless Encryption Protocol to more sophisticated Wi-Fi Protected Access, although many retailers had done so.
Here’s an interesting phenomenon: rising gas costs have pushed up a lot of legitimate transactions to the “anti-fraud” ceiling.
Security is a trade-off, and now the ceiling is annoying more and more legitimate gas purchasers. But to me the real question is: does this ceiling have any actual security purpose?
In general, credit card fraudsters like making gas purchases because the system is automated: no signature is required, and there’s no need to interact with any other person. In fact, buying gas is the most common way a fraudster tests that a recently stolen card is valid. The anti-fraud ceiling doesn’t actually prevent any of this, but limits the amount of money at risk.
But so what? How many perps are actually trying to get more gas than is permitted? Are credit-card-stealing miscreants also swiping cars with enormous gas tanks, or merely filling up the passenger cars they regularly drive? I’d love to know how many times, prior to the run-up in gas prices, a triggered cutoff actually coincided with a subsequent report of a stolen card. And what’s the effect of a ceiling, apart from a gas shut-off? Surely the smart criminals know about smurfing, if they need more gas than the ceiling will allow.
The Visa spokesperson said, “We get more calls, questions, when gas prices increase.” He/she didn’t say: “We make more calls to see if fraud is occurring.” So the only inquiries made may be in the cases where fraud isn’t occurring.