Entries Tagged "retail"

Page 5 of 6

Credit Card Gas Limits

Here’s an interesting phenomenon: rising gas costs have pushed up a lot of legitimate transactions to the “anti-fraud” ceiling.

Security is a trade-off, and now the ceiling is annoying more and more legitimate gas purchasers. But to me the real question is: does this ceiling have any actual security purpose?

In general, credit card fraudsters like making gas purchases because the system is automated: no signature is required, and there’s no need to interact with any other person. In fact, buying gas is the most common way a fraudster tests that a recently stolen card is valid. The anti-fraud ceiling doesn’t actually prevent any of this, but limits the amount of money at risk.

But so what? How many perps are actually trying to get more gas than is permitted? Are credit-card-stealing miscreants also swiping cars with enormous gas tanks, or merely filling up the passenger cars they regularly drive? I’d love to know how many times, prior to the run-up in gas prices, a triggered cutoff actually coincided with a subsequent report of a stolen card. And what’s the effect of a ceiling, apart from a gas shut-off? Surely the smart criminals know about smurfing, if they need more gas than the ceiling will allow.

The Visa spokesperson said, “We get more calls, questions, when gas prices increase.” He/she didn’t say: “We make more calls to see if fraud is occurring.” So the only inquiries made may be in the cases where fraud isn’t occurring.

Posted on June 26, 2007 at 1:21 PMView Comments

Crazy Eddie Financial Fraud

This is an old article—from 2000—but the sidebar (at the end) describing how the electronics store Crazy Eddie committed massive financial fraud is fascinating.

There are numerous ways to classify financial statement frauds. Our research divided them into five principal, but related, types. One of the most outrageous aspects of the Crazy Eddie’s fraud is that he used all five methods. This is how he did it.

Posted on March 30, 2007 at 6:33 AMView Comments

Wal-Mart Stays Open During Bomb Scare

This is interesting: A Wal-Mart store in Mitchell, South Dakota receives a bomb threat. The store managers decide not to evacuate while the police search for the bomb. Presumably, they decided that the loss of revenue due to an evacuation was not worth the additional security of an evacuation:

During the nearly two-hour search Wal-Mart officials opted not to evacuated the busy discount store even though police recomended [sic] they do so. Wal-Mart officials said the call was a hoax and not a threat.

I think this is a good sign. It shows that people are thinking rationally about security trade-offs, and not thoughtlessly being terrorized.

Remember, though: security trade-offs are based on agenda. From the perspective of the Wal-Mart managers, the store’s revenues are the most important; most of the risks of the bomb threat are externalities.

Of course, the store employees have a different agenda—there is no upside to staying open, and only a downside due to the additional risk—and they didn’t like the decision:

The incident has family members of Wal-Mart employees criticizing store officials for failing to take police’s recommendation to evacuate.

Voorhees has worked at the Mitchell discount chain since Wal-Mart Supercenter opened in 2001. Her daughter, Charlotte Goode, 36, said Voorhees called her Sunday, crying and upset as she relayed the story.

“It’s right before Christmas. They were swamped with people,” she said. “To me, they endangerd [sic] the community, customers and associates. They put making a buck ahead of public safety.”

Posted on December 28, 2006 at 1:32 PMView Comments

Gift Card Hack

This is a clever hack against gift cards:

Seems they take the cards off the racks in stores and copy down the serial numbers. Later on, they check to see if the card is activated, and if the answer is yes, they go on a shopping spree from the store’s website.

What’s the security problem? A serial number on the cards that’s visible even though the card is not activated. This could be mitigated by hiding the serial number behind a scratch-off coating, or opaque packaging.

Posted on December 8, 2006 at 12:06 PMView Comments

UK Car Rentals to Require Fingerprints

Welcome to a surveillance society:

If you want to hire a car at Stansted Airport, you now need to give a fingerprint.

The scheme being tested by Essex police and car hire firms, is not voluntary. Every car rental customer must take part.

No fingerprint, no car hire at Stansted airport.

These are stored by the hire firms—and will be handed over to the police if the car is stolen or used for another crime.

This is the most amusing bit:

“It’s not intrusive really. It’s different—and people need to adjust to it. It’s not Big Brother, it’s about protecting people’s identities. The police will never see these thumbprints unless a crime is committed.”

What are the odds that no crime will ever be committed?

Fingerprints are becoming more common in the UK:

But regardless of any ideological arguments, the use of biometric technology—where someone is identified by a physical characteristic—is already entering the mainstream.

Biometric UK passports were introduced this year, using facial mapping information stored on a microchip, and more than a million have already been issued.

A shop in the Bluewater centre in Kent has used a fingerprint checking scheme to tackle credit card fraud. And in Yeovil, Somerset, fingerprinting has been used to cut town-centre violence, with scanners helping pick out troublemakers.

It’s not just about crime. Biometric recognition is also being pitched as more convenient for shoppers.

Pay By Touch allows customers to settle their supermarket bill with a fingerprint rather than a credit card. With three million customers in the United States, this payment system is now being tested in the UK, in three Co-op supermarkets in Oxfordshire.

Posted on November 14, 2006 at 7:37 AMView Comments

Stealing Credit Card Information off Phone Lines

Here’s a sophisticated credit card fraud ring that intercepted credit card authorization calls in Phuket, Thailand.

The fraudsters loaded this data onto MP3 players, which they sent to accomplices in neighbouring Malaysia. Cloned credit cards were manufactured in Malaysia and sent back to Thailand, where they were used to fraudulently purchase goods and services.

It’s 2006 and those merchant terminals still don’t encrypt their communications?

Posted on August 15, 2006 at 6:19 AMView Comments

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner—who was presumably elsewhere in the store—that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it’s impossible to insert or delete transactions. It’s an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register. Any discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that’s not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn’t care one way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up a sign saying “Your purchase free if you don’t get a receipt,” the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

“When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks’ agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn’t care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses—most of the fraud actually was not the cardholder’s fault—while in the UK, the banks did nothing.”

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn’t until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don’t have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They’ll align interest with capability, and they’ll improve software security.

One last story… In Italy, tax fraud used to be a national hobby. (It may still be; I don’t know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, has to produce a receipt or they would be fined. Just as in the “Your purchase free if you don’t get a receipt” story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn’t work very well. Customers, especially tourists, didn’t like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn’t guard merchants wasn’t as effective an enticement as offering people a reward if they didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

Posted on June 1, 2006 at 6:27 AMView Comments

No-Buy List

You’ve all heard of the “No Fly List.” Did you know that there’s a “No-Buy List” as well?

The so-called “Bad Guy List” is hardly a secret. The U.S. Treasury’s Office of Foreign Assets Control maintains its “Specially Designated Nationals and Blocked Persons List” to be easily accessible on its public Web site.

Wanna see it? Sure you do. Just key OFAC into your Web browser, and you’ll find the 224-page document of the names of individuals, organizations, corporations and Web sites the feds suspect of terrorist or criminal activities and associations.

You might think Osama bin Laden should be at the top of The List, but it’s alphabetized, so Public Enemy No. 1 is on Page 59 with a string of akas and spelling derivations filling most of the first column. If you’re the brother, daughter, son or sister-in-law of Yugoslavian ex-president Slobodan Milosevic (who died in custody recently), you’re named, too, so probably forget about picking up that lovely new Humvee on this side of the Atlantic. Same for Charles “Chuckie” Taylor, son of the recently arrested former president of Liberia (along with the deposed prez’s wife and ex-wife).

The Bad Guy List’s relevance to the average American consumer? What’s not widely known about it is that by federal law, sellers are supposed to check it even in the most common and mundane marketplace transactions.

“The OFAC requirements apply to all U.S. citizens. The law prohibits anyone, not just car dealers, from doing business with anyone whose name appears on the Office of Foreign Assets Control’s Specially Designated Nationals list,” says Thomas B. Hudson, senior partner at Hudson Cook LLP, a law firm in Hanover, Md., and publisher of Carlaw and Spot Delivery, legal-compliance newsletters and services for car dealers and finance companies.

Hudson says that, according to the law, supermarkets, restaurants, pawnbrokers, real estate agents, everyone, even The Washington Post, is prohibited from doing business with anyone named on the list. “There is no minimum amount for the transactions covered by the OFAC requirement, so everyone The Post sells a paper to or a want ad to whose name appears on the SDN list is a violation,” says Hudson, whose new book, “Carlaw—A Southern Attorney Delivers Humorous Practical Legal Advice on Car Sales and Financing,” comes out this month. “The law applies to you personally, as well.”

But The Bad Guy List law (which predates the controversial Patriot Act) not only is “perfectly ridiculous,” it’s impractical, says Hudson. “I understand that 95 percent of the people whose names are on the list are not even in the United States. And if you were a bad guy planning bad acts, and you knew that your name was on a publicly available list that people were required to check in order to avoid violating the law, how dumb would you have to be to use your own name?”

Compliance is also a big problem. Think eBay sellers are checking the list for auction winners? Or that the supermarket checkout person is thanking you by name while scanning a copy of The List under the counter? Not likely.

Posted on April 10, 2006 at 6:23 AMView Comments

More on the ATM-Card Class Break

A few days ago, I wrote about the class break of Citibank ATM cards in Canada, the UK, and Russia. This is new news:

With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.

Criminals have stolen bank account data from a third-party company, several banks have said, and then used the data to steal money from related accounts using counterfeit cards at ATM machines.

The central question surrounding the new wave of crime is this: How did the thieves managed to foil the PIN code system designed to fend off such crimes? Investigators are considering the possibility that criminals have stolen PIN codes from a retailer, MSNBC has learned.

Read the whole article. Details are emerging slowly, but there’s still a lot we don’t know.

EDITED TO ADD (3/11): More info in these four articles.

Posted on March 9, 2006 at 3:51 PMView Comments

Child-Repellent Sounds

I’ve already written about merchants using classical music to discourage loitering. Young people don’t like the music, so they don’t stick around.

Here’s a new twist: high-frequency noise that children and teenagers can hear but adults can’t:

The results were almost instantaneous. It was as if someone had used anti-teenager spray around the entrance, the way you might spray your sofas to keep pets off. Where disaffected youths used to congregate, now there is no one.

At first, members of the usual crowd tried to gather as normal, repeatedly going inside the store with their fingers in their ears and “begging me to turn it off,” Gough said. But he held firm and neatly avoided possible aggressive confrontations: “I told them it was to keep birds away because of the bird flu epidemic.”

At least he didn’t claim it was an anti-terrorism security measure.

Posted on December 6, 2005 at 7:46 AMView Comments

1 3 4 5 6

Sidebar photo of Bruce Schneier by Joe MacInnis.