Technology only part of security story
- 08 December, 2002 22:00
Retail information systems must be defended vigorously against theft and irregular dealings to protect the reputation of the company and its balance sheet. Amongst computer systems they are usually the most open to the customer.
One significant danger is unauthorised adjustment of prices in the computer by retail staff, says Peter Benson of security specialist EMS Global. A few cents' adjustment can be quietly pocketed, and the difference will probably not be noticed by the customer.
Inadequate protection of customer information by the store can also allow credit card numbers to be misused. In the case of online stores in particular a clear privacy statement should be made to give the customer confidence, and the practices must be there for it to be adhered to.
The customer must be wary, on or offline, that they are not giving away too much information, says Benson.
“It’s often trivial to collate information on an individual towards complete identity theft.”
The danger is of course present from third parties, such as the customer behind the victim in the queue, indulging in the now well-known pursuit of “shoulder-surfing” — looking over the customer’s shoulder to see the numbers entered. With an Eftpos or credit card number, or worse yet a chance to steal the actual card and a “surfed” PIN, a thief can wreak havoc with the victim’s bank balance or even retrieve other information.
Physical layout of the POS terminal can do a lot to prevent such snooping, but it is incumbent on the customer to take care, he says.
Another kind of “shoulder-surfing” takes place at the back end of the store, where a criminal mingles with a group of legitimate workers — perhaps standing outside during a break, smoking — and tags along, obtaining entrance to a secure area.
One thief, Benson assures Computerworld, once walked into the back of a store carrying a server. Everyone assumed he must be a computer maintenance man; he simply removed one of the store’s own servers, substituted the one he’d brought in with him and walked away with a lot of confidential information.
New Zealanders, both on an individual and organisational basis, are convinced this kind of crime “doesn’t happen here”, Benson says. “It’s a social and cultural thing.”
The proverbial days when everyone left their back door unlocked are not far back in many Kiwis’ minds, he suggests.
When buying on the web, in particular, “you need to think whether a site is trustworthy”. Complete fake online stores have been set up which simply take customers’ money and credit card numbers, with no intention of delivering the goods.
Benson alludes to a scam in the US, in which very cheap computers were supposedly offered for sale. But there has been at least one in New Zealand, where a fake pornographic site was set up using a slight misspelling of the legitimate site’s name. Police declined to take action, because of allegedly stretched manpower, and because the customer, as a porn purchaser, “would not have much public sympathy”, in the words of a police officer.
Steer clear of sites which process their own payments, unless they are well-known names, Benson advises. Go for those who use a trustworthy intermediary like PayPal or Verisign, which has proper procedures to prevent leakage of customer information.
Visa’s VSDC technology and the Zed Card, which has information encoded into a chip, add some security by preventing trivial “skimming” of magnetic stripes. The Verified by Visa and Zed Card schemes also provide an additional PIN as some assurance that the purchaser is the legitimate owner of the card.
The store should, however, keep a continual eye on anomalous patterns in transactions. If something does not fit into the customer’s usual purchase patterns, or if there is an extremely unlikely pattern, such as a purchase in Auckland at 3pm and in Wellington at 5pm on the same card, it is legitimate to ask questions.
Many stores run audits of their transactions and collect information continuously, but the logs are not read, or are read infrequently or only when there is a problem. Such analysis should be used regularly, frequently and proactively, Benson says.
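The kind of proactive review the previous two paragraphs describe can be automated over the transaction logs a store already collects. The following is an added illustration, not code from EMS Global or from the article: it runs two checks over a constructed sample log, flagging a card presented in two cities too close together to be the same person (the Auckland-at-3pm, Wellington-at-5pm case) and a purchase far outside the cardholder's usual spend. The city-to-city travel times, the card numbers, the amounts and the 5x-median threshold are all assumptions chosen for the example.

```python
"""Proactive review of POS transaction logs: flag card activity that does not fit
the cardholder's usual pattern (impossible travel, out-of-profile spend)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log: (card, store city, local time, amount in NZD). Not real data.
SAMPLE_LOG = [
    ("4111-0001", "Auckland", "2002-12-08 15:00", 45.00),
    ("4111-0001", "Wellington", "2002-12-08 17:00", 60.00),
    ("4111-0002", "Christchurch", "2002-12-08 09:10", 20.00),
    ("4111-0002", "Christchurch", "2002-12-08 12:30", 25.00),
    ("4111-0002", "Christchurch", "2002-12-08 13:15", 22.00),
    ("4111-0002", "Christchurch", "2002-12-08 18:40", 1899.00),
    ("4111-0003", "Auckland", "2002-12-08 10:00", 30.00),
    ("4111-0003", "Auckland", "2002-12-08 16:00", 35.00),
]

# Assumed shortest plausible time for a cardholder to get between two cities and
# present the card again (hypothetical values; tune to the store network's geography).
MIN_TRAVEL = {
    frozenset({"Auckland", "Wellington"}): timedelta(hours=3),
    frozenset({"Auckland", "Christchurch"}): timedelta(hours=3),
    frozenset({"Wellington", "Christchurch"}): timedelta(hours=2, minutes=30),
}
DEFAULT_MIN_TRAVEL = timedelta(hours=1)  # assumption for city pairs not in the table


def parse_log(rows):
    """Group rows by card and sort each card's transactions chronologically."""
    by_card = defaultdict(list)
    for card, city, when, amount in rows:
        by_card[card].append((datetime.strptime(when, "%Y-%m-%d %H:%M"), city, float(amount)))
    for txns in by_card.values():
        txns.sort()
    return by_card


def impossible_travel(txns):
    """Yield (earlier, later) pairs of consecutive card-present transactions in
    different cities separated by less than the assumed minimum travel time."""
    for prev, cur in zip(txns, txns[1:]):
        if prev[1] == cur[1]:
            continue
        limit = MIN_TRAVEL.get(frozenset({prev[1], cur[1]}), DEFAULT_MIN_TRAVEL)
        if cur[0] - prev[0] < limit:
            yield prev, cur


def unusual_spend(txns, multiplier=5.0, min_history=3):
    """Yield transactions whose amount exceeds `multiplier` times the median of the
    card's earlier purchases, once at least `min_history` earlier purchases exist."""
    history = []
    for when, city, amount in txns:
        if len(history) >= min_history and amount > multiplier * median(history):
            yield (when, city, amount), median(history)
        history.append(amount)


def review(rows, multiplier=5.0, min_history=3):
    """Run both checks over a log and return alerts as (card, kind, detail) tuples,
    sorted so the output is stable for reporting."""
    alerts = []
    for card, txns in parse_log(rows).items():
        for prev, cur in impossible_travel(txns):
            gap = cur[0] - prev[0]
            alerts.append((card, "impossible_travel",
                           f"{prev[1]} {prev[0]:%H:%M} -> {cur[1]} {cur[0]:%H:%M} ({gap})"))
        for (when, city, amount), med in unusual_spend(txns, multiplier, min_history):
            alerts.append((card, "unusual_spend",
                           f"{amount:.2f} at {city} {when:%H:%M}, median of earlier purchases {med:.2f}"))
    return sorted(alerts)


if __name__ == "__main__":
    for card, kind, detail in review(SAMPLE_LOG):
        print(f"{card}  {kind:18}  {detail}")
```

Run against the sample log, the script raises one impossible-travel alert for the Auckland/Wellington card and one unusual-spend alert for the Christchurch card, and nothing for the third card. The point is the workflow rather than the thresholds: a job like this scheduled daily over the real log turns the audit data the store already collects into questions a manager asks the same day, instead of a file that is only opened after a loss is discovered.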
Safeguarding against dishonesty is a combination of “people, process and technology”, he says. The right technology can do a lot to improve security, but it must be accompanied by correctly organised processes — notably “separation of function”, so that one person does not deal with too much collatable data or have too much power to alter data in various parts of the system. “Vetting employees’ backgrounds, rotating people among duties, and tracking what they do; it’s all part of the picture.”