The Retail "See No Security Evil" Strategy

The best gift for a cyber thief is retail and banking apathy. The good holiday news for those thieves is that, this year, they're making out a like a bandit.

Security and privacy are among the top issues for consumers so it seems odd that so many retailers and banks often take security so very lightly.

Please don't get me wrong. Officially, all executives with those entities say they take such matters seriously, but when we listen to the day-to-day management, the priorities seem to be elsewhere.

Consider an upcoming report from the Aberdeen Group, which details a survey of retail IT execs who were asked to discuss contactless payment. Some 80 percent of those IT interviewees said they "do not see security implications to be a chief reason for not considering contactless technology within their enterprise" and the report concluded that "retailers do not see security as a roadblock in usage and customer adoption."

That report's chief author, Aberdeen retail research analyst Sahir Anand, questioned whether many of his surveyees had realistically thought the implications. "It seems that the entire picture is not clear to them. The secure environment is more important than they have expressed in the survey," he said.

Contactless payment--RFID's gift to the payments industry?has been under a lot of pressure recently, with a variety of credible reports raising questions about how fraud-proof the cards really are.

But consumers, whether well-founded or not, are powerful issues and it could derail contactless cards before they take hold. To hear that retail IT execs are taking comfort in credit-card talking points about "the cards never leave the customer's hands and are therefore safer" is alarming. Such lines, even if true, are fact-based while fears about privacy invasion, stolen cash and identity thefts are overwhelmingly emotional. This is the old perception versus reality issue and nowhere is that more powerful than when dealing with fear.

A potentially even greater concern is that retail IT folk are giving contactless security a low priority. With retail workers, priorities are supreme. Remember what happened when Wal-Mart made pushing items through the checkout line faster a top priority for its cashiers? Shoplifting got a lot easier.

That story detailed the arrest of a shoplifting gang that hit hundreds of stores across 19 states, including many belonging to Wal-Mart. They changed the barcodes so that a large expensive item?such as a television?would show up on the registers as a much lower cost item, such a bunch of bananas. The hitch would have been if a cashier looked up long enough to notice that the item was clearly not what was it was supposed to be. No cashier, according to police, ever looked up (or at least no one ever reported anything).

Just like with contactless, all of those retailers?Wal-Mart included?were on-the-record as being strongly opposed to shoplifting. And yet, their policy priorities said the opposite. A cashier that checked merchandise carefully was penalized for slowing the line. If the cashier checked through an item that was fraudulent, there was no penality. If the cashier caught a shoplifter, there is no promised reward. Put those together and what message does it give the cashiers about the chain's seriousness about shoplifting?

That all said, the other side also has valid points. The frequency of shoplifting is small so it will cost the retailer a lot more to slow down every line than to take the few shoplifting hits. A business person has to look at the spreadsheet and make the best decision for the chain.

Another piece of this sad puzzle comes from the way banks are treating credit card fraud. The problem starts with consumers, who do not review bank account and credit-card/debit-card statements carefully enough.

There are two kinds of criminals out there: smart ones and dumb ones. The ones who get most of the headlines?and who are arrested the most?are clearly the dumb ones, or at least the less-clever greedy ones. It's the blatant thief who tries to steal $10,000 from a credit card. That is going to be instantly detected and will be vigorously pursued by all. Not smart.

The smart thieves are more patient. Instead of trying to make $1 million by stealing $10K from 100 victims, they steal one dollar from one-million victims, a technique known in white-collar crime circles as the salami method.

It's success depends on two very dependable security holes. The first are those consumers who don't watch their statements very closely. They'll often not notice such a small charge. For those who do notice it, they'll likely dismiss it as ATM charge or something else that they assume is legit. The worst consumers are those who suspect the charge being fraudulent, but decide to do nothing because the time waiting on hold with their bank is simply worth a lot more to them than a dollar.

But Mandeep Khera, a marketing VP for software security firm Cenzic, says the consumer negligence is only half of the problem. When his wife recently discovered a very small charge on her account that they both suspected was fraudulent, Khera alerted the bank and asked that they investigate, alert their fraud unit and most likely contact law enforcement.

The bank official did none of the above, instead opting to merely?and instantly?write it off. "The bank just credited it back. They didn't want to bother with it," Khera said. The bank manager's "attitude was 'It's only a dollar. Why even waste time with it?' A branch manager isn't going to spend more than two minutes on a one-dollar transaction."

So there you have it. That bank's policy helps fraudsters literally get away with these crimes every bit as much as Wal-Mart's fast-cashier policy aids shoplifters. If retailers and banks are truly going to stand a stand against fraud, they must have consistent policies. If a crook wants to steal that million dollars, they even have a safeguard against a consumer catching and reporting it: the banks won't pursue.

This all neatly fits under the heading of retailers and banks simply not taking security seriously enough. With these attitudes so prevalent, it's no wonders retailers are so blas? about contactless security. After all, fraud's someone else's headache, right?