Thieves Stealing Poorly Protected EAS Keys: An Amazingly Serious Achilles Heel

It was just past 10:30 PM on January 15 when police say a shoplifter walked into the Murrieta, Calif., Wal-Mart. But as part of a growing trend, she didn't try to steal any merchandise. Instead, she walked over to an unstaffed counter, pulled out what seemed to be wire cutters and cut loose the store's keys to its safer security devices.

Other thieves have opted for grabbing EAS tag detachers, but the point is the same. Beyond protecting products, retailers need to reinforce protections around the devices that protect their products. How are keys and tag detachers handled when not in use? Is there an explicit policy about ignoring EAS alarms? Ironically, one of the defenses against thieves stealing EAS tag detachers is that the detachers have their own EAS device. But if the tool is removed during a busy time for the store, when the EAS alarms are ignored, the thief has a double win.

The most frightening part of this trend is the magnitude of the risk. If one store gets hit, that key/detacher can now unlock anything in that store. In fact, it can most likely unlock anything in any other store in that chain and can probably defeat the protection of any store within any chain where the same system is installed, said Karen Bomber, director of marketing operations for Tyco Retail, which sells EAS to Wal-Mart. As a practical matter, there is little defense against this problem, because there is no cost-effective way to—if you will—change the locks.

(Note: It's of some comfort that EAS label deactivation tools are much less attractive to these kinds of thieves, given the size of the deactivators and how they are typically integrated into POS stations.)

From a "protect the protector" standpoint, this is reminiscent of the TJX data breach. One of the great details of that attack, although it never got much attention, is that Gonzalez's crew apparently was able to steal the chain's encryption key. It didn't matter with the TJX attack, because they were also able to access the payment data before it was encrypted, so they never had a need to use the encryption key. (How's that for comforting?)

The point is protecting your security system's designed override. Having top-notch encryption is silly if you don't adequately protect the encryption key. That's just like not protecting your keeper key or your EAS tag detacher.

Is leaving the unused devices in a locked drawer or a secure backroom office so onerous?

Current mechanisms all seem to focus on after-the-fact deterrents. For example, the mere act of being caught in a store with a safer key or a tag remover can—in many jurisdictions—justify a felony charge of possession of burglary tools, said Joe LaRocca, the National Retail Federation's chief loss prevention official.

In the Wal-Mart California incident, store security captured clear video of the key being grabbed and of the car the grabber apparently was driving. What if that person never intends to return to that store? That key could be sold online for a decent price or simply used at another store. Maybe that Wal-Mart wasn't keeping its safer key under the doormat in front of the store, but it got close.