Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Security risks at a big box retailer


Even though things like phishing and spoofing and hacking are what we normally think of when we consider electronic security risks, sometimes the simple things are what cause the biggest problems.

I was recently in a big box retailer picking up some stuff.  I won't tell you which one, but it's on the S&P 500 and the stock has performed poorly since July.  And, I'm not disappointed in the company.

I was standing in line at the self-checkout counter waiting to get my stuff through the scanner.  I thought I would be able to get through the line quicker.  I was wrong.  I was standing there waiting, I swiped my stuff (after having to scan one of the items about 8 times to get it to scan properly) and I then swiped my ATM card and debited my account.  I stood and waited for my receipt.

I waited.  And continued to wait.  Where is my fricking receipt?  Finally, a clerk came over and checked something for me.  Ah, it turns out that the receipt printing thingie was out of paper, which is why it wasn't printing.  You would think that it could have at least displayed that message.  But here's the thing: the clerk had to log in in order to check what the problem was.  Now, the login screen is right in front of me.  It's like a wall-mounted keypad with an LCD display above it, and it hangs vertically.

The clerk took no security precautions when logging in.  I decided to see how easy it would be to get her credentials.  I casually watched her type in her username.  The letters did not appear on the LCD display, I simply watched her type the letters on the keypad.  She typed them one at a time with the same finger, which is natural to do because the keypad was hanging vertically, not horizontally like a typical keyboard.  I then caught only a couple of the keys of the password.  "Dang," I thought, "I might have been able to get the login."

But then, it turns out that she mistyped something.  So, she decided to enter them again in plain sight of me with no attempt to shield her hand.  I watched more intently this time as I made a mental note of the username and then watched to see if I could discern the password.  I could.  I recognized it as a proper name, most likely a last name.  Right then and there, I realized that I had the username and password credentials to login to their checkout system.

I have since forgotten the credentials because I didn't bother to make a mental note to remember them.  The point is that sometimes security is simply a matter of taking the time to do basic stuff.  Examples here would be shielding your hand from prying eyes like mine, or hanging the keyboard in a position such that you can type with multiple fingers.  That would have made it much more difficult for me to watch the letters she was typing.


  • That's strange. Most of the stores that I've been at all have a central workstation that's off to the side. The clerk that is in charge of the self checkout area can only log into that one workstation. From there they can see full state information on each unit, and do remote editing of the order, and other tasks.

  • All of the self-checkout places I've seen, the cashier has an ID card with a barcode on it that they scan in order to be recognized by the system.

  • > From there they

    ... and anyone else nearby with a wireless laptop ...

    > can see full state information on each unit, and do

    > remote editing of the order, and other tasks.

