Security risks at a big box retailer
Even though things like phishing and spoofing and hacking are what we normally think of when we consider electronic security risks, sometimes the simple things are what cause the biggest problems.
I was recently in a big box retailer picking up some stuff. I won't tell you which one, but it's on the SP-500 and the stock has performed poorly since July. And, I'm not disappointed in the company.
I was standing in line at the self-checkout counter waiting to get my stuff through the scanner. I thought I would be able to get through the line quicker. I was wrong. I was standing there waiting, I swiped my stuff (after having to scan one of the items about 8 times to get it to scan properly) and I then swiped my ATM card and debited my account. I stood and waited for my receipt.
I waited. And continued to wait. Where is my fricking receipt? Finally, a clerk came over and checked something for me. Ah, it turns out that the receipt printing thingie was out of paper which is why it wasn't printing. You would think that it could have at least displayed that message. But here's the thing: the clerk had to login in order to check to see what the problem was. Now, the login screen is right in front of me. It's like a wall mounted keypad with an LCD display above it, and it hangs vertically.
The clerk took no security precautions when logging in. I decided to see how easy it would be to get her credentials. I casually watched her type in her username. The letters did not appear on the LCD display, I simply watched her type the letters on the keypad. She typed them one at a time with the same finger, which is natural to do because the keypad was hanging vertically, not horizontally like a typical keyboard. I then caught only a couple of the keys of the password. "Dang," I thought, "I might have been able to get the login."
But then, it turns out that she mistyped something. So, she decided to enter them again in plain sight of me with no attempt to shield her hand. I watched more intently this time as I made a mental note of the username and then watched to see if I could discern the password. I could. I recognized it as a proper name, most likely a last name. Right then and there, I realized that I had the username and password credentials to login to their checkout system.
I have since forgotten the credentials because I didn't bother to make a mental note to remember them. The point is that sometimes security is simply a matter of taking the time to do basic stuff. Examples here would be shielding your hand from prying eyes like mine, or hanging the keyboard in a position such that you can type with multiple fingers. That would have made it much more difficult for me to watch the letters she was typing.
