Monday, September 15, 2014

A look at EAS

So far, all of my security posts have been network and/or security related. This one speaks of a gig I just finished: a pen-test project conducted against a major retail operation. A friend of mine hired me on to augment a team of pen-testers on a project that was already under way.

I came on initially for network penetration testing and firewall policy review. Since the project had a requirement for conducting physical site security testing and penetration, I suggested to the project manager that we include product security, as in anti-theft preventive measures.

This idea was suggested to the customer, who immediately liked it, and after a 1 hour conference call we laid out the ground rules and restrictions:

· No armed robbery (yes, I'm not joking here: no physical confrontation with anybody, including loss-prevention personnel or customers)

· No tampering with any EAS tags

· No tampering with any EAS monitor gear (aka transceivers)

· No tampering with the packaging of any device that has an embedded EAS tag

· Items must be $100.00 USD or more in value to be considered for this project

Okay, that looks simple, right?

Well, let's back up some and explain the whole EAS tag concept, retail theft, and the flaws within.

Retail theft is always a problem for stores throughout the world. Products are always being stolen, and department stores are always deploying various means of reducing theft. Some install cameras throughout the store's public and private areas, others place security guards at entrances and exits, some even put door-open alarms on their doors, and lastly others trust in EAS systems.

EAS stands for Electronic Article Surveillance and is primarily used to track smaller, high-value products such as handheld electronic devices (phones/tablets/memory/cameras/etc.), CDs/DVDs, game cartridges, phones, etc.

These products are typically coupled to an EAS tag, or have one embedded in the item's packaging. The tags are typically thinner than a pen or pencil and shorter than a human pinky finger in length.

How the EAS concept works:

· A product that's reviewed as being a high-theft object will undergo EAS insertion. The store negotiates with an EAS vendor like Tyco Sensormatic (where I was at one time employed as a contractor in their IT/network dept). The vendor will provide an assortment of tags similar to these:

· Transceiver devices are deployed at the entrances of the retailer's store doors, similar to the following:

When an actively armed tagged article passes through a transceiver, an audio/flashing warning is emitted. I know you have seen these devices and/or at least heard one go off. They produce a buzz, chime, or siren, and in some cases briefly emit flashes of light to alert store employees of a possible theft.

Retailers deploy these systems as a deterrent to theft, in a way similar to how a bank installs security guards, dye packs, cameras, bullet-proof glass and man traps; yet banks are still robbed all the time, and in some cases the crooks are very successful (makes one think).
Key point on history: at one time Chicagoland was the bank robbery capital of the world, with a bank being hit every week if not every day. But back to the story at hand.

Well, back to our tagged articles of protection: the stores try to reduce theft, but in reality they are not 100% successful by a long shot. Most stores will not publish data on just how many goods are stolen yearly; most choose to report only an estimate. Who really knows; we just know items are being stolen on a daily basis by both amateur and professional thieves.

So in this gig, my goal was to prove whether this particular retail outlet's choice of anti-theft mechanism was foolproof or not. I was given a list of 10 stores in the greater tri-county area where I resided. Out of these 10 sites, I picked 6 stores that were going to be "hit", so to speak, and didn't let anybody know, including the pen-test leads, the customer, or any of their personnel.

I can't disclose the store names or locations, but the sites were scoped out for a few days before my big event would take place. In those few days, I recon'd the stores and mentally selected the merchandise that I was going to try to lift. I also probed their EAS alarm systems to get an idea of the employees' reactions, and to validate that the EAS gear was actually working.

How I probed the stores was very easy. I purchased a few devices at another store (ones that were not properly deactivated), removed the EAS tag from one of them, and used it to trigger the 6 selected stores' EAS detection systems. It took me a few tries to get a non-deactivated tag from my initial purchases, but once I found a few good ones, it was simple to just walk in through the store entrance with my trigger EAS tag in my front shirt pocket. A couple of passes through the doors will let you know if the system is active.

In most cases the store employees did one of the following:

· hardly raised their heads or barely looked my way
· waved me on my way, as if nothing happened
· or did absolutely nothing

The latter is what happened almost eight out of ten times in my probe testing of the retailer's 6 target locations. They did nothing: no challenge, not even an acknowledgement. I thought to myself, "This is going to be easy."

All but one of the six stores had working EAS transceivers, so I skipped store #6 since its detection device was non-operative at the time of my initial probe. How often they actually monitor the function of these devices and provide maintenance is questionable, IMHO.

So on the day of my big event, I dressed in a nice casual polo & shorts, with my get-out-of-jail paper, and drove to store #1. It was a fall/winter day and the time was approx. 10:00 AM. I strolled around store #1 for about 30 mins, looking at this and that, and loading up my cart with big/heavy and duplicate items. The goal was to lay the item(s) of theft under these bigger items. These items were going to do one of two things:

· shield the item from the EAS transceiver
· or hide it from visual eyesight, if the alarm should go off

My plan worked like a charm. My 1st store was looted of one item that weighed under 2 lbs and cost approx. $132.00 USD.

I spent maybe 1 hour in that store total. The heavier items were too much of a hassle for the checkout employee to remove and reinsert into my shopping cart, so she just scanned one item of the many that I had. I went to my next 4 targets, doing the exact same thing but selecting another product to lift, using the same method as with store #1.

In all, I was 5 out of 5, and at the conclusion of that day of work I had $687.82 USD of goods. Not bad for a day of work.

Now you can get an idea of how organized retail theft rings work, and that the goods they lift typically end up at a flea market or pawn shop. At these places they are sold for a fraction of their face value. These organized pros target stores like mine, lifting small items with no serial numbers or with very hard means of tracking.

Now you can see that EAS systems are not effective by any means. In all of the 5 stores (not counting the one with a broken or non-operative transceiver), I was not challenged by any store personnel. In store #5, they even had a rent-a-security-guard at the door, and she barely raised her head when the alarm went off, since her attention was directed at her smartphone and the reading of a text or email.

I will say this:

the alarms did trigger in all cases, but the culture of enforcement was broken by the employees.

So one can say the systems operated as designed, and it was the employees' fault. But overall, the EAS systems were not 100% effective in the prevention of theft. Only the honest person would be deterred by the EAS systems. There's an old saying that goes like this: "locks only keep out the honest people". Well, this holds true for EAS systems.

Stores like Office Depot, for example, don't bother to waste time and money on these EAS protection devices. They choose the route of delaying the customer by making him/her bring an inert display item or box to the front counter and wait while they call up an associate to retrieve the item of interest for purchase. Or they stock certain items up front and behind the front counter.

This is probably more effective than a multi-thousand dollar EAS system and the 0.05-0.15 cent bulk pricing of the EAS tag that is either packaged, pinned or coupled to the device.

I hope you found this article useful. 

Ken Felix
Freelance Security Network Guy
kfelix  “ a t “ hyperfeed dot com
