So far in all of my security posts, has
been network and/or security related. This one speaks of a gig that I just finished
from a pen-test project that was conduct
against a major retail operation. A friend of mine, hired me on as a augmenter to a team of
pen-testers, for a project that was currently
under way.
I came on initially for
network penetration testing and firewall policies review. Since the project had
a requirement for conducting site physical security test and penetration, I was able to suggest
to the project manager , if we could include product security; “as in anti-theft preventive measures”.
This ideal was suggested to the customer, who immediately liked it and
after a 1 hour conference call, we laid out the ground rules and restrictions;
· No armed robbery (yes I’m not joking here, no physical
confrontation with anybody to include loss-prevention personnel or customers)
· No tampering with any EAS tags
· No tampering with any EAS monitor gear ( aka
transceivers)
· No
tampering with the packing material of any device that has a embedded EAS tag
· Items
must be at least $100.00 USD or more in value to be considered for this project
Okay that looks
simple, right ?
Will let’s back up some and explain the whole EAS tags concept
and retail-theft and the flaws within.
Retail theft is always a problem with a host of stores thru
out the world. Product are always stolen, and various department stores are always
deploying various means for reducing theft. Some install cameras thru out the
store’s public and private areas, others place security guards at entrance and
exits, some even place door-open-alarms if open,
and lastly others trust the EAS
systems.
EAS stands for Electronic Article Surveillance and primarily
& is used to track the smaller/high value products such as; a handheld electronic devices ( phone/tablets/memory/cameras/etc...) , CD/DVD, games cartridges, phones, etc….
These devices are typically coupled to a EAS tag or embedded in the packing
material of the item. They are typically less than the thickness of a
pen/pencil width and shorter than a human pinky finger in length.
How the EAS concept works;
· A product that's reviewed as being an high theft object, will under go a EAS insertion. The store
negotiate with a EAS vendor
like TycoSensormatic ( who at one time I was employed as contractor in their
IT/network dept). The vendor will provide an assortment of tags similar to these;
· Transceiver
devices are deploy at the entrances of the retailer store doors similar to the following;
When a tagged article that‘s actively armed & passes thru a
transceiver, a audio/flashing warning is emitted.
I know you have seen these devices and/or at least heard one go off.
They produce a buzz, chime, or siren. And in some cases, they briefly emits flashes or lights to alert store employees of an possible theft.
The retailer stores deploys these systems as deterrence to
theft, in a way similar to how a bank installs, security guards, dye packs,
cameras, bullet-proof glass and man traps, but yet banks are still always being
robbed and in some case the crooks are very successful ( makes one think ) .
Keypoint on history: At one time the Chicagoland was the bank robber
capital of the world , & with a bank being hit every week if nt every day, but back to the story at
hand.
Will back to our tagged articles of protection, the stores
tries to reduce theft, but in reality they are not 100% successful by a
long shot. Most stores will not publish data on just how many goods
are stolen yearly, but most choose to report only an estimated. Who really knows, we just know items are being stolen on a daily basis by both amauetur and professional thieves.
So in this gig, my goals was to prove that this particular retailer
outlet & their choice of anti-theft mechanism was fool proof or not. I was given
a list of 10 stores in the greater tri-county area that I resided in. Out of
these 10 sites, I picked 6 store that where going to be “hit” so to speak. And
didn’t let anybody know, and that including the pen-test leads nor customer or
any of there personnel.
I can’t disclose the store name or locations, but the sites
where scoped out for a few days & before my big event would take place. In
those few days, I recon'd the stores, and mentally selected the merchandise that
I was going to try to lift. I also probe
their EAS alarms systems to get an ideal of the employees reactions, and to validate the EAS gear was actually
working.
How I probed the stores was very easy. I purchase a few device at another
store ( that where not properly deactivated ) and removed the EAS tag from that
device, and used it to trigger the 6 selected
stores EAS detection systems. It took me a few tries to get a non deactivated
tag from my initial purchases, but when I found a few good ones, it was simple
just to walk in thru the store entrance, and with my trigger EAS tag in my
front shirt pocket. A couple of pass
thru the doors, will let you know if the systems was active.
In most cases the store employees did one of the following;
- · hardly
raised their heads or barely looked my way
- · wave
me on my way , as if nothing happen
- · or did
absolutely nothing
The latter was what happen in almost eight out of ten times
in my probe testing of the retail stores 6 targets locations. They did nothing,
no challenge, and even to the point of no acknowledgement. I thought to myself ;
“ This is going to be easy”
All but one of the six stores, had working EAS transceivers,
so I skipped store #6 since the detection device was non-operative at the time
of my initial probe. How often do they actually monitor the function of these devices and provide Maintenance is questionable imho.
So on the day of my big event, I dressed up in a nice causal
polo & shorts, with my get out of jail paper, and drove to store number #1.
It was a fall/winter day and the time was approx. 10:00AM. I strolled around in store #1
for about 30mins, looking at this and that, and loading, up my cart with
big/heavy, & duplicate items. The goal was to lay the
item(s) of theft, under these bigger items. These items where going to do one
of two things;
- · shield
the item from the EAS transceiver
- · or
from visual eye sight, if it should go off
My planned worked like a charm. My 1st store was looted of one item
that weighed under 2lbs and cost approx
$132.00 usd.
I spent maybe 1 hour in that store total. The heavier items
where too much of a hassle for the checkout employee, to remove and reinsert
into my shopping cart. So she just scanned one item of the numerous/many that I had. I went to my next
4 targets, doing the exact same thing, but selecting another product to lift,
but using the same method as with store number 1.
In all, I was 5 out of 5, and at the conclusion of that day
or work, I had $687.82 USD of
goods. Not bad for a day of work.
Now can get an ideal of how
organized retail theft rings work, and that the goods they lift typically
ends up at a flea market, or pawn shop. At these place they are sold for a fraction of
their face value. These organized pros targets stores like mine, and by lifting
small items with no serial-numbers or with very hard means for tracking.
Now you can see that EAS systems are not effective be any
means. In all of the 5 stores, and not counting the one with a broken, or
non-operative transceiver, I was not challenge by any store personnel. In store
#5, they even had a renta-security-guard at the door, and she barely raised her
head when the alarm went off, since she her attention was directed at her
smartphone, and the reading of a text or email.
I will say this;
“ the alarms did trigger in all cases, but the culture of enforcement was broken
by the employees ”.
So one can say the systems operated as designed, but it was
the employees fault. But overall the EAS systems was not 100% in the prevention
of theft. Only the honest person would be deterred by the EAS systems. Theirs
an ole saying that goes like this; “locks, only keeps out the honest persons”.
Will this holds true for the EAS systems.
Stores like office-depot for example, don’t bother to waste
time and money with these EAS protection devices. They choose the route of delaying the customer, by making him/her bring a inert
display item or box to the front counter, and to make them wait, while they call up an associated to retrieve the items of interest for purchasing. Or they stock certain items, upfront and
behind the front counter.
This is probably more effective, than a multi-thousand
dollar EAS systems and the 0.05-0.15 cent bulk pricing of the EAS tag that
either packaged, pinned or coupled to the device.
I hope you found this article useful.
Ken Felix
Freelance Security Network Guy
kfelix “ a t “
hyperfeed dot com