
Retail Security: Major Attacks





Shoplifting



People steal everything, even things they don't need. It seems to be done out of sporting interest, out of habit, or simply because the opportunity arose. But there are real professionals too. In the simple case the goods are just put in a pocket; in more elaborate ones the tags for the anti-theft gates are removed, or the goods are shielded with a special bag that has an analogue of a Faraday cage in its walls (clothing stores suffer from this). Expensive, top-end anti-theft gates can detect rare-earth magnets and shielded bags already at the entrance, so the next round has been analogues of electronic-warfare equipment, in particular assorted Chinese jammers. But far more often goods are carried out in a pocket, a sleeve, trousers, under a jacket or inside the box of another product.



DDoS attack on the shop, with theft



Imagine that a large crowd suddenly walks into the store: a gypsy camp, say. Keeping track of the goods becomes physically impossible. The countermeasure: press the alarm button first (ideally at the moment they enter). Sometimes schoolchildren attempt this kind of attack, piling in as a whole class, but they are fairly easy to find at their schools (everyone is on video surveillance).


The 5,000-ruble change attack



A beautiful social-engineering method. An attacker approaches the seller, discusses the goods at length, hesitates, then buys something small (under a thousand), produces a 5,000-ruble note, waits for the change, refuses the purchase, takes the goods again, and in the end buys after all and leaves. The essence of the attack is that he never actually handed over his note. The cure is simple: do not give change until the buyer's money is in your hands. Even so, a shop with a steady stream of customers sees attempts at this attack roughly once a week.



Counterfeit money



The point of sale simply must have equipment for checking banknotes. Not all fakes can be told apart by eye: around 2007 I saw notes on which the watermark had been drawn with a thin pencil to look like the real thing. The talented artist was looked for, by the way, but never found. The attack is usually carried out like this: for about 15 minutes two people discuss the goods, go into the details, collect a pile of small items and make the seller run back and forth until he is worn out. Then they try to pay quickly and receive the change (about 3-4 thousand rubles from a 5,000-ruble note). A seller who is distracted by the conversation, busy with the small items and exhausted may skip the moment of verification.



Employee discount attack



When an employee is allowed to give a sizeable discount, he can sell you the goods at one price (retail) but record the sale as a discounted one, and the difference goes into his pocket. There are two measures: first, do not give big discounts at all (this is a matter of marketing: the price should be fair rather than knocked down by discounts). The second measure is monitoring receipts and the reasons given for discounts.



Merging orders into one large order



Sometimes a large order earns a gift, a bonus or something else (a discount). A seller-attacker can skip ringing up 2-3 receipts, then enter everything sold as one receipt and collect the gift himself. It is solved the same way: monitoring receipts, strict IT policies, and harsh penalties for not issuing receipts.



Virtual return



This is a kind of theft, but here a malicious seller sells the goods to a second attacker and then processes a return on paper, giving the money back (or simply processes a return on any goods bought by some other customer, "into his own pocket"). Measures: every return must be reported, the goods tracked precisely, and the exact reasons for the return understood.
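The three previous sections (employee discounts, merged orders, virtual returns) all come down to the same control: monitoring receipts. As an added example that is not from the original post, here is a small receipt-log monitor in Python run over a constructed sample log; the Receipt fields, the 10% discount threshold and the 8-item gift threshold are assumptions, not any store's real schema or policy.

```python
"""Receipt-log monitor for the discount, merged-order and virtual-return patterns.
Added example: the Receipt fields, thresholds and sample log are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Receipt:
    rid: str
    employee: str
    kind: str                # "sale" or "return"
    items: int               # number of line items on the receipt
    list_price: int          # rubles at retail price
    paid: int                # rubles actually taken (sale) or refunded (return)
    reason: str = ""         # stated discount or return reason
    original_sale: str = ""  # for returns: id of the sale being reversed


# Constructed sample log: one week at a small shop (not real data)
RECEIPTS = [
    Receipt("s1", "anna", "sale", 1, 1200, 1200),
    Receipt("s2", "anna", "sale", 2, 3500, 3500),
    Receipt("s3", "anna", "sale", 1, 900, 900),
    Receipt("s4", "boris", "sale", 1, 2000, 1200),            # 40% off, no reason given
    Receipt("s5", "boris", "sale", 1, 4000, 3000, "promo"),    # 25% off, reason given
    Receipt("s6", "boris", "sale", 9, 8000, 8000),             # bulk receipt: earns the gift
    Receipt("s7", "boris", "sale", 1, 1000, 1000),
    Receipt("r1", "vera", "return", 1, 1200, 1200, "defect", "s1"),    # reconciles with s1
    Receipt("r2", "boris", "return", 1, 2000, 2000, "", "s4"),         # refunds more than was paid
    Receipt("r3", "boris", "return", 1, 5000, 5000, "defect", "s99"),  # no such sale exists
]

MAX_DISCOUNT_RATE = 0.10  # assumed policy: over 10% average discount is unusual
GIFT_ITEMS = 8            # assumed policy: receipts with 8+ items earn the bulk gift


def discount_findings(receipts):
    """Discounts without a stated reason, and employees whose average discount is high."""
    listed = defaultdict(int)
    given = defaultdict(int)
    findings = []
    for r in receipts:
        if r.kind != "sale":
            continue
        listed[r.employee] += r.list_price
        given[r.employee] += r.list_price - r.paid
        if r.paid < r.list_price and not r.reason:
            findings.append((r.rid, "discount without reason"))
    for emp in listed:
        rate = given[emp] / listed[emp]
        if rate > MAX_DISCOUNT_RATE:
            findings.append((emp, f"discount rate {rate:.0%}"))
    return findings


def bulk_findings(receipts):
    """Receipts large enough to earn the gift, grouped per employee for manual review
    (a seller merging several customers' purchases shows up as a cluster here)."""
    per_employee = defaultdict(list)
    for r in receipts:
        if r.kind == "sale" and r.items >= GIFT_ITEMS:
            per_employee[r.employee].append(r.rid)
    return dict(per_employee)


def return_findings(receipts):
    """Returns that do not reconcile with a recorded sale."""
    sales = {r.rid: r for r in receipts if r.kind == "sale"}
    findings = []
    for r in receipts:
        if r.kind != "return":
            continue
        original = sales.get(r.original_sale)
        if original is None:
            findings.append((r.rid, "no matching sale"))
            continue
        if r.paid > original.paid:
            findings.append((r.rid, "refund exceeds amount paid"))
        if r.employee == original.employee:
            findings.append((r.rid, "return processed by the selling employee"))
        if not r.reason:
            findings.append((r.rid, "return without reason"))
    return findings


if __name__ == "__main__":
    for finding in discount_findings(RECEIPTS) + return_findings(RECEIPTS):
        print(*finding)
    print(bulk_findings(RECEIPTS))
```

Each finding is a lead for a human to check against the video and the stock records, not a verdict: a legitimate promo week will also push an employee over the discount threshold, which is why the reason field matters as much as the rate.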



Scam: local Internet at a monopoly price



This is an attack by the landlord on the tenant. Quite often in shopping centres, business centres and so on you are allowed to connect cable Internet from only one provider, and at an exorbitant price. When you try to run any other cable, the owner may formally permit it but then create a pile of problems, "accidentally" cut the cable once a day, and so on. One tenant had a satellite dish blown away by the wind (with its bolts neatly unscrewed).



Scam: the "entry fee"



A shopping centre run from afar can charge an "entry fee" officially (a one-off sum for the right to rent the premises), or it can do so unofficially: small regional shopping centres sometimes sin by earning on the side without informing the owner in Moscow or in Europe. Read the agreement carefully to establish the status of every payment. Another variety of this scam is payments that suddenly appear "for the shop window" after the fit-out is finished and so on, which are not in the contract. They may be genuine (nobody has abolished ordinary disorganisation), or an attempt to shake some money out of you. Read the contract. If it is not in the contract, it should not exist in reality.



Burglary



Our store on Taganskaya (the old one, on Friendly) was once cleaned out. They took money, a laptop and a poker set; there was an Ixbox store next door, so they carried off all of that too. In general, it is impossible to make a store completely burglar-proof. But you can make it uninteresting compared to the neighbouring shops: it is like running from a lion, you don't have to run faster than the lion, you have to run faster than your neighbour. Strong doors, a pair of locks, video surveillance, copying the recording archive to a remote server, an alarm button. Timely cash collection. All of this helps a lot. Admittedly the story here is the same as with backups: there are those who don't do it, and those who already do.



Surveillance footage



Surveillance footage is usually used to determine whether goods have been stolen. As a rule it is stored for several days and also streamed in real time to the guard. Sensibly, the guard should alternate between the monitors and the sales floor so as not to tire. In the end the thief's face turns up on one of the frames, is handed to the police and, if the character clearly acted professionally, printed out and pinned to the wall in the back room. In clothing stores it is very interesting to go into the staff areas: there are sometimes whole galleries of such people together with descriptions of the thefts carried out against that store.



Video surveillance is very important for catching people who steal from the inside: the cashier from the former USSR whose temptation proved stronger than reason; cunning warehouse staff; sellers scanning a barcode from their sleeve rather than from the product, and so on. One security guard I know at a large retail store pulled off a great trick. The staff knew the cameras could not cover the whole floor and relied on knowing the visible sectors. This man, who had previously worked somewhere interesting, planted hidden cameras inside various products on the top shelves and hung new dummies of big cameras so that the thieves walked straight into his "ambush". In three days, two dozen people were caught.



CCTV Vulnerability



You probably know that cameras with an IP address exposed to the outside can be connected to directly, and there are thousands of them indexed in Google. The vulnerability for the store is that an HD camera hanging above the till shows every keystroke on the keyboard perfectly, including every password being entered.



So how does a store treat all this?



  1. Selecting decent people.
  2. Strict control of stock balances and documents for every movement of goods.
  3. Tracking returns and their causes.
  4. Tracking stale goods and regular physical inventories.
  5. Keeping detailed logs of every operation from goods receipt to sale. Plus video surveillance.
  6. Regular mystery-shopper checks.
  7. Monitoring reviews and feedback on all channels.
  8. Regular cash checks and regular cash collection.
  9. Strict rules for working at the till: do not turn your back on the customer; the cash drawer must always be closed; money only in the drawer. Always keep a trap note: a 1,000-ruble note whose serial number is written down in a notebook.
  10. Physical security: for example, when you dismiss an employee, you must change the lock cylinder and every password used in the store.


There are hundreds more vulnerabilities and variations on them. What is striking is, on the one hand, the sheer inhuman ingenuity of some individuals and, on the other, a stupidity that sometimes borders on idiocy. For example, I know of a case where the seller in a mobile phone shop pulled money out of the till and then noticed the camera above his head. Not finding a "video recorder" (well, the footage was being sent straight to a remote server), this genius decided he simply had not searched well enough. And, to cover his tracks, he set fire to the shop.



If you add to the topic and tell us in the comments about vulnerabilities you know of, it will be very cool.



UPD:

zomby: "The most IT-flavoured attack is sellers searching for vulnerabilities in the POS terminal software. In one mobile phone shop they found a wonderful bug and used it successfully for some time: the program allowed selling 0.1 of a phone, while a whole phone was written off the stock balance."
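The bug zomby describes, a fractional quantity accepted for a discrete product, is an input-validation failure at the till plus a missing reconciliation between what was charged and what was written off (the "strict control of stock balances" item in the list above). As an added example in Python, not the software from the comment, here is an assumed reconstruction of the bug next to a hardened sale routine and a reconciliation check over the stock balance; the catalogue, stock figures and function names are constructed.

```python
"""POS quantity validation and charge/write-off reconciliation.
Added example; the bug reconstruction, catalogue and API names are assumptions."""
from decimal import Decimal
import math

# Constructed catalogue: sku -> (list price in rubles, sold in whole units?)
CATALOG = {
    "PHONE-1": (Decimal("25000"), True),   # discrete item: integer quantities only
    "CABLE-M": (Decimal("150"), False),    # sold by the metre: fractions are fine
}


def buggy_sell(stock, sku, qty):
    """Assumed reconstruction of the bug: the price uses the fractional quantity,
    but the integer stock counter is decremented by a whole unit."""
    price, _ = CATALOG[sku]
    qty = Decimal(str(qty))
    charged = price * qty          # 0.1 phone -> 2,500 rubles charged ...
    stock[sku] -= math.ceil(qty)   # ... but one whole phone written off
    return charged


def sell(stock, sku, qty):
    """Hardened sale: validates the quantity against the product type and the stock,
    and writes off exactly the quantity that was charged."""
    price, discrete = CATALOG[sku]
    qty = Decimal(str(qty))
    if qty <= 0:
        raise ValueError("quantity must be positive")
    if discrete and qty != qty.to_integral_value():
        raise ValueError(f"{sku} is sold in whole units only")
    if qty > stock[sku]:
        raise ValueError(f"insufficient stock for {sku}")
    charged = price * qty
    stock[sku] -= qty
    return charged


def try_sell(stock, sku, qty):
    """Returns the amount charged, or None when the sale is rejected."""
    try:
        return sell(stock, sku, qty)
    except ValueError:
        return None


def reconcile(before, after, charged_by_sku):
    """Detective control for the stock-balance check: units written off, valued at
    list price, must equal what the till charged at list price.
    Returns the gap per sku (an empty dict means the books are clean)."""
    gaps = {}
    for sku, (price, _) in CATALOG.items():
        written_off = (before[sku] - after[sku]) * price
        charged = charged_by_sku.get(sku, Decimal(0))
        if written_off != charged:
            gaps[sku] = written_off - charged
    return gaps


if __name__ == "__main__":
    stock = {"PHONE-1": 10, "CABLE-M": 50}
    before = dict(stock)
    charged = buggy_sell(stock, "PHONE-1", 0.1)
    print("buggy: charged", charged, "gap", reconcile(before, stock, {"PHONE-1": charged}))
    print("hardened:", try_sell(stock, "PHONE-1", 0.1), try_sell(stock, "PHONE-1", 2))
```

The preventive fix is the `discrete` flag check in `sell`; the detective control is `reconcile`, which would have surfaced the 22,500-ruble gap per "0.1 phone" on the first stock count even if the till software had never been fixed.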

dimitrimus: "Regarding passwords: I once saw the OS booting on a cash register in one large supermarket; apparently someone had switched it on and gone off on business. I don't know how critical the protection there is (maybe there are no public networks, or there is no need to protect the information), but during boot the console log showed passwords for databases and other things, right there."

ncix: "Here's one: a client once came to me with a problem in my then-project (cash register software). They requested the databases and got back an Internet address: a Firebird server with the default username/password, shamelessly exposed, with the databases of several banks behind it."

domino_47: "Once I was withdrawing money from an account and the cashier handed out the sum in small notes after recounting them on a machine. There was already a queue and I started to hurry, but I recounted anyway, and 10,000 rubles were missing. When I asked where the missing money was, she, with surprised eyes, handed over another bundle that had been 'lying around' at the side of the payout window, naturally on her side."

NovgorodovNikolay: "When I was head of IT at Euroset DV, there was a classic case in Anadyr:

The seller processed a return of phones sold 11 months earlier. He filled out the return documents himself, using a copy of some random person's passport from the loan application paperwork. Then, using an unofficial 'side' processing routine in the program, he changed the status of the goods from 'return' to 'new' and processed their resale to a customer. Since the time for shipping/receiving 'equipment for repair' between Anadyr and Khabarovsk or Moscow exceeded every established norm, nobody took much interest in the transfer of money from 'customer goods' to 'company goods'. The seller's gain was the difference in price between 'now' and 'a year ago': a new phone can be sold for, say, 25,000 rubles (especially in Anadyr), and a year later for 7,000 rubles."

perk: "Ryker in the cafe. The waitress disconnected the terminal from the Internet, so the data did not reach the server, nor the money the till. Found 4 months later, after careful analysis of reports and video. A camera stood nearby but did not record exactly what was happening. You can see her climbing under the counter, looking for a pen, or a piece of paper, or a napkin, or something."

Source: https://habr.com/ru/post/225611/


