LPRC - CrimeScience Episode 61 – Ransomware, Social Engineering, & Physical/Digital Skimming Featuring Nolen Scaife (University of Colorado, Boulder)
Episode Date: October 13, 2020Nolen Scaife, Assistant Professor of the Department of Computer Science of the University of Colorado, Boulder, rejoins our podcast to discuss ransomware detectors, when organizations pay the ransom,... social engineering, malware countermeasures, password management, and much more with our host, Dr. Read Hayes. The post CrimeScience Episode 61 – Ransomware, Social Engineering, & Physical/Digital Skimming Featuring Nolen Scaife (University of Colorado, Boulder) appeared first on Loss Prevention Research Council.
Transcript
Discussion (0)
Hi everyone, welcome to Crime Science. In this podcast, we aim to explore the science of crime and the practical application of this science for loss prevention and asset protection practitioners, as well as other professionals.
We would like to thank Bosch for making this episode possible.
Be a leader in loss prevention by implementing integrated solutions that enhance safety, reduce shrink, and help to improve merchandising, operations, and customer service.
operations, and customer service. Bosch integrated security and communication solutions span zones one through four in the LPRC zones of influence while enriching the customer experience and
delivering valuable data to help increase retail profitability. Learn more by visiting
Bosch online at boschsecurity.com. Welcome everybody to another episode of Crime Science,
the podcast. I'm excited to talk again. Really, this is a redux in a way, the second version of Dr. Nolan Scaife of the University
of Colorado at Boulder.
Nolan and I go back two, three years while he was doing some graduate work at the University
of Florida.
In other words, getting his PhD.
But he's a cybersecurity expert.
And we've really relied on his expertise and some of the other members of that time of FICS,
including Patrick Treanor and Kevin to name two. But what we thought we'd do, Nolan, is tap into your expertise on just an ever-present
and presumably growing problem out there with cybersecurity.
So, Nolan, welcome.
First of all, let me say welcome to you.
Thanks.
It's great to be back, Reid.
All right.
So, Nolan and I were just chatting before we started the on-air recording, if you will, about 2020,
the year that many of us, if not everybody, will hopefully want to forget.
But, you know, talking about now forest fires on top of everything else that we've been experiencing
and just the sheer number. And in
the state of Florida, we've had some very serious ones in the past, but knock on wood right now,
for some reason, not participating in the current one. It's probably because we're having torrential
rains all day, every day. So Nolan, let's talk a little bit, if we could, about what you're working
on at University of Colorado in your area, what's some of your focal points that
you're allowed to share with us at Crime Science? Sure. So I have some students that are working
with me on a project to better test ransomware detectors. And I think last time i was on here read we talked a little
bit about uh the ransomware problem and this really started from you know in the academic
literature now there are hundreds of papers about um ransomware of course this is this is an attack
where if you haven't heard of it uh an attacker runs some software on a computer, and it goes
through and it encrypts the files in a way that the only way to recover from those files is to
pay the ransom. So in this way, it's kind of an extortion attack. And, you we've we we did some uh some work on ransomware uh while i was at university
of florida i guess it's probably been five years or so ago now and in fact that was one of um
that was one of university of florida's first uh startup companies crypto drop
for for security and um you know in the meantime I've seen this problem continue to grow. You know,
it's grown in some sense from just a crime of opportunity to more of a targeted attack. And so
you're seeing, you know, these big companies and even government agencies, the city of Atlanta,
Garmin, and so forth that have been in the
news recently and get hit by these and get extorted for millions of dollars.
And we were curious why if there's been all this work that's been going in
to research and ransomware.
Why does this continue to be a problem?
It seems like we're getting a pretty good handle on this attack
and the kinds of ways to stop it.
So the students and I here at CU Boulder have been working on a way
to better evaluate these detectors, if you will,
to try and figure out where are the gaps in our coverage
to maybe hopefully in the future be able to build a better detector.
So that's one thing.
So that's one thing. And, you know, we continue to work on different devices into our home, how can we have better guarantees of, better guarantees that devices are doing what they say they're going to do on the package?
So that's another project that we're working on.
Hopefully that answers your question, Reed.
No, that's fantastic. And I thought if we could maybe start with ransomware
and dig a little deeper. And, you know, we all, I can sense in your voice and I can read that
in the literature even that while ransomware continues to be a very serious issue for some
organizations, including law enforcement agencies, city municipal governments, we know,
have been shut down and so on. But yet yourself and others in the cybersecurity realm are saying,
wait a minute, I think we've got some good tools. We can get better. We are getting better.
But maybe tell us a little bit more about what's going on with ransomware, Nolan.
Why is this so difficult?
And are there some things that we should be looking at in our behavior as well as the tools that we might use?
So the ransomware problem is a particularly challenging one for security researchers.
challenging one for security researchers because this is a behavior encrypting your own files that a user might do themselves. So, you know, unlike a lot of other malware that's trying to
perhaps exfiltrate data or other kinds of attacks, this is a somewhat benign looking activity in a lot of cases.
So if you think about having data on your own laptop, for example,
you might choose to encrypt that data to either email it out safely,
or maybe to just protect it on your disk.
And really, there's not much of a fundamental difference
between what ransomware is doing and you doing that to your own data,
which makes it difficult to decide.
If I say I'm going to write a program to detect this type of attack, for example,
it makes it difficult because I can't
necessarily determine the intent of the action that's happening on the machine.
And, you know, there's a lot of belief, I think, that circles around. And you can see this if you look, you know, when there are these types of attacks in the media, for example, with not to pick on Garmin, but the Garmin attack that happened just a few weeks ago, that, well, you should have had better backups, for example. You should have had a better recovery plan.
And the challenge with those types of criticisms is that even if you have a backup, I mean,
if you think about, you know, a large-scale organization like what I think probably your listeners here are in,
that having a backup, having that copy of that data, and actually being able to restore it
and do a full disaster recovery when you're attacked on a scale like, say, Garmin was,
recovery when you're attacked on a scale like, say, Garmin was, is really challenging and time consuming and expensive to do. And so what we're seeing is that the ransomware market, in some
sense, is able to bear the costs of these ransoms. So if you're a large company and you get hit with one of these large scale attacks, and the ransom demand is $10 million, we're starting to see companies really seriously consider and even paying those ransoms.
that cost is less than the cost of either they don't have the ability to recover or the cost of recovery is substantially more expensive than the ransom. Interesting. So I thought we could
talk a little bit about social engineering and asset protection loss prevention. It's been a
topic and an issue and it's been tackled to a certain extent over the years, but it seems more important than ever.
And that seems you're alluding a little bit to social engineering.
We know we've long had people calling the stores and saying or doing certain things and setting up scenarios.
doing certain things and setting up scenarios.
But there's been a few,
and I thought we could run through these a little bit,
where some of the ways it might lead to ransomware that might lead to other cyber issues.
And maybe you as the doc, if you will,
could talk to us about it.
But an example are when customers email customer service
or to the retailer's corporate office or an outsource place location or even to the store sometimes, and they include a downloadable file that's their receipt or proof of purchase.
They've scanned it with their phone or a printer or something like that.
or a printer or something like that.
Any thoughts around that type of social engineering,
a way to, is there anything we can do to scan or lock down or validate?
I'm not sure, just a question though.
So a lot of systems, especially large enterprise systems that accept unsolicited user input, or not unsolicited, that accept unfiltered user content.
So, for example, like you said, a customer service portal where somebody can upload a file,
and that file might be a receipt or a screenshot or a copy of an email or something like that.
A lot of these systems have the capability to perform basic virus scanning
or the ability to limit certain types of files from being uploaded.
But this really isn't a panacea for the ransomware attack,
especially for a targeted attack.
A lot of these systems are designed to detect malicious content that's been seen before.
So, for example, if I were to upload a piece of ransomware that's infected thousands of other people, then maybe your system would catch that and stop it.
The real challenge comes when I want to target your environment.
And so I'm going to make sure that I send something in that I know nobody, your vendors,
your employees, nobody has seen this before.
And so these kinds of heuristic-based checks for malware are likely to not pick it up.
And so what you want to make sure that you have is that if you need a customer, for example, to upload a PDF, then your system should only allow PDF uploads, for example. And then when that gets to your employee
who's going to view that,
one way to do this might be to change that
into a different format,
like change it into a picture
instead of a PDF programmatically
so that what they're viewing
is not this executable content
that might lead to something like a ransomware attack.
But in general, this is the kind of thing where your developers for these types of applications should be in close contact with your security teams
in close contact with your security teams to make sure that there isn't this path between,
for example, the general public and an employee system where there's not a series of checks and access controls and so forth to prevent unknown malicious content from getting in.
Okay. Interesting.
Another that has been reported is employees finding a USB drive,
you know, on the floor in the restroom under a display fixture or in a
fitting or dressing room. Any thoughts there?
And then, of course, say, oh, we need to find out what's on this or who does this belong to so we can return it.
Any thoughts on that type of attack?
This is actually, interestingly, Reid,
this is solvable in some sense at both the technical and the behavioral level.
So, obviously, you want to tell your employees,
don't plug in USB drives that you find,
but also you can take action on the technical side
to make sure that, for example,
there are products that will say only a particular brand
or serial number or type of USB drive can be connected to our systems,
or you can just block them altogether.
So there are those access controls on the technical side.
Interestingly, to read, there's a great academic paper out of the University of Illinois.
I think it's called, yes, users really do plug in USB drives, they find,
where they did this campus-based study
where they would drop USB drives across the campus
and then track how and when they got plugged in.
And it turns out that, you know, people really do do
this. And so it's a behavioral thing to teach employees and customers and everybody that,
you know, just because you find it doesn't mean it's safe to use.
Interesting. And, you know, it's sort of topical right now, but we're all aware, or most of us, that people across the United States and perhaps other countries began receiving these mysterious seeds and packets that were mailed to us, presumably from China, according to the return address and the postage and other indicators.
the postage and other indicators. And local, county, state, federal, government, media started warning and putting up, but still hundreds of individuals evidently went and planted those seeds,
not knowing if it was invasive, not knowing anything. And so it's interesting, like you say,
human behavior. Yeah, I think there's a, there's a, there's a certain amount of, of curiosity that goes into it. Um, whether that's a letter or a package, um, or a USB drive,
but you find something and, and you think that it is, you think it might have something
interesting or fun, um, in it. And so you, you kind of naturally are just curious about what this thing might contain
without thinking that perhaps this is an adversarial environment that you're in.
Interesting. What about this idea? I know that Chipotle and others have experienced breaches and
maybe ransomware attacks, credential stuffing or using
stolen names and passwords. But part of the idea is that if you get somebody's name and a password,
that we all know we should have unique passwords for each site and keep them up to date and they
should be actually good passwords. Any thoughts around this idea of credential stuffing and preventing that?
This is a, it's a pretty pervasive problem. And on the part of, on the part of the company that is,
that's running the service, that's having credentials stuffed into it, there's very
little that you can, very little that you can conceivably do about that. In some sense, Reid, it's a lot like the ransomware attack,
where this is something, you know, a user trying a handful of passwords
on a legitimate account is something that you might, you know,
conceivably do as a user.
The real challenge here, in my opinion, is the behavioral aspect of using a different password at each site that you go to.
And the challenge, of course, there is that we talk about, okay, you should have these.
Security people, we say you should have these really long passwords that have letters and numbers and and symbols and capital
letters and um and they should um and you should use a totally different one for each uh for each
site that you go to the challenge with this is that in order to do that you need some you'll
have to have some sort of password manager or some sort of system to manage those. Now, for the general public, there are a handful
of really great ones. I wouldn't say that they're always the simplest to use. Sometimes they fail
in interesting and mysterious ways and you kind of have to take over.
But, you know, what I've found is that in my industry experience over, you know, many years of working in industry is that one of the things that's overlooked is the ability
for the enterprise to give that to the employees, to offer a system and training to use that
system to have unique passwords at different sites
or to securely share a password for a shared account for an internal application or something like that.
Long term, I think we may move further and further away from passwords.
And you already see this on mobile devices with, for example,
face recognition, fingerprint scanners, those kinds of things.
Where that hasn't really quite made the leap yet is in desktop platforms.
But I think we're inching ever closer to that every day.
Very good.
I know we hear about near-field communication, you know, NFC and,
you know, cell phones and card readers, price scanners, you know, and that someone can scan
a QR code and maybe gain access to an exclusive app. But there's evidently some risk here,
But there's evidently some risk here, corruption and modification, eavesdropping.
Any thoughts, Nolan, on NFC, what it is, what we could maybe do about it as a retailer? I think one thing that's overlooked is this idea that we're kind of implicitly training people to point their cameras at things.
You know, take a picture of this, scan this QR code, tap your phone here.
And today, the majority of those cases are benign. You know, if you go into a store and you scan a code or you tap your phone or you take a picture of something, it's not, it's going to be, you know, a benign experience for the user. But once people are comfortable doing that, it'll be, in my opinion,
relatively straightforward to start, you know, putting up QR codes that link to malicious content or NFC scanners that do a different thing than what it would appear that it does.
For example, a fake payment terminal or something like that.
And once we're kind of used to just working through that workflow on benign applications,
I think what we'll start to see is malicious use of
that increase. And so, you know, I would encourage folks that are out there considering how do we
bolster our engagement with customers? Can we have them take a picture, scan a QR code, or tap their phone to really think
about whether or not they've put the tools in place for the customer to be able to identify
if this is a legitimate or fraudulent situation? Good insights. I appreciate that. You know,
another thing that we know back in 2013, Target a horrific breach um i understand the the terminology
the attack type was ram um you know ram scraping and so forth what anything about that we should
know about uh that type of pos or car transaction uh interface um in the in this type of ram
scraping attack no yes so so this type of you know this type of RAM scraping attack? Yeah, so this type of payment malware works by,
the workflow is sort of approximated by this.
You swipe your credit card or put a payment in,
a gift card, something like that.
The terminal will read that, and then it's stored briefly
in the point-of-sale unit's memory while it's being processed.
So you can imagine that processing being, okay, I need to package it up
and send it to the payment processor or something like that.
And what this malware will do is it will just constantly sit there and check the memory of the
machine to see if it contains a valid credit card number or gift card number, something like that,
and then when it does, it pulls it out and it stores it. Now, you know, there's a probability
that any sequence of 16 digits will appear to be a valid credit card number. So the attackers don't really worry
about whether it's valid at that time. They can test them later. And so the fix for this is,
and you see this now in payment terminal technology, the terminal will encrypt the
card number so that the point of sale machine, for example, does not ever see or is able to store that number.
So you see techniques improving on the point-of-sale side for doing that.
doing that. I think one thing we don't talk about particularly often, and I understand that the rationale for this is development ease, cost of equipment, and so forth. But one thing I think is
worth thinking about is, in a lot of cases, point-of-sale equipment in a store or retail environment is a general purpose computer that is able to do
lots of things. It's just that the code that's currently running on it is point of sale code.
And with that comes all the same challenges that are there with securing a desktop or a laptop
computer. It's a general purpose operating system
that can do lots of different functions.
And so I think in some sense,
this is an artifact of low cost computing equipment
that's able to be used for,
or low cost general purpose computing equipment
that's able to be used for a lot of different tasks,
and we have just loaded software on it to do one particular thing.
And I think that there's some value in exploring if you're a merchant and you're working with,
or a technologist that's working in retail, that it's worth thinking about how can we reduce the surface area for attack
on, for example, point-of-sale machines by thinking about
can we build a machine that is primarily a point-of-sale machine
and doesn't have the capability or the capacity to do extra
things like scrape the memory and so forth. Now, this isn't a panacea for all types of problems,
but I do think that as computing has been widely deployed in these organizations,
widely deployed in these organizations, that it's worth thinking about how do we build machines that are more purpose-built, which reduces that attack surface area.
Great insights. Let me ask you this, Nolan, a little bit about
online, I guess we should call it web skimming. That is a problem for us consumers, but also,
as you know, most of our retailers have e-commerce sites. And we work with some that that's all they
have. But anything about web skimmers, and I'm not sure if I'm even pronouncing this right,
is it MagCart or MageCart, MagCart? Yeah, MageCart. It's a MageCart is a particular skimmer that was targeted.
Not not certain if it's still solely targeted to that, but was for the Magento shopping cart system.
And the idea here is that an attacker somehow gets the ability to control what's on the website.
Now, that might mean that they compromised your web servers to be able to add this code,
or maybe they compromised one of your partners.
For example, if you load third-party code on your website.
And in any case, they get the customer's browser essentially to load your shopping cart page and load an additional piece of code, which is the malware.
And so when the customer types in their credit card number and clicks submit, this extra code also runs.
And so in addition to actually successfully checking out on your website, the attacker also gets to siphon off that credit card data.
So that's kind of the web skimming problem.
web the web skimming problem and uh this is um this is something that um we've been looking at something that is interesting to us um and how to detect this so in some sense when we think about
um when we think about what this means or how to detect this, you might say, well, I don't want third-party code to load on my site.
But in the vast majority of cases, that's not possible.
For one reason or another, there is third-party code that loads that makes the widgets look just right or performs a certain kind of check on the customer's machine.
And so typically, you find that websites want that functionality.
So the question for us as researchers, and I don't have the answer to this yet, this is, you know,
why we call it research, right, is how do we detect when the credit card data is being used in an unauthorized way. And what that looks like
and how we detect that, I think are still open questions. But we're certainly interested in
how to resolve this over time. Fantastic. So I guess let's kind of on these attacks,
let's start, let's stop with this next one. And this is one of the ways I got to know you and Patrick and your team there,
and that is around card readers, skimmers.
What's kind of the 101?
A little bit about how these skimmers work.
Where do they put skimmers?
I guess, where do they put them?
How do they work?
And what's going on to affect them?
And maybe is EMV actually preventative or not?
So, yeah. So, the skimmer problem is one of terminal tampering. So, the idea here is that
someone is going to come into your store, into your bank, or anywhere where there's a payment terminal or an ATM, and they're going to make some sort of the card slot. These are kind of independent embedded devices.
They fit right over the card acceptor,
or they will put something inside the card acceptor.
In other words, this is kind of a card-shaped device
that they can insert and press into the card slot.
But the general gist of it is the same.
So what happens is a customer puts their card in,
whether it's EMV or a mag stripe,
there is some mechanism on the skimmer
that is going to either read the card
or communicate with the card.
And this can give the attacker enough information to be able to make a fraudulent
payment or fraudulent withdrawal from an ATM, for example.
And yeah, so a couple of years ago, we worked with the NYPD. And since then we've worked with, my gosh, countless law enforcement agencies,
retailers, banks, et cetera, to work on this problem.
And in fact, this was, I talked a little bit
about CryptoDrop, UF's first security startup.
Now we have Skim Reaper, which is our second,
UF's second security startup,
which designs devices to check for skimmers.
One of the challenges in this arena is that unless you catch somebody in the act of installing one of these,
which is very difficult to do on its own,
the difficult part is that a customer is almost never going to spot it.
And even trained eyes like specialized law enforcement officers and so forth can have a hard time actually detecting these, especially if they're on the inside of the machine.
You know, if I stick it into the front of the card acceptor slot.
side of the machine, you know, if I stick it into the front of the card acceptor slot.
So what we've been trying to do over the last couple of years is bring to market and test and deploy devices that help detect these types of attacks electronically.
So rather than, you know, measuring or eyeballing this
problem, this is a device that can tell you definitively that there was something in the
machine that did or did not attempt to, you know, read or communicate with the card that's in there.
and so what the the ultimate outcome for this you know for for merchants uh it's loss of trust uh that you know consumer comes into your store and they get and you know they they believe that
they got skimmed at your store and they're less likely to come back uh and so what we've been
this is the problem we've been trying to solve is how do we put these
tools right in the hands of people that can give you a more definitive answer of what the problem
is. That's great. And I know that you guys continue your research and the Skim Reaper's
been pretty amazing. I understand there's some good activity around that, larger and larger purchases of the technology.
It's just the logic that you all applied and then the engineering you put into that and then the refinements you've made.
And it's got to be one of the most user-friendly technologies I've ever seen.
technologies I've ever seen. It's, it was a, thanks Reed. And it was a really, it was a really fun and interesting process to go through actually looking at skimmers and seeing how they work.
And then really getting down to the, the basic physics of how these cards work. You know, I'm a,
I'm a computer scientist, but you know, you know, when the work takes me into the field
of magnetics and electrical engineering, I get really excited about that because it doesn't
happen very often in our field. And so, you know, when we got in there and we saw how these work,
and we were able to build a detector that detects them in a way that, you know, we don't believe
it's possible to evade without breaking the laws of physics.
That's a pretty exciting aspect of that technology.
And so we took that and we wrapped it up in a package that it's easy to use.
You basically turn it on and you press a button and then you swipe it like a credit card.
And then it reports back instantly. Yes,
this is okay or no, it has a problem. And that can lead you to do further testing,
go back. And if you're doing this kind of check regularly, then you have the ability to go back
to your cameras and look to see, okay, well, it must have been installed between, you know, time X and time Y.
And that can really give you a great picture of who's attacking you.
I appreciate that. So let's do this. Let's go, Nolan, kind of finish up here. You've given us
a tremendous amount of information on some of the more common and devious attacks that a retail
company might experience and helping the AP, LP, or law
enforcement practitioner understand at the level that we need to at this point about these problems
and some possible fixes. I'm really curious to understand, I'm, as you know, a criminologist,
a social behavioral scientist, so I understand as much as I guess anybody can what our field looks like, both in academia, as well as companies that we work with, the government and the funding there and so on. what disciplines do cybersecurity experts come from? What fields?
And what's it look like from the academia side,
how you get science to practice?
Of course, we have journals, we have conferences,
and then we've got ways that we put that information out.
Well, it's largely the same way here, Reid.
So we have conferences and we have security journals that we send our academic publications to. venues, for example, in distributed systems and operating systems and so forth, that are now
excited and willing to take security works. It's been my experience that,
and it's my belief that, you know, outside of kind of the basic tenets of security,
access control, and confidentiality, and integrity, and these things that we want,
these properties we want. The security as a whole is not really something that you build.
You know, I can't go and make you a box of security. And so it's a property that we seek
in other systems. And so our community is really one of collaboration, where we go in and we look at operating systems or payment systems or looking at malicious software.
And we take to those areas these practices that we have and this way of what I would call adversarial thinking in these other disciplines.
And that's what helps us make other disciplines more secure
or at least explore the problems of security in those areas.
Now, from the aspect of where security folks come from
and their backgrounds, it's all over.
We find people that are interested in machine learning or data analytics that are interested in security.
People come to us from the law school, from the business school, from the School of Arts and Sciences here at CU, that want to know more about security because these issues are not strictly, in
my opinion, computer science issues. A lot of these issues are becoming more
prevalent today, especially with regards to law and policy. And so one of my goals has been to try and figure out how we can give security,
how we can deliver quality content that gives people a security acumen that aren't necessarily
from a security background. And the example I use, Reed, is that if you're working in finance at a company, you are not necessarily interested, perhaps, in becoming a security expert.
In other words, you don't necessarily want to leave that job.
You like finance.
You want that career path.
But that's a very security-sensitive role.
But that's a very security-sensitive role.
And so what we're trying to figure out how to do here is deliver the right content to folks that are interested in having some security background.
And so what I'm finding is that it's coming from all backgrounds. It's not any one. And it's certainly not only computer science.
That's excellent. So, and I understand, you know, industrial systems engineers, electrical
engineers, as well as, as you mentioned, computer science are involved in them. But I love the idea
that social behavioral sciences and others can all do that.
And I've enjoyed working with you all and trying to look at it from the human
back and forth while you all are the technical people,
but you certainly,
you all also have to understand the human behavior around this and everything
about around these attacks and the countermeasures,
the counter countermeasures and so forth.
That's right. I mean, I'm a firm believer that many technical solutions are not useful if they're
not usable. And so, you know, we talked a little bit earlier about password managers and, you know,
password managers are a great tool they're very they're
very good at keeping track of these really complex strings and and and
making them accessible to you but if they're if they're complicated to use if
they don't always work and and worse if you if it adds friction to the experience, whether that's using a computer
or shopping at a store or whatever, people are going to naturally attempt to avoid it.
And so we're always trying to, you know, our community is always trying to look at ways to
make things frictionless, you know, to add these properties of security
without fundamentally damaging the user experience.
This has been excellent. And I know I appreciate your time, your expertise,
and really your delivery, Nolan. You take very complicated, very complex issues,
and you make them understandable for us that are lay
people in this area. And much appreciated. It's a serious issue. And as you know, the asset
protection LP people that we deal with, they've got a pretty broad portfolio. And sometimes they're
in charge of cybersecurity or components of it, or their team provides investigative support for the IT,
the IS professionals that deal with it. So thank you very much for that and your time. And I look
forward to talking to you again. And I ask, stay safe out there in Colorado, but it's certainly a
beautiful area there in Boulder. And I got to
go out there and tour before COVID hit and can't wait to get back out there. Thank you so much,
Reid. It was great to be on here. All right. Enjoy the rest of the week and to the rest of you,
thank you for listening to Crime Science, the podcast. And again, please stay safe out there.
Any questions, comments, or suggestions for us at the LPRC or our UF research team,
operations at LP Research is a great way to communicate, and lpresearch.org is the website.
So stay safe. Thank you.
Thanks for listening to the Crime Science Podcast presented by the Loss Prevention Research Council
and sponsored by Bosch Security.
If you enjoyed today's episode,
you can find more crime science episodes
and valuable information at lpresearch.org.
The content provided in the Crime Science Podcast
is for informational purposes only
and is not a substitute for legal, financial, or other advice.
Views expressed by guests of the Crime Science Podcast
are those of the authors
and do not reflect the opinions or positions
of the Laws Prevention Research Council.