LPRC - CrimeScience – The Weekly Review – Episode 121 with Dr. Read Hayes, Tom Meehan & Tony D’Onofrio
Episode Date: September 23, 2022NRSS is released in partnership with the LPRC & the data is enlightening! In this week’s episode, our co-hosts discuss the conclusion of a rail strike and its implications, the leaks of unreleased m...edia continue, the data in the NRSS is analyzed and discussed in great detail, Russia’s continued threats, and a look at why people are hacking for credit rather than financial gain! Listen in to stay updated on hot topics in the industry and more! The post CrimeScience – The Weekly Review – Episode 121 with Dr. Read Hayes, Tom Meehan & Tony D’Onofrio appeared first on Loss Prevention Research Council.
Transcript
Discussion (0)
Hi, everyone, and welcome to Crime Science. In this podcast, we explore the science of
crime and the practical application of this science for loss prevention and asset protection
practitioners as well as other professionals. Welcome, everybody, to another episode of
Crime Science, the podcast. Today, the latest episode in our weekly update series, and I'm
joined by my co-hosts, Tony D'Onofrio and Tom Meehan, and our producer, Diego Rodriguez, who's also producing the upcoming LPRC Impact Conference as well, which is going amazingly.
What's not going well is my voice.
I'm very hoarse.
I did have a cold.
So what I'm going to do with no further ado is turn it over to the expert team.
Tony, take it away.
Thank you very much, Reid, and I hope you feel better.
First, I want to say really great job at GSX in terms of the panel that we had with Bloomingdale's.
Really, really nice job in terms of the material that was discussed.
And so I'm looking forward to
many more of these. But this week, I want to focus on the just published NRF 2022
Retail Security Survey. And first of all, I really congratulations to NRF, to the Loss
Prevention Research Council that participated this year, and Opris Retail for publishing a really
nice and new edition in terms of what's happening with retail shrink in the United States.
Similar to the last five years, the average shrink rate in 2021 was 1.4 percent.
When taken as a percent of total retail sales in 2021, that shrink equates to an amazing $94.5 billion
in losses, up from $90.8 billion in 2020. While retail shrink encompasses many types of losses,
it is primarily driven by external theft, including theft attributed to organized retail crime. In fact, retailers on average saw a 26.5% increase
in ORC incidents in 2021. Beyond the loss of goods, these incidents are increasingly alarming.
Eight in 10 retailers, I repeat, eight in 10 retailers surveyed report that the violence
and aggression associated with organized retail
crime incidents increased in the past year. In terms of the size of the retail teams,
the majority of respondents said the teams are remaining the same. A relatively large subset
of just over 37 percent of the retailers indicated that the departments are growing,
the retailers indicated that the departments are growing, while roughly 12% said they are shrinking.
Modern loss prevention teams are responsible for securing a variety of facilities and assets.
100% of the respondents reported that they're responsible for physical stores.
85.5% indicated they were responsible for also securing the organization's headquarters,
and nearly 84% reported that the LP team was responsible for securing supply chain facilities.
One of the greatest changes in retail over the last 30 years has been the shift to e-commerce.
in retail over the last 30 years has been the shift to e-commerce.
Interesting, just over 53% reported that their team is responsible for securing their e-commerce platforms, but only 10%,
roughly 10% reported that they were responsible
for the retail app ecosystem.
Really great question that I liked a lot in this edition was for your
APLP department to become more successful, which of these skills you believe need to be strengthened
or further developed? The majority of respondents reported needing greater analytic and investigative
skills, which likely reflects the increasingly important role of business intelligence
which likely reflects the increasingly important role of business intelligence in the role of loss prevention,
as well as retailers' need to investigate and organize retail crime.
Close to half, roughly 45 percent of respondents reported that their 2022 budgets were increasing compared to the previous year. Most respondents are spending more on
technologies or capital equipment, while a sizable minority reported that budgets for guards and
other were increasing. On average, participating retailers attributed the greatest portion of shrink, 37%, to external theft, including organized retail crime,
followed by employee internal theft and process control failures.
Shrink control is only one aspect of loss prevention.
These departments must also act to protect associates, customers and facilities and many other types of non-merchandise assets.
The majority of respondents report incidents of guest and associate violence, external theft, and organized retail crime.
In particular, it had become more of a priority compared with five years ago.
were five years ago. However, respondents also indicated that other violent threats,
such as mass violence, and this was high, nearly 58 percent, and gun violence,
have risen in priority in recent years, and gun violence was nearly 53 percent.
Respondents were also asked to list their top three priorities for 2022, and the respondents are categorized as these,
as offense-oriented, which are things like external theft, internal theft, violence, fraud,
organized retail crime, tactic-oriented, which are target hardening, training, education,
and investigation, resource-oriented, which are personnel and technology, or operations-oriented, which
operational controls, process, and reporting.
A lot of this, we spend a lot of time here at the Laws Prevention Research Council, so
if you're not a member, you need to be.
Additionally, just nearly 13% of respondents reported they have had prosecution thresholds for internal incidents, and just
over 29% reported that they have prosecution thresholds for external incidents, while the
majority, nearly 71%, reported that they did not have dollar value prosecution thresholds
for either internal or external incidents. As retail risk changes,
retailers must turn to new strategies and technologies to mitigate those risks. The
greatest challenge of participating retailers reported and what technologies they're actually
applying was very, very interesting this year. Number one is RFID. Number two is artificial intelligence at point of sale and self-checkout,
including video analytics. Number three is license plate recognition. And number four is
self-service locking cases or lockers. In many ways, these technological changes, and really this is important, represent a shift toward more intelligence-based loss prevention practices, as many of the technologies provide more data and richer data about offenders and loss prevention events in store.
This intelligence is necessary for investigating crime, but it is also necessary for detecting what problems are occurring
and addressing those problems. Again, this is a key focus of the Loss Prevention Research Council.
We spend a lot of time at technology and figuring out which ones work best and really driving
towards more intelligence is one of the key goals of the LPRC. Finally, COVID-19 has had a tremendous implication on the retail risk landscape.
Nearly 90% of respondents report that COVID has resulted in an increase of risk of violence
within their organization. These echoes early in funding show that retailers are increasingly
concerned about violence in stores, as well the safety of
their employees. Organized retail crime, again, received a lot of attention this year. The
majority of participating retailers, 68.5% reported that they did not have an ORC team.
In fact, only 31.5% reported that they did, while nearly 53% reported organized
retail crime increased, 27.5% said it stayed the same, and nearly 20% were not sure.
The majority of participating retailers, just over 81%, reported that ORC offenders are somewhat to much more violent when compared to
a year ago. This is concerning since over a third, which is roughly 36%, reported that ORC
offenders were much more violent when compared with a year ago. Research suggests that their
favorite topics, and this is, again, one of my
favorite lines, are the ones that are CRAVED. Now, you might be wondering, what do I mean by CRAVED?
CRAVED is an acronym that stands for conceivable, removable, available, valuable, enjoyable,
and disposable. And the report actually has a really nice list of by retail category exactly what are
the high items in retail. So that's just a quick summary of what's in the organized, what's in the
Retail Security Survey published by NRF. But really congratulations to NRF, to the Loss Prevention
Research Council, and to Epris Retdale for publishing this great new edition of the
security survey for the United States. And with that, let me turn it over to Tom.
Well, thank you, Tony. Thank you, Reid. And quite a bit going on, you know, since our last podcast,
we nearly had an extremely large rail strike, which would have really crippled us. Additionally,
we have major weather events occurring, so I know we'll be spinning up the fusion net.
I wanted to talk about some cyber incidents, cybersecurity-related topics, because they're
hot, and I think it's something that could, in fact, impact all of us. Uber has
had a hacking incident and a cyber incident. I'm resisting using the word breach because I think
this is going to turn into more than just what a traditional breach is. And there are a couple
interesting key factors about this attack. One being that it was perpetrated by an 18-year-old teenager.
That's not in itself that concerning. I think what's really concerning is this was
not a sophisticated technical attack, but rather a social engineering attack where
reports suggest as of today that through social engineering, this individual sent text messages to Uber employees and convinced them that he worked for the IT department and was giving a password.
So I just want to kind of think through social engineering.
And I know in retail, we talk about people calling registers and asking to do test transactions.
And so this is something that we face in retail.
But I think we assume that highly technical individuals wouldn't fall prey to it.
And I think this really talks about the importance of education and awareness that an individual
is able to text an Uber employee and have them give credentials, which then allowed
them to roam free in the system. There were a lot of
embarrassing screenshots posted, some just joking in nature. One was an actual screenshot of a Slack
message saying you've been hacked. And a lot of people thought it was a joke, didn't really take
it seriously. But the overarching comment here was this wasn't someone with a high degree of technical capability,
and I don't want to minimize their technical capability
because that's an assumptive statement.
But what I can surely say is that their technical capability
may have been present, but they didn't use it here to get into the system.
Additionally, the same week, the company that makes the very popular game Grand Theft Auto had a very similar attack, actually probably the exact same methodology according to what we're
hearing so far. And that was also perpetrated through a test social engineering tax and there
was leaks of what arguably was one of the one is arguably one of the more popular video games and
leaks of videos of a video the version that's not even going to be released in two years um so
really unfeathered access if you will to to these systems and And when you think of the Uber attack,
we don't even know what the significance is yet.
There is some assumptions to be made about hashing
and hashed and encrypted data.
So I think at this stage, it's somewhat safe to assume
that the credit card data is probably actually safe. So I think when we think
through that, it's probably encrypted. And when I say probably, I'm resistant to get into too far
detail because obviously I don't have any deep, dark details on this whole incident, but it would lead,
my basic thought would be that you probably have a minimal,
actually minimal, if at all,
potential for credit card information to be leaked
based on kind of what the type of occurrence
that had that occurred.
So anecdotally, I think we'd be uh probably won't be
seeing credit card data but we don't know what level of data we'll see uh almost all of the
screenshots are very embarrassing and really perpetrated to do to show the the ability to
hack into it so i think this is um a trend that we saw many years ago, often
that kind of died down and potentially could be resurfacing where people are
hacking to show their skill set. I think we will see more to come with this. There's obviously
risk in this person bragging about it getting caught, and I think there's a lot more to come from this.
So one thing that really came interestingly out of this whole piece is that there was a rash of cybersecurity job posted right after.
So one of the indicators of potential cybersecurity issue is jobs that are open.
the indicators of potential cybersecurity issues, jobs that are open. That was one of the things that was communicated via some of the news channels afterwards that there would be a method
to track based on job postings. Switching gears a little bit to Russia, Russia issued a veil threat
to shoot down commercial satellites. I think some of this may be over portrayed in the news media, but there were comments about commercial satellites being potentially shot down.
And they used the word private and commercial and pesky, and they could become legitimate targets if they were directed against Russia. So it isn't clear that they were referring to Elon Musk's Starlink, but one can draw that conclusion because Starlink was deployed to make sure that the Ukrainian people still had access to internet. So while they didn't specifically say that, I think there is something
to be said about the kind of insinuation that really comes through that.
I think this is going to be something to watch. I think that some of these veil threats, you have to take a very
sophisticated approach to a threat like this because you don't want to discredit,
but you also don't want to over-credit or put too much behind these type of threats. So one of the
things I often wonder is when you get a threat like this, what does it actually mean? And Russia has talked about potentially using nuclear weapons. This one
was a little bit more specific in what they said. I think that we'll just keep an eye on it and
continue to report on it. And then something that I thought was interesting and really important to
the group here is California. So Fox News released a story earlier this week that said California County saw 70% of
criminals that were released on zero bail committed a new crime, says the DA.
And I think this was a news report.
So I'm curious and going to try to find some more information to get a little bit more facts behind it.
But we also – it's important to note.
So New York, New Jersey have bail reform laws in effect, and New York is probably as close to a bail elimination law as you could get.
New Jersey is pretty strict as well.
And then there are several other states
that are going down that path. I think the city of Chicago is going to institute one in the next
six months. So it's something certainly to look at because the previous study stated that there
was no direct correlation between bail
and people attending court.
That was what really the New York State one cited so often, but they didn't talk about
recidivism and likely to repeat.
So I think this is an interesting thing to watch as we continue to see the trends and
the tides changing.
And then last last but certainly not
least, Impact's just a few weeks away. There's still time to register if you haven't registered
already. Register will be there. Excited to be there and hope to see everybody there.
With that, I'll turn it back over to Reed. Thank you, Tony. Thank you, Tom. Thank you,
Diego. And thank you all for listening. Stay in touch, and we hope to see you in Gainesville at 2022 LPRC Impact in two weeks. Take care.
enjoyed today's episode, you can find more crime science episodes and valuable information at lpresearch.org. The content provided in the Crime Science Podcast is for informational purposes only
and is not a substitute for legal, financial, or other advice. Views expressed by guests of the
Crime Science Podcast are those of the authors and do not reflect the opinions or positions of
the Loss Prevention Research Council.