LPRC - CrimeScience – The Weekly Review – Episode 160 with Dr. Read Hayes, Tom Meehan & Tony D’Onofrio
Episode Date: August 24, 2023
The LPRC is in full swing preparing for IMPACT 2023. Our hosts discuss our prep and welcome a new research scientist, Caleb Bowyer, to the team. Some other topics covered this week are the recent Axis... event and some takeaways, some recent retail trends and how they affect us, and latest cybersecurity updates and best practices. Listen in to stay updated on hot topics in the industry and more!
Transcript
Hi, everyone, and welcome to Crime Science. In this podcast, we explore the science of
crime and the practical application of this science for loss prevention and asset protection
practitioners as well as other professionals. Welcome, everybody, to another episode of
Crime Science, the podcast. This is the latest in our weekly update series, and I'm joined
today by our co-hosts, Tom Meehan and Tony D'Onofrio. And of course, big news is we can continue here
at the LPRC to work now with two presidents on crime science, Tom Meehan of ControlTech
and Tony D'Onofrio now of Sensormatic, part of the overall team out there. And what we're going
to do is talk about a little bit around the world on crime and loss
prevention. Right now we're in heavy preparation for the 2023 LPRC Impact conference. We've got all
of our content identified. The team is each working on putting together their slide decks. We've got a
template. Of course, we're working with our co-speakers.
We always like to have one or more retail practitioners, as well as if it's called for,
a solution partner, law enforcement partner, whoever else might have been working on that
project with us. Again, the content at LPRC Impact can be a little different than other conferences in that most of it is, by and large, evidence-based,
based on survey, offender interview, experimental, data analytic, or a combination of those types of research
to gain more understanding about problem dynamics, gain more understanding about much more precise and targeted solution sets and sometimes rigorous
to very rigorous assessment or evaluation of the impact of whatever treatment or intervention
or countermeasures are applied. So it's pretty neat. We like to add a lot of spice. We have
polling and questions, Q&A as part of each and every session. We have props in
the room, things to bring it alive, and so on. So Impact, we try it across the board to make it a
lot different experience. Clearly, having social events at the UF Innovate Hub, inside and outside,
touring the labs, talking about research with the researchers, looking at the collaboration that's
going on with solution partners between them and retailers and our research team.
Now, I don't even know the number. We're at well over 300 solutions across all of our six interior
and our one exterior lab area that we have at the UF property. Now we're also talking about and showing and
demonstrating with interactive maps the field research areas that we're starting to work in,
the east side, the west side of Gainesville, Port St. Lucie, and then we're in heavy prep for Atlanta
and Albuquerque as well. Those maps are underway as we prep to go in there. We also like to go into
the social environments at the Wright Student Union where the conference is hosted. It's a big,
beautiful, very modern facility. Absolutely beautiful in there. It's a neat place to explore
and right in the heart of the campus right there in a very pretty area, a big, huge,
open, grassy, treed mall and so forth. And then, of course, having the social events in the swamp
over there makes it especially interesting. We'll be doing something with UFPD's new public safety
complex. And in fact, some of us are heading over there today at 9:30 this morning to meet with the University of Florida Police Department executives or command staff, as well as the safety people that are based there that work on tabletops.
So we're going to be doing some joint planning on that, particularly for the integrate part of Ignite.
And that's our winter planning meeting February on UF campus.
So we're excited about all that.
We're working on different types of deterrent countermeasures across the double bow tie.
If you're not familiar with the double bow tie, we invite you to come into Impact,
spend some time with us or come in and whiteboard with us as we do strategic planning, but also demonstrating how we look at the offender journey.
A big part of this is creating dilemmas for would-be offenders or crews, things that we put up and out there that they've got to figure out.
At each and every point we're trying
to persuade them to desist, not progress their crime event, their journey to harm somebody else,
to take their possessions, to threaten, intimidate, or worse with them. So a lot of discussion around
that. We had a top professor for the University of Florida's ECE, or Electrical and Computer Engineering Department in the Wertheim College of Engineering, working on potential sensor alignment.
We're going to be having some CIS, or Computer Information Sciences and Engineering, in other words, computer science folks coming over.
The folks coming over, we're talking about looking at some new technology that's just been deployed for law enforcement when they pull over vehicles that they can first contact them by their phone before they walk up, possibly reducing anxiety, tension, confrontation, so forth. So the beauty of having now our growing team here at the LPRC is also getting to interact with world-class, I mean, absolutely world-class faculty and graduate students across all types of disciplines.
We've got this week also Professor Kang Hyo coming by, and she is a world-renowned expert in creating VR, virtual environments, particularly retail
environments and outdoor environments. We've used those environments for testing, particularly
female fear of crime in parking areas and understanding all those factors, which we've
discussed before. So we're taking that to the next level. She has some students to work on
creating environments for active assailant scenarios to get more and
better data. There's been some preliminary work done by Kong and her team and some of the team
we've got here in what we call Operation SafeCord, which is engineering and criminology and urban
planning, interior design, architecture, and of course, digital worlds where Kong is
and creating the virtual environment. So a lot of collaboration and collective activity here,
a whole lot going on. As per always, some of you all have seen on social media, we've had
the leadership from Ralph Lauren, from Rite Aid, from Harbor Freight, and many others coming through here to spend a day
with us. Solution partners like Axis. We just had a group in here from Publix and At Home and TJX
and Ahold and some other Bloomingdale's and so on. So continually bringing in the top leaders in the industry to brainstorm
with us, for us to learn, for them to learn, but to think and stretch and test and to bring them
into an environment where we've got hundreds of solutions arrayed, looking at integrations,
but there's a place that they can come in that's independent and assess things. So almost too many things to talk about.
We do have a new research scientist too.
Caleb Bowyer has just joined.
He is just finishing his PhD in computer engineering
and with a specialty in machine learning,
complex AI modeling and so forth.
He's the one that's working with me already
and Sam and some of the
other team here on arraying sensors and AI models along the offender journey to crime
so that we're thinking about every aural, digital and visual signal or signature that an offender,
their crime tools and weapons, their vehicles and so forth, emit or their features of them
that might be inferenced to give us an earlier and better defined warning to a decision maker
so that we might head some of these people off the offending track and save lives and assets.
So with no further ado, let me turn this over to Tony D'Onofrio. Tony, if you would,
take it away.
Thank you, Read, again, for all that great information. This week, I want to focus on
some updates that I delivered on the state of retail at the Axis Retail Leadership Forum,
which was held in California. Let me start by saying that LPRC was well represented by a presentation by one of our producers, Diego Rodriguez,
who did a great job on presenting and sharing all the activities that are taking place at
the Loss Prevention Research Council.
The audience was 73 individuals representing 43 retailers, and the meeting was held at
the Google Cloud Innovation Center in Silicon Valley.
As the event was sponsored by Axis, I opened my presentation by asking the question,
in which country was the CCTV camera invented? The choices were the United States, China,
Germany, or Japan, and the answer is Germany. The CCTV camera was invented during World War II by the Germans
to watch remotely the launch of their V2 rockets as they sometimes tended to explode on launch.
The first mass use of CCTV cameras was the coronation of Queen Elizabeth in the 1950s,
and this is probably when London started acquiring the reputation
as one of the most video-surveilled cities in the world.
There are currently nearly a million cameras installed just in London,
or roughly one CCTV camera per 10 people.
If you do go to London, you are likely to be captured on CCTV
up to 70 times a day.
All this data is from Clarion UK as of 2022. Also interesting that in 2021,
the world overall crossed over 1 billion cameras installed, with China and the United States having
the most. If you look at the top 10 cities with the most CCTV cameras per thousand people, the top
four cities, it was actually interesting to find out, are in India.
Number five is Singapore, and London is actually still number 10.
In the presentation that I did, I provided an update to the audience on the state of the world economies using July 2023 data from the International Monetary Fund and the OECD.
Globally, gross domestic product is projected at 3% for 2023 growth and 3%, again,
GDP growth in 2024, according to the IMF. This is actually an improvement from the last forecast
earlier this year. For advanced economies, such as the United States, the projected growth overall for all the advanced economies is projected at just 1.5% in 2023 and 1.4% in 2024. And this is a dramatic decline from
the 2.7% GDP growth in advanced economies that they saw in 2022. All this data is from the
International Monetary Fund again. If you look at the OECD data, they show that the United States this year will grow at just 1.6%, which is actually slightly better than the global average.
But next year, for 2024, they're projecting that growth will only be 1%.
To that same audience, I also asked a second question which I thought was very interesting.
Which countries have the highest theft per 100,000 people?
The choices were United States, United Kingdom, Denmark, and Sweden.
The answer again was very interesting and surprising.
The number one country with the highest theft per 100,000 people is actually Denmark, followed
by Sweden.
I counted that this was interesting that multiple of the Scandinavian countries are also included
every year as some of the happiest countries in the world. And Scandinavia, again, includes
Denmark, includes Sweden, and includes Norway and Finland. But what is this data really telling us? What's the
correlation between happiness and theft? That's something to go investigate. But I didn't do it
for this presentation. The data that I shared was actually from World Statistics, which they
regularly publish on Twitter. I continued in my presentation and reminded the audience that retail is a very vibrant industry that will keep on growing into the future.
In 2023, according to eMarketer, retail as an industry is valued at over $30 trillion.
It will rise to nearly $34 trillion by 2026.
Retail e-commerce will keep on growing, but at a slower pace. By 2024, 2026, 24% of total retail will be
online. This means that 76% of total retail sales in 2026 will still be in physical stores.
So stores are not going away. They're actually the opposite, becoming much more important
in making online sales more
profitable. One of the stats that I shared is that online orders cost retailers 10 to 15 percent
more than purchases made in physical stores. For the first time, I also shared some forecasts for
the 2023 holiday season. NRF projected this year holiday sales in the United States will grow 4 to 6 percent.
Just over 80 percent of the holiday spend this year will be in physical stores. Also interesting
this holiday season, AI will influence 194 billion dollars in global online spend.
Buy online and pick up in stores will drive an incremental 28 billion dollars
in spend globally and social media advertising will drive 10x more holiday shopping
visits than traditional market. And finally, 17% of gifts this holiday season will be resold or
used item, saving 32 billion pounds of waste from landfill. In the presentation, I also shared the five hottest technologies for retailers, which are defined as those that have, for retail winners or retail leaders, and retail winners are defined those that had 10% growth or more the previous year.
And the five hot technologies in 2022 were RFID, updated bonus sale, microservices, edge computing, and extended communications
into the parking lot.
For 2023, the top five technologies are currently projected to be geolocation solutions, tools
for associates, electronic shelf labels, mobile checkout, and for this audience, loss
prevention prescriptive analytics.
The top five technology analysis in both 22 and 23 is from the IHL group, and this is great data that I think we need to
keep in mind. I ended my presentation by stating that loss prevention is at a critical moment in
importance. Over 200 retailers at the CEO and CFO level brought up the problem of shrink in the last round of earnings call.
I reminded the audience that more needs to be done, including improved loss prevention technologies, improved legal frameworks around controversial technologies and organized retail crime,
and stronger partnership between retailers, law enforcement, solution providers, government entities,
and industry groups such as the Loss Prevention Research Council.
According to NRF, 6 in 10 retailers believe that a federal organized retail crime law is required
to address the challenges of professional thieves.
And I do believe that loss prevention, by stepping up to the opportunity that is around us right now,
where all the staff has the potential to get into the C-suite,
and I think the Loss Prevention Research Council can actually help with all the great data and research that we do.
So a really great week.
I really enjoyed spending time with the retailers and the Google people because I was at the Google facility
and engaged with the Google teams and the Axis team.
So great job, Diego.
And with that, let me turn it over to Tom.
Well, thank you, Tony.
Thank you, Read.
Lots to talk about.
It'll be brief.
I'm overseas traveling.
I think we're all traveling this week.
But I wanted to give a couple updates, some old, some new, some recaps, but thought
it would be relevant to just start with the cybersecurity space.
A couple different updates, some you may have actually heard or experienced before, but
I think it's important to just kind of reiterate and talk about them again.
One piece is that there has been a resurgence, if you will, of ATM skimming.
So I know that we spoke about a tap and pay or tap and access your ATM in the past episodes and how bad actors were taking advantage of this.
But just good old skimming has seemed to resurface in a big way.
So there was actually some guidance given out to grab and hold and give it a wiggle.
ATM machines are seeing an uptick of skimming throughout the globe.
There's a tremendous amount out on the internet now of actual keypads that are over and the actual changing out of card access ports. One of the things as technology advances, you now do not have what I
would say is the old age of skimming that some of us grew up with, where it was an insert that was
very obvious. Now you're getting exact copies of inserts that slide over the keypads that were
shared in some of these recent videos were really very well done keypads that arguably were with adhesive were put right
over top, and then there's a Bluetooth connection, so, or a device that is, when you go by, um, they
can actually collect the data with a Bluetooth. So one of the things I think that there is a bit of
a misconception about is that the chip and signature in the United States will protect
the consumer. It is not the same as chip and PIN overseas because in a lot of cases, it still will
work. When someone uses your ATM card, if they're able to read that card and get that PIN number,
they essentially have access to your funding. If they do not get that PIN number, there are some
things they can do with that card
number, not as much as before. And as you travel abroad, you'll notice that you have different
levels of exposure. Myself personally, I noticed that in several foreign countries, when you're
checking into hotels, they're taking a picture of your passport, which is very common practice,
especially in smaller hotels that don't have the systems.
And what they're doing, they're using a mobile device, but you're essentially taking a picture of someone's passport
and then again taking a picture of sometimes their credit card, which that allows them to have some of that information.
Now, I think from a consumer fraud perspective, a photo of a credit card protects you pretty well.
When they have a PIN number, you have a whole other layer of challenging.
So what can you do when you're out and about at these ATMs?
Look around, take a quick peek.
If something doesn't seem right, it probably isn't.
I think this is one of the age-old things we always talk about here.
If it doesn't feel right, it probably isn't.
If your intuitions are up and you're looking at an ATM and just the keypad looks funny or that something
doesn't look right and it wiggles, you know, opt for a different scenario. Go somewhere else. If
you're out in the Midwest on a car trip and you stop at a gas station and there is something that
looks off, again, take a peek, see what you can come up with, and just practice super
good hygiene.
I know that we had years back on the podcast, and I think this individual actually was out
of the U.S., developed a technology to detect skimming, but it's not just about traditional
skimming.
It's about how these scams advance and some of the things that are occurring.
So not a new problem, but a certain sort of problem that's been around for a very long time.
Next, FBI warning is about scams that lure or entice you into using beta apps.
So if you've ever gotten a message from an app developer legitimately saying,
you use this app, we're looking for beta testers to test our apps.
Basically what that means is there's a new app out there
and they're looking for an end user to test the app.
In software terminology, beta usually means testing.
It's important to note that sometimes you'll get an email about alpha testing.
iOS and Android are built very differently,
but they have similar challenges. On iOS, one of
the things that occurs when you're a beta tester is you download an app called TestFlight. And
what TestFlight does is it allows you to put an application on an iPhone that hasn't necessarily
gone through the same security protocols or process that a finished app would. There's still a process here.
I think it's important to note that this is where iOS, Apple, and Android are very different.
This doesn't mean that your everyday person can just go in and make an app and get it out there.
TestFlight does have some requirements, but the reality is, by design, it's made to go outside the Apple store,
which allows them to have different
things occur.
There is a rash of applications out there that are taking advantage of this by installing
malicious code on iOS devices.
So if you want to be a beta tester, which I think some of our listeners probably would
be, you really have to take the time to make sure that this comes from a reputable source.
In my full-time job at ControlTech, it's often we have customers that we beta test apps with,
that we go to and say, there's a new version coming. We'd like you to try this version and give us feedback. It is a very common practice. And while I would say that it's a little bit more
personal probably for us because we're working with these customers every day, the reality is the process is we have an app.
We're going to load it through TestFlight, and you're going to load it on your machine, and we're going to work with you as opposed to launching that full app through the App Store and going through the process.
So bad actors are taking advantage of that.
In the Android space, it's a little different. You can actually be given an APK file, an actual file that could be sent to you via
link, and you can download that onto your device. Now, there are protections in place to
protect you on Android, which, uh, but they're mostly prompting driven, like, you know, you'll get a
message saying, is this a trusted source? Before you install this, make sure that you understand this is not an app store app.
This is also extremely common, especially in the development space.
And I would argue that retailers do this pretty regularly through their IT departments where,
all right, here's a test version.
Let me know how it goes.
Here's a version that you can manage through your MDM.
So it matters device management software giving that.
With all of these things, it all goes back to trusted sources
and doing the due diligence.
If someone's offering you something as a personal device,
a consumer device program that has normally cost something
and they're saying, hey, this is free. That's the first red flag.
You know, you generally businesses don't give things away for free unless there's some sort
of incentive.
So if you're beta testing a weather app, for instance, and the reason I use this is because
I travel a lot.
I use a lot of weather and travel apps that you're already paying a subscription to.
That is a little bit different than getting an outreach out of the blue saying,
hey, we'd love for you to test this.
We saw you downloaded this.
We'd love for you to test this.
Go through the process.
There is a false sense of security given when you have to go through a process
like TestFlight, download an app, do this.
It creates this false sense of security.
And the scammers are doing a really good job of saying,
we know that this process is laborious, but it's to protect you. And there is this impression
of control given by them because the process is more laborious on iOS. At the end of the day,
these hackers or bad hackers are loading malicious code that sometimes steals information,
gathers information in real time, or just outright is disruptive.
It's very, very important to stay vigilant
when you're doing any type of software testing.
The United States, we've seen a very, very large increase
in attacks on the healthcare system.
So about two weeks ago, and let's see the date here.
I'm not sure I'm right on the dates.
But towards the end of the first week of August, there was a substantial amount of attacks around healthcare.
It's hard to say if they just were coincidental or actually connected.
There are some reports that show they were connected.
There are some reports that show they were coincidental.
But one of the things here is just we are all targets all of the time.
And I think that it's very important to make sure that you're constantly, both at home and at work, aware of patching, updating, using good hygiene.
If you have children in the house, if you have elderly folks in the house, ensuring that that education awareness is more and more fluid is really,
really important to stay safe.
Snakes in airplane mode was the headline that Naked Security put on an iOS device.
There was a vulnerability identified that when you're in airplane mode, you could still
be connected to.
I'm not going to get too far into this.
I think that the bottom line here is that when we're using technology, to be very aware
that sometimes there's a false sense of security and that if you have that device in hand, it's a device in hand and it isn't.
And what I like to say is an entry point into your life.
I talk about digital risk footprint.
When we carry two phones and have a smartwatch and have an iPad with us, a laptop with us, we increase our digital footprint.
We're increasing the risk landscape personally and professionally for us.
So as opposed to getting too far into the weeds because it's fairly technical,
when you have a device with you,
you understand that it's a point of entry for a bad guy.
That's the best way I could say it.
So when you turn a device into airplane mode,
be aware that with some devices, especially now,
that these devices are still accessible,
this is driven by design a lot of times so that if you lose a phone, it's able to be found.
So I think it's very, very, very important to talk through when you're buying devices that you're using for work with your IT department,
what the risk load is and what you should be aware of.
Two stories, and then I'm going to turn it back over to Tony and Read.
One is smart light bulbs could give away your password secretly.
Be very, very aware of smart devices.
This goes right alongside what we just spoke about, increasing your digital footprint
and your risk latency increasing.
The more devices that are connected, the more risk you will have in your home and in businesses.
IoT devices are expected to continue to grow,
and I would argue at this point everything's connected.
That's what I say when people say connected devices.
We're in the quasi-stage of life where the reality is just about everything we do
has connectivity, light bulbs, refrigerators, toasters, things at home.
It's important to understand when you're buying a smart home device, who makes it?
Is it a reputable brand?
Go through the basic principles of electronics before you put that to the network.
This is a hard one because you have just tons of companies making smart light bulbs and smart devices at a very, very low price.
And sometimes it's hard to identify who is who.
The thing here is this isn't necessarily a malicious actor.
So this isn't that the company that you're buying the light bulb from is bad.
This is that they may not have the capability to patch at the same level as a big company or update at the same level as a bigger company.
So when you're buying a device like this, it might make more sense to spend a little
more and buy it from a larger, more reputable manufacturer so that you have at least the
pseudo confidence that, hey, my assumption is if I buy this device from Samsung, there's
a higher likelihood or Philips, there's a higher likelihood that
they're going to be able to maintain what's needed to keep this device up to date than
a smaller no-name company.
I think that this is a little bit anecdotal.
So this is just be very aware of when you're on Amazon and you see things, there is a benefit
to buying an Amazon device versus a no-name device because there
is a perceived or assumption, and it's a logical one, that the larger, more reputable
companies will have more investment in security patches and future patches.
The other thing to realize is, I know this sounds crazy, but if you have smart devices
that have been on your network for many years, it may be end of life.
They may be at the point where they're not patchable, especially with security cameras. And I'm talking consumer
grade now. So be aware of that before you go out and do things. So if you have a camera like
that was a, you know, a camera that you bought 10 years ago, or five or six years ago,
that's a connected consumer grade camera, I would look
at that and see, is that even a device that can be upgraded any longer? And then last but certainly
not least, and I'll leave it with this, there's been nasty, nasty vulnerabilities in the last
few weeks. Remember to patch and update your machines. If you haven't updated your smartphone,
your PC, your laptop, your Mac in recent times and don't have automatic updates on, put it on.
Trust me, it's probably the easiest, simplest thing to do.
And it is the most important thing to do today because it takes care of those known vulnerabilities.
And with that, I'll turn it back over to Tony and Read.
All right.
Thanks so much, Tom.
Thanks so much, Tony.
Again, some fantastic information from the two presidents here this morning.
And I want to thank our producers, Diego Rodriguez and Wilson Gavarino, for their hard work in editing and trying to make us sound like we're focused.
And I want to thank you all, the listeners.
So stay in touch and let us know what else we need to be doing or what we need to do better at the LPRC. Thanks, everybody.
Thanks for listening to the Crime Science Podcast
presented by the Loss Prevention Research Council. If you enjoyed today's episode,
you can find more crime science episodes and valuable information at lpresearch.org.
The content provided in the Crime Science Podcast is for informational purposes only,
and is not a substitute for legal, financial, or other advice.
Views expressed by guests of the Crime Science Podcast are those of the authors and do not
reflect the opinions or positions of the Loss Prevention Research Council.