LPRC - CrimeScience – The Weekly Review – Episode 84 with Dr. Read Hayes, Tom Meehan & Tony D’Onofrio
Episode Date: December 16, 2021
Happy Holidays from the LPRC Podcast Team! LPRC Kickoff is January 19th in NYC Bloomingdales Flagship Store! In this week’s episode, our co-hosts discuss Pills to combat symptoms of Covid variants are produced, Retail Flash Mobs Continue to plague the US, Recapping NRF survey information on ORC, and a recent Cyber Breach has been designated the highest threat level. Listen in to stay updated on hot topics in the industry and more!
Transcript
Hi, everyone, and welcome to Crime Science.
In this podcast, we explore the science of crime and the practical application of this
science for loss prevention and asset protection practitioners, as well as other professionals.
We would like to thank Bosch for making this episode possible.
Take advantage of the advanced video capabilities offered by Bosch to help reduce your shrink
risk.
Integrate video recordings with point-of-sale data for visual verification of transactions and exception reporting. Use video analytics for immediate notification of important
AP related events and leverage analytics metadata for fast forensic searches for evidence and to
improve merchandising and operations. Learn more about extending your video system beyond simple
surveillance in zones one through four of LPRC's zones of influence by visiting Bosch
online at boschsecurity.com. Welcome everybody to another episode of Crime Science, the weekly
review. I'm joined today by Tony D'Onofrio and Tom Meehan and our producer Diego Rodriguez. And
today we're going to take a quick trip around the world, talk about a few issues, and we'll start off as we have during this global
pandemic, talking a little bit about the coronavirus. We know that the Omicron variant
is now continuing to spread. A new UK study showing it's spreading much more rapidly than
Delta and Delta Plus throughout the UK. A UK advisor so far looking at some of the evidence from South
Africa and other places that had a little bit earlier sequencing and identification of this
variant reported in some ways that thankfully this particular brand of the coronavirus may not be
as virulent or create as much serious disease as the Delta or Delta Plus variants that
we've seen in the past and maybe others. So this is where we talk about keeping our fingers crossed.
This may be where at some point what it could look like in the future where we still unfortunately
have this particular virus and its different variants that come along, but potentially maybe less
virulent. But nevertheless, it's so transmissible and seems to be, again, we talked about some of
the mutations much more rapidly and completely able to evade some of our natural immune responses,
whether we are naive, have not been infected, or we have been infected by an earlier variant
or another variant, or have been vaccinated with one or more of the different vaccines that are
currently available for this. But again, if we've got minimal or at least less serious disease,
then that could be, of course, very encouraging. More studies are attempting around the world.
I'm reading about in studies trying to better understand antibody and cellular responses.
We've talked about that many, many times, what the research is showing, at least from
our interpretation here, is non-physicians or medical scientists.
But cellular responses, we've talked about B and T cells and so on,
are particularly interesting to see initial and more sustained immunity that might be available to us, again, whether natural infection as a result of natural infection or from vaccines,
or in many cases and in growing number of cases,
both. So there are also some interesting studies out there around why is obesity a red flag for potentially more serious, severe disease from coronavirus infection. And it seems to be that
our fat tissue plays a role and that that tissue is, in fact, attacked by the coronavirus in a variety of dynamics and cutting viral particles that any of us might emit through normal speech, singing, coughing, sneezing and so forth.
So more to come, but it still seems to be a safe and effective way to protect from infection or to cut the infection risk for the person on the other end. And then
again, if both parties are masked. So I know there's pushback and resistance to masking,
certainly masking mandates. And I think, you know, the more we think about, we read,
listen to podcasts and everything else that's going on around the research, the science part,
um, uh, it seems to be what seems to be safe, first of all, but
effective. And in what combination we talk about, again, in criminology about dosing a lot, a lot,
it's not what, but how we do things and the same thing here. But then there's sort of the
individual or group freedoms and the political side of that, or in other words, are elected or
officials, the lawmakers, as well as those that are the policymakers at the different strata of
government that we have here, you know, what do they mandate? And that seems to be somewhat of
a difference. And I think it's the differential application of mandates that seem to be a part
of the serious concern. But I think
at the end of the day, again, here, you know, we're talking about the science, not mandates
or other governmental or political decisions or actions that are taken. In our case, we're
interested in our own families and friends and others that we come into contact with,
including our own health and safety. So that's what we talk about here, just to kind of reinforce
that again. And because there's also research, again, showing that, you know, there can be some
potential or even documented cardiological effects, it looks like, of one or more of these vaccines that are being used. And again, you know,
in the case of the Pfizer mRNA in the United States, at least, these have both gone through
rigorous United States testing, multiple stages, one, two, and three tiers, as well as replication
studies and then studies, similar studies around the world. So they're rigorously investigated, um, and so we're talking about there are, have been some cardio effects,
um, inflammation and other things, I understand from the reading, but, um, but that, uh, probability
for any of us even though there are categories that are at higher risk, still seems to be dramatically lower likelihood
of that kind of response than compared to COVID-19 infection itself, which has documented
at a much higher rate of probability, much higher rate of any kind of cardio effects,
whether they're near term or potentially could be longer term. So, you know, what we know
is that's why they believe there's always trade-offs. And we all have that in science.
We do that again in criminology, if we're trying to protect people or places or both,
that we're trying to elevate the friction a little bit, but not too much. We're trying to look for
any neutral or positive or negative side effects or, you know, results of what we're trying to do here to reduce death, fraud, and violence.
So same thing, same science, same theory or logic models, same research observation methods by and large that are occurring in any scientific endeavor.
So that's part of the thinking there on what's going on now. When we talked a little bit about antibody and cellular responses, the innate
and adaptive immune systems that all of us are gifted with, I was reading a study that J&J,
when it came to the Omicron variant, just didn't seem to generate much antibody response.
You know, more to come.
That's not the only response.
Is that meaningful?
These are lab tests, my understanding, not necessarily human trials.
But the one injection of J&J may not have the same effectiveness as far as reducing serious disease likelihood.
You know, that's what they're thinking and researching or their initial results seem
to show.
So take it for what you will on that particular one.
We hear about the two doses, the initial and then the secondary when we're talking about
the mRNA vaccines from BioNTech, Pfizer, and the other one from Moderna.
And then we're hearing about, of course, boosters or a third shot and things like that.
mRNA, I saw some studies that were indicating that there is a 100 times better response and resistance to the Omicron variant than the two-shot series. And so there you see where the
evidence is showing or indicating any way that it looks like these boosters can provide more protection for us. But the deal with Omicron is, regardless, even with
three injections, excuse me, that we are four times more likely to have the Omicron overcome
that. So we might get some disease, presumably, and it seems like so far in a lot of the observations,
pretty mild to moderate.
And examples I saw include things like scratchy throat versus severely sore throat. But again,
those are just being non-medical professionals here. Those are the things that we're reading,
but it does look like 100 times better protection if there are three injections of the mRNA, according to these research data, than two. And I know that some of us, a team of us that went over to London,
we all got our third booster a couple of weeks before departure in an attempt to maybe have more
antibodies ready to go, as well as more cellular activity potentially come on the way,
being enclosed for six, eight, 10 hours inside of aircraft with who knows who in different
conditions and so on, or in the tube or other transport. So that was kind of the intent. And
just, again, based on trying to objectively look at the science that's out there. You know, again, on the therapy front, Pfizer and Merck and others are working on pills.
The Pfizer, more data are out, and still looks like if those in the trial that were non-placebo
but actually got the treatment, that if they took the pills within three days of
symptom onset, they seem to have an 89% protection level against more serious disease
or hospitalization. Some of the endpoints that they're looking at are outcomes,
measures that they're looking at. If the patient wasn't able to or decided to wait
till five days after their first symptoms, still seem to maintain pretty robust, 88%.
These are pretty phenomenal numbers. Again, anything over 50% is beyond random normally,
right? So it's probably systematic response, not some random event that we're not sure.
And so just give you an idea that these pills hold great promise, I understand the U.S. government is acquiring tens of millions shape, or form involved with the actual development or the profit or anything from the drug understudy.
So that's kind of a little bit more about what's going on in the pandemic world for all of us continues to affect us. We all want to go to
spend more time with our family, with our friends. It's that time of year, holiday,
Christmas parties, other events going on around the U.S. and around the world, travel, just being
home and so on. Those are all things that we're all looking forward to conferences i know that uh some of our
team we're looking forward to the hopefully the the probability of going to new york city for the
nrf national retail federation big show um we're on a panel um some of us around uh we've mentioned
this before i know computer vision uh ai artificial intelligence, camera vision, looking at reducing the probability
of errors or theft or fraud, reducing transactional accuracy. And in other words, at the point of
sale, self-checkout, the scope that wrong scans, intentional or otherwise, or non-scans and so forth, are detected by the action models that
have been trained to recognize that, that the transaction is suspended, that there's video
available and can show to the customer what happened or didn't happen or how it happened,
as well as for the employee on duty and so forth. So, uh, this is some testing and a massive rollout by the
Kroger Company, um, that, uh, Tom Rigi will be talking, uh, about, in this case, the research they're doing,
our role at the LPRC and at the University of Florida, um, and then also, also representatives from Alex, Cisco's from Eversine, for example.
There'll be Lenovo and NVIDIA represented and Compass.
And so we're excited about this opportunity to talk about, to demonstrate, to think about the future of real world cost effective AI that just helps identify behaviors that are harmful in a very non-intrusive
way so that the individual can make the call. So we'll also, as we've talked about before,
on that January 19th, if all goes well, hosted by Bloomingdale's at their flagship store in
Manhattan, we'll have the 2022 version of the LPRC kickoff event, typically 100
executives in, and we're talking about sort of the strategy of combining together and connecting
within an enterprise to protect against theft, fraud, and violence, and connecting and partnering
with other retailers, each other,
and then, of course, partnering with law enforcement, but doing these things in a very strategic way, in a very visual way, in an evidence-based way. We'll then also have discussion,
a lot of brainstorming in the two sessions we'll have, and this will be 8:30 to 12:30,
8:30 a.m. to 12:30 on January 19th to attend or participate.
And it's about participation.
You do need to be an LPRC member and have registered at operations at LPResearch.org.
protection research that needs to be done or is being completed around, again, preventing different types of theft, different types of fraud, and different types of violence or
aggression or intimidation. So we're excited about that. We look forward to seeing everybody.
Those LPRC members that are on the Board of Advisors or the LPRC Innovate Advisory Panel
and some working group leaders will be coming into Gainesville, again, if all goes well,
for the annual LPRC Ignite Summit. And this is our leadership and planning meeting in Gainesville
in our lab complex. So again, we need you to register. More details are on the way. We've
already gotten a lot of registration. I think we were at over 80 last night already, by the way,
for kickoff. And we've already had a handful register for Ignite, which will be that February 16th time frame in 2022.
So I want to wish everybody happy holidays, safe and happy holidays.
And let me go ahead and turn it over to Tony D'Onofrio.
Tony, take it away.
Thank you for those great updates. Let me start
and focus this week on the crime wave that we've seen in terms of the flash mob of flash robs that
have taken place in California and some other states with some updates in terms of how the
industry is responding. The first update is from MarketWatch, which reported on a letter sent by the CEOs of
multiple major retailers to the Congress of the United States. The CEOs from 20 major retail
brands, including Target, CBS, and Walgreens, have jointly penned a letter to Congress
over concerns of the increasing crime in their stores. As the letter said,
as millions of Americans have undoubtedly seen on the news in the recent weeks and months,
retail establishments of all kinds have been significantly seen an uptick in organized crime
in communities across the nation, the letter reads. While we constantly invest in people, policies, and innovative technology to deter criminals,
criminals are capitalizing on the anonymity of the Internet and the failure of certain
marketplaces to verify their sellers, it continues.
This trend has made retail businesses a target for increasing theft, hurt legitimate businesses
who are forced to compete against unscrupulous sellers, and has greatly increased consumer
exposure to unsafe and dangerous counterfeit products.
69% of retailers said they have experienced a rise in retail crimes over the past year according to MarketWatch
as published in the NRF 2021 Retail Security Survey. The survey company cited issues surrounding
COVID-19, policing, changes in sentencing, and the huge growth of online marketplaces.
So that's how retailers are responding.
How is law enforcement responding to this retail flash mob rob theft?
And this is a summary from CNN in terms of how law enforcement is trying to stop retail
theft.
In Chicago, Los Angeles, and other major cities, police departments are increasing
patrols at retailers targeted by mobs of thieves in brazen raids. In Northern California, district
attorneys form an alliance to prosecute organized theft rings. At the federal level, the FBI said
it is in close contact with local law enforcement investigating such
cases and preparing to take further action.
Since this problem is top of mind, I thought this week I would also recap the 2021 Retail
Security Survey from NRF focusing specifically on organized retail crime. So reading from that survey or summarizing from that survey,
in 2021, participating retailers said that the pandemic
resulted in an increase or overall risk
in their organization.
It also brought new areas of promise as consumers
had to find ways of getting products and criminals new channels
to exploit. Buy online, pick up in stores, and other multi-channel methods became right targets.
This comes as the average loss for shoplifting and robbery incidents has increased.
The increasingly risk environment has repercussions that extend well beyond the
company's bottom line into actual threats against employees and customers. It is increasingly clear
that greater support is needed from lawmakers and law enforcement. Yet, despite the growing
dangers from organized retail crime, no federal law prevents this type of activity.
That leaves prosecutions, if they do occur, that is in a patchwork of local jurisdiction, even though the crimes are typically multi-generational and multi-state.
Health professionals and retailers are not sitting idly while all these changes occur. They have
brought attention to the continuing increase in organized retail crime, cybercrime, and shootings,
and other violent incidents in malls and stores. They continue to invest in multiple resources.
Half of the respondents said their organization was adding technology resources and capital
compared to last year, and a lot more focus
is on hiring additional personnel this year. As the long-term impacts of the COVID-19 pandemic
continue to evolve, one thing is clear, the retail risk environment is more complex and costly than
ever. One potential driver behind the increases in robberies and shoplifting incidents
is the growth of organized retail crime reported by retailers. As I said earlier, about 69 percent
of retailers said they have seen an increase in organized retail crime activity this past year.
They cited reasons such as COVID-19, policing, changes in sentencing guidelines, and the growth of online
marketplaces for the increase in organized retail crime activity. Most alarming, retailers report
these gangs are more aggressive and violent than in years past. Some 65% of responders noted an
increase in violence, while 37% said ORC gangs were much more aggressive than in the past.
For comparison, in 2019, only 57% said ORC gangs were more aggressive, and 31% said they
were much more aggressive.
One area of strong agreement, beyond a doubt, is the need for federal law against organized retail crime. 78% of retailers
felt they will effectively combat these issues in part because ORC is a multi-jurisdictional
issue that crosses the state line. It is growing in its use because of the broad range of activities.
It will be more productive to bring
charges at the federal level versus a series of small cases. LP professionals are proactively
investing in tools to combat the rise in crime as well as the new risk areas. When compared
to previous years, respondents were more likely to say their company was allocating additional
resources to address ORC risk this year.
Half reported their organization was allocating additional technology resources,
and another 50% said they were allocating additional capital specifically to LP equipment.
In a share from last year, there was also a significant increase in those reporting that they would dedicate additional staffing resources.
So that's a summary in terms of the organized retail crime survey and also the challenges and how law enforcement and retailers are responding.
It's a challenge that we will continue to monitor here at the LPRC and report on in future podcasts.
Hello and good morning, everyone.
Thank you, Tony.
Thank you, Read.
Man, busy, busy weekend in the cybersecurity and risk space.
And I will say that it was interesting because my daughters had a birthday party on Friday
and we had activities all weekend.
So I was more disconnected than
normal. And then I had a flight to Seattle early yesterday morning and it was a six hour flight.
So I got to catch up on all my reading and the internet was a storm for this, for this Log4j
flaw or the, and that occurred sometime last week. And when I say that the internet was on fire,
it was on fire.
Actually, Wired wrote an article that said,
the internet is on fire.
That was the title of the article
about this vulnerability that was found.
And for all the listeners on here,
I'm not going to spend a tremendous amount of time
because it goes into that space
where the folks on the call
are generally going to have to work with their
IT departments on this.
But there was a vulnerability discovered.
There was a researcher that in typical kind of zero-day vulnerabilities released it after
he reached out to the overall IT community.
And for those of the listeners that don't know what a zero-day vulnerability is, it's
a vulnerability that wasn't previously discovered and that is
discovered. It happens often in software. And generally what happens is there's a patch
and there's a level of severity. This is the highest level of severity that could be out there.
And there was a lot of warnings that were issued about patching. But this is not your average patch.
And why? Because Log4j is a part of JavaScript, and it's been around since the 90s.
And it's used in just a tremendous amount of open source applications.
So this is an interesting one in the sense that this isn't your standard kind of application
that like Microsoft Windows has a vulnerability to put it in.
It is a part of open source code that's used in arguably probably
hundreds of thousands of software. One of the scary things about this vulnerability is it's
fairly easy for hackers and criminals to take advantage of. So what we're seeing yesterday
and over the weekend via reports is that China and Russia scanning, you know, millions of systems to try to find this vulnerability and take advantage of
it.
You should see on a lot of your devices updates.
I couldn't stress to you more than I've ever in the past,
the severity of this and how easy it is to,
to get this vulnerability to go through.
And there's thousands of attempts per second via bots to go after this.
So if you see an update on your Windows machine,
on any of your software packages, programs you use,
if you see one on your iPhone or anything,
go ahead and do the patch.
This is one where you've got to do it right away.
Because this vulnerability affects the job to the JavaScript logging library
and it's a it's really an Apache code so if anybody in here has heard Apache part
of the Apache piece it it's actually you know every minute that you wait to patch
this you open the exposure because of the scanning so here's the hard part
here because this is a type of code that's used in many,
many programs, some of them may not be as easy to patch. We often talk about Internet of Things
devices and the importance of buying them from reputable vendors so that if there is an issue
that there's a way to patch. This is a perfect example of there's going to be devices out there
that just either the company no longer exists or they don't have a method to patch. It's also known as Log4Shell, um, if you, if you've heard of it, um, that name too.
And if you're, if you're searching your Twitter and the internet, it really was over there. What
it allows to, uh, someone to do is have, you know, unauthorized, uh, unauthenticated remote code
execution, uh, into your computer.
And there are some, there is some evidence, not are some,
there is some evidence to support that this could be transmitted via email.
So this is still new.
We'll keep an eye on it.
I know we'll talk about it next, but I want to just, you know,
move on to the next one because there's not much more that I can talk about
here.
So another thing we talked about artificial intelligence,
often at the LPRC, some of the bigger players, Microsoft, Google, you know, I've always been
working on this, but Nike, CVS, Walmart, and more are loosening their algorithms, their
algorithm biases. So algorithms are made by, by humans. One of the things about machine
learning algorithms is, yeah, they learn and they replicate human behavior. Artificial intelligence
is, just the simplest way to format it is, it's a computer mimicking human behavior. So when we talk
about artificial intelligence, we always think of these huge kind of robotic and futuristic things,
but at the end of the day, artificial intelligence is just a computer mimicking human behavior.
And I'm not limiting that, how important that is.
And then when you have a couple machine learning in,
which is a model that's built or an algorithm that's built,
that continuously learns and changes to adapt to an environment.
And I'm oversimplifying this.
Humans build these.
So there are inherently biases built into them so that what
we're seeing is there's this big push and retailers are now jumping on to try to, you know, take the
algorithm for workplace decisions or workforce decisions. And specifically, this, this report talks
about Nike, CVS, Walmart and others taking this algorithm and changing it and trying to loosen the bias
of it for workforce decisions.
This is the same thing that happened many years ago.
And I use this.
There's two kind of funny, scary, interesting examples.
One was a bot that was designed, a chat bot that was designed on the internet.
And I believe it was Microsoft.
And within a couple hours,
the bot was learning inappropriate and racist comments because the people who
were,
who were interacting with bot were trying to teach it that.
So the bot picked up on it and started to change,
you know,
change.
And this is the challenge with,
with true machine learning and artificial intelligence
is the bot did exactly what it was supposed to.
It listened to what people were saying.
It learned the behavior and then repeated it.
And then the other piece of artificial intelligence was,
if you've ever seen, there's hundreds of videos of the robot.
It's actually a robot that looks like a female.
And reporters started to consistently ask it questions.
And the robot answered the questions.
But when you heard the answers, it was a very almost unreal response.
And one of them, the questions from a reporter was, you know, would you ever hurt humans?
And the response was, no, I would never hurt humans.
I'm programmed not to.
Humans are my friends.
But I don't like water.
And my goal is to eliminate all the water in the world
because water is not good for robots.
So their machine learning algorithms,
someone actually, in talking to them,
kind of kept asking those questions.
So a lot of these machine learning algorithms that are out
there are based on human biases. And I shouldn't say a lot of all of them, right? Humans are making
these. And so when they're being written, there's some bias as well as they're learning from what's
out there. So that's a real good step forward. We continued over the last few years to see
algorithmic challenges from the ACLU,
facial recognition, not working as well with certain races.
That's not really a bias, but there is this continuous need
to drive artificial intelligence and machine learning
and help address some of those challenges.
So that's actually something that's really, really a good step forward.
And then I think we'll continue to see there was some conversations over the last two weeks about
companies pushing users to adopt two-factor authentication. We talk about two-factor
authentication, but also, and that's, sorry, before I go to the next stage,
with two-factor authentication, that's the point when you're logging in and you're asked to either
get a text message or go to an app or a token to get your number. I think you've probably heard me
say hundreds, if not more than that times on this, the importance of going to two-factor
authentication. My recommendation hasn't changed. I think two-factor is the quickest, easiest line of defense for an average user or even
for a business user.
My recommendation today is when you can use an app-based versus a SMS-based, that there's
a benefit.
The thing about an app-based authentication is it allows you to eliminate that SIM swapping or any of these tech, any of these phone scams
that are out there while they require social engineering.
But the other advantage of having an app base is when you're on the plane and you can't
get a text message or when you're in an area where you have bad service, you can't get
a text message.
There you have the app.
So Google Authenticator, there's a lot of different authentication apps that allow you
to use two-factor.
It's free, super quick to set up. It's actually, the setup is almost exactly the same. Their only risk, if there's any with that phone, is if you lose or damage that phone,
you have to make sure that you have your backup codes to get in or it becomes challenging. I've
been using app-based authentication really since it's actually come out, its inception.
I prefer it more not from the,
I prefer it more from a standpoint of I travel quite a bit. I don't like to be in a position where I can't get into something that via that you need to be a text message. And I know even
when you're on the plane, sometimes the plane, you can get internet, but you can't get text
messages. So two-factor authentication, app-based, is where to go. But the next step is there's a lot of
conversations about actually taking automated, we talk about AI and machine learning, approach
to try to do attack two-factor or one-time password.
So there are some new methodologies for the bad guys to try to go after that. It's definitely something we all
should stay close to, but I at this point still believe that two-factor is a great line of defense for the average
user. I don't believe that it's an end all, tell all, but it definitely, definitely helps with that.
I'm going to turn it back over to Read and Tony. I covered a whole
bunch of things, and I know that we'll have an update on Log4j probably in the upcoming weeks.
Thank you.
All right.
Thanks so much, Tom, on all those updates.
Tony, fantastic information as well.
And we're here for you, lpresearch.org.
So everybody stay safe and stay in touch.
Thanks for listening to the Crime Science Podcast, presented by the Loss Prevention Research Council and sponsored by Bosch Security. If you enjoyed today's episode,
you can find more crime science episodes and valuable information at lpresearch.org.
The content provided in the Crime Science Podcast is for informational purposes only,
and is not a substitute for legal, financial, or other advice. Views expressed by guests of the Crime Science Podcast are those
of the authors and do not reflect the opinions or positions of the Loss Prevention Research Council.