LPRC - Episode 9 – Hacked Online Profiles & Online Safety
Episode Date: July 12, 2018
Transcript
Hi, everyone. Welcome back to Crime Science. In this podcast, we aim to explore the science of crime prevention and the practical application of this science for loss prevention and asset protection practitioners as well as other professionals. Co-host Dr. Read Hayes of the Loss Prevention Research Council and Tom Meehan of CONTROLTEK discuss a wide range of topics with industry experts, thought leaders, solution providers, and many more. On today's podcast, we have featured guest Abraham Gonzalez of Bloomingdale's, who will discuss hacked online profiles, distribution of compromised data, general online safety tips, and much more.

We would like to thank Bosch for making this podcast possible. The security of your data is just as important as the storage or safeguard, making it imperative to consider both physical and cybersecurity simultaneously. Bosch's system approach maximizes data security by covering all major elements of the video infrastructure. This strategy is the key to achieving the highest standards in end-to-end data security. Learn more about Zone 5 of the LPRC's Zones of Influence, or by visiting boschsecurity.com.
All right, welcome everybody to another episode of Crime Science from the Loss Prevention Research Council. And again, a reminder, LPRC is a research and results community that continues to grow. I think we're approaching 60 retail chains, including some international members, with many, many more expressing very strong interest. So the community continues to grow. But I want to welcome everybody here today to Crime Science, the podcast. Again, I'll introduce our host, our co-host here, Tom Meehan from CONTROLTEK. We've also got Abe Gonzalez from Bloomingdale's. So, Tom, I'm going to go over to you and kind of get your initial takes and setup and context, if you will, sir.
Thanks, Read. Welcome, everybody. This is our ninth episode. We're happy to have everybody listening. Please take the time to subscribe to the podcast, and if you will, leave us a rating. We're obviously always looking for feedback, but wherever you subscribe, whether it's through Apple iTunes, the Google Play Store, or the Stitcher mobile app, please just take a few moments to like and subscribe to the podcast. It really helps get our listenership out there.

Abraham and I worked together in multiple capacities in the past, so it's always exciting to have a guest that I know personally. And what I wanted to talk to Abraham today about, and Read, is really some of the trends in fraud related to credit card fraud in-store and also online, as well as some of the cyber elements that in retail we sometimes talk about but don't really get into the full detail, especially related to loyalty programs and online programs. So, Abe, I just wanted to welcome you to the show. Why don't you tell the listeners a little bit about yourself and what your role is with Bloomingdale's?
Well, thank you for having me, Tom. I'm a fraud mitigation manager for our organization, and I'm tasked with really identifying where we have fraud exposure in our organization currently and coming up with programs to mitigate that exposure. The umbrella of fraud is all-encompassing under my role. I do anything from Loyallist, our proprietary in-house rewards program, and fraud related to that, to third-party and proprietary credit card fraud. So it's a little bit of everything. My background is traditionally in investigations; I've kind of done a little bit of everything in the asset protection field, and this is where I'm sitting now for our organization.

Great. So our listeners are abroad, and we're learning more and more that it's not all retail listeners. There's law enforcement, academia, and then just general folks that want to learn about some of the things that are happening. In your current role, if you had to pick, what are the two or three hot trends or things that are really happening regularly today related to the e-com world or the fraud world?
We're seeing a rise of folks using reverse engineering techniques to really get merchandise from a company, steal merchandise from a company, trick companies into taking margin loss. We've seen an uptick in stolen Loyallist rewards and third-party bad actors kind of impacting that part of our business. We're also seeing a rise in third-party and proprietary or private label credit card fraud across the industry, really. I'm a member of a couple of different committees; one of them is with the LPRC, and organized retail crime specifically. We've seen a rise in the use of stolen credit cards impacting loyalty programs, and, you know, there's just a very creative element out there that we're kind of facing these days, and it's all in the scope of fraud.
When you speak about loyalty, what's a common way that folks are compromising loyalty accounts?
So what we see, there's a recent trend of loyalty or customer-specific profiles being targeted by fraudsters, bad actors kind of getting in there, stealing reward cards, stealing different benefits that we afford to our good customers and repurposing them for everything from criminal activity to just, you know, using the merchandise, selling it and profiting from it. So I've definitely seen loyalty fraud being an increasing trend these days, and when I say loyalty I mean any type of reward program that a company might have. If a company offers a percent off or a dollar or a couple of dollars off or even gift cards for, you know, someone's loyalty, our fraudsters are definitely taking advantage of those opportunities to, you know, recoup money and use that money to commit fraud.

Can you briefly just share with the listeners what is a common way that someone would attack a profile, and how long does it take?

So it's interesting. A big part of this industry, of reading about this type of activity and getting to know this type of activity, is to understand that it's not sophisticated and it's very quick. So our average, or safe to say, a fraudster who's impacting company loyalty programs is typically using very amateur tools. They're using freeware, online readily available software, and typically it's a combination of something like an IP spoofer [...] to your online profile, your Loyallist or your company rewards incentive profile, by trying multiple different usernames and passwords until they finally get into one of those profiles. So it's as simple as someone sitting behind a computer for anywhere between 30 seconds and half an hour to obtain 200 profiles, a couple of hundred profiles. And the purpose of that is really, for that bad actor, and it depends what they want to do with the information, they're either looking for your name, your address, some credit card information, or they're using what's already available in those profiles, whether it be a loyalty profile or customer profile, to then shop. And the name of the game is, just like anything, they're either shopping because it's for personal gain, or they're selling the merchandise on the black market, or still fencing it off.
So, based on your experience, have you seen an increase in this activity? You know, is there a time frame that it is changing, or has this just been steadily happening?
Based on experience, we're seeing a more elevated element when it comes to, or rather, we're seeing more folks get involved with this type of activity. As you can imagine, when something's easy and someone's kind of figured out a way to profit off of a company, the word, the news, is going to travel. So I frequent online forums, both on the deep web and on the clear net. And from my organization, I kind of look at these forums and I read and really try to understand, with kind of the explosion of social media and the way we communicate, how that word of mouth travels. And what we're seeing is, if you go to any carding forum on the internet, and it's called carding, there's someone on there offering either services in order to acquire, again, personal information, credit cards, or loyalty information from one of the companies that they offer services for. Or there's folks that are educating others on how to do this. And again, it takes everyone kind of taking the approach of understanding that this industry is ever evolving. Whatever we're learning, we have someone out there, we're facing a bunch of folks that are also learning to exploit and kind of get around whatever measures we put in place.
So I just have two more questions, and they're kind of a dual question, and then I'll turn it over to Read. But this is kind of a dual question in the sense of, you know, what type of things can a company do to mitigate the activity? And then the second portion of that is, you know, how does the customer, the end user, protect themselves?

So a company needs to really have all the right partners in place when they're coming out with a new initiative or when they're talking through items that boost profit and, you know, result in better sales performance. I think the important part of having that conversation and getting those initiatives ready is really looping in some of our IT, our asset protection partners, our law enforcement partners, whoever it might be, to give insight on what vulnerabilities might actually be there. Companies should be very aware of the way our customers interact with our profiles. If they notice that there's an increase in activity involving fraudsters, we should not only look at those folks as individuals, but see where the exposure point is in our profiles, in our accounts and so forth. A lot of companies can easily solve these problems with things like reCAPTCHA and two-stage verification and so forth. It's just a matter of being aware of it, speaking about it, and having the right people in the room when they're having these conversations. And I'm sorry, Tom, you had another question?
Yeah, from the customer side, and I think you answered some of it: if you're a customer and user, are there some simple things that you can do to protect yourself?
Yeah, absolutely. Your passwords. Make sure you have different passwords for different accounts, so that if one account is compromised, if there's an event with a company that you use that password with, your information isn't readily out there. I'll give you an example. You know, it's no secret, there have been a couple of different, and it's an ugly word, but breaches in different industries. If your password was impacted and you had a profile with one of those companies, a typical user will have the same password for all their accounts. That list is on the internet somewhere. It's on a pastebin or a forum, and that's readily available. So I think the most important part is actually really, really making sure that you have a password lock or you have different passwords. You don't put things on the internet that you don't want public. Be conscious of what your security questions are and what kind of information it takes to get into your profile, and make an extra effort to make sure that you throw off any possibility that someone can get into these profiles. But yeah, just that alone, I think, would mitigate a lot of these issues, or some of these issues.
All right. I really appreciate that. That's good insight into the issues, and we appreciate that, Abraham and Tom. And I think to put things in context, we've heard, and like you said, it's a pretty scary word, breach, whether it's of mass data from an individual organization or corporation, and then, as you've mentioned also, us as individual citizens or account holders. Abe, is there anything you could mention or discuss around Netflix or Facebook or LinkedIn type breaches of an individual's account, or a takeover of that account? Is there anything that you might share in that area, or where we might look for more information on that?
Oh, absolutely. If you're a victim of one of those profile breaches, unfortunately, that information is already out there. Once that information is out there, you really have to do a better job at controlling, you know, that information that's already out there, and come up with new information to put out there. Make sure that your passwords are different, again. Make sure that maybe you should start changing your usernames. You set up alerting to see if someone's opening accounts under your name. You have to take the proactive approach at really stopping this activity once there's an event like that. So we do see a spike in all types of fraud when an event occurs. And my company, when we know another company's had a major event, we expect, or I tend to see, a spike in both credit card fraud and profile breaches and those types of events. So it's a matter of just really understanding what's going on and really just making sure that you control whatever information you have. It's a password, but I mean, it's as simple as that. Folks are acquiring usernames and passwords, and then once you have one, you can try that on every website under the moon and see if it matches up. And, you know, it's as simple as that. That's how our folks are getting into our loyalty profiles.

Interesting. And I was relating to our team during our weekly team meeting, where we go over what we're up to and what we're headed into. And we were talking about a family member of mine who, over the weekend in New York City, her purse was taken, and of course her iPhone was taken. And the individual was able to not only take the iPhone, but to take over her iPhone account or Apple account. And then when she went to shut it down or do anything, Apple evidently related to her, this is not your account, this is who the account holder is, and so forth. So any thoughts on preventing that type of situation, or trying to manage and recover, for our listeners out there if they are confronted with something like this? You know, how do we prevent it, if there are some options there that you're aware of? And then again, how do we handle that? I mean, now you're wandering the streets of New York. You have no way to communicate. And even when you finally can, the account holder says, I'm sorry, but I don't show this is your account. You don't have the right codes and passwords and information.
You know, I've read a couple of articles related to this type of phone theft, and I know there's a couple of different police departments out there that have written articles on this, and there's information on the internet. When it comes to your phone and your information on your phone, you want to make sure that, again, your phone's always locked, that you have a password that's actually strong. If you go down the list of folks that had their cell phones taken and accounts taken over, it's as simple as, again, folks looking at the phone, typing in the number one numerous times, number two numerous times, just trying to guess through a password. iPhones are pretty secure. So are Samsung phones. I know that they're hard to get into. It's usually lack of having a password. And then if you're faced with that kind of situation, you just need to gather all your billing statements. You gather anything you have. If you can still log into the account, make sure that you change your password immediately, for your personal iPhone or whatever account, whatever service provider you use as a mobile service provider, and make sure that you're able to go into your profile, make sure that you change your password immediately, that you contact the appropriate representatives at those companies, and have all your evidence. Have, you know, I bought this phone, here's my statement. They're pretty good at tracking IMEI numbers and unique identifiers for these devices. I think, again, the big part is reacting to this very quickly and just making sure that, preventatively, you're very careful and you take every security measure that's suggested to you, including locking your phone.
That's good. And you mentioned passwords. And I've read some articles where they've tried to conduct some research: random, as we know, mixing numbers and letters and other symbology. Others recommend long terms and different terms combined rather than using random, or what you think is random, because we're actually not able to come up with something that's really random. Any thoughts or anything from you? And I'll also go to Tom on some of my questions as well. Tom, you may have some expertise, but I'll start with you, Abe, and then maybe go to Tom. Thoughts on passwords?

Absolutely. You want a combination of uppercase and lowercase letters. It's what you've heard before. You want special characters. You want your password to be a certain length, six or more, eight letters or characters. And the reason for that is, depending on the sophistication of the program or the person that's trying to get into your account, they're not going to spend much time attempting to get into an account that's well protected, knowing that there's so many out there that aren't. The programs that do this type of thing become more sophisticated; again, they have better algorithms. But the reality is, the average person that's going to try to impact one of these profiles is using very simple measures. They have a list of usernames and passwords that they know are previously compromised, and they use that. So the more complex, the better. I would always kind of go with whatever that provider, that website provider or profile provider, recommends. And typically, when you're setting up a password, they tell you, you know, the uppercase, lowercase characters, and special characters.

That's good insight, Tom. Yeah. Anything to add, Tom?

Yeah, this is something that I actually do today. And, you know, as the chief information security officer, we offer a lot of professional services to folks both in banking and retail. And there's really two schools of thought. And there is actually a lot of research behind this. There are a lot of studies, university studies, around passwords and the future of passwords. And depending on which study you read, there's some varying of how long passwords will be around. But I think there's a couple easy things that everybody can do today. And one is, and I know Abe mentioned this before, if you create a password, regardless of the complexity of the password, and you use that password for Gmail, for instance, you can only use that password for Gmail. You can't reuse passwords. You have to make sure that you have different passwords for everything. And that centers around, if there's a breach of one thing like Netflix and your Netflix password is your password for Chase, your password for Gmail, your password for other things, this allows hackers very easily, with almost no skill set, to get into your accounts, and they follow these breaches.

There's a lot of talk now, in the last six to eight weeks even, where studies have come out where randomized passwords by humans don't exist. And Read, you mentioned that. We don't have the capability to truly make a randomized password. There are a lot of both free and paid services like password vaults that allow you to use password generators that are random. The benefit there is they're very difficult passwords. They're generally long. That's the benefit. The challenge there is that they're not passwords that people can easily remember. So one of the biggest things with anything in security, both physical or cyber, is if you make it too difficult, people will, you know, out of human nature, find ways to cut corners to make it easier for themselves. So if you're using a password vault, like 1Password or any of the other ones out there that are commercially available, all of them have password generators. That's a great way to do it. It's not the most convenient way to do it.

If you think about the two schools of thought with random characters, where Abe talks about uppercase, special characters, one of the newer studies is suggesting phrasing in passwords, and non-common phrasing. So you would see a password that says dogs. It would literally be dogs, sun, eat, chicken, one. Those are very long but allow people to remember them. And so phrased passwords are becoming a lot more common today. But it can't be common phrases, because the algorithms out there will find a common phrase, but when you use a completely non-common phrase, that is what researchers are starting to study, because the length of the password is actually what has the most protection when it's non-characteristic. So to break that all down, I think for me there are three real things I would say. Length of password is very important. If you can mix a phrase password with some upper, lower case and special symbols, that's a really great one. And then the one that we don't often talk about and we kind of forget is most providers today offer two-factor authentication for free. Every single bank does it. Every single social media platform does it. And what two-factor does, while it's not foolproof, is when you have a really strong password, there's another two-step or two-factor verification, whether you receive a text message with a code, whether you have a code sent to an email. While this isn't a foolproof application, it does and will prevent someone from using a brute force attack or things like that, because it requires another step. The other thing that two-step or two-factor is really good for is if someone is trying to attempt to get into your account, you'll get that text message or email. So you'll have an early warning that it's happening. I know this is a long-winded answer, so I'll stop with that. But I do think in the future you're going to see, very much how you saw in banking and fingerprint reading, that you're going to start to see other ways to authenticate, because passwords time and time again are the cause, and generally the underlying factor, that leads to breaches and compromises.
Yeah, I appreciate that. Thanks for that, Tom. And I know more of us, even on our phones, are having this biometric option. And again, any research on comparing facial recognition built into your phone versus long, long terms and so on that are not meaningful other than to you, versus, again, these random digits or so-called random? Any quick thoughts on that, and we'll move on.

Yeah, Tom's having issues.
Well, while Tom works on that, I'll give some perspective on biometrics. I think the shift from using fingerprint authentication and using your image, or using that technology to identify if that's you on your phone when logging in or when making a purchase, it's a step in the right direction. What we have to remember is that what's always going to be defeated first is the older technology. So we have to get away from, companies need to get away from using very basic passwords and start using, as Tom noted, two-stage verification, reCAPTCHA, and, you know, images to verify, you know, that you're not a bot and so forth. I think the technology, the fingerprinting and the different types of biometrics, will certainly be something that helps until there's a catch-up. And then we might have to go through a two-step biometric verification and so forth. But the advantage we have by creating new ways to secure our profiles is that the fraudster is always going to go for what's easiest. They're always going to go for your regular, easy profiles based on the information they already have, or a password generator, or a brute force attack. As long as we keep advancing and changing things, those bad actors are always going to go for whatever is easy, not for what's new and what's hard.
Fantastic. And I wanted to kind of switch gears a little bit and ask you, how are some of the customers in your stores or others' stores victimized in that store during their shopping adventure? How might they be victimized? What are some ways that can happen to them? And ways, of course, that they can prevent that type of theft, probably, that leads to breach and then all the problems that result?
So, first thing, you have to be aware of your surroundings. I mean, when you see an associate ringing your transactions, be conscious of what kind of information you give someone. Do they really need all the information you're giving them to ring a transaction? Are they writing anything down at that point of sale? If you identify that you've been a victim, that your profile, your loyalty reward cards have been stolen, or your credit card has been used immediately after making a purchase, contact the retailer. There are asset protection teams in all our retailers, and most companies have teams, and they're able to identify if the person at the register is the person that was able to impact your personal customer information. So it's being conscious of who's taking what information, who's writing that down, who's using it, who's asking what questions, and just being very much aware of what you need to conclude a transaction. You know, you don't need your social security number to conclude a transaction. You don't. So just be conscious of what you're being asked and, you know, how you're providing information out there.
All right. I appreciate that. So in this case, what I wanted to ask about as well is some of these hackings, some of these profile or account takeovers, or at least the leveraging of that theft and fraud to go ahead and take advantage of what they've got. How are investigators finding these people? And what are some of the areas of origin of some of these hackers and account takeover fraudsters? You know, what part of the world, what countries, how are they operating? And I know that's kind of a pretty broad question, but we're really interested in understanding the forensics, how we might track them down, who they are, where they're coming from.
So there's a combination of things. And again, this is from the perspective of the investigations I've conducted and folks that we've tried or have gone after. We're noticing that we have a lot of bad actors that are coming from overseas. We were for a while seeing a lot of activity come out of Spain and, you know, that area. We see some South American impact from users in South America, and the only reason we know this is because those are the folks that are active on forums and having information or money shipped to them, or asking folks to send merchandise to their addresses. But it seems like, because of the way information travels and the way forums and communication through social media occur, it looks like there's really a pretty good distribution of folks that do this kind of thing all over: all over the United States, in Asia, kind of all over the world. So it's less important to know, and you do risk, and you have a disadvantage, when it's someone that you can't physically touch, that you can't get the right law enforcement partners to go out and touch. But the important thing to remember is that if you're able to identify someone in the United States, you can take action by gathering information, by linking IP addresses, by linking times that they might have hit your network with, you know, folks that are talking about it on forums or folks that are processing returns of the merchandise. And when you're having conversation, you're able to kind of, you know, gather some information and figure out who that person is and who that user is. But the other piece of that is, if you have someone from another country and they're impacting you in that way, you should be working with your web security department to start banning IP addresses and IP ranges and do the more sophisticated things to get those people out of your systems.
Right. That's good insight. Tom, from your perspective too, I'll go over to Tom. Any suggestions you have, or anything you can relate, on how to identify who these people are forensically, how to track them down, where they're coming from?
I think this is like the similar conversation to anything related to ORC.
I know you and I always talk about ORC and where does credit cards fit in did you people think of it
is the total loss kind of say in terms of it I think at the line level at the
store it's going back to the basics the credit card fraud folks exhibit the same
behaviors as shoplifters so you're looking for behaviors there's their
shopping pattern their behaviors in the store are
different so I think if you're talking about it from that angle it's getting if
you are approaching the store thinking of it the same way we've always thought
about it and using good asset protection processes when you get out of the store
and you get into an analytics mindset, you're looking
for patterns and trends.
So Abe talked a lot about the mitigation of IP address and mass lindering, things of that
nature.
One of the indications that I always look at is if you're in a retail environment and
you have a robust analytics program, you generally have a profile built on what a good customer
looks like, their shopping habits,
how often they make a visit, how long they stay. What I've done in my past and continue to talk
to people about in the future is when you reverse engineer that science and you say,
this is what a good customer looks like, and you reverse engineer and apply some regression every
time you talk to a fraudster there are
patterns and trends that occur certainly there are trends in the type of merchandise and the
quantity of merchandise there generally are trends in bin numbers and banks there are a whole bunch
of different analytics things you can do i i think the biggest challenge here is much like theft
there's no secret sauce it's doing all of of these things together and trying to come up with a proactive method
versus a reactive.
And in asset protection and loss prevention, for years, security, if you think of traditional security, is a very reactive response. Someone steals, I stop them from stealing. Someone is, you know, doing something, I stop them after the fact. Credit card fraud is much the same. It's how do you take steps ahead to use analytics to decline those sales, to identify things, and sometimes it's analytics driven, sometimes it's behavioral driven, and getting the message down to the lowest level. I know in my past, sometimes just, you know, just making the aspect of asking someone to hand you the card is enough deterrence when you're talking about a counterfeit instance. So I wish that I had a simple answer, but I think it's taking that, you know, proactive approach. And for those of the listeners that are not members of the LPRC,
we have a fraud working group. And what we do in the fraud working group is we compare notes and we talk about, you know, different things that are working and come up with, you know, demonstrated best practices. And I think that's one of the biggest things, that when you talk about the LPRC and the benefit of the LPRC is you can get in a room with a whole bunch of people and say, this is a, you know, this is a demonstrated best practice. There are 10 retailers that have replicated it and have had a result. And sometimes that's as simple as changing an algorithm. And I'll use gift cards as an example. This is a real one of, you know, three retailers said, hey, we learned very quickly that when a customer bought more than X amount of gift cards for this dollar amount, the likelihood of fraud was substantial, so we changed the threshold to not allow that. Now, that change reinforced the behavior and now caused the bad guy, if you will, to do something differently. Increasing, you know, perceived risk, you know, using signage throughout the store, all of those deterrent things, I think, are really important here. And then measuring what you're doing and understanding what works. So I know that, again, another long-winded answer, but I think this is a topic that we could talk about for a really long time.
I would say that while there's no one-size-fits-all, this is a place where I truly believe if you're in a convenience store, a gas station, or an upscale retailer, the behaviors and the patterns are very similar. It's coming in and buying things that are outside the norm, the very rapid, the multiple buys of things that aren't normally bought. And then developing that proactive strategy is a lot harder than just saying it. It sounds simple when we talk about it, but sometimes little things can move the needle a long way.
All right. I appreciate that, Tom.
And, you know, I think what we've been talking about a little bit here today,
and I know it's coming up with our retailers is, you know,
we're trying to always, always reduce theft, fraud and violence and everything that comes from that.
And a big part of that is reducing those incidents, those events or those crime attempts.
But I think another part of this is our customers' perception.
If their phone, if their credit cards or other personal information was stolen while they were in our stores, that's something we can help them manage. Because, again, whether it directly harms the retail organization is up to question.
It depends on that particular situation, but it certainly can in some way damage our reputation.
And I think there's, so that's part of it.
We want to always manage our customers' perceptions and help them really feel safe and comfortable
and at ease in the location.
And I think by the same token, though, in an extended way,
if our customers are billed by our store,
our company for merchandise they never purchased,
but rather one or more of their accounts were hijacked,
taken over, hacked. That's another thing. Again, it may not directly affect us or it does,
but it also can indirectly. And I want to get you all's comments on customer perception of
theft and fraud in our stores or where they're, again, being billed by us.
I think it's the most important piece of why we should mitigate any of these issues, no matter how big or small they are.
Loyalty-related reward card type of fraud is typically very small in terms of dollars for an organization, but the impact of having, you know, 4,500, even 10,000 customers a year being impacted for anything from 10 to 25 dollars, the residual impact of having a customer feel like their information isn't secure is felt throughout the organization. Your sales start to suffer, you know, the word travels, you're going to see social media posts speaking to how we're unable, or companies unable, to secure, you know, a customer's information. So it's just really important that we keep that in mind, that, you know, we have to make sure that we educate our customers as soon as something happens, that we call them and we try to build that confidence again, that we let them know, hey, there's an issue with your profile, this is what occurred, this is how we're going to remedy it, and this is how we need you to kind of handle your information in the future. And, you know, we have to remember to have a personal touch, have our agents call directly, not have a customer receive a letter that says, hey, there was an issue. Try your best to reach out to your top customers, those important folks, and all your customers, and really kind of express what occurred.
When a profile, when something happens, even if it's residual from a real breach, if another company is the victim of a breach and then you start seeing, as a residual effect, your customers being impacted, their credit cards, for again, it could be an Amex or Discover, a MasterCard, Visa card, from an unrelated issue being used at your store, the act did not occur based on your security at your store, but because that victim's information is being used at your location, you need to make sure that you follow up and that you express how we're going to do a better job to secure that information and what they can do to protect themselves. So I think there's a level of just making sure that you, you know, touch base with those customers and make sure that they understand that you care as a retailer.
Reid, I think this is actually the one thing that we all know is so super important, but when we're talking about mitigation strategies and the impact of fraud, it's the thing that, while I know we think about it, sometimes we miss it. And one of the things in my experience, in everywhere I've ever worked, is when a customer is impacted by fraud in any realm, identity theft, account takeover, someone just steals their wallet, they have an expectation, whether it's unrealistic or not, that the retailer is not going to let someone use that card or their identity.
So in my past, it was often not something you actually controlled where someone came in with a stolen credit card.
And the emotional impact on a customer,
the first thing is how could X store let this happen?
Why didn't they ask for ID?
Why didn't they know it happened?
So oftentimes, credit card fraud in the legal system is viewed as a victimless crime because the customer is made whole.
But there is an emotional impact and that occurs when someone takes someone's identity or even just takes their credit card and uses it. literally hundreds of times of getting a call where a customer was, you know, infuriated that
our organization would let someone use their credit card. And how could we ever let that
happen? And how come we didn't stop it? So I think anytime you talk about mitigation and strategies,
and this is a really good tool or tip, if you're looking for funding for something,
always remind everybody of the customer that is a great customer at
what regardless of what organization, the Home Depot, Walmart, Bloomingdale's, it doesn't matter,
7-Eleven, and they're a great loyal customer that shops there every day. Someone pickpockets them
and uses their card at those same retailers and the immediate impact to that customer is it's now that retailer's fault
as well. They should have had methods to stop it. And I know that the listeners in law enforcement
and retail will say, well, we would have no way to know it. But that emotional impact really is
something important. So I think it's a great, great point, Reid. And I think it's a great
thing for everybody to be reminded of every day. And I know we all think about it, but remember that when someone is a victim of fraud, every touch point has a negative condensation, regardless of what it is. And on the flip side, that's why when you do catch someone and you do actually stop something, you could gain a customer for life, because you were the stopgap. You were the person that actually got the fraud. So there's some real big benefits. And when you achieve the actual stoppage of fraud, you not only protect the company from losses, but you now have protected that customer. And I know every day we do that in the industry, but I think it's one of those things that should be sobering for all of us, is that, you know, yes, we might lose a dollar, but what's the impact on that person for real? And what's the emotional impact? So, Reid, I'm going to turn it over to you for some final words.
Thank you, Tom, on that. And so I think with that, I really want to thank you, Abe, for coming on the Crime Science
Podcast today, sharing some ideas about how some of this fraud in person and online is happening,
what it looks like, a few ways that we might prevent the problem, and then a little bit about
what's going on in the investigations. And again, I want to encourage all of our retailer
practitioners out there and those in law
enforcement that are addressing the issue and I know Tom hit on this and that the LPRC's
retail fraud working group as well as organized retail crime working groups are both addressing
what's going on here as well as delivery last mile fraud and theft and so on in the supply chain
with the supply chain protection working group.
So a lot to know and still a lot more for us to learn through good research and development and collaboration and sharing what we're doing and what seems to be working,
what our problems are to drive even further research.
So with that, I want to thank our co-host Tom Meehan from Control Tech.
Thank you very much for today.
Abe Gonzalez, of course, of Bloomingdale's.
And as always, our producer, Kevin Tran.
You know, again, look for us on Apple, iTunes, Stitcher, and upcoming looks possible to be on Google Play and SoundCloud.
So everybody have a fantastic week and look for the next episode of Crime Science.
Thank you from Gainesville.
Thank you, everyone, for tuning in to this episode of Crime Science. We also want to thank Bosch again for making this podcast possible. If you would like to suggest topics for future episodes or provide feedback, please email kevin at lpresearch.org. See you next time.