You are currently viewing Retail security in an online world
Retail security threats - triangulation attack workflow.

Retail security in an online world

The internet has been changing the world for decades now, and nowhere has this been more obvious than the retail sector. Internet access has opened up new markets, invented new businesses and allowed retailers to grow in ways never before imagined. However, along with this growth, the internet has also shown that retail security needs to evolve and adapt to keep up.

Retail security - behind a computer, its hard to spot criminals
Retail security – behind a computer, its hard to spot criminals

Earlier this year, we talked about the BRC Retail Crime Survey, which highlighted that retailers in the UK are quite rightly concerned about the security risks they face as they go online. Correctly, the BRC placed a lot of emphasis on the police to investigate crime and arrest criminals, however the basics of retail security really need to be driven by the retailers themselves.

Retail security in an online world needs to follow on from the good practices driven by centuries of experience – shops lock up at night, tills are kept safe, stock is protected – it just needs to adapt.

Retail security – online threats

The first step to adapting is understanding how things are different online. This is important because all too often retailers leave their doors wide open, their tills abandoned and their stock exposed simply because they don’t realise where the walls and doors have move to.

By learning how criminals will leverage the internet, retailers can also learn what they need to do to avoid becoming a victim of crime.

While we can’t cover everything in one blog post – we can look at one common attack which frequently leaves a retailer out of pocket with very little risk to the criminal.

Triangulation attacks

One type of threat which retail security faces in the online world is called a “triangulation attack.”

Retail security threats - triangulation attack workflow.
Retail security threats – triangulation attack workflow.

The way this attack works is quite simple – which is why it presents a growing problem for retail security and can cost businesses dearly.

  1. A criminal gets hold of a stolen credit card. This is surprisingly easy and criminals can either steal them by hacking other retailers or purchase them directly on the black market.
  2. The criminal posts an advert online. Often on eBay, but other second-hand sales portals (such as Craigslist, Facebook marketplace etc) are used. This is normally for a fairly high value item such as the latest iPhone or games console. However, as retail security becomes more aware, criminals are moving to sell less obvious items.
  3. The innocent customer bids or purchases the item. The customer is pretty innocent in all this and normally just thinks they are getting an excellent bargain.
  4. The criminal places the customers order with an innocent retailer. This is where the triangulation begins. Using the stolen credit card, the criminal orders the goods to be shipped to the innocent customer. The customer, however, pays the criminal – normally via a difficult to trace PayPal, Moneygram or Western Union transaction.
  5. The credit card company’s security kicks in. At some point the stolen card will be reported and blocked. Unfortunately this is often after the order has been placed and the innocent retailer has shipped the product. This is one reason why retail security needs to link up with other sectors to function properly.
  6. The bank / card payment company refuse to pay or reclaim funds. For the retailer, this is where it really hurts. Frequently, the retailer has shipped the product when the bank reverse the payment leaving the innocent retailer out of pocket.
  7. Retailer has to make a choice. When a retailer becomes a victim of this scam, they have to decide if they can absorb the loss and move on, or if they are going to try and recover the product from the customer. Having a good retail security policy in place before this happens will help you decide which is best for your business as both options carry costs.
  8. Everyone but the criminal loses out. As a retailer, even if you manage to get the product back from the customer, you will have lost time and money in recovering it and you will have certainly lost a lot of goodwill with the innocent customer. The criminal, however, has made off with the customers money and is likely to be very difficult to trace.

As you can see, for very little effort, the criminal has made a profit and without good retail security measures in place, the retailer and customer have lost out.

A few years ago this sort of attack was pretty much entirely aimed at Amazon, eBay and the likes, however this is no longer true. The big targets have spent massive amounts of money on building anti-fraud teams, retail security specialists and e-crime investigators so the criminals have moved on.

Now, any retailer, in any sector, is at risk.

Dont wait until it is too late and dont rely on the police to lock your doors. Good retail security is the responsibility of every retailer.


Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.

This Post Has One Comment

  1. Ron

    Can I get an unprotected and perferrably and updated copy of the following:
    1. Risk Register
    2. SPF-ISO027001_mappping_Draft
    3. Informaiton_Protection_Security_Policy_Template

    Your resources are awesome and I really appreciate the thought process and effort put together on these documents!

Comments are closed.