Tuesday, November 20, 2012

Safeway: a Case Study why Regular Security Audits are Required

A Security Audit is part of any company's IT practice and must be done on a regular basis. A more specialized computer security audit is combination of a manual or systematic technical assessment of a system or systems and all objects win the context in which they are run, including human behaviours and interactions.  Manual components include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments can no longer be relied on in most cases as social engineering is a major part of the way hackers operate nowadays.

Ignoring this over several years can lead to serious security breaches.  I have seen some very fragile systems however this week I came across one that is a perfect example of why these audits need to be done regularly.

The example we have in mind is Safeway, a Canadian food store chain.  Now that seems like a very unlikely source for a hackers to compromise a person's information and gain access to their systems, but it is very possible and if you read the rest of this, you will probably take steps to protect yourself.  For the record, we invite Safeway to comment back as we are sure they will be taking concrete steps to change this assuming they read it.

CAVEAT:  The goal of this blog post is not to specifically hurt Safeway.  They are a great company and I regularly shop there.  The purpose is to raise the awareness for both those who have not done security audits and for those who use stores like Safeway to be more aware of the vulnerability such systems create for identity theft by multiple systems and protocols evolving over time.

Their system of customer interactions has developed over years and individually, each component makes sense.  Together, they are lethal.   Safeway started identifying customers by implementing a "Club".  Under this club, consumers were given savings on groceries.  The primary method of identification was a Safeway Club Card however many people do not bring these to the stores anymore.  The solution was for Safeway staff to ask people to use their phone numbers as the primary key to identify the fact they have a club card.  There are often spoken verbally to a cashier with a line up of people around who can listen in.

Another great customer experience Safeway uses is to thank customers by their name upon leaving the checkout.  I get a regular "Thank you Mr. Nickull" when I leave.  Now add in the ATM and visa card capabilities into the mix and there is potential for trouble.  Oh - don't forget the total amount of the bill.  This is flashed for all to see.  I'll get back to this in a bit.  If I am real clever I can also get the person's PIN for their card.  Here is the synopsis of how I would hack people based on using Safeway to do the work.

I go to Safeway, make some purchases and stand in line.  Every customer ahead of me who have a club card will verbally tell the clerk their phone number.  At this point I know their phone number.  Next when they pay for their groceries, I can see what card they are using to pay for their groceries.  Let's presume it is a Royal Bank Visa Card.  As the person leaves,  the Safeway clerk says " Thank you Mr. XXX".

Now what has just happened is subtle yet amazing.  I now have the last name, home telephone number, transaction amount, airmiles card number and some bank account detail.   So how do I use this to exploit the person?

The first thing I do is a Google search on the phone number.  I picked a random BC phone number and did a search.  There are plenty of reverse phone number lookups.


returned to me the following:

Persons First and last name
Physical home address including postal code.  Since I can verify the truth of this (I know the last name after all), if I get a positive match, I can proceed to stage two.

Now, what can I do with this information?  There are many possibilities.  First, I could phone the bank and change the address to a new address (a PO Box I control for example) and ask for a duplicate card to be issued to that address.  Alternatively, I could phone the person and tell them I am from the bank and that their card has been compromised.  I could give them some supplemental details to gain their trust, then get more information from them and ask them to ensure their current data is updated.  Conversation would go like this:

Me: "Hello Mr. XXX.  This is the Royal Bank and I am calling because we have had some strange incidents on your card.  I want to notify you that this call may be recorded for quality assurance.  I must ask you some questions"
Victim: "okay"
Me: "Can you verify that you had a transaction at Safeway on Broadway and MacDonald at [date] for [amount]?"
Victim " yes - that one is valid"
Me: "I have  a second transaction about 30 minutes later buying an iPad for delivery to an address in New Jersey.  Is this one also valid?"
Victim: "No.  I never ordered that"
Me: "Ok please don't worry, we will make sure that you are not billed for this. "
Me: "one more thing, can you please verify the email address you have on record for security"
Victim: (after thinking this is probably little or no security risk) "my email is XXXXX @foo.com".
Me. " Thank you, I have entered this"


Me: "I have no email address for you on file.  Would you like to add one to your account?"
Victom: "Yes.  Please use victim@imabouttogetscrewed.com"
Me: "Thank you.  That has been added to your record."

So at this point I now have the following information:

- the victims bank name (and possibly PIN code)
- the victims name address and postal code
- the victims airmiles collector card
- the victims phone number

That is enough to set up a fake Airmiles.com email and present the person with an offer too good to be true (based on what I think they will be interested in from their physical appearance and grocery purchases).  For instance, if the person is buy tofu, I would offer them a subscription to vegetarian magazine for free as an Airmiles collector or offer them it for $3.99 and they get 1,000 free airmiles.  When they set up their account, I will get their password which I can then try their password/email against high value websites like Paypal, their email etc.

Once I hack their email account, I can then go to the bank website (I know their bank after all) and click the "forgot password" button and have it send me a new password.  Voila!  I now have their bank account.

Without divulging too many more details, I would also point out that there is a way to rectify this from Safeway's point of view that also might accomplish two other goals:

1. Speed up the checkout lines; and
2. Increase customer service; and
3. Increase customer security.

The scenario above is not Safeway's fault not is it Airmiles.  It is a very typical combination of systems and programs growing uncheck for years without someone having an external security audit specialist come in and analyze the bigger picture.  This scenario happens at many retail outlets.

As a consumer, express your concerns and ask the businesses you work with to take steps.  If you are a business, consider getting someone experienced in IT security to help you prevent your customers from being harmed.  This is something we all have to work towards together.