Revolutionary New Checkout Scanner a Great Shopping Experience

Within days of the 40th anniversary of the first bar code scan in a retail store, the newest Tesco Extra store in Lincoln is offering customers a revolutionary new checkout alternative that improves the customer checkout experience by reducing the time spent in checkout queues.

40 years ago Datalogic, the global leader in the development of automatic data capture (ADC) solutions for the retail industry, installed the world’s first bar code scanner in a supermarket. Today, its newest technology allows the shopper to place items on a checkout belt, in any orientation, and have them automatically scanned by the Jade™ X7 Automated Scanner. Items are then automatically directed to a bagging area just as in traditional checkout lanes. This frees staff to spend more time engaging with shoppers and delivering great customer service at the checkout, driving up satisfaction and loyalty.

“We are always looking for innovative ways to support our colleagues to give great service and to improve the shopping experience for our customers,” said Nigel Fletcher, a Director at Tesco. “We’re looking forward to seeing what our customers in Lincoln think of the new checkouts over the coming weeks and months.”

As the shopper places items on the checkout conveyor they pass through scanning arches which automatically read bar codes and visually recognize items at a much higher speed than a traditional checkout configuration. The items are then directed to one of three bagging areas for bagging and payment and the next customer’s transaction can begin immediately.

Datalogic invented the Jade X7 Automated Scanner using advanced high-performance imaging and provides the technology as a building block to key system integrators around the world, who customize checkout installations to meet the specific needs of retailers and their customers. The new high-speed retail checkout for Tesco was designed by NCR, allowing up to three customers to pack and pay for their shopping simultaneously. The combined solution is capable of automatically scanning up to 60 items per minute.

“We are delighted that a world class retailer and innovator, such as Tesco, made the commitment to trial our Automated Scanning system,” states Mike Doyle, Datalogic U.K. Country Manager. “However, technology by itself is of little value if it doesn’t provide quantifiable benefits. That’s why Datalogic is fully committed to using our advances in technology as a tool to help retailers build a valuable and relevant shopping experience for their customers.”

Datalogic provides the building blocks for a completely re-invented checkout, enabling store associates to continue to deliver great customer service by reducing the time customers spend in the checkout lane. Datalogic continues its heritage of inventing, adapting, and applying technologies that aid retailers and system integrators in developing solutions that make the in-store shopping experience more valuable to customers.

About Datalogic

Datalogic Group is a global leader in the Automatic Data Capture and Industrial Automation markets. As a world-class producer of bar code readers, mobile computers, sensors, vision systems and laser marking systems, Datalogic offers innovative solutions for a full range of applications in the retail, transportation & logistics, manufacturing and healthcare industries. With products used in over a third of the world’s supermarkets and points of sale, airports, shipping and postal services, Datalogic is in a unique position to deliver solutions that can make life easier and more efficient for people. Datalogic S.p.A., listed on the STAR segment of the Italian Stock Exchange since 2001 as DAL.MI, is headquartered in Lippo di Calderara di Reno (Bologna). Datalogic Group today employs about 2,400 members of staff worldwide, distributed across 30 countries. In 2013 Datalogic Group achieved revenues of 450.7 million Euro and invested over 35 million Euro in Research and Development, with a portfolio of over 1,000 patents across the world.

Target Hack: Ensuring It Doesn’t Happen Again

We have all heard about the recent Target breach, and read about the many retail breaches of the past, and wondered why they keep happening. While we don’t yet know what happened, maybe this article will help illustrate the problem and a solution.

Retail systems generally use “hub and spoke” architectures. The spokes are networked systems such as Point of Sale (POS) terminals, and the hub is a data collection and processing facility. The POS calculates cash and credit-card transactions and negotiates approvals through a software exchange of card data with financial “clearing” systems. The transactions are encrypted at the POS; the key is a combination of the PIN (cash) or CVV (credit), a certain number and configuration of the card digits, and a private key provided by the financial service via a Hardware Security Module (HSM) that negotiates the communications between the POS and the clearing authority. Once a purchase is authorized, the POS data is transported (again in encrypted form) to the retailer’s data collection and processing facility.

The data transported to the collection and processing facility is usually encrypted in transit and contains separate elements of the card number and the encrypted PIN or CVV. That data is then stored for various reasons, including data mining for marketing statistics (sometimes to sell to other companies) and secondary clearing and settlement with banks or their internal financial processing companies. Unfortunately that data is often stored in several disparate locations according to its utility to the retailer, and is often not encrypted where it is stored (though the PIN and/or CVV usually are).

Payment card handling standards and regulations currently only require the data to be encrypted in transit—not where it is stored. This is fundamentally the reason that the most notorious data breaches have had such large-scale impacts—the attackers went after the data stores rather than the POS. The volumes of unencrypted data in the stores were far more lucrative and easier to compile. Getting to that data, though, involves malware and APT activity.

There are three types of malware usually involved in retail data breaches:

  1. Phishing emails with malicious droppers/downloaders to infect systems with backdoor trojans, enabling remote access and exploitation of networked corporate systems
  2. “PUPs” (potentially unwanted programs)—usually administrative tools, sometimes legitimate, that allow password hash collection or cracking, Active Directory or LDAP browsing, SQL server interaction, RAR/ZIP packaging, Simple Mail Transport, proxy service configuration, and reconnaissance tools such as FPORT—which assist the attackers in exploiting the networked systems by enumerating systems by type (POS, DB, AD, etc.), infecting those systems according to need, and establishing data harvesting and exfiltration methods.
  3. Harvesters that are custom utilities programmed to perform needed actions to harvest card data (RAM Scrapers such as DexterPOS malware), PIN/CVVs (Man-in-the-Middle HSM collector proxies), or bulk data (SQL miners that integrate network, database, and administrative functions), which provide persistent access, automated harvesting, and programmed exfiltration of data.

The malware described above provides compromise, exploitation, and persistent access to retail systems. This is the pattern of activity common to “advanced (or targeted) persistent threats” as it relates to retail environments. It should be noted that sometimes web service compromises take the place of phishing emails, and corporate systems usually already have all the tools that PUPs offer attackers. Sometimes attackers can simply make use of internet-accessible “administrative backdoors” such as RDP, VNC, or SSH access, which are unfortunately common network vulnerabilities (in all corporate systems). Our investigations of retail data breaches have consistently identified these types of malware tools, tactics and procedures.

The reason that these breaches have occurred is that the industry approach to identifying malware is broken. Malware is part of the toolkit employed by APT actors. It facilitates the activities and accordingly is a critical indicator of attacks.

Antivirus, White/Blacklist, in-flight recording, virtual machine reverse engineering, etc., are currently the tools available to retailers to assist in their defenses against constant APT attacks—but they don’t work. There are fundamentally two reasons: 1) they are after the fact, relying upon something someone else has seen (A/V and W/B lists) or resulting from analysis (IFR/VM); and 2) they are too “heavy” to serve the needs of the POS environment, as they require frequent signature updates or a human interaction.

Antivirus and White/Black list success depends upon either a signature or a heuristic match to an index of known patterns—from past submissions. Accordingly, the phishing emails that commonly employ zero-days or polymorphism to obfuscate recognizable signatures cannot be detected by Antivirus. Most of today’s malware also employs anti-VM or anti-reverse-engineering techniques, making it similarly undetectable by RE/VM analysis. IFR and related Incident Responder tools are by their nature not defensive—they are reactive or investigative.

Secondly, POS systems are stripped-down and often out-of-date operating systems (usually Windows XP or NT, sometimes even DOS). They have limited RAM and almost no available storage, so voluminous signature files that require frequent updates simply cannot be supported by POS.

That leaves retail environments needing a solution that will recognize malware based upon its properties, in a lightweight and fast functional format. The Cylance Infinity platform has that capability. Using an incredibly lightweight and extremely fast mathematical algorithm for determining maliciousness, Infinity technology can detect advanced and standard malware before the world has even seen it: truly predictive. This capability is what retail environments desperately need; the information stored in retail contains consumer identity and financial data that has real economic value and corresponding impact. Identifying and preventing constantly evolving (and evasive) compromise malware, man-in-the-middle data harvesters, and data exfiltrators simply cannot be overlooked.

The risks and threats described above are not unique to retail; they can be applied in any teller-related environment including financial services, insurance, healthcare, etc. However, retail has the most risk of economic and financial loss affecting the market. Several things need to change to help retail limit these risks:

  1. Payment card industry standards and regulations need to enforce a requirement to encrypt data wherever it is stored in retail or associated systems. There will still be some risk of RAM scrapers collecting transactional data, but at least the huge volumes of data that have been collected in past events from accessible databases will be prevented in future attacks (which will undoubtedly continue to occur).
  2. Retail must be provided with tools that recognize and prevent malware. Those tools must be suited to their needs, though. You can’t teach an old dog new tricks, but you can put a collar on it. Cylance Infinity tools (V and soon to be released PROTECT) are examples of the capabilities to address retail cyber threats. By applying math rather than signatures, malware can be identified even if it has never been seen before.
  3. This is certainly more long term—the entire US retailing/credit/banking system must consider moving to the chip and PIN card system that the European and world markets have largely adopted. Chip and PIN systems prevent these types of man-in-the-middle attacks because they encrypt the data secured from the card all the way through the payment processing backend. While nothing is unbreakable, it is a stronger solution that needs to be considered.
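The gap described earlier, that card data is encrypted in transit but sits in the clear in the hub's data stores, is what recommendation 1 closes. The Go code below is an added example, not part of this article or any retailer's system: it applies field-level encryption to the card number (PAN) before a transaction record is written, so that a copied database yields no usable card numbers while analytics can still group transactions by card. Assumptions: a 32-byte AES key released by the HSM and a separate token key, the names StoredTxn, NewPANCipher, StoreTxn and RecoverPAN, and a constructed test PAN; all are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// StoredTxn is what the hub keeps per transaction: no clear-text PAN, only a ciphertext, last four digits and a keyed token.
type StoredTxn struct {
	Store, Last4 string
	PANToken     string // hex HMAC-SHA256(tokenKey, PAN): stable per card for analytics, not reversible
	PANCipher    []byte // nonce || AES-256-GCM(PAN); the store name is bound as associated data
}
// NewPANCipher wraps the 32-byte key (assumed to be released by the HSM) in AES-256-GCM.
func NewPANCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreTxn runs in the hub before a transaction is written to any data store.
func StoreTxn(gcm cipher.AEAD, tokenKey []byte, store, pan string) (StoredTxn, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredTxn{}, fmt.Errorf("PAN length %d out of range", len(pan))
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return StoredTxn{}, err
	}
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(pan))
	return StoredTxn{Store: store, Last4: pan[len(pan)-4:], PANToken: fmt.Sprintf("%x", mac.Sum(nil)),
		PANCipher: gcm.Seal(nonce, nonce, []byte(pan), []byte(store))}, nil
}

// RecoverPAN is the only way back to the card number; it needs the HSM key and the same store name.
func RecoverPAN(gcm cipher.AEAD, t StoredTxn) (string, error) {
	n := gcm.NonceSize()
	if len(t.PANCipher) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, t.PANCipher[:n], t.PANCipher[n:], []byte(t.Store))
	return string(pt), err
}
```

Formatting a stored record with %x and searching it for the PAN finds nothing, while RecoverPAN with the same key and store name returns it; a record copied under a different store name fails to open because the name is bound as GCM associated data.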

Retail (and associated payment card) breaches will continue to be pursued by attackers; they are simply too lucrative to ignore. In today’s retail system architecture, they are also too easy to accomplish.

Woes at Target Continue – and other security breaches revealed

The trouble at Target continues post-Christmas as the details of the theft of data for 40 million credit and debit cards are shared.

Yesterday news agency Reuters began reporting that the PIN data was stolen.

“(Reuters) – The hackers who attacked Target Corp and compromised up to 40 million credit cards and debit cards also managed to steal encrypted personal identification numbers (PINs), according to a senior payments executive familiar with the situation.”

Target responded by saying that there was no evidence that unencrypted PIN data had been compromised, and no evidence that PIN data had been compromised.

But, how hard could it be for determined hackers to unencrypt a 4-digit PIN that is purely numerical? There are only 10,000 possible combinations. If a hacker was smart enough to have run his/her own card through the system and maybe one or two others, and could then see a few known PINs in encrypted form, it would seem a relatively straightforward exercise to create a software program and use brute force to reverse engineer the encryption.

Another method to acquire that data could have been to hack into an in-store video surveillance system and record customers as they use their cards and enter their PINs. Or even to have worked as a cashier and simply watched enough customers to learn some PINs and matched them to card numbers. Acquiring enough data to break the system seems not all that hard to do. So, no surprise that banks have lowered credit card limits and ATM withdrawal limits.

Meanwhile, as a regular and even enthusiastic credit card user (I do love those airline and hotel miles…), and now one who is much more concerned – as I suppose I should have been all along – I am going to see if I can change the settings on my credit cards to email me after every use of my card. That’s probably the earliest warning system possible.

“Chip and pin” (EMV) – credit cards with chips on them that require a PIN for each use – is due to arrive in 2015 in the United States. I, for one, would welcome it now. Even if it took retailers a full year to roll out the needed equipment, I would start using the card with a chip on it immediately and preferentially.

Memo to Master, Visa, Amex – how about taking the initiative here and offering chipped cards to US consumers AS AN OPTION… voluntary, right now?? I’ll bite. And I’ll pull that card out first, at every store I go to!

As for Target, they have my sympathies… there is a Super Target about five miles from me and I shop there occasionally – it’s a great store. Hope you get it all under control soon.

Article by Craig Aberle