Credit Card Fraud

Abstract

This chapter provides a single person case study of Mr. Dan DeFilippi who was arrested for credit card fraud by the US Secret Service in December 2004. The chapter delves into the psychology of a cybercriminal and the inner workings of credit card fraud. A background context of credit card fraud is presented to frame the primary interview. A section on the identification of issues and controversies with respect to carding is then given. Finally, recommendations are made by the convicted cybercriminal turned key informant on how to decrease the rising incidence of cybercrime. A major finding is that credit card fraud is all too easy to enact and merchants need to conduct better staff training to catch fraudsters early. With increases in global online purchasing, international carding networks are proliferating, making it difficult for law enforcement agencies to be “policing” unauthorized transactions. Big data may well have a role to play in analyzing behaviors that expose cybercrime.

Introduction

Fraud is about exploiting weaknesses. They could be weaknesses in a system, such as a lack of controls in a company’s accounting department or a computer security hole, or a weakness in human thinking such as misplaced trust. A cybercriminal finds a weakness with an expected payout high enough to offset the risk and chooses to become involved in the endeavor. This is very much like a traditional business venture except the outcome is the opposite. A business will profit by providing goods or services that its customers value. Fraud takes value away from its victims and only enriches those committing it.

Counterfeit documents rarely need to be perfect. They only need to be good enough to serve their purpose, fooling a system or a person in a given transaction. For example, a counterfeit ID card will be scrutinized more closely by the bouncer at a bar than by a minimum wage cashier at a large department store. Bouncers have incentive to detect fakes since allowing in underage drinkers could have dire consequences for the bar. There is much less incentive to properly train cashiers since fraud makes up a small percentage of retail sales. This is sometimes referred to as the risk appetite and tolerance of an organization (Levi, 2008).

Lack of knowledge and training of store staff is by far the biggest weakness exploited when counterfeit or fraudulent documents are utilized by cybercriminals. If the victim does not know the security features of a legitimate document, they will not know how to spot a fake. For example, Visa and MasterCard are the most widely recognized credit card brands. Their dove and globe holograms are well known. A card without one would be very suspicious. However, there are other less known credit card networks such as Discover and American Express. Their security features are not as well recognized which can be exploited. If a counterfeit credit card has an appearance of legitimacy it will be accepted.

Background

Dan DeFilippi was a black hat hacker in his teens and early twenties. In college he sold fake IDs, and later committed various scams, including phishing, credit card fraud, and identity theft. He was caught in December 2004. In order to avoid a significant jail sentence, DeFilippi decided to become an informant and work for the secret service for two years, providing training and consulting and helping them understand how hackers and fraudsters think. This chapter has been written through his eyes, his practices and learnings. Cybercriminals do not necessarily have to be perfect at counterfeiting, but they do have to be superior social engineers not to get caught. While most of the cybercrime now occurs remotely over the Internet, DeFilippi exploited the human factor. A lot of the time, he would walk into a large electronics department store with a fake credit card, buy high-end items like laptops, and then proceed to sell them online for a reduced price. He could make thousands of dollars like this in a single week.

In credit card fraud, the expected payout is so much higher than traditional crimes and the risk of being caught is often much lower making it a crime of choice. Banks often write off fraud with little or no investigation until it reaches value thresholds. It is considered a cost of doing business and additional investigation is considered to cost more than it is worth. Banks in Australia, for instance, used to charge about $250 to investigate an illegal transaction, usually passing the cost onto the customer before 2002. Today they usually do not spend effort on investigating such low-value transactions but rather redirect attention on how to uphold their brand. Since about the mid-2000s, banks also have openly shared more security breaches with one another which have acted to aid law enforcement task forces to respond in a timely manner to aid in investigating cybercrime. Yet, local law enforcement continues to struggle with the investigation of electronic fraud due to lack of resources, education, or jurisdictional issues. Fraud cases may span across multiple countries requiring complex cooperation and coordination between law enforcement agencies. A criminal may buy stolen credit cards from someone living on another continent, use them to purchase goods online in state 1, have the goods shipped to state 2 while living in state 3, with the card stolen from someone in state 4.

Online criminal communities and networks, or the online underground, are often structured similarly to a loose gang. New members (newbies) have to earn the community’s trust. Items offered for sale have to be reviewed by a senior member or approved reviewer before being offered to the public. Even when people are considered “trustworthy” there is a high level of distrust between community members due to a significant level of law enforcement and paranoia from past crackdowns. Very few people know anyone by their real identity. Everyone tries to stay as anonymous as possible. Many people use multiple handles and pseudonyms for different online activities, such as one for buying, one or more for selling, and one for online discussion through asynchronous text-based chat. This dilutes their reputation but adds an additional layer of protection.

The most desirable types of fraud in these communities, and for monetary crime in general, involves directly receiving cash instead of goods. Jobs, such as “cashing out” stolen debit cards at ATMs, are sought after by everyone and are handled by the most trusted community members. Due to their desirability the proceeds are often split unequally, with the card provider taking a majority share of the reward and the “runner” taking a majority of the risk. The types of people in these communities vary from teens looking to get a new computer for free to members of organized crime syndicates. With high unemployment rates, low wages, and low levels of literacy particularly in developing nations, it is no surprise that a large number of credit card fraud players are eastern European or Russian with suspected ties to organized crime. It is a quick and easy way of making money if you know what you are doing.

Of course, things have changed a little since DeFilippi was conducting his credit card fraud between 2001 and 2004. Law enforcement agencies now have whole task forces dedicated to online fraud. Bilateral and multilateral treaties are in place with respect to cybercrime, although this still lacks the buy-in of major state players and even states where cybercrime is flourishing (Broadhurst, 2006). In terms of how technology has been used to combat credit card fraud, the Falcon system has been able to help in fraud that would have otherwise gone unnoticed. If the Falcon system identifies any transaction as suspect or unusual, the bank will attempt to get in touch with the cardholder to ascertain whether or not it is an authentic transaction. If individuals cannot be reached directly, then their card is blocked until further confirmation of a given transaction. Banks continue to encourage travelers to contact them when their pattern of credit card use changes, e.g. when travelling abroad. Software platforms nowadays do much of the analytical processing with respect to fraud detection. Predictive analytics methods, not rule-based methods, are changing the way fraud is discovered (Riordan et al., 2012). Additionally, banks have introduced two factor (also known as multifactor) authentication requirements which means an online site requires more than just a cardholder’s username and password. Commonly this takes the form of a SMS or a phone call to a predesignated number containing a randomized code. Single factor authentication is now considered inadequate in the case of high-risk transactions, or movement of funds to other parties (Aguilar, 2015).

Main Focus of Chapter 

Issues, Controversies, Problems

Katina Michael: Dan, let’s start at the end of your story which was the beginning of your reformation. What happened the day you got caught for credit card fraud?

Dan DeFilippi: It was December 2004 in Rochester, New York. I was sitting in my windowless office getting work done, and all of a sudden the door burst open, and this rush of people came flying in. “Get down under your desks. Show your hands. Hands where I can see them.” And before I could tell what was going on, my hands were cuffed behind my back and it was over. That was the end of that chapter of my life.

Katina Michael: Can you tell us what cybercrimes you committed and for how long?

Dan DeFilippi: I had been running credit card fraud, identity theft, document forgery pretty much as my fulltime job for about three years, and before that I had been a hacker.

Katina Michael: Why fraud? What led you into that life?

Dan DeFilippi: Everybody has failures. Not everybody makes great decisions in life. So why fraud? What led me to this? I mean, I had great parents, a great upbringing, a great family life. I did okay in school, and you know, not to stroke my ego too much, but I know I am intelligent and I could succeed at whatever I chose to do. But when I was growing up, one of the things that I’m really thankful for is my parents taught me to think for myself. They didn’t just focus on remembering knowledge. They taught me to learn, to think, to understand. And this is really what the hacker mentality is all about. And when I say hacker, I mean it in the traditional sense. I don’t mean it as somebody in there stealing from your company. I mean it as somebody out there seeking knowledge, testing the edges, testing the boundaries, pushing the limits, and seeing how things work. So growing up, I disassembled little broken electron­ics and things like that, and as time went on this slowly progressed into, you know, a so-called hacker.

Katina Michael: Do you remember when you actually earned your first dollar by conducting cybercrime?

Dan DeFilippi: My first experience with money in this field was towards the end of my high school. And I realized that my electronics skills could be put to use to do something beyond work. I got involved with a small group of hackers that were trying to cheat advertising systems out of money, and I didn’t even make that much. I made a couple of hundred dollars over, like, a year or something. It was pretty much insignificant. But it was that experience, that first step, that kind of showed me that there was something else out there. And at that time I knew theft and fraud was wrong. I mean, I thought it was stealing. I knew it was stealing. But it spiraled downwards after that point.

Katina Michael: Can you elaborate on how your thinking developed towards earn­ing money through cybercrime?

Dan DeFilippi: I started out with these little things and they slowly, slowly built up and built up and built up, and it was this easy money. So this initial taste of being able to make small amounts, and eventually large amounts of money with almost no work, and doing things that I really enjoyed doing was what did it for me. So from there, I went to college and I didn’t get involved with credit card fraud right away. What I did was, I tried to find a market. And I’ve always been an entrepreneur and very business-minded, and I was at school and I said, “What do people here need? ... I need money, I don’t really want to work for somebody else, I don’t like that.” I realized people needed fake IDs. So I started selling fake IDs to college students. And that again was a taste of easy money. It was work but it wasn’t hard work. And from there, there’s a cross-over here between forged documents and fraud. So that cross-over is what drew me in. I saw these other people doing credit card fraud and mak­ing money. I mean, we’re talking about serious money. We’re talking about thousands of dollars a day with only a few hours of work and up.

Katina Michael: You strike me as someone who is very ethical. I almost cannot imagine you committing fraud. I’m trying to understand what went wrong?

Dan DeFilippi: And where were my ethics and morals? Well, the problem is when you do something like this, you need to rationalize it, okay? You can’t worry about it. You have to rationalize it to yourself. So everybody out there commit­ting fraud rationalizes what they’re doing. They justify it. And that’s just how our brains work. Okay? And this is something that comes up a lot on these online fraud forums where people discuss this stuff openly. And the question is posed: “Well, why do you do this? What motivates you? Why, why is this fine with you? Why are you not, you know, opposed to this?” And often, and the biggest thing I see, is like, you know, the Robin Hood scenario- “I’m just stealing from a faceless corporation. It’s victimless.” Of course, all of us know that’s just not true. It impacts the consumers. But everybody comes up with their own reason. Everybody comes up with an explanation for why they’re doing it, and how it’s okay with them, and how they can actually get away with doing it.

Katina Michael: But how does a sensitive young man like you just not realize the impact they were having on others during the time of committing the crimes?

Dan DeFilippi: I’ve never really talked about that too much before... Look the aver­age person when they know they’ve acted against their morals feels they have done wrong; it’s an emotional connection with their failure and emotionally it feels negative. You feel that you did something wrong no one has to tell you the crime type, you just know it is bad. Well, when you start doing these kinds of crimes, you lose that discerning voice in your head. I was completely dis­connected from my emotions when it came to these types of fraud. I knew that they were ethically wrong, morally wrong, and you know, I have no interest in committing them ever again, but I did not have that visceral reaction to this type of crime. I did not have that guilty feeling of actually stealing something. I would just rationalize it.

Katina Michael: Ok. Could I ask you whether the process of rationalization has much to do with making money? And perhaps, how much money did you actu­ally make in conducting these crimes?

Dan DeFilippi: This is a pretty common question and honestly I don’t have an answer. I can tell you how much I owe the government and that’s ... well, I suppose I owe Discover Card ... I owed $209,000 to Discover Card Credit Card Company in the US. Beyond that, I mean, I didn’t keep track. One of the things I did was, and this is kind of why I got away with it for so long, is I didn’t go crazy. I wasn’t out there every day buying ten laptops. I could have but chose not to. I could’ve worked myself to the bone and made millions of dollars, but I knew if I did that the risk would be significantly higher. So I took it easy. I was going out and doing this stuff one or two days a week, and just living comfortably but not really in major luxury. So honestly, I don’t have a real figure for that. I can just tell you what the government said.

Katina Michael: There is a perception among the community that credit card fraud is sort of a non-violent crime because the “actor” being defrauded is not a person but an organization. Is this why so many people lie to the tax office, for instance?

Dan DeFilippi: Yeah, I do think that’s absolutely true. If we are honest about it, everyone has lied about something in their lifetime. And people... you’re right, you’re absolutely right, that people observe this, and they don’t see it in the big picture. They think of it on the individual level, like I said, and people see this as a faceless corporation, “Oh, they can afford it.” You know, “no big deal”. You know, “Whatever, they’re ripping off the little guy.” You know. People see it that way, and they explain it away much easier than, you know, somebody going off and punching someone in the face and then proceeding to steal their wallet. Even if the dollar figure of the financial fraud is much higher, people are generally less concerned. And I think that’s a real problem because it might entice some people into committing these crimes because they are considered “soft”. And if you’re willing to do small things, it’s going to, as in my case, eventually spiral you downwards. I started with very small fraud, and then got larger. Not that everybody would do that. Not that the police officer taking the burger for free from Burger King is going to step up to, you know, to extortion or something, but certainly it could, could definitely snowball and lead to something.

Katina Michael: It has been about 6 years since you were arrested. Has much has changed in the banking sector regarding triggers or detection of cybercriminal acts?

Dan DeFilippi: Yeah. What credit card companies are doing now is pattern match­ing and using software to find and root out these kind of things. I think that’s really key. You know, they recognize patterns of fraud and they flag it and they bring it out. I think using technology to your advantage to identify these patterns of fraud and investigate, report and root them out is probably, you know, one of the best techniques for dollar returns.

Katina Michael: How long were you actually working for the US Secret Service, as a matter of interest? Was it the length of your alleged, or so-called prison term, or how did that work?

Dan DeFilippi: No. So I was arrested early December 2004. I started working with the Secret Service in April 2005, so about six months later. And I worked with them fulltime almost for two years. I cut back on the hours a little bit towards the end, because I went back to university. But it was, it was almost exactly two years, and most of it was fulltime.

Katina Michael: I’ve heard that the US is tougher on cybercrime relative to other crimes. Is this true?

Dan DeFilippi: The punishment for credit card fraud is eight-and-a-half years in the US.

Katina Michael: Do these sentences reduce the likelihood that someone might get caught up in this kind of fraud?

Dan DeFilippi: It’s a contested topic that’s been hotly debated for a long time. And also in ethics, you know, it’s certainly an interesting topic as well. But I think it depends on the type of person. I wasn’t a hardened criminal, I wasn’t the fella down on the street, I was just a kid playing around at first that just got more serious and serious as time went on. You know, I had a great upbring­ing, I had good morals. And I think to that type of person, it does have an impact. I think that somebody who has a bright future, or could have a bright future, and could throw it all away for a couple of hundred thousand dollars, or whatever, they recognize that, I think. At least the more intelligent people recognize it in that ... you know, “This is going to ruin my life or potentially ruin a large portion of my life.” So, I think it’s obviously not the only deterrent but it can certainly be useful.

Katina Michael: You note that you worked alone. Was this always the case? Did you recruit people to assist you with the fraud and where did you go to find these people?

Dan DeFilippi: Okay. So I mainly worked alone but I did also work with other people, like I said. I was very careful to protect myself. I knew that if I had partners that I worked with regularly it was high risk. So what I did was on these discussion forums, I often chatted with people beyond just doing the credit card fraud, I did other things as well. I sold fake IDs online. I sold the printed cards online. And because I was doing this, I networked with people, and there were a few cases where I worked with other people. For example, I met somebody online. Could have been law enforcement, I don’t know. I would print them a card, send it to them, they would buy something in the store, they would mail back the item, the thing they bought, and then I would sell them online and we would split the money 50/50.

Katina Michael: Was this the manner you engaged others? An equal split?

Dan DeFilippi: Yes, actually, exactly the same deal for instance, with the person I was working with in person, and that person I met through my fake IDs. When I had been selling the fake IDs, I had a network of people that resold for me at the schools. He was one of the people that had been doing that. And then when he found out that I was going to stop selling IDs, I sort of sold him my equipment and he kind of took over. And then he realized I must have something else going on, because why would I stop doing it, it must be pretty lucrative. So when he knew that, you know, he kept pushing me. “What are you doing? Hey, I want to get involved.” And this and that. So it was that person that I happened to meet in person that in the end was my downfall, so to speak.

Katina Michael: Did anyone, say a close family or friend, know what you were doing?

Dan DeFilippi: Absolutely not. No. And I, I made it a point to not let anyone know what I was doing. I almost made it a game, because I just didn’t tell anybody anything. Well, my family I told I had a job, you know, they didn’t know... but all my friends, I just told them nothing. They would always ask me, you know, “Where do you get your money? Where do you get all this stuff?” and I would just say, “Well, you know, doing stuff.” So it was a mystery. And I kind of enjoyed having this mysterious aura about me. You know. What does this guy do? And nobody ever thought it would be anything illegitimate. Everybody thought I was doing something, you know, my own webs ites, or maybe thought I was doing something like pornography or something. I don’t know. But yeah, I definitely did not tell anybody else. I didn’t want anybody to know.

Katina Michael: What was the most outrageous thing you bought with the money you earned from stolen credit cards?

Dan DeFilippi: More than the money, the outrageous things that I did with the cards is probably the matter. In my case the main motivation was not the money alone, the money was almost valueless to a degree. Anything that anyone could buy with a card in a store, I could get for free. So, this is a mind-set change a fraudster goes through that I didn’t really highlight yet. But money had very little value to me, directly, just because there was so much I could just go out and get for free. So I would just buy stupid random things with these stolen cards. You know, for example, the case where I actually ended up leading to my arrest, we had gone out and we had purchased a laptop before that one that failed, and we bought pizza. You know? So you know, a $10 charge on a stolen credit card for pizza, risking arrest, you know, for, for a pizza. And I would buy stupid stuff like that all the time. And just because I knew it, I had that experience, I could just get away with it mostly.

Katina Michael: You’ve been pretty open with interviews you’ve given. Why?

Dan DeFilippi: It helped me move on and not to keep secrets.

Katina Michael: And on that line of thinking, had you ever met one of your victims? And I don’t mean the credit card company. I actually mean the individual whose credit card you defrauded?

Dan DeFilippi: So I haven’t personally met anyone but I have read statements. So as part of sentencing, the prosecutor solicited statements from victims. And the mind-set is always, “Big faceless corporation, you know, you just call your bank and they just, you know, reverse the charges and no big deal. It takes a little bit of time, but you know, whatever.” And the prosecutor ended up get­ting three or four statements from individuals who actually were impacted by this, and honestly, you know, I felt very upset after reading them. And I do, I still go back and I read them every once in a while. I get this great sinking feeling, that these people were affected by it. So I haven’t actually personally met anyone but just those statements.

Katina Michael: How much of hacking do you think is acting? To me traditional hacking is someone sort of hacking into a website and perhaps downloading some data. However, in your case, there was a physical presence, you walked into the store and confronted real people. It wasn’t all card-not-present fraud where you could be completely anonymous in appearance.

Dan DeFilippi: It was absolutely acting. You know, I haven’t gone into great detail in this interview, but I did hack credit card information and stuff, that’s where I got some of my info. And I did online fraud too. I mean, I would order stuff off websites and things like that. But yeah, the being in the store and playing that role, it was totally acting. It was, like I mentioned, you are playing the part of a normal person. And that normal person can be anybody. You know. You could be a high-roller, or you could just be some college student going to buy a laptop. So it was pure acting. And I like to think that I got reasonably good at it. And I would come up with scenarios. You know, ahead of time. I would think of scenarios. And answers to situations. I came up with techniques that I thought worked pretty well to talk my way out of bad situations. For example, if I was going to go up and purchase something, I might say to the cashier, before they swiped the card, I’d say, “Oh, that came to a lot more than I thought it would be. I hope my card works.” So that way, if something happened where the card was declined or it came up call for authorization, I could say, “Oh yeah, I must not have gotten my payment” or something like that. So, yeah, it was definitely acting.

Katina Michael: You’ve mentioned this idea of downward spiraling. Could you elaborate?

Dan DeFilippi: I think this is partially something that happens and it happens if you’re in this and do this too much. So catching people early on, before this takes effect is important. Now, when you’re trying to catch people involved in this, you have to really think about these kinds of things. Like, why are they doing this? Why are they motivated? And the thought process, like I was saying, is definitely very different. In my case, because I had this hacker background, and I wasn’t, you know, like some street thug who just found a computer. I did it for more than just the money. I mean, it was certainly because of the chal­lenge. It was because I was doing things I knew other people weren’t doing. I was kind of this rogue figure, this rebel. And I was learning at the edge. And especially, if I could learn something, or discover something, some technique, that I thought nobody else was using or very few people were using it, to me that was a rush. I mean, it’s almost like a drug. Except with a drug, with an addict, you’re chasing that “first high” but can’t get back to it, and with credit card fraud, your “high” is always going up. The more money you make, the better it feels. The more challenges you complete, the better you feel.

Katina Michael: You make it sound so easy. That anyone could get into cybercrime. What makes it so easy?

Dan DeFilippi: So really, you’ve got to fill the holes in the systems so they can’t be exploited. What happens is crackers, i.e. criminal hackers, and fraudsters, look for easy access. If there are ten companies that they can target, and your company has weak security, and the other nine have strong security, they’re going after you. Okay? Also, in the reverse. So if your company has strong security and nine others have weak security, well, they’re going to have a field-day with the others and they’re just going to walk past you. You know, they’re just going to skip you and move on to the next target. So you need to patch the holes in your technology and in your organization. I don’t know if you’ve noticed recently, but there’s been all kinds of hacking in the news. The PlayStation network was hacked and a lot of US targets. These are basic things that would have been discovered had they had proper controls in place, or proper security auditing happening.

Katina Michael: Okay, so there is the systems focus of weaknesses. But what about human factor issues?

Dan DeFilippi: So another step to the personnel is training. Training really is key. And I’m going to give you two stories, very similar but with totally different outcomes, that happened to me. So a little bit more about what I used to do frequently. I would mainly print fake credit cards, put stolen data on those cards and use them in store to go and purchase items. Electronics, and things like that, to go and re-sell them. So ... and in these two stories, I was at a big- box well-known electronics retailer, with a card with a matching fake ID. I also made the driver’s licenses to go along with the credit cards. And I was at this first location to purchase a laptop. So pick up your laptop and then go through the standard process. And when committing this type of crime you have to have a certain mindset. So you have to think, “I am not committing a crime. I am not stealing here. I am just a normal consumer purchasing things. So I am just buying a laptop, just like any other person would go into the store and buy a laptop.” So in this first story, I’m in the store, purchasing a laptop. Picked it out, you know, went through the standard process, they went and swiped my card. And it came up with a ‘CFA’ – call for authorization. Now, a call for authorization is a case where it’s flagged on the computer and you actually have to call in and talk to an operator that will then verify additional information to make sure it’s not fraud. If you’re trying to commit fraud, it’s a bad thing. You can’t verify this, right? Right? So this is a case where it’s very possible that you could get caught, so you try to talk your way out of the situation. You try to walk away, you try to get out of it. Well, in this case, I was unable to escape. I was unable to talk my way out of it, and they did the call for authorization. They called in. We had to go up to the front of the store, there was a customer service desk, and they had somebody up there call it in and discuss this with them. And I didn’t overhear what they were saying. I had to stand to the side. About five or ten minutes later, I don’t know, I pretty much lost track of time at that point, they come back to me and they said, “I’m sorry, we can’t complete this transaction because your information doesn’t match the information on the credit card account.” That should have raised red flags. That should have meant the worse alarm bells possible.

Katina Michael: Indeed.

Dan DeFilippi: There should have been security coming up to me immediately. They should have notified higher people in the organization to look into the matter. But rather than doing that, they just came up to me, handed me back my cards and apologized. Poor training. So just like a normal consumer, I act surprised and alarmed and amused. You know, and I kind of talked my way out of this too, “You know, what are you talking about? I have my ID and here’s my card. Obviously this is the real information.” Whatever. They just let me walk out of the store. And I got out of there as quickly as possible. And you know, basically walked away and drove away. Poor training. Had that person had the proper training to understand what was going on and what the situation was, I probably would have been arrested that day. At the very least, there would have been a foot-chase.

Katina Michael: Unbelievable. That was very poor on the side of the cashier. And the other story you were going to share?

Dan DeFilippi: The second story was the opposite experience. The personnel had proper training. Same situation. Different store. Same big-box electronic store at a different place. Go in. And this time I was actually with somebody else, who was working with me at the time. We go in together. I was posing as his friend and he was just purchasing a computer. And this time we, we didn’t really approach it like we normally did. We kind of rushed because we’d been out for a while and we just wanted to leave, so we kind of rushed it faster than a normal person would purchase a computer. Which was unusual, but not a big deal. The person handling the transaction tried to upsell, upsell some things, warranties, accessories, software, and all that stuff, and we just, “No, no, no, we don’t ... we just want to, you know, kind of rush it through.” Which is kind of weird, but okay, it happens.

Katina Michael: I’m sure this would have raised even a little suspicion however.

Dan DeFilippi: So when he went to process the transaction, he asked for the ID with the credit card, which happens at times. But at this point the person I was with started getting a little nervous. He wasn’t as used to it as I was. My biggest thing was I never panicked, no matter what the situation. I always tried to not show nervousness. And so he’s getting nervous. The guy’s checking his ID, swipes the card, okay, finally going to go through this, and call for authorization. Same situation. Except for this time, you have somebody here who’s trying to
do the transaction and he is really, really getting nervous. He’s shifting back and forth. He’s in a cold sweat. He’s fidgeting. Something’s clearly wrong with this transaction. Now, the person who was handling this transaction, the person who was trying to take the card payment and everything, it happened to be the manager of this department store. He happened to be well-trained. He happened to know and realize that something was very wrong here. Something
was not right with this transaction. So the call for authorization came up. Now, again, he had to go to the front of the store. He, he never let that credit card and fake ID out of his hands. He held on to them tight the whole time. There was no way we could have gotten them back. So he goes up to the front and he says, “All right, well, we’re going to do this.” And we said, “Okay, well, we’ll go and look at the stock while you’re doing it.” You know. I just sort of tried to play off, and as soon as he walked away, I said, “We need to get out of here.” And we left; leaving behind the ID and card. Some may not realize it as I am retelling the story, but this is what ended up leading to my arrest. They ran his photo off his ID on the local news network, somebody recognized him, turned him in, and he turned me in. So this was an obvious case of good, proper training. This guy knew how to handle the situation, and he not only prevented that fraud from happening, he prevented that laptop from leaving the store. But he also helped to catch me, and somebody else, and shot down what I was doing. So clearly, you know, failing to train people leads to failure. Okay? You need to have proper training. And you need to be able to handle the situation.

Katina Michael: What did you learn from your time at the Secret Service?

Dan DeFilippi: So a little bit more in-depth on what I observed of cybercriminals when I was working with the Secret Service. Now, this is going to be a little aside here, but it’s relevant. So people are arrogant. You have to be arrogant to commit a crime, at some level. You have to think you can get away with it. You’re not going to do it if you can’t, you know, if you think you’re going to get caught. So there’s arrogance there. And this same arrogance can be used against them. Up until the point where I got caught in the story I just told you that led to my arrest, I was arrogant. I actually wasn’t protecting myself as well as I had been, should have been. Had I been investigated closer, had law enforcement being monitoring me, they could have caught me a lot earlier. I left traces back to my office. I wasn’t very careful with protecting my office, and they could have come back and found me. So you can play off arrogance but also ignorance, obviously. They go hand-in-hand. So the more arrogant somebody is, the more risk they’re willing to take. One of the things we found frequently works to catch people was email. Most people don’t realize that email actually contains the IP address of your computer. This is the identifier on the Internet to distinguish who you are. Even a lot of criminals who are very intelligent, who are involved in this stuff, do not realize that email shows this. And it’s very easy. You just look at the source of the email and boom, there you go. You’ve got somebody’s location. This was used countless times, over and over, to catch people. Now, obviously the real big fish, the people who are really intelligent and really in this, take steps to protect themselves with that, but then those are the people who are supremely arrogant.

Katina Michael: Can you give us a specific example?

Dan DeFilippi: One case that happened a few years ago, let’s call the individual “Ted”. He actually ran a number of these online forums. These are “carding” forums, online discussion boards, where people commit these crimes. And he was extremely arrogant. He was extremely, let’s say, egotistical as well. He was very good at what he did. He was a good cracker, though he got caught multiple times. So he actually ran one of these sites, and it was a large site, and in the process, he even hacked law enforcement computers and found out information about some of these other operations that were going on. Actu­ally outed some, some informants, but the people didn’t believe him. A lot of people didn’t believe him. And his arrogance is really what led to his downfall. Because he was so arrogant he thought that he could get away with everything. He thought that he was protecting himself. And the fact of the matter was, law enforcement knew who he was almost the whole time. They tracked him back using basic techniques just like using email. Actually email was used as part of the evidence, but they actually found him before that. And it was his arrogance that really led to his getting arrested again, because he just didn’t protect himself well enough. And this really I cannot emphasize it enough, but this can really be used against people.

Katina Michael: Do you think that cybercrimes will increase in size and number and impact?

Dan DeFilippi: Financial crime is going up and up. And everybody knows this. The reality is that technology works for criminals as much as it works for businesses. Large organizations just can’t evolve fast enough. They’re slow in comparison to cybercriminals.

Katina Michael: How so?

Dan DeFilippi: A criminal’s going to use any tools they can to commit their crimes. They’re going to stay on top of their game. They’re going to be at the forefront of technology. They’re going to be the ones out there pioneering new tech­niques, finding the holes before anybody else, in new systems to get access to your data. They’re going to be the ones out there, and combining that with the availability of information. When I started hacking back in the ‘90s, it was not easy to learn. You really pretty much had to go into these chat-rooms and become kind of like an apprentice. You had to have people teach you.

Katina Michael: And today?

Dan DeFilippi: Well after the 2000s, when I started doing the identification stuff, there was easier access to data. There were more discussion boards, places where you could learn about these things, and then today it’s super easy to find any of this information. Myself, I actually wrote some tutorials on how to conduct credit card fraud. I wrote, like, a guide to in-store carding. I included how to go about it, what equipment to use, what to purchase, and it’s all out there in the public domain. You don’t even have to understand any of this. You know, you could know nothing about technology, spend a few hours online searching for this stuff, learn how to do it, and order the stuff overnight and the next day you could be out there going and doing this stuff. That’s how easy it is. And that’s why it’s really going up, in my opinion.

Katina Michael: Do you think credit card fraudsters realize the negative conse­quences of their actions?

Dan DeFilippi: People don’t realize that there is a real negative consequence to this nowadays. I’m not sure what the laws are in Australia about identity theft and credit card fraud, but in the United States, it used to be very, very easy to get away with. If you were caught, it would be a slap on the wrist. You would get almost nothing happening to you. It was more like give the money back, and possibly serve jail time if it was a repeat offence, but really that was no deterrent. Then it exploded post dot com crash, then a few years ago, we passed a new law that it’s a mandatory two years in prison if you commit identity theft. And credit card fraud is considered identity theft in the United States. So you’re guaranteed of some time in jail if caught.

Katina Michael: Do you think people are aware of the penalties?

Dan DeFilippi: People don’t realize it. And they think, “Oh, it’s nothing, you know, a slap on the wrist.” There is a need for more awareness, and campaigning on this matter. People need to be aware of the consequences of their actions. Had I realized how much time I could serve for this kind of crime, I probably would have stopped sooner. Long story short, because I worked with the Se­cret Service and trained them for a few years, I managed to keep myself out of prison. Had I not done that, I would have actually been facing eight-and-a-half years. That’s serious, especially for somebody who’s in their early 20s. And really had that happened, my future would have been ruined, I think. I probably would have become a lifelong criminal because prisons are basically teaching institutions for crime. So really I, had I known, had I realized it, I wouldn’t have done it. And I think especially younger people, if they realize that the major consequences to these actions, that they can be caught nowadays, that there are people out there looking to catch them, that really would help cut back on this. Also catching people earlier of course is more ideal. Had I been caught early on, before my mind-set had changed and the emotional ties had been broken, I think I would have definitely stopped before it got this far. It would have made a much bigger impact on me. And that’s it.

Future Research Directions

Due to the availability of information over the Internet, non-technical people can easily commit “technical” crimes. The internet has many tutorials and guides to committing fraud, ranging from counterfeit documents to credit card fraud. Many of the most successful are hackers turned carders, those who understand and know how to exploit technology to commit their crimes (Turgeman-Goldschmidt, 2008). They progress from breaking into computers to committing fraud when they discover how much money there is to be made. All humans rationalize their actions. The primary rationalization, criminals use when committing fraud, is blaming the victim. They claim that the victim should have been more knowledgeable, should have taken more steps to protect themselves, or taken some action to avoid the fraud. Confidence scams were legal in the US until a decade ago due to the mindset that it was the victim’s fault for falling for the fraud. There needs to be a lot more research conducted into the psychology of the cybercriminal. Of course technological solutions abound in the market, but it is less of a technology problem, than a human factor problem. Technology solution patents for making credit cards more secure abound. But with near field communication (NFC) cards now on the market, fraud is being propelled as investment continues in insecure devices. One has to wonder why these technologies are being chosen when they just increase the risk appetite. There also has to be more campaigning in schools, informing young people of the consequences of cybercrime, especially given so many schools are now mandating the adoption of tablets and other mobile devices in high school.

Conclusion

Avoiding detection, investigation, and arrest for committing identity theft or electronic fraud is, in most cases, fairly simple when compared to other types of crime. When using the correct tools, the internet allows the perpetrator to maintain complete anonymity through much of the crime (Wall, 2015). In the case of electronic fraud, the only risk to the perpetrator is when receiving the stolen money or goods. In some cases, such as those involving online currencies designed to be untraceable, it may be impossible for authorities to investigate due to anonymity built into the system. The internet and broad reach of information is a two-way street and can also work in law enforcement’s favor. Camera footage of a crime, such as someone using a stolen credit card at a department store, can now be easily and inexpensively distributed for the public to see. The same tools that keep criminals anonymous can be used by law enforcement to avoid detection during investigations. As with “traditional” crimes, catching a fraudster comes down to mistakes. A single mistake can unravel the target’s identity. One technique used by the US Secret Service is to check emails sent by a target for the originating IP address. This is often overlooked. Engaging a target in online chat and subpoenaing IP records from the service provider is often successful as well. Even the most technologically savvy criminal may slip up once and let their true IP address through.

Many types of fraud can be prevented through education. The general population becomes less vulnerable and law enforcement is more likely to find the perpetrator. A store clerk who is trained to recognize the security features of credit cards, checks, and IDs will be able to catch a criminal in the act. The problem with education is its cost. A store may not find a positive return on investment for the time spent training minimum wage employees. Law enforcement may not have the budget for additional training or the personnel available to investigate the crime. Added security can also prevent certain types of crime. Switching from magnetic stripe to chip and PIN-based payment cards reduced card present fraud in Europe but then we have seen the introduction more recently of NFC cards that do not require a PIN for a transaction less than $100. Consumers may be reluctant to adopt new technologies due to the added process or learning curve. Chip and PIN have not been adopted in the USA due to reluctance of merchants and banks. The cost of the change is seen as higher than the cost of fraud. NFC cards on the other hand allegedly add to convenience of conducting transactions and have seen a higher uptake in Australia. However, some merchants refuse to accept NFC transactions, as usually fraudsters go undetected and the merchant is left to with problems to address. Human exploitation is the largest factor of fraud and can make or break a scam (Hadnagy, 2011). Social engineering can play an important role when exploiting a system. Take using a stolen credit card to purchase an item in a store. If the fraudster appears nervous and distracted employees may become suspicious. Confidence goes a long way. When purchasing a large ticket item, the fraudster may suggest to the cashier that he hopes the total is not over his limit or that he hopes his recent payment has cleared. When presented with an explanation for failure before a failure happens, the employee is less likely to expect fraud. However, if there is more training invested when new employees start at an organization, the likelihood that basic frauds will be detected is very high. There is also the incidence of insider attack which is growing, where an employee, knowingly accepts an illegitimate card from a known individual, and then splits the profits. Loss prevention strategies need to be implemented by organizations and the sector as a whole need to address the credit card fraud problem in a holistic manner with all the relevant stakeholders engaged and working together to crack down on cybercrime.

References

Aguilar, M. (2015). Here's Why Your Bank Account Is Less Secure Than Your Gmail. Gizmodo. Retrieved from http://gizmodo.com/heres-why-your-bank-account-is-less-secure-than-your-gm-1683777281

Broadhurst R. (2006). Developments in the global law enforcement of cyber‐crime.Policing: An International Journal of Police Strategies & Management, 29(3), 408–433. 10.1108/13639510610684674

Hadnagy C. (2011). Social Engineering: The Art of Human Hacking. Indiana: John Wiley.

Herley, C., van Ooirschot, P.C., & Patrick, A.S. (20). Passwords: If We’re So Smart, Why Are We Still Using Them? Financial Cryptography and Data Security, LNCS (Vol. 5628, pp. 230-237).

Levi M. (2008). Organized fraud and organizing frauds: Unpacking research on networks and organization.Criminology & Criminal Justice, 8(4), 389–419. 10.1177/1748895808096470

Reardon, B., Nance, K., & McCombie, S. (2012). Visualization of ATM Usage Patterns to Detect Counterfeit Cards Usage. Proceedings of the45th Hawaii International Conference on System Science (HICSS). Hawaii (pp. 3081-3088). 10.1109/HICSS.2012.638

Turgeman-Goldschmidt O. (2008). Meanings that hackers assign to their being a hacker. International Journal of Cyber Criminology, 2(2), 382–396.

Wall, D. S. (2015). The Internet as a conduit for criminal activity. In A. Pattavina (Ed.), Information Technology and the Criminal Justice System (pp. 77-98). London: Sage Publications.

Key Terms and Definitions

Authorization: Authorizing electronic transactions done with a credit card and holding this balance as unavailable until either the merchant clears the transaction or the hold ceases.

Call for Authorization: Also known as CFA. A message that may come up when attempting to purchase something using a credit card. Requires the store to call in and verify the transaction.

Carding: Illegal use of a credit card. When criminals use carding to verify the validity of stolen card data, they test it the card by presenting it to make a small online purchase on a website that has real-time transaction processes. If the card is processed successfully, the thief knows the card is still good to use.

Card-Not-Present Fraud: Card-not-present fraud is when you make purchases over the phone or internet using card details without the card being physically presented.

Credit Card Fraud: Defined as the fraudulent acquisition and/or use of credit cards or card details for financial gain.

Cybercrime: Either crimes where computers or other information technologies are an integral part of an offence or crimes directed at computers or other information technologies (such as hacking or unauthorized access to data).

Hacking: Criminals can hack into databases of account details held by banks that hold customer information, or intercept account details that travel in unencrypted form. Hacking bank computers can lead to the withdrawal of sums of money in excess of account credit balances.

Identity Document Forgery: The process by which identity documents issued by banks are copied and/or modified by unauthorized persons for the purpose of deceiving those who would view the documents about the identity of the bearer.

Merchant: Account that allows businesses to process credit card transactions.

Risk Appetite and Tolerance: Can be defined as ‘the amount and type of risk that an organization is willing to absorb in order to meet their strategic objectives.

Citation: DeFilippi, Dan and Katina Michael. "Credit Card Fraud: Behind the Scenes." Online Banking Security Measures and Data Protection. IGI Global, 2017. 263-282. Web. 6 Jan. 2018. doi:10.4018/978-1-5225-0864-9.ch015

Minimizing Product Shrinkage across the Supply Chain using Radio Frequency Identification

Abstract

This paper identifies the contributing factors of product shrinkage and investigates the current state of anti-theft technology as part of the loss prevention strategy for a major Australian retailer. Using a case study approach a total of eleven interviews were conducted with employees of the retailer to identify factors contributing to product shrinkage and ways to overcome these through the use of radio frequency identification (RFID) technology. Known sources of product shrinkage included: warehouse discrepancies, internal and external theft, product recalls, shop return fraud, extortion, human and system error, poor stock control, poor rotation of stock, misplaced product items, lost products, product spoilage and damage. Each of the retailer's stores, in the chain of approximately 700, loses about 350000 Australian dollars to product shrinkage every six months. This paper argues that RFID would act as a partial solution toward the minimization of the retailer's product shrinkage and provide greater visibility throughout the supply chain.

Section 1. Introduction

This paper will determine the contributing factors of product shrinkage and investigate the current state of electronic identification as part of a loss prevention strategy in a case study of an Australian retailer. The main method of data collection for the case study was using interviews. In total, eleven interviews were conducted with members of the retailer's Loss Prevention Department, and managers of departments within retail outlets in two regions of New South Wales in Australia. The retailer is currently using barcode systems to identify products, and electronic article surveillance (EAS) as an anti-theft technology. As a key driver to the existence of a loss prevention strategy, product shrinkage and sources which comprise it were identified. Radio frequency identification (RFID) is then proposed as a partial solution to minimize the retailer's product shrinkage. This paper aims to explore how RFID could replace EAS given its superior functionality.

Section 2. Background of the retailer

The grocery retailer chosen for the case is one of Australia's leading supermarket chains, with approximately 270 stores in New South Wales and over 700 Australia wide. Supported by thousands of suppliers, the retailer has over 42,000 product lines on sale to consumers. Product lines include both Australian made consumer goods and internationally imported goods. Goods on sale by the retailer consist of long-life foods (e.g. confectionary, canned fruit, condiments), perishable foods (e.g. vegetables, bread, frozen meals) and general merchandise (e.g. electrical appliances, cosmetics, liquor). Over 100,000 staff members across Australia work together to get products into stores and on displays, which are then purchased by over 13 million customers each week.

Section 3. Methodology

Product shrinkage

Product shrinkage

The research was conducted using eleven semistructured interviews with employees from Loss Prevention, and various departments within five retail stores. All the interviews were conducted in August and September of 2006. The interviewees had the following job descriptions: Loss Prevention Manager (1), Loss Prevention Investigator, Loss Prevention Manager (2), Liquor Manager, Grocery Manager, Store Services Manager, Store Trading Manager, Store Manager, Delicatessen Manager, Night-fill Captain, and Customer Implementation Executive. Employees within Loss Prevention work as a team to ensure policies and procedures are adhered to at a store level (figure 1). Product shrinkage is considered to be the general indicator of how well a store's loss prevention strategy is performing, or how well it has been executed. Furthermore, the primary motivator of loss prevention is to reduce product shrinkage. As stated by the Loss Prevention Manager (2): “[The Retail Organization] has been fairly focused on shrinkage for the last 5 years.” The interviews were transcribed and then analyzed using the Leximancer computer assisted qualitative data analysis software (CAQDAS). As a tool used to extract main concepts from documents, the researcher was able to use these concepts in the creation of themes to be addressed in the narrative.

Section 4. The retailer's legacy systems

The retailer currently uses barcodes for the automatic identification of products across the supply chain, and EAS for anti-theft purposes as part of a loss prevention strategy. Both systems have distinct functions and operate independently of one another. Barcodes provide a way to record damaged products and identify targeted areas, whereas EAS is used to deter thieves.

4.1 Barcode for product identification

The retailer's barcode system is primarily used to identify products in a variety of daily activities. One of these activities, closely related to loss prevention, is its ability to help keep track of damaged goods. For instance, damaged products can be scanned and automatically declared as ‘damaged goods’, electronically recorded and then disposed of. This process notifies the automatic stock ordering system that products are damaged and need to be re-ordered, thus helping to maintain product availability in the retail outlet. Barcodes can assist in minimizing product shrinkage by recording damaged products but exist primarily to semi-automate supply chain operations. When the Night-fill Captain of one of the retailer's leading stores was asked if barcodes play a role in minimizing product shrinkage, he responded: “[i]t makes you aware of it. It doesn't actually deter or prevent it in any way. It gives you more knowledge of what's going on and where the targeted areas might be.” In other words, stock which has been misplaced or stolen is not readily identified by retail staff As supported by the Loss Prevention Investigator: “[b]arcoding really has no impact. All it does is identify that we have lost something by scanning it at the end of the day.” Furthermore, these targeted areas are usually brought to the retailer's attention once a store has been targeted by a thief or when stock fails to arrive from the distribution centre. It is in this light that barcodes offer knowledge through recording goods as damaged or by identifying targeted areas. As a result, barcodes play a minor role in a loss prevention strategy. EAS however, plays a more active role in loss prevention as an effective deterrent against theft.

4.2 Electronic article surveillance as a theft deterrent at the retail outlet

The retail organization currently utilizes EAS as part of its loss prevention strategy. The system's primary activity is to reduce theft within supermarkets and liquor stores. According to Lahiri (2006), EAS tags are generally unaffected by magnets and are available in various sizes to be applied [1]. The retailer uses a combination of adhesive and reusable EAS tags which are strategically fitted to certain products.

EAS antennas, also known as gateways, are installed at store entrances and exits (Figure 2). When a product with an active tag passes through a gateway, an alarm sounds to notify staff of possible theft. For the retailer's particular application, EAS tags are attached to products at the item-level. Tagged products generally include high theft lines and high dollar value items. Not all products were found to be tagged, in fact, most products were not secured by the EAS system. As expressed by the Loss Prevention Manager (1):

it's what we deem to be high-theft lines and obviously what our stores are recording as known stolen as well. So you look at the high-theft lines as well as the most attractive lines, some of it is going to be cost driven just by the unit price, in terms of what we put an EAS tag on. The retailer is currently testing new reusable EAS tags designed to be attached to liquor bottles.
Figure 2. EAS tag and EAS gates in a liquor store

Figure 2. EAS tag and EAS gates in a liquor store

Instead of using an adhesive tag, which is easily removed or a tag which is concealed within a packet, reusable tags are encased in high density plastic and manually fitted to products. Attached to the neck of a bottle with a zip locking mechanism, this new type of tag is removed by staff with a decoupling device at point of sale. As revealed by the Loss Prevention Manager (2): “[w]e are running trials at the moment on new tags in our liquor departments in five stores. They have been extremely successful, as they have minimized product shrinkage across our range of spirits by 62%, which is a great result.” Other than the obvious benefit of the tag's ability to be reused, this type of EAS tag has a number of other benefits. The tags are difficult to remove by hand, tagged products ‘standout’ and regularly deter thieves. “Many times I have seen people walk into a store and be overwhelmed by the EAS tagging” explained the Sydney-based liquor manager. The use of reusable tags by the retailer may help to minimize product shrinkage by deterring thieves, however, additional labor is required by retail employees to manually apply and remove tags.

Products bearing adhesive or concealed tags within a product's packaging are either tagged in-store manually by retail employees or source-tagged from the supplier. As revealed by the Store Trading Manager: “ …we have a specific list that we have got to stick to. A lot of the stock actually comes in pre-tagged now.” Source-tagged products provide the only example where EAS is used across the supply chain. However, by the same token, those tags remain idle until they come in contact with an EAS antenna or tag deactivator. As suggested by the Loss Prevention Manager (1), with the help of a recently designated Source Tag Manager the retailer is attempting to extend the ‘source-tagged list’ and push suppliers to tag products at the point of manufacture. Essentially, suppliers then take part in the overall process of applying EAS tags to products which will definitely reduce some overhead costs for the retailer. However despite this, it was found that the retailer's EAS system had a number of inefficiencies.

The retailer's thoughts on the overall performance of the system varied. One of the main questions relating to EAS was whether the technology was considered a deterrent or a total solution. All employees agreed that it was definitely a deterrent and it would be hard to find a total solution. As supported by the Loss Prevention Investigator: “[l]ook as a deterrent, yes. As I said before it's not the be-all and end-all. There's certainly some new stuff coming out.” As part of a loss prevention strategy, EAS was believed to be a deterrent on many occasions. When the Loss Prevention Manager (1) was asked for his opinion, he also said that it was a deterrent: “I wouldn't say it's a total solution. I suppose with any loss prevention initiative or procedure, there are thousands of bricks in the wall and EAS is one of those.” To further support the responses of the loss prevention staff, Lahiri also suggests that RFID is an “effective deterrent against theft” [2]. To be an effective anti-theft solution within a retail environment an EAS system is required to operate consistently and meet the demands of customer traffic. During initial testing phases of EAS systems some time ago, tests were conducted between two major brands. The Loss Prevention Manager (2) was asked whether he was happy with the overall performance of the EAS system: “Not really … I thought ‘X’ performed better than ‘Y’. But unfortunately we have invested in the ‘Y’ system.” This suggests that a retailer may not always consider an EAS system's level of performance a high priority. Other factors, such as the cost of a system may also have a direct effect on the retailer's willingness to invest in an anti-theft solution.

In one particular case, the way in which the system was installed revealed some drawbacks of the technology. When the Liquor Manager from one of the retailer's leading liquor stores was asked if he was happy with the overall performance of the system, he revealed “our gates leading out of our shop into the centre are too far apart, so there is a gap in the middle that can be exploited if you walk down the middle.” He believed that incorrect measurements had been made during the installation of the EAS system and as a result, he was unhappy with the overall performance of the system. An additional view which also supports a negative outlook on EAS was the way in which it can be exploited even when it has been correctly installed and functioning the way it was intended. According to the Loss Prevention Investigator:

Some of the practices of professional thieves and even people that associate with certain people within a community know how to beat EAS systems. The EAS tagging that we have can be ‘beaten’, three or four main ways and good crooks or people that associate with people that target our stores would know those ways of doing it.

This highlights the fact that an EAS system can be exploited by people who know about the technology. It was also understood by the Night-fill Captain that: “people are aware that EAS is out there, people know about it, so they can work around it.” Poor work practices at store level also contribute to the ineffectiveness of EAS. “Store practices have an effect. Double tagging, bending tags past 90 degrees, putting tags behind metal, those sorts of things all detract from the system,” explained the Loss Prevention Investigator. EAS tags are generally damaged because they are applied manually by hand, hence it is important to realize that retail employees play an active role in overall workings of an EAS system.

The Store Trading Manager highlighted the fact that the EAS system requires staff members to work as part of the system. Apart from manually attaching tags to products, staff members must react to the EAS alarm system and act accordingly. She said “I don't think the culture's there for it…” Occasionally staff members at point of sale do not respond to the alarm system appropriately. Employees either fail to respond to an alarm, or when a customer activates the alarm the employee assumes that they did not deactivate a tag and allow the customer to leave the store. In this typical scenario, the employee has not taken into account the possibility that the customer may in fact have a packet of batteries in their bag. The Store Trading Manager claimed that the EAS gates are not monitored properly and responding to the system's alarm is not always enforced by staff supervisors.

Retail employees agreed that EAS plays an important role in their loss prevention strategy. According to the Grocery Manager “at the moment, it's the best it can be.” If the EAS system is operating at an optimum level and in the way in which it was designed, it raises much concern when reflecting back on some of the short comings of the system. The retailer's EAS system may play an active role in minimizing product shrinkage at point of sale, but what about across the entire retail supply chain?

Section 5. Product shrinkage

To ensure stock levels are maintained in-store, an efficient supply chain is required to provide an uninterrupted supply of products for shelf replenishment. However, it is far from unusual to come across an empty shelf in a supermarket. On many occasions, this empty shelf can be directly linked to theft or unsupplied stock due to warehouse discrepancies, both of which contribute to product shrinkage — the retailer's dilemma. When Loss Prevention Manager (2) was asked whether product shrinkage was a major concern to his organization he replied: “[i]t's a huge problem, especially from distribution centre to retail outlet.” This concern reinforces the importance of this issue to the retailer and is fundamental to this study. But from a retailer's perspective, what actually constitutes product shrinkage?

5.1 Factors contributing to shrinkage

From the retailer's perspective, product shrinkage is broken into two main categories: known and unknown. “Loss Prevention Investigator: At the end of each half of the financial year we record an unknown shrinkage which is obviously the difference between our bookstock and our physical counts at stock take times. So there are two separate figures. ǀ Interviewer: So there is known and unknown? ǀ Loss Prevention Investigator: Yes.” The contributing factors of known shrinkage are calculated progressively throughout the financial year by the retailer. For example, the retailer may calculate that 75% of stock was lost due to warehouse discrepancies, 20% due to internal theft and 5% due to other sources. Whereas, the figure found for unknown shrinkage is calculated only twice a year by stock take and can be contributed to by any number of sources. It is significant that unknown sources were the largest contributor to product shrinkage (Store Manager; Store Services Manager).

According to the retailer's Grocery Manager of a supermarket in Sydney's south, product shrinkage is “damaged stock, theft, warehouse discrepancies, paper work errors; not checking stock correctly off invoices, recalled stock and withdrawn stock.” In the retail industry, poor stock control across the supply chain covers misrouted and unsupplied products due the common occurrence known as a warehouse discrepancy. More specifically, it was discovered that warehouse discrepancies were the largest contributor to product shrinkage. “Through experience I would say warehouse discrepancies, that's the biggest one,” explained the Store Trading Manager. A warehouse discrepancy was described as the difference in what the retailer is charged for, and what they actually receive from the warehouse or supplier (Loss Prevention Manager (1); Store Trading Manager). The Grocery Manager further supported this by stating: “[t]he main contributor is warehouse discrepancies and number two would be theft.” In this instance, it was discovered that the two main contributors to product shrinkage were warehouse discrepancies and internal and external theft. Warehouse discrepancies are largely a procedural based problem, as thoroughly explained by the Loss Prevention Manager (1):

Look there's a couple of thoughts on it. There has been some research done in the States, they tend to do most of the loss prevention type research. They tend to think that internal theft is probably the bigger contributor. I don't know if that would be the case, certainly external theft in [region] that I look after, the main core chunk of Sydney from eastern suburbs out to the western suburbs certainly external theft I think plays a bigger part than the actual internal theft. So you've got your internal paperwork errors and procedural errors which result in loss. You've got internal theft and certainly external theft and they're probably the three drivers for shrinkage. But certainly I can say within [region] external theft would probably play the predominant role. But if you look at it on a national basis procedures would probably tend to take over.

From this extract it was therefore discovered that the three main contributors to product shrinkage could be recognized in order of the severity in which they contribute as: (i) warehouse discrepancies (errors due to procedures); (ii) external theft; and (iii) internal theft. In a recent study conducted by the National Retail Security Survey, it was discovered that internal theft caused 46 percent and shoplifting caused 32 percent. This study takes an opposing stance compared to that of the Loss Prevention Manager (1) although external theft encompasses more than shoplifting alone. Figure 3 illustrates the breakdown of known and unknown sources to product shrinkage.

Figure 3. Contributing factors to product shrinkage

Figure 3. Contributing factors to product shrinkage

5.2 What products commonly constitute shrinkage?

Both high-end products and a variety of other products were found to contribute to product shrinkage. These included: batteries, razor blades, liquor and products from the health and beauty range. Table 1 summarizes the main types of products (including brand names) that were identified by all interviewees as items that constitute product shrinkage.

Table 1. Products and associated brands often named as contributing to product shrinkage by the retailer

Table 1. Products and associated brands often named as contributing to product shrinkage by the retailer

To support theories upheld by the retailer, similar results were found by the Food Marketing Institute in 2003. It was also discovered that items with a high resale value and items that are easily concealed could go missing at any point across the retail supply chain. The Night-fill Captain of one of the Sydney-based stores said: “[b]asically, it's anything they can get their hands on. If the consumer wants something they'll take it. The size is a variable; it doesn't really matter if they can sneak out of the store they'll get it out. People are pushing trolleys of stock, mountains stock out through liquor, with observant staff catching them, so size isn't really a factor.” However, what are the primary factors that have a direct influence on the possibility of a product being transported to the wrong store or the unknown disappearance of a particular product?

Section 6. Product shrinkage in the supply chain-a process, technology or people problem?

Contributing sources to product shrinkage are considered to originate from a process, technology or people problem. These three factors collectively create the foundation for product shrinkage and its regular occurrence in the retail industry. When the Loss Prevention Manager (1) was asked whether product shrinkage was a process problem, technology problem or people problem, he responded: “[a]ll three would contribute to it in some way.” The following retail based examples in Table 2 are to provide a context in which the three can be understood.

Table 2. Retail-based Examples of Process, Technology and People Problems in the Supply Chain

Table 2. Retail-based Examples of Process, Technology and People Problems in the Supply Chain

When the Loss Prevention Investigator was asked about his opinion on these three factors affecting product shrinkage, he replied:

I think it encompasses all of it. We certainly have some processes that need to be looked at. The way that our DC [distribution center] is structured, the way that they ship items from there certainly needs to be looked at and will be over a period of time. Obviously, to take out the human side of it would certainly help because unfortunately humans make mistakes and that does certainly cause some errors. The other side of it is theft which is very much a human side of it, people walking in and just stealing from us. And also poor practices in-stores also contribute where we don't follow our processes and procedures.

It was revealed in this case that both processes and people were a primary influence to the many sources of product shrinkage. The retailer was concerned about the processes involved at the distribution centre when organizing the transportation of goods across the retail supply chain. In addition, human error, poor practices in-store and theft were recognized as being contributors to the problem of product shrinkage.

The Store Services Manager also identified the issue of poor procedures when receiving goods at the back-dock as a process problem. “[T]here is no way that you can physically scan every item that comes in on the load. There's no way.” Employees involved in the study were asked when their superiors begin to ask questions about loss. As emphasized by the Store Trading Manager, based on previous audits a product shrinkage figure is predicted for each individual store: “[s]o if it's over that, then they will definitely come in and investigate and usually the first thing they look at is systems and procedures in the store. If they're not right then it's automatically the store's responsibility to get it right.” It was certainly recognized that procedures, closely connected to processes are critical in minimizing product shrinkage levels. These three factors may influence product shrinkage levels, but whereabouts does it occur across the retail supply chain?

Section 7. Where does product shrinkage occur?

Stores within each of the retailer's regions receive goods from both company owned warehouses and third party suppliers. Company owned warehouses consist of one regional distribution center (RDC) and five local distribution centers (DC). An RDC may supply products to hundreds of retail outlets, whereas a DC will only deliver goods to a designated region. The majority of stock is supplied from company owned distribution centers, yet interestingly there are more third party suppliers. Third party suppliers are external to the retailer and are known as direct suppliers. The retailer engages in hundreds of transactions with suppliers daily. All stock is ordered using an automatic stock ordering system. It was estimated by the Store Manager that approximately 200 transactions are made daily between his store and its suppliers. The Loss Prevention Manager (1) stated that a “continuous electronic barrage of orders” is required to keep retail outlets fully stocked in order to satisfy customer demands. Coordinating these orders across the entire retail supply chain and scheduling deliveries is an enormous task performed by the retailer using its warehouse and logistics services. During this process, product shrinkage occurs at various points, whether it be at the distribution centre, in-transit, or when a delivery is received by a back-dock attendant at a retail outlet. When the Loss Prevention Manager (1) was asked where most product shrinkage occurs across the retail supply chain he replied:

Look we are aware that you can have theft issues with truck drivers. Truck seals aren't put on, we know stock can go missing. We have had instances where drivers have been caught. I suppose our processes are not conducive to checking, so you're relying on what the DC says that they send you, is in fact what you are receiving. So if you have a store that has 10 palettes of stock delivered from a DC, unless we pick-up at store level the fact that we're missing something and it's pretty hard if you've got 10 palettes of stock, night-fill come in and fill it. Unless you do a line-by-line check, how do you know what's missing? And certainly the stores put in an order for X-amount we're trusting that that store will get X-amount, if they don't, a lot of that tends to go uncaptured. If you look at the case of say [Cold-Storage Logistics Company] which is one of our external suppliers, they warehouse it and distribute our cold stock, but there's massive issues with them. It's not uncommon for a load to come in several thousand dollars short. Do we pickup on that fact? No, we don't. Because it comes in, it goes into a cool room and then night-fill or then your perishable people will come through and fill, it's pretty hard to pickup on the fact that you're short on a line, it might be a couple of days down the track and you might say where's that? You then go through and make your stock adjustments so [automatic stock ordering system] will then reorder it, but by that time it's too late to put in a discrepancy. Big problems with [Cold Storage Logistics Company], the sooner that comes in-house so we get some better control of it the better.

Issues raised here by the Loss Prevention Manager are critical when recognizing the contributing factors of product shrinkage. Contributing factors across the retail supply chain include: (i) internal/external theft by vehicle drivers; (ii) assuming deliveries are correct; (iii) not realizing deliveries are missing stock; (iv) being too late to notify the automatic stock ordering system of a discrepancy; and (v) problems with direct suppliers e.g. the retailer's direct supplier of cold goods. These factors reveal that product shrinkage occurs at various points across the supply chain. The Liquor Manager also believes when an order made by the automatic stock ordering system is picked at the warehouse, the incorrect amount or type of product is often dispatched. Inconvenient and time consuming tasks, such as the process of having to return an incorrect order, are then necessary. Incorrect orders may require additional labor intensive tasks to be performed, however, there are more serious consequences that accompany product shrinkage.

7.1 The consequences of product shrinkage

There are a number of consequences that are directly related to product shrinkage. The primary consequence of product shrinkage is financial loss. When asked how much stock is lost over a period of 12 months, the Loss Prevention Manager (1) replied: “its millions of dollars in unknown shrinkage.” Product shrinkage is a relentless force in the retail industry and the loss it causes is extremely high. When the Loss Prevention Investigator was asked how much stock is lost, he said: “[s]ome stores will lose as little as 350,000 in six months.” In the Store Trading Manager's experience, unknown product shrinkage totaled $360,000 for a period of six months. Apart from the direct financial loss incurred other forms of loss involve additional costs (e.g. EAS systems, loss prevention staff), additional labor (e.g. security guards, manually applying EAS tags), and out of stocks (e.g. empty shelves effects sales levels and customer satisfaction). According to the Grocery Manager, due to theft alone prices can rise up to 15 percent ultimately affecting customers. If products can be accurately tracked across the supply chain it is anticipated that it will have a direct effect on product shrinkage.

Section 8. Tracking products across the supply chain

The retailer currently tracks products across the retail supply chain using a combination of barcodes and manual paper work procedures. When asked how products were tracked from distribution centre to retail outlet, the Store Trading Manager replied: “there's that big void in the middle where an order goes onto the load list and we can check it line-by-line if we want, but we just don't have the man power. It's not a standard thing that you check a load list line-by-line and given that here they get 30 to 35 pallets a night.” As this employee suggests, it is unfeasible to count each individual carton of a large delivery using existing procedures.

The distribution centre coordinates the largest deliveries to be transported to the retail outlet. Currently, employees rely on the DC to select the desired goods and ship them accordingly. The current system has the ability to track products to a certain extent, but acknowledged by the Grocery Manager “it's not 100% accurate, probably because they're expecting people at the warehouse to do it correctly.” As the DC is responsible for other discrepancies, it can be assumed that other procedures carried out at the same site are also heavily flawed. Deliveries may arrive at a store's back-dock missing a number of products, so how are products monitored during transportation?

The retailer uses Global Positioning Systems (GPS) as a means to track vehicles across the supply chain. Using a pre-planned route, GPS-enabled trucks are tracked from the distribution centre to the retail outlet. The system is designed to provide the geographical position of the truck during the transportation of goods. However, GPS does not provide information regarding the status of goods onboard. A number of voids exist across the retail supply chain where products fail to be accurately tracked. When asked if products were tracked across the supply chain, the Loss Prevention Manager (1) said: “[p]roducts aren't tracked. If you're talking about electronic tracking or things like that, then no.” In this response, the Loss Prevention Manager (1) is referring to new RFID systems designed to track products across the supply chain.

Section 9. The retailer's perceptions of RFID

Employees of the retailer were asked if they were aware of the latest RFID systems and their benefits. It was found that employees involved in the study had a positive outlook on new RFID technologies yet were unaware of the technologies' commonly reported primary benefits. Loss prevention employees had a far better understanding of the technology than managers from other departments. As explained by the Loss Prevention Manager (1): “I have a basic understanding. There are all sorts of things product tracking, inventory management, there's a whole range of things.” Furthermore, he explained:

I haven't done any research in it, there would be a whole range of things. There'd be all sorts of cost benefits there I would assume in inventory management right down to even, we may even be able to know the product size and weights in terms of transport we'd be able to work out to the nearest cubic centimeter how much stock we can fit on a truck. Whether we are being over charged in transport costs, for weight or pallet space or size, they'd probably be a whole range of hidden benefits there that you probably haven't even thought of before.

It was interesting to discover that loss prevention managers focused on secondary benefits of the technology. Rather than its ability to provide total visibility of stock across the supply chain and ultimately a means to minimize product shrinkage, employees concentrated on some of the benefits it could bring to point of sale. For example, the Loss Prevention Manager (1) recognized that “you can put X-amount of stock in a trolley with RFID that are all tagged, pass it through some antennas and you know exactly what went out of the store and if it was paid for.”

The Store Trading Manager claimed to have little knowledge of RFID as a technology with the ability to track products across the supply chain. However, she declared that it would definitely benefit the retailer as it would “probably reduce our shrinkage by a huge amount, not to mention the time spent actually adjusting the stock on hand because there have been miss-picks and things haven't gone right.” In this instance, the Store Trading Manager not only suggests that RFID is likely to minimize product shrinkage, but also the manual procedures. The Store Services Manager also had an appreciation for the technologies' ability to minimize manual procedures at store level. She claimed that less labor would be required when manually stamping products with the store stamp as a new RFID system would require suppliers to do it at the product's point of manufacture. She also believed that if the retailer was to implement an RFID system that its imperative that suppliers also be part of the overall system as “[i]t would be of no benefit otherwise.” The Store Services Manager believed that if such a system was introduced, their suppliers would most likely comply: “[t]he suppliers usually do come into line with any new systems that we are bringing in so I couldn't see that there would be a problem.” She also highlighted the fact that RFID tagging would most probably have an effect on the total price of a product, but she believed that this increase could be counteracted if product shrinkage was kept to a minimum.

An organization willing to adopt a new RFID system must be able to see potential for a return on investment (ROI). When the Loss Prevention Manager (1) was asked whether he thought the retailer would ever be interested in investing in an RFID solution he responded: “[t]here's always that cost versus benefit exercise and if the sums are right, then yes.” As identified by Global Standards One, in the case study called the Australian Demonstrator Project (which claimed to be Australia's first case study), it was revealed that it is “necessary to estimate the potential benefit that will come from deploying RFID and improving the business process using the data that the system provides” [2]. It is in this light, that testing an RFID system is highly recommended prior to total rollout as it assists in building an expected ROI.

Section 10. Conclusion

It was discovered that the retail organization currently utilizes two technologies as part of a loss prevention strategy; a barcode auto-ID system and an EAS anti-theft system. Operating independently, it was revealed that both technologies possess a number of limitations which consequently present adverse challenges to the retailer. The barcode system can record damaged products and detect targeted products or areas, yet the technology plays a minor role as part of the retailer's loss prevention strategy. Even though the retailer was currently testing a new EAS system throughout five liquor stores, the technology was still considered a deterrent rather than a total solution. It was also discovered that professional thieves avoid triggering the alarm using a variety of methods and staff members regularly neglect standard procedures readily relied on by the EAS system. These inadequacies expose a weakness in the retailer's loss prevention strategy as a result effecting product shrinkage levels. Made up by contributing sources, the two main categories of product shrinkage identified were known and unknown, with unknown representing a larger value of the two. Contributing factors to product shrinkage were found to come from a diverse range of sources and through various activities. Warehouse discrepancies and theft were identified as the two highest sources of product shrinkage. Whether it involved a standard company procedure or an illegal activity, it was found that during most of these events provisions were lacking to effectively counteract these activities. It was verified, particularly by loss prevention staff members that all sources originated from the combination of three factors; process, technology and people. Furthermore, the loss prevention department claimed that product shrinkage across the supply chain was one of the department's main challenges, especially when transferring goods from distribution centers to retail outlets. This dilemma necessitates an alternative solution be found to minimize product shrinkage across the retail supply chain.

References

1. S. Lahiri, RFID Sourcebook, Upper Saddle River:IBM Press, Pearson Education, pp. 77, 2006.

2. Australia (2006) EPC Network Australian Demonstrator Project Report, September 2006.

IEEE Keywords: Supply chains, Radiofrequency identification, Australia, Marketing and sales, Information systems, Humans, Error correction, Control systems, Merchandise, Electrical products

INSPEC: supply chain management, business data processing, fraud, radiofrequency identification, stock control, RFID, product shrinkage across minimization, supply chain, major Australian retailer, anti-theft technology, loss prevention, radio frequency identification technology, internal theft, external theft, shop return fraud, poor stock control, poor stock rotation, lost products, product spoilage

Citation: Nick Huber, Katina Michael, 2007, "Minimizing Product Shrinkage across the Supply Chain using Radio Frequency Identification: a Case Study on a Major Australian Retailer", ICMB 2007. International Conference on the Management of Mobile Business, 2007, 9-11 July 2007, DOI: 10.1109/ICMB.2007.43