Typically considered one of the most accessible and in many cases least-sophisticated types of crime, shoplifting persists as an undeniably damaging affliction across the retail sector. In fact, the National Retail Security Survey reported that loss of inventory cost U.S. retailers an estimated $49 billion USD in 2016, with 70 percent of the loss caused by employee theft and shoplifting.
The survey also indicated that in response, retailers are investing more in technological deterrents like live, customer-visible closed-circuit television (CCTV) systems and point-of-sale (POS) data mining software rather than in Loss Prevention (LP) personnel. Indeed, retailers’ investments in staffing for LP departments remained generally flat in 2016.
Motivated to help our retail sector customers bolster defenses, evaluate deterrents, and ultimately combat this threat, Flashpoint embarked on a research project to identify the tools and tactics contributing to the widespread proliferation of shoplifting.
During the course of this research, we observed various websites hosting advertisements for shoplifting tools, some of which also have legal, legitimate uses. Many of the tools that enable retailers to remove anti-theft devices also serve the same — though malicious — purpose for shoplifters.
While tools such as “sensormatic jammers” and “RF-impulse shielding fabric” are strictly used for theft, “hook detachers” and various magnetic keys can all be used to unlock certain security tags and wraps — regardless of whether the user is a retail employee or shoplifter. While tools used by retailers to legitimately remove anti-theft devices were listed for sale on numerous Deep & Dark Web forums, the same tools were also found easily on several well-known surface web eCommerce sites.
Image 1: Advertisements for various shoplifting tools on a Deep Web forum.
Image 2: Advertisements for various shoplifting tools on a surface web eCommerce site.
Our research also suggests that some shoplifting tools are more popular than others. Two in particular were discussed across multiple forums and appear to be among the most common shoplifting tools in use today: the “detacher hook” and the “S3 key.”
A detacher hook is a sickle-shaped tool typically made of stainless steel or aluminum. Law-abiding retail employees might recognize a detacher hook as a component of the Sensormatic SuperTag Hand-held Detacher. Shoplifters, however, typically use the detacher hook by itself. In addition to the ease-of-use provided by the tool’s small size, removing it from the Sensormatic SuperTag Hand-held Detacher helps shoplifters evade detection. Indeed, many handheld devices contain internal RFID tags designed to set off electronic article surveillance (EAS) sensors at store entrances.
Image 3: A “detacher hook (Hook)” alongside a Sensormatic EAS hard-tag, which it opens.
An S3 Key is a magnetic device used to unlock Checkpoint Systems’s Alpha anti-theft devices such as “spider wrap,” “keepers,” “Bottle Caps,” hard tags, and “Cableloks.” While instructions to build homemade S3 Key devices are readily accessible to shoplifters across the Internet, official Alpha S3 Keys are also easily obtained on various well-known surface web eCommerce sites. In addition, numerous Deep & Dark Web forums and marketplaces are laden with dozens of instructional videos and forum posts detailing how each anti-theft device works and, more importantly, how shoplifters can defeat it.
Image 4: Search results for “alpha s3 security key” showing various surface web advertisements for the tool.
As expected, our research also revealed that information sharing and collaboration on Deep & Dark Web forums continues to enable shoplifters to learn from one another, advance their skills, and develop new tactics for bypassing retailers’ anti-theft controls.
In particular, members of certain forums frequently discussed specific retailers’ security measures and response techniques. We monitored multiple forum threads in which posters “decoded” various retailers’ in-store public address announcements, such as those used to alert employees of suspected shoplifting. In another post, we observed an actor explaining how to access a large retailer’s public service announcement system – a tactic that could be used to distract and deploy security personnel to one section of the store while the shoplifter targets another.
Image 5: A poster on a Deep Web forum explains one retailer’s “code” for shoplifting.
Image 6: A poster on a Deep Web forum discusses a large retailer’s telephone and public-address system.
Throughout our research, we observed numerous posts in the Deep & Dark Web related to the effects of uniformed security or LP personnel on shoplifters’ operations. The presence of LP personnel near checkout areas appears to be a significant deterrent for perpetrators of in-store stolen card purchases. In fact, some posters on the now-defunct AlphaBay Market Forum emphasized the dangers by describing incidents in which LP personnel detained the perpetrators until they relinquished the stolen credit card or paid for the merchandise in cash.
In the same AlphaBay Market Forum thread, another poster described one retailer’s POS system as having the ability to “distinguish between a real, written only once /original to a card that has been re-written, and that sh** can show up on cashiers POS.”
We also observed numerous posts on several forum threads authored by alleged “former cashiers.” By providing insight into their former employers’ LP schedules and typical in-store headcount, the authors of these posts aimed to support fellow miscreants’ attempts to make fraudulent in-store purchases and/or shoplift items.
In addition to discussing in-store carding, several forums “reviewed” retailers’ return policies and the presence of LP personnel at the returns desk, which appears to be a significant deterrent to return fraud.
Image 7: A June 29, 2017 AlphaBay Market Forum post discussing LP personnel and carding attempts.
Image 8: A sample of retail store return policies posted on a surface web social network.
Perhaps the most valuable outcome of our research stems from the critical insight we gained into one of the simplest yet most effective shoplifting deterrents: human interaction. Despite the 2016 National Retail Security Survey’s results indicating that retailers are opting to invest more in technological deterrents than in personnel, our research suggests that — especially when it comes to less-sophisticated shoplifters — customer-facing personnel may be a more effective deterrent. While shoplifters and cybercriminals will always seek new tools and develop new tactics to evade anti-theft technologies, these tools and tactics can only be so effective at circumventing uniformed security and LP personnel.
Our research also suggests that stringent return policies — such as those requiring the scanning of government-issued identification cards and receipts for cash refunds, or those limiting the cash-back amounts for non-receipt returns — can significantly constrain return fraud. Additionally, customer service employees should appear as “hard targets,” by physically inspecting items returned in opened packaging to ensure that items inside match the receipt and were not replaced with old or used items.
Above all else, it’s crucial for retailers to recognize that despite the substantial damages inflicted by shoplifters, simple security measures and the physical presence of effective personnel can help reduce these crimes.
To learn how retailers are leveraging Flashpoint’s Business Risk Intelligence to combat shoplifting and other threats, download our use cases here.