"The Armed Robbery Epidemic" - NRF

Avatar
Rob Kilpatrick
Published Jul 06, 2017 13:19 PM

The National Retail Federation (NRF) Protect 2017 featured a session titled: "The Armed Robbery Epidemic: How to Stay Safe [link no longer available]". IPVM attended this and shares key findings from the session.

To combat this robbery epidemic, the Loss Prevention Research Council worked with retailers to examine robbery data and surveillance video, producing a set of recommendations which they refer to as "Zones of Influence".

The presentation covered these zones and how three different retailers implemented specific technology in each zone, with presenters from:

  • Kroger: Kevin Larson, Sr. [link no longer available], Corporate Loss Prevention
  • Rite Aid: Robert Oberosler [link no longer available], SVP, Loss Prevention
  • Walmart: Russell Hinds [link no longer available], Senior Manager, Facility Security

LPRC ***** ** *********

*** **** ******* * ***** ** influence ** ******, ****** **** ******* the ***** ** ****** ** ******** assets:

  • **** * ****** ** ***** ******* the ***** ********, **** ** *** surrounding ************, ** **** ** *** store/brand's ****** ********.
  • **** * ******** *** ********'* ******* lot ***** ** *** ***** ********.
  • **** * ****** ** *** *****'* entry *** ******* ******** ***** (***-********, generally **** ******** **** ***** *** covered ** ***** * ** *).
  • **** * ******** ******** ******** ***** of **** ***** ** ******** ****** goods, **** ** ********, ***** *******, etc.
  • **** * ** ******** ******** ******, including **** **** ** ********, ***** on ******, *** ******** ** *** batteries, ***.

Surveillance/System *********

*** ********** ********* ******* ********* ** each ** ***** ***** ** ***** security ******** ***** **** ******* *** worked ** ******* ***** ********* ** reduce ***** ******, *********:

  • ****** **** ******** (****)
  • ****** ******** ******
  • ************ *******
  • ******** ***** *******
  • *** ********
  • ***** *****

Public **** ******** (**** */*)

*** ********** ********* *** ************* ** additional ****** **** ******** (****) ********* not **** ** *********/*****, *** ********** the *****. *** *******, *** *** below ** ********* ****** * ******** counter, ****** ********* *** ********* *********.

Camera ******** ****** (**** *)

********* ** **** ***, *** ***** size ** ****** ******* *** ******* or ********** ***** ********* ******* ** the ******* *** ****** ********* ***** the *****. ** ****** **** **** have ********* ******** ****** **** ***** exterior ******* *** ********** ******.

Signage ** *** (*** *****)

*** ********** **** ******* *** **** Aid **** ******** *** ********** ** surveillance *******, ****** ** ** * key ********* ** *****-** *******. **** Aid ****** **** "*** ***'* **** enough" **** ***** ** *** ******* lot.

Smart ***** (**** *)

*** ** *** ********** ************** ******* ******* ** ********** ******* ******* or ******** ******* **** ****. ***** safes *********** ********* ** * "******* ATM", **** ********* ********** ***** *********, which ** ******* *** *********** ** their *******. ********* **** *** *** be ********* ** *** *****, **** the ****/******* *** *******.

***** ***** **** ******* ******** *** impact ** ***** ********* ** *** key ****:

  • ** ******* ****:****** ******** ***** ***** ******* ******** to ***** **** ******** ** **** night ******* *****, ****** **** * target ** *******. ***** * ***** safe, ***** ******/**** ******** ***** *******.
  • **** **** ** ****:******* **** *** ** ******* *** deposited **** ******, ********* *** **** less **** ** *** ****, ****** it * **** ********** ****** *** robbery *** ******** *** ********* ****.

GPS ******** (**** *)

****** *** ******** ******* ** ***** robbery, ********* *** ********* *** ******** as ****** *** ******** ******* ***** theft ********. ******* **** ** ******* of ******** ****** *** ********* *** GPS ********, ***** **** ***** ******* blocks **** **** *** ***** ****** to ****** ***** ** ******* *****. GPS ******** *** **** ** ******** to **** **** **** ** **** of *******.

Future ***********

*******, *** ********* ****** **** **** were ******* ** **** ************ *** future ***:

  • ******** *****:**** *** ********* **** **** ******* at ******** ******* ***** ****** *** each ********. **** ***** ****** **** to ***** ***** *********** **** ******* instead ** ******* ** ** ** reach ** ********* ** ********.
  • **** ***** ********:**** ***'* ********* **** *** ****** technology ****** "****" *** **** ***** "digital ********* ********". ***** ** **-**** device ** "****" ****** ******, *** store *** ***** *** *****'* *** address *** "** ** */***** ** a ****." **** ********** ***** ***** easier ************ ** ********* ***** *** fact.
Comments (21)
U
Undisclosed #1
Jul 06, 2017

"Using an on-site device to "ping" mobile phones, the store may track the phone's MAC address for "up to 2/10ths of a mile." This technology would allow easier apprehension of criminals after the fact."

The 'tracking' part sounds pretty far-fetched.  (read: marketing hype)

Let's play out the scenario.

Perp robs a CVS with his mobile phone in his pocket. (could happen)

On-site device pings this mobile phone during the commission of the robbery, capturing the mobile phones MAC address. (could happen)

Cops show up in good time, consult the on-site 'tracking device' and catch the perp counting his loot behind a dumpster in some alley less than 1050 feet away from the CVS he just robbed. (never happen)

How does this on-site device purport to 'track' a mobile phone anyway?  Without triangulation, I would think the only thing it could provide is simple distance from pinging device - not direction, and certainly not location.

(2)
Avatar
Brandon Knutson
Jul 06, 2017
IPVMU Certified
In reply to Undisclosed #1

Seems like a better use of this cell phone tracking gizmo would be to establish (the owner of) the cell phone was on-site at the time of the robbery.  

(1)
UE
Undisclosed End User #2
Jul 06, 2017
In reply to Brandon Knutson

Also useful to tell you if the owner of the phone re-enters the store at some point in the future.

(1)
Avatar
Ethan Ace
Jul 06, 2017
IPVM
In reply to Undisclosed #1

I wouldn't necessarily disagree with you. Those comments were Rite Aid's, not ours. We don't know enough about what's out there or "coming soon" to comment one way or another, though Brandon and Undisclosed #2 have good points. 

U
Undisclosed #1
Jul 06, 2017
In reply to Ethan Ace

I realize that you were just reporting what they said about 'future' technologies that may or may not be rolled out.  I was just pointing out what I thought were obvious flaws in the purported stated capabilities of this future technology (i.e. 'tracking').

And to Brandons point, I would also point out that the technology can tell when a device is on-site - not whom the possessor of the device is/was. (though video might help to establish this).

UI
Undisclosed Integrator #3
Jul 06, 2017
In reply to Undisclosed #1

The device in question is called "String Ray" and they can be extremely effective at metadata collection. If used in a Mesh-Networked Environment (IE- Deployed at multiple stores) they can track a cellphone's MAC Address/IMEI and get general location data based on the base-station that the phone connected to. 

https://www.extremetech.com/mobile/184597-stingray-the-fake-cell-phone-tower-cops-and-providers-use-to-track-your-every-move

U
Undisclosed #1
Jul 06, 2017
In reply to Undisclosed Integrator #3

I am aware that law enforcement in the U.S. are using stingrays - primarily because their aren't any up-to-date laws restricting their use without a warrant.  That will eventually change.

I am not aware of any private corporations that are allowed to use this same technology. This will not change (imo).

UI
Undisclosed Integrator #3
Jul 06, 2017
In reply to Undisclosed #1

I agree. The chances of them using String Ray (IE- Cellular Based Tracking) is small due to the legal issues. That being said, if a BTLE/WiFi solution similar to Sting Ray were to be implemented you could make the case that any data collected from those type of devices would be legal because the device accepted the connection from the store.

 

Think Rouge APs  logging the connection of every device that connects to the free WiFi in the store. 

 

U
Undisclosed #1
Jul 06, 2017
In reply to Undisclosed Integrator #3

I got no beef with logging devices that connect to free wifi - since this is 'opt-in' - i.e. an overt act to connect and use a free service.

What I (and I think lots of other people might) have a beef with is the surreptitious logging of devices by retail outlets without requiring users to opt-in.

imo, Rite Aid is dreaming if they think they are going to be able to use the kind of tracking technology they describe as 'coming soon'.

 

UE
Undisclosed End User #4
Jul 06, 2017
In reply to Undisclosed #1

Turn off your phone before robbing someone.

(2)
UI
Undisclosed Integrator #3
Jul 06, 2017
In reply to Undisclosed End User #4

... but how will I call the getaway driver?

(3)
Avatar
Brian Karas
Jul 06, 2017
IPVM
In reply to Undisclosed #1

The more common scenario (based on discussions I have had with other companies about this) is that they are constantly logging phone MACs. In many cases with theft you are not dealing with highly logical/organized individuals, so there is a good chance the person has been at the store before and/or at other stores. They may also visit other stores after the fact.

By taking all of the phone MACs that were pinged by in-store wifi devices at the time of the robbery they can search previous video and/or video from other stores for those same MACs. From there you can potentially narrow it down to certain people, based on basic appearance data. And in some of those cases the person may have made a transaction that used a loyalty card or a credit card, both which can reveal additional detail about the person.

I was not at NRF, and the Rite Aid guy may have truly been referring to some much newer technology for tracking mobile phones, or he may have been referencing technology already in use elsewhere that he just did not have a lot of first-hand experience with yet.

 

(2)
(1)
Avatar
Ethan Ace
Jul 06, 2017
IPVM
In reply to Brian Karas

I believe what you describe about MAC address is at least part of what he was talking about. He definitely mentioned tracking subjects for "2/10ths of a mile", though. 

UI
Undisclosed Integrator #3
Jul 06, 2017
In reply to Brian Karas
I am really curious how they plan to accomplish getting the MAC Address/IMEI of the device. I had a conversation with UD1 about it above and he brought up the legality of the situation, but it sounds like what they are describing is a commercial version of what the government is already using.
Avatar
Brian Karas
Jul 06, 2017
IPVM
In reply to Undisclosed Integrator #3

I'm not sure if they will capture IMEI or not. Getting the mac of the wifi adapter is pretty easy though.

I imagine you could get IMEI data if you setup in-store pico-cells, particularly if they were designed to sniff/log IMEI data, but I'm not sure it is worth the overhead of carrying cellular call traffic on your store's internet connection.

It might also be feasible with in-store "signal boosters", similar to those used in dense buildings to provide better reception in those buildings.

I believe IMSI ID (GSM networks) is broadcast from the phones un-encrypted. Not sure about IMEI.

Either way, I think there are a few means of capturing a unique identifier from customer-carried mobile devices. It is likely not 100% accurate or reliable, but may be sufficient to use to solve some percentage of robberies (not to mention track other data, like frequency of customer visits, etc.).

The Stingray devices are specifically designed to intercept calls, and provide a means to listen in. I can see legal issues for those, as you are getting access to encrypted data that the user would not expect to be available to 3rd parties. Capturing broadcast data from the phone may be different, particularly if that data only identifies the hardware, and not the user/holder.

 

(1)
UM
Undisclosed Manufacturer #7
Jul 13, 2017
In reply to Brian Karas

I'd say Brian is on the money with what the retailers are doing and planning. That's already happening on a large scale right now - and not just "opt in" WiFi users - basically anyone who has their mobile device WiFi on (and in some cases those who have their Bluetooth enabled). This is happening in many malls and large retail centers, as described in this HBR paper from 2014.

Head to any of the big retail analytics providers (RetailNext, Cisco Meraki etc) and you'll see what they're doing - most of this is being sold to marketing departments but the integration with security is coming, and that's where the integration with video surveillance / access control gets interesting.

The basic device detection is done without opt-in, as Ruckus describe in one of their white papers "In a typical retail environment, a very high percentage of
shoppers will have Wi-Fi enabled devices and between 50-70% of them are likely to have their Wi-Fi turned on, so will be able to be anonymously tracked via the Wi-Fi infrastructure".

Here's one example of a basic primer blog on it. Worth noting that Bluetooth is also used, and can be more effective (in another country I know they use Bluetooth sensors to sample and monitor vehicles along roads, and they found it more reliable to detect than WiFi seeking in that application).

As to the tracking to 2/10th of a mile, that seems high unless they're talking about inside a mall or other network outside the store itself...

JH
Jay Hobdy
Jul 06, 2017
IPVMU Certified

When I read it, I assumed they were talking about pre-paid phones they sold....

UI
Undisclosed Integrator #5
Jul 07, 2017

It seems everyone carries a phone today, especially the bad guys. Leaving a retrievable electronic signature in a store, a bank, or some other location where they have this technology, and where a crime just occurred, will give investigators a tremendous tool to track down a criminal. An investigator could submit the data to cell provider databases for ping location history, which may correlate to other locations where similar crimes occurred. 

(1)
JH
John Honovich
Jul 07, 2017
IPVM

Here are the slides from the NRF Robbery Epidemic presentation.

(1)
Avatar
David Coughlin
Jul 12, 2017
Protection One / ADT

Good points (pro and con) regarding the cell phone tracking. That noted, I have a question and a point. First, what cameras (besides dummy devices) have blinking lights?

Regarding loss prevention in general, technology will help. However, the biggest difference will be made through educating store employees about what to do (and what not to do) regarding armed robberies and shoplifting. Too often, there is no set policies and/or training for the minimum wage workers that are at the point of loss. The policies should be vetted by experienced security professionals and communicated often to employees. Training should be done at initial hire and regularly to re-enforce the importance and bring in changes in approach and highlight new threats.

As technology integrators, we often overlook the importance of the human element...which is often the difference between making the technology effective or rendering it useless.

 

David Coughlin

 

UM
Undisclosed Manufacturer #6
Jul 12, 2017

Here is why we need to rethink camera positions.  Although many are afraid to install audio due to regulations, the audio does provide a lot more insight into the perpetrator than the video.

The video shows a possible witness, that helps!

I wonder if detectives would think to capture a log of any attempts to connect to the motel wireless?  I could see this guy leaving his phone on.

When will law enforcement be able to request phone GPS information from sites that track it like Facebook?