South Florida Super Target gains convenience edge
America is on sale for foreign tourists thanks to the weak U.S. dollar, and it has been a boon for retailers who operate stores in key destinations. Nowhere was this phenomenon more evident than last week when Tiffany & Co. reported spectacular second quarter results that were aided by a 41% sales increase at its flagship New York store. That location is frequented by tourists, and so is the Saks flagship New York location, which reported a second quarter comp increase in the neighborhood of 15%.
With foreign tourists coming to the United States with bags of money and buying all sorts of goods to take home, a new service has been added at Simon Property Group’s Sawgrass Mills outlet mall in South Florida, and it stands to benefit Target. Shoppers at the expansive mall with 350 stores can now take advantage of an in-mall bag storage and shipping service called Bags To Go.
The way it works is shoppers visit drop off locations near Super Target, the Bloomingdale’s outlet or Burlington Coat Factory where they have the option of sending their bags directly to the airport or having them shipped to anywhere in the United States or select worldwide destinations. The service is provided by Bags To Go Enterprises, an off-airport check-in, baggage storage, and baggage claim and delivery firm founded in 1999 and authorized by the Transportation Security Administration.
“This marks our first launch into a retail destination and we are confident that Sawgrass Mills’ shoppers will embrace our services,” said Keith Wiater, founder of Bags To Go Enterprises. “Because of Sawgrass Mills’ huge number of shoppers, which includes an impressive draw of people from around the world, we estimate that many will take advantage of our options to check, store or ship their bags through us.”
It costs $10 to store bags in a tagged-and-sealed storage bag, and when shoppers are ready they simply call, text, or send an email and a Bags To Go representative delivers their purchases curbside or to the designated parking spaces located between Super Target and BrandsMart USA.
Sawgrass Mills bills itself as the largest outlet, value retail and entertainment center in the United States with 350 name-brand outlet and off-price retail stores, two food courts, six full-service restaurants and entertainment venues such as Gameroom and Sawgrass 23 Stadium & IMAX. Some of the signature tenants include Bloomingdale’s, Coach, Escada, Guess, Hugo Boss, Kate Spade New York, Kenneth Cole, Lacoste, Nike, Polo Ralph Lauren, Stuart Weitzman, Theory, Nordstrom Rack, Saks Fifth Avenue OFF 5TH and Last Call by Neiman Marcus.
Are Your Security Tokens Really Secure?
By Steve Dispensa
Escalating IT security threats and strengthening regulatory requirements have driven adoption of two-factor authentication among retailers to unprecedented levels. In an effort to stave off increasingly virulent attacks and meet PCI DSS mandates, many retailers have deployed security tokens, like RSA’s SecurID, to secure access to their corporate network and the sensitive customer and payment data it contains.
Security tokens generate a pseudo-random sequence of digits referred to as a One-Time Password (OTP). When a user logs in, they must enter their username and password and the OTP from the token to access network resources and applications. During a recent breach at RSA, maker of SecurID security tokens, attackers stole SecurID token seeds which they later used to bypass SecurID tokens in an attempt to infiltrate some of the most secure networks in the world. With more than 40 million tokens in use today, many enterprises, retailers included, are left wondering about the implications for their organizations. Unfortunately, given the lack of public information from RSA, the answer has not necessarily been clear. Here’s a look at some of the most common misconceptions:
1. Myth: Not all companies with SecurID tokens are at risk.
The black market value of compromised SecurID seeds skyrocketed after their successful use in attacks against Lockheed Martin and others. Attacks against compromised SecurID tokens are not difficult, and can easily be replicated. Companies in every industry are targeted by attackers looking to gain access to credit card numbers, personal information, and even e-mail addresses (Sony, Epsilon, HBGary, Michaels Stores, iTunes, Fox.com).
2. Myth: Not all companies with SecurID tokens need to replace them.
RSA has indicated that all tokens are impacted, yet they only offered to “replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks” and for others, they simply suggest implementing risk-based authentication. If you have SecurID tokens in place today, they are vulnerable and they need to be replaced. Companies should not accept a lower level of protection than they were promised when they bought tokens.
3. Myth: Companies can simply replace existing SecurID tokens.
There’s nothing simple about replacing millions of tokens. RSA has to ship replacement tokens. One has to wonder how RSA will prioritize these shipments and whether they have a sufficient inventory available. Companies have to re-provision each token – unpacking them, assigning each token to a user, sending the token to the user, and educating the user about what’s going on (averaging 15 minutes per token). This is not trivial, particularly for companies with thousands of tokens to deal with and those who have to deploy replacements to customers or subcontractors. And it cannot be done overnight. The process could take months, and given the internal resources required to deploy tokens, the process can be more costly than replacing tokens with an alternate two-factor solution.
4. Myth: Replacing compromised SecurID tokens will restore security to my network.
While replacing SecurID tokens addresses the issue of compromised SecurID seeds from the March breach, it does not address the following:
- Tokens are vulnerable to malware, keylogging, and man-in-the-middle attacks.
- Tokens cannot provide granular authentication of high risk activities, such as transactions or the movement of data.
- Token seeds were stolen once, and they can be again.
5. Myth: RSA has been forthright about the risks to customers.
It’s no surprise that RSA is trying to downplay the risk to its clients. However, the breach at RSA was executed over 60 days before RSA admitted that SecurID tokens might need to be replaced, and it only did so after high-profile attacks at defense contractors hit the news.
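Why seed records are the asset to protect, and why replacing a token means issuing a new seed, shown as an added example that is not part of the original article. SecurID's algorithm is not described here, so the standard RFC 6238 TOTP construction stands in for it; `AuthServer`, `seed_exposure_demo` and the seed values are constructed for illustration.

```python
import hashlib
import hmac
import struct


def otp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a pure function of (seed, time)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical verifier: one seed record per user, same math as the token."""

    def __init__(self):
        self.seeds = {}

    def provision(self, user: str, seed: bytes) -> None:
        self.seeds[user] = seed  # re-provisioning overwrites the old seed

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        return hmac.compare_digest(otp(self.seeds[user], unix_time), code)


def seed_exposure_demo(now: int = 59) -> dict:
    server = AuthServer()
    issued = b"12345678901234567890"  # RFC 6238 test seed, not a real token
    server.provision("alice", issued)
    token_code = otp(issued, now)           # what the user's token displays
    copy_code = otp(bytes(issued), now)     # same seed held anywhere else
    accepted_before = server.verify("alice", copy_code, now)
    # Replacing the token means provisioning a new seed (constructed value).
    server.provision("alice", b"constructed-replacement-seed")
    accepted_after = server.verify("alice", copy_code, now)
    return {
        "token_code": token_code,
        "copy_matches_token": copy_code == token_code,
        "old_seed_accepted_before_reseed": accepted_before,
        "old_seed_accepted_after_reseed": accepted_after,
    }


if __name__ == "__main__":
    print(seed_exposure_demo())
```

The code carries no secret beyond the seed: any copy of the seed record yields the same digits as the physical token until the server is re-provisioned with a fresh seed.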
Shoring Up Authentication Practices
Using security tokens is like bringing a knife to a gun fight. The nature of the battle has changed. Malware and man-in-the-middle attacks easily defeat all one-time-passcode methods, including software and hardware tokens. More than 50 percent of malware goes undetected by anti-virus software. Trojans, worms, rootkits, and their countless variants have infiltrated an astounding number of computers with malware increasingly designed to subvert a computer’s operating system, making it extremely powerful and difficult for anti-virus software to detect and remove.
Given the prevalence of malware, one must always assume that the end point device (or an OTP entered into the end point device) is compromised. As a result, organizations are increasingly moving to out-of-band methods which authenticate logins and transactions through a separate communications channel, e.g. the telephone network. Out-of-band phone-based authentication methods are increasing in popularity and are seen as a leading token replacement option.
Analysts predict a continued decline in the use of hardware tokens for authentication and an increased reliance on phone-based methods. Gartner, Inc. expects that by year-end 2013, fewer than 10% of all authentication events will involve discrete, specialized authentication hardware of any kind (Predicts 2011: Identity and Access Management Continues Its Evolution Toward a Strategic Discipline, November 23, 2010 by Ant Allan, Earl Perkins, and Ray Wagner). The research notes that “by adopting alternative authentication methods, enterprises will be able to meet their needs for improved security at a lower cost and with a better user experience.”
In addition to the security benefits of out-of-band authentication, phone-based methods are significantly easier for end users and IT departments. By leveraging an existing device, phone-based methods can be instantly enabled for employees at retail locations around the globe. There are no devices for IT to provision, ship, replace, or retrieve when an employee leaves the organization. Everyone knows how to use the phone, so user training and ongoing support are minimal.
Retailers that utilize security tokens, many of whom are already frustrated with supporting current token deployments, are being driven to action by the RSA breach. The breach has many re-evaluating their use of security tokens and considering alternatives. As attacks have evolved, the effectiveness of security tokens has been significantly impacted. The RSA breach may just be the final nail in the coffin for security tokens.
Steve Dispensa is chief technology officer at PhoneFactor, a leading provider of multi-factor authentication services. Its platform leverages a device every user has — a phone — to strongly authenticate logins and transactions.
Office Depot offers customers a shred of privacy
BOCA RATON, Fla. — The small business customer may have a greater reason to visit Office Depot now that the retailer has expanded its shredding and secure document archiving service program through a new partnership with information management company, Iron Mountain.
The company is offering shredding services at the rate of 99 cents per pound as well as document scanning for a nominal fee, allowing customers to leave the store with a digital record of their document that was destroyed. Customers with larger volumes of materials for shredding can utilize the shredding drop off service, under which Iron Mountain picks up the items directly from Office Depot for shredding. Furthermore, businesses with larger needs can visit their nearest Office Depot store to schedule the business shredding service and pick up boxes that will hold up to 35 pounds each of materials.
“Shredding has become a personal and business necessity in order to be protected from financial loss, identity theft, and more,” said Kristin Micalizio, VP Office Depot’s Copy & Print Depot. “Whether a customer chooses to visit one of our more than 1,100 stores or have Iron Mountain come directly to their place of business, this new agreement allows us to provide Office Depot customers with a number of safe and secure shredding options.”