<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Security Review: Costco</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/</link>
	<description></description>
	<pubDate>Wed, 20 Aug 2008 16:51:24 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
		<item>
		<title>By: Justin</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4515</link>
		<dc:creator>Justin</dc:creator>
		<pubDate>Thu, 27 Mar 2008 04:17:40 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4515</guid>
		<description>I agree with comment #2 that the main function of Costco's membership cards is not to earn money directly through the annual fee, but to increase customer loyalty and revenue per visit. It also increases the importance of going to Costco, so you're more likely to spend a lot when you go and make fewer trips. For a store that's crowded most of the time, this is important.

Also, it's worth pointing out that you need the card to check out, not just when you enter the store. The card is swiped at the register and kept by the cashier until they give you a receipt. That's plenty of opportunity to look at the picture on the card.

So, I'm not sure exactly what is being protected by the "security" provided by the Costco membership card. After all, they do give guest passes if you just want to go in and look around.</description>
		<content:encoded><![CDATA[<p>I agree with comment #2 that the main function of Costco&#8217;s membership cards is not to earn money directly through the annual fee, but to increase customer loyalty and revenue per visit. It also increases the importance of going to Costco, so you&#8217;re more likely to spend a lot when you go and make fewer trips. For a store that&#8217;s crowded most of the time, this is important.</p>
<p>Also, it&#8217;s worth pointing out that you need the card to check out, not just when you enter the store. The card is swiped at the register and kept by the cashier until they give you a receipt. That&#8217;s plenty of opportunity to look at the picture on the card.</p>
<p>So, I&#8217;m not sure exactly what is being protected by the &#8220;security&#8221; provided by the Costco membership card. After all, they do give guest passes if you just want to go in and look around.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Anthony</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4469</link>
		<dc:creator>Anthony</dc:creator>
		<pubDate>Tue, 25 Mar 2008 17:27:44 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4469</guid>
		<description>VSYNC: Some Costco cards have photos, some don't. It depends on how you got your Costco card if it has your photo on it.</description>
		<content:encoded><![CDATA[<p>VSYNC: Some Costco cards have photos, some don&#8217;t. It depends on how you got your Costco card if it has your photo on it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Rick Mach</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4319</link>
		<dc:creator>Rick Mach</dc:creator>
		<pubDate>Fri, 21 Mar 2008 22:13:49 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4319</guid>
		<description>rybolov, do note that Costco makes a fairly large percentage of their profits from membership sales.  This is from some business articles I have read regarding their very low markups on merchandise.  Another 'security item' to consider is the checks they do on receipts to reduce theft.  This is one I have considered and it would be very easy to circumvent this as well.</description>
		<content:encoded><![CDATA[<p>rybolov, do note that Costco makes a fairly large percentage of their profits from membership sales.  This is from some business articles I have read regarding their very low markups on merchandise.  Another &#8216;security item&#8217; to consider is the checks they do on receipts to reduce theft.  This is one I have considered and it would be very easy to circumvent this as well.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: vsync</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4312</link>
		<dc:creator>vsync</dc:creator>
		<pubDate>Fri, 21 Mar 2008 20:43:36 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4312</guid>
		<description>Wow.  You realize the Costco ID has a photo on it, right?  If Costco really cared they could have the register actually display that photo from their database for the cashier when swiped, to guard against duplicated ID barcodes.</description>
		<content:encoded><![CDATA[<p>Wow.  You realize the Costco ID has a photo on it, right?  If Costco really cared they could have the register actually display that photo from their database for the cashier when swiped, to guard against duplicated ID barcodes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Randy</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4308</link>
		<dc:creator>Randy</dc:creator>
		<pubDate>Fri, 21 Mar 2008 17:50:40 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4308</guid>
		<description>I haven't been to a Costco, so forgive my ignorance if this is wrong.  I remember back in the day with a wholesale club, they would simply look at the card, there was no barcode or mag stripe.  If this is still the case, then it would be possible to easily forge a card, as the authentication of the card is very weak (they just look at it).

Even if a magstripe/barcode is present, it could be possible to forge a card, and then copy a legitimate barcode/magstripe onto the forgery.  It seems these arguments are all centered around the weakness of the authentication scheme, however.</description>
		<content:encoded><![CDATA[<p>I haven&#8217;t been to a Costco, so forgive my ignorance if this is wrong.  I remember back in the day with a wholesale club, they would simply look at the card, there was no barcode or mag stripe.  If this is still the case, then it would be possible to easily forge a card, as the authentication of the card is very weak (they just look at it).</p>
<p>Even if a magstripe/barcode is present, it could be possible to forge a card, and then copy a legitimate barcode/magstripe onto the forgery.  It seems these arguments are all centered around the weakness of the authentication scheme, however.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Liam Greenwood</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4284</link>
		<dc:creator>Liam Greenwood</dc:creator>
		<pubDate>Fri, 21 Mar 2008 14:17:15 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4284</guid>
		<description>My understanding is that there is a requirement, at least in some states, for certain types of discount operations to be only for 'members'.  So Costco has a need to have a membership scheme, and to be seen to be enforcing it.

Secondly, every Costco card does have a photograph of the member on it, as well as a name.</description>
		<content:encoded><![CDATA[<p>My understanding is that there is a requirement, at least in some states, for certain types of discount operations to be only for &#8216;members&#8217;.  So Costco has a need to have a membership scheme, and to be seen to be enforcing it.</p>
<p>Secondly, every Costco card does have a photograph of the member on it, as well as a name.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: rybolov</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4236</link>
		<dc:creator>rybolov</dc:creator>
		<pubDate>Thu, 20 Mar 2008 17:16:21 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-4236</guid>
		<description>Costco is a retailer, don't forget that.  They make money by selling goods, not by selling membership cards.  In that sense, it's in their best interest to get as many people into the store.

Of course, you might wonder what value Costco gets from selling cards.  At $50/person/year, it's hardly any income for them at all.  Considering the labor to run and maintain a card system, it probably is at the break-even point:  the costs to Costco are about the same as the income it generates in membership fees.

My theory is that Costco cards do the following things:
#1 They fulfill the same purpose as customer loyalty cards:  you look online for the nearest Costco because "yeah, I have a membership".
#2 By requiring people to pay for their cards, customers attach value to the Costco shopping experience.  Think about what would happen if they gave away cards for free:  the ratio of "real shoppers" to "tourists" would change from 1:0 to maybe 1:1 with increases in costs to Costco because they lose money on tourists.
#3 By restricting shopping to cardholders, Costco has turned membership into an "elite" category with an illusion of exclusivity.  People like that.
#4 Membership allows Costco the ability to track you and do trend analysis on what you buy.

So yes, Costco does get value out of a membership system, but is it any security?  No, nor do I think it was designed to be a security feature--I think it's a very strong marketing gimmick and nothing more.

Good job, keep it up.</description>
		<content:encoded><![CDATA[<p>Costco is a retailer, don&#8217;t forget that.  They make money by selling goods, not by selling membership cards.  In that sense, it&#8217;s in their best interest to get as many people into the store.</p>
<p>Of course, you might wonder what value Costco gets from selling cards.  At $50/person/year, it&#8217;s hardly any income for them at all.  Considering the labor to run and maintain a card system, it probably is at the break-even point:  the costs to Costco are about the same as the income it generates in membership fees.</p>
<p>My theory is that Costco cards do the following things:<br />
#1 They fulfill the same purpose as customer loyalty cards:  you look online for the nearest Costco because &#8220;yeah, I have a membership&#8221;.<br />
#2 By requiring people to pay for their cards, customers attach value to the Costco shopping experience.  Think about what would happen if they gave away cards for free:  the ratio of &#8220;real shoppers&#8221; to &#8220;tourists&#8221; would change from 1:0 to maybe 1:1 with increases in costs to Costco because they lose money on tourists.<br />
#3 By restricting shopping to cardholders, Costco has turned membership into an &#8220;elite&#8221; category with an illusion of exclusivity.  People like that.<br />
#4 Membership allows Costco the ability to track you and do trend analysis on what you buy.</p>
<p>So yes, Costco does get value out of a membership system, but is it any security?  No, nor do I think it was designed to be a security feature&#8211;I think it&#8217;s a very strong marketing gimmick and nothing more.</p>
<p>Good job, keep it up.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: zaxim</title>
		<link>http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-3974</link>
		<dc:creator>zaxim</dc:creator>
		<pubDate>Mon, 17 Mar 2008 07:50:41 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/03/16/security-review-costco/#comment-3974</guid>
		<description>You make an excellent point about the costs Costco might incur if they clamp down on membership violators.  It’s an observation that can be extended to many other situations.  For example, copyright protection; there are methods to “ensure” that a CD can’t be read by a computer, like the Michael Jackson CD from several years back.  This was an attempt to prevent people from ripping the songs and distributing them.  Instead it caused an outcry and drastically reduced sales.  Record companies obviously want to minimize piracy, and one way to do so is by increasing the security of their product, but people may not want to go along with it.

This can actually be applied to any security policy deemed too stringent or hampering, such as people deliberately trying to get shortcuts around security measures, like long passwords (sticky notes) and other issues.

Basically a company needs to ask how important security is to them, and whether or not the benefits of security will outweigh the cost.  Sure there are some places where we demand high security, such as online credit card transactions, but even that has a limit.  One way to reduce credit card fraud would be to abolish the use of credit cards online, and require a physical presence, but we’re not willing to go that far.</description>
		<content:encoded><![CDATA[<p>You make an excellent point about the costs Costco might incur if they clamp down on membership violators.  It’s an observation that can be extended to many other situations.  For example, copyright protection; there are methods to “ensure” that a CD can’t be read by a computer, like the Michael Jackson CD from several years back.  This was an attempt to prevent people from ripping the songs and distributing them.  Instead it caused an outcry and drastically reduced sales.  Record companies obviously want to minimize piracy, and one way to do so is by increasing the security of their product, but people may not want to go along with it.</p>
<p>This can actually be applied to any security policy deemed too stringent or hampering, such as people deliberately trying to get shortcuts around security measures, like long passwords (sticky notes) and other issues.</p>
<p>Basically a company needs to ask how important security is to them, and whether or not the benefits of security will outweigh the cost.  Sure there are some places where we demand high security, such as online credit card transactions, but even that has a limit.  One way to reduce credit card fraud would be to abolish the use of credit cards online, and require a physical presence, but we’re not willing to go that far.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
