Security Review: The Safeway Club Card

By mgklous at 7:43 pm on February 10, 2008 | 2 Comments

This security review is inspired by the story of a firefighter whose Safeway shopping history landed him an arrest for arson in August, 2004. More information on the story here: http://www.computerbytesman.com/privacy/safewaycard.htm

Most people are probably familiar with the concept of a grocery store shopping card. The Safeway Club Card is a membership card that can be used to save money on grocery shopping. Products throughout the grocery store are marked with special limited-time-only “member prices”, which are slightly reduced prices available to anybody carrying a Safeway Club Card. People without the card must pay full price, but are often asked at the register if they would like to apply for a Safeway Club Card. The Safeway Club Card is “free” to acquire: there is no fee involved, only disclosure of personal information.

The Safeway Club Card Application requires that the individual provide their full name and current address. Optional information includes phone number, birthday, driver’s license number, and social security number. Members identify themselves either by using the Safeway Club Card they are given, or by providing the phone number associated with the card account.

Let’s break it down. Here are the assets, threats, security weaknesses, and defenses associated with having a Safeway Club Card. For brevity’s sake, we will assume Safeway’s customer database is perfectly secure and requires no evaluation. 🙂

Assets:

  • Member benefits: Members receive lower prices for select items, a frequent flier mile program, special member deals (such as buy one get one free), etc. Goal: Only members should be allowed to use benefits.
  • Personal information: Card holders must disclose personal information as previously described, which is maintained in Safeway’s customer database. Safeway also keeps track of the shopper’s recent shopping history for the purposes of marketing and promotions, as explained in the Safeway privacy policy. Goal: Customer information should be kept confidential.

Adversaries/Threats:

  • Non-member customers: Customers without a Safeway Club Card may wish to use your membership to gain access to member benefits, such as cash savings. Additionally, somebody could purchase incriminating products using your membership, which will be recorded and possibly used by law enforcement (read the article at the top of the page for a perfect example).
  • Store employees: When a customer fills out a Safeway Club Card Application, they trust the store and the store employees to maintain the confidentiality of their personal information. Because card applications are typically hand-written and handed to an employee, a malicious employee could easily intercept, modify, or interrupt this information.

Potential Weaknesses:

  • Weak authentication: When a customer uses their card membership, the only required identification is either the physical Safeway Club Card or the telephone number associated with the account. A stolen card could be used without consequence. A physical card can easily be forged and reproduced (here is an example). Adversaries can use known customer telephone numbers to gain membership access without needing to provide the physical card or any other form of authentication.
  • Exposure of personal information: When one purchases products using a membership, the transaction receipt prints the name of the account holder (as provided on the application). This is done so cashiers can address the individual by name. Using one of the techniques described above, an adversary could use somebody’s Safeway Club account and learn the name of the individual from the receipt of the transaction.
  • Paper membership applications: A customer fills out a paper application and gives it to the cashier. A malicious cashier can easily intercept the application.
  • Online membership application: The online application page uses the standard HTTP protocol and uses no form of encryption.

Defenses (that currently do not exist!):

  • Require authentication: Safeway could easily prevent malicious customers from using false Safeway Club Cards by requiring further authentication. As a former Safeway employee, I can say that this is not done because Safeway does not wish to inconvenience its loyal customers.
  • Use of encryption: Should be a no-brainer. The online membership application does not use any encryption, and it should.
  • Added security for paper applications: An envelope could be included with a paper application, and could be dropped in a drop-box that requires a manager’s key. This would prevent employees from intercepting or interrupting personal information.

We see that there are many pitfalls surrounding the Safeway Club Card application process, and that a malicious customer could easily circumvent the loose identification protocols in place. Grocery identification cards are typically overlooked and considered to be about as dangerous as a library card (hint: future security review 🙂 ). Considering the severely lax security protocols involved with Safeway Club Cards, I argue that there is a great potential for risk, as illustrated by the article provided at the beginning of this post. For more information on why grocery cards such as the Safeway Club Card are bad, visit this website: http://www.nocards.org/.


    2 Comments

    • 1

      Comment by Naveen Kanukuntla

      August 30, 2008 @ 12:14 pm

      Hi, I'm a student who has come from India to pursue my master's. I have come to know that the Safeway card will decrease the cost of purchasing groceries and took one.

      Since I'm a student, I now fear that the information I have provided might be used by a malicious employee in the store.

      But despite this fact I also feel that some authentication and authorization of this card can prevent further adversaries, and people are really benefited using this card.

    • 2

      Comment by Jenny

      October 13, 2008 @ 4:27 am

      It's a very interesting and cool post about online shopping. People are using online shopping to buy any product.
