Security Review: Costco

By kurifodo at 9:13 pm on March 16, 2008 | 8 Comments

Summary:
In order to shop at Costco, one must have a membership and proof of that membership. When an individual purchases a membership at Costco, they and their spouse may use the membership at any Costco. Otherwise, no one else is allowed to use that membership. If you have ever been to Costco, you know that they check for membership cards at the door and when making purchases at the register. They do not, however, check the name on the membership against another ID to verify you are the person on the card. At the front door, they glance to make sure you have a card, so they do not ever examine the fine details at this stage.

Assets:
– Lower prices on household goods. Costco is known to be cheaper when it comes to buying household products, and individuals can also buy them in bulk which is valuable because they can come back less often.
– Access to an assortment of services and larger-ticket items in which Costco offers competitive deals. These items and services include automobiles, automobile insurance and parts, pool tables, snowmobiles, etc.

Potential Adversaries/Threats:
– An individual who does not have a membership, but can borrow one from someone they know. Friends or non-immediate family members might share a membership card to save on membership costs, and Costco might not catch on to this.
– The issuers of the Costco cards. They could potentially make or issue cards to their family or friends by cooking the books and having no repercussions.
– Large groups of people could share one card amongst themselves, thus all enjoying the benefits of shopping at Costco, while Costco only gets the benefit of one membership.

Weaknesses:
– Minimal effort to check membership cards at the door. If more effort were put into checking at the door, fewer policy violators would make it into the store and to the second round of checks.
– At the register when Costco membership cards are checked, they do not match them against another ID. This would increase the difficulty of using a membership card that is not owned by the customer at the register.

Potential Defenses:
– When the Costco card is checked at the register, they could ask for another ID to match the names. This would provide another layer of defense on top of just checking that an individual has a Costco card.
– Right now, a large group of people can enter Costco as long as one of them has a card to show (like when my family goes together and only my dad needs to flash his card). They could require one card per person to enter the store, as opposed to just one card in a group of people.

Risks and other issues:

Out of the threats above, the first and third are very real. Friends mention often that they borrow their parents’ Costco card to make purchases. At other times, friends mention that they have one membership, but they go shopping at Costco together. By doing this, Costco sells one membership, but has multiple individuals using it. This behavior might be typical with roommates who shop together. The second adversary listed could be real, but I would not know. Depending on how good Costco’s accounting is when it comes to membership, this task of creating a membership that is not paid for could be difficult or easy.

If Costco changed their practices when it comes to checking memberships and cracked down on violators, it might actually be detrimental to business. People might react adversely because they are used to using their parents’ membership, roommate’s, or other friend’s. Perhaps Costco sees this and makes an active choice not to change their methods.

Conclusion:

Costco memberships are often abused, but the degree of their abuse might be at an acceptable level since Costco has not changed their system in response for many years. They could see the violations of their policy as acceptable and expected, so they do not care. I am sure there are exceptions, but this seems to be the general trend at every Costco. I think there is room for improvement in Costco’s security of cracking down on policy violators, but as to whether it would be a good choice is not so black and white.

Filed under: Security Reviews

8 Comments

  • 1
    Comment by zaxim

    March 16, 2008 @ 11:50 pm

    You make an excellent point about the costs Costco might incur if they clamp down on membership violators. It’s an observation that can be extended to many other situations. For example, copyright protection; there are methods to “ensure” that a CD can’t be read by a computer, like the Michael Jackson CD from several years back. This was an attempt to prevent people from ripping the songs and distributing them. Instead it caused an outcry and drastically reduced sales. Record companies obviously want to minimize piracy, and one way to do so is by increasing the security of their product, but people may not want to go along with it.

    This can actually be applied to any security policy deemed too stringent or hampering. Such as people deliberately trying to get shortcuts around security measures, like long passwords (sticky notes) and other issues.

    Basically a company needs to ask how important security is to them, and whether or not the benefits of security will outweigh the cost. Sure there are some places where we demand high security, such as online credit card transactions, but even that has a limit. One way to reduce credit card fraud would be to abolish the use of credit cards online, and require a physical presence, but we’re not willing to go that far.

  • 2
    Comment by rybolov

    March 20, 2008 @ 9:16 am

    Costco is a retailer, don’t forget that. They make money by selling goods, not by selling membership cards. In that sense, it’s in their best interest to get as many people into the store.

    Of course, you might wonder what value Costco gets from selling cards. At $50/person/year, it’s hardly any income for them at all. Considering the labor to run and maintain a card system, it probably is at the break-even point: the costs to Costco are about the same as the income it generates in membership fees.

    My theory is that Costco cards do the following things:
    #1 They fulfill the same purpose as a customer loyalty card: you look online for the nearest Costco because “yeah, I have a membership”.
    #2 By requiring people to pay for their cards, customers attach value to the Costco shopping experience. Think about what would happen if they gave away cards for free: the ratio of “real shoppers” to “tourists” would change from 1:0 to maybe 1:1 with increases in costs to Costco because they lose money on tourists.
    #3 By restricting shopping to cardholders, Costco has turned membership into an “elite” category with an illusion of exclusivity. People like that.
    #4 Membership allows Costco the ability to track you and do trend analysis on what you buy.

    So yes, Costco does get value out of a membership system, but is it any security? No, nor do I think it was designed to be a security feature–I think it’s a very strong marketing gimmick and nothing more.

    Good job, keep it up.

  • 3
    Comment by Liam Greenwood

    March 21, 2008 @ 6:17 am

    My understanding is that there is a requirement, at least in some states, for certain types of discount operations to be only for ‘members’. So Costco has a need to have a membership scheme, and to be seen to be enforcing it.

    Secondly, every Costco card does have a photograph of the member on it, as well as a name.

  • 4
    Comment by Randy

    March 21, 2008 @ 9:50 am

    I haven’t been to a Costco, so forgive my ignorance if this is wrong. I remember back in the day with a wholesale club, they would simply look at the card, there was no barcode or mag stripe. If this is still the case, then it would be possible to easily forge a card, as the authentication of the card is very weak (they just look at it).

    Even if a magstripe/barcode is present, it could be possible to forge a card, and then copy a legitimate barcode/magstripe onto the forgery. It seems these arguments are all centered around the weakness of the authentication scheme however.

  • 5
    Comment by vsync

    March 21, 2008 @ 12:43 pm

    Wow. You realize the Costco ID has a photo on it, right? If Costco really cared they could have the register actually display that photo from their database for the cashier when swiped, to guard against duplicated ID barcodes.

  • 6
    Comment by Rick Mach

    March 21, 2008 @ 2:13 pm

    rybolov, do note that Costco makes a fairly large percentage of their profits from membership sales. This is from some business articles I have read regarding their very low markups on merchandise. Another ‘security item’ to consider is the checks they do on receipts to reduce theft. This is one I have considered and it would be very easy to circumvent this as well.

  • 7
    Comment by Anthony

    March 25, 2008 @ 9:27 am

    VSYNC: Some Costco cards have photos, some don’t. It depends on how you got your Costco card if it has your photo on it.

  • 8
    Comment by Justin

    March 26, 2008 @ 8:17 pm

    I agree with comment #2 that the main function of Costco’s membership cards is not to earn money directly through the annual fee, but to increase customer loyalty and revenue per visit. It also increases the importance of going to Costco, so you’re more likely to spend a lot when you go and make fewer trips. For a store that’s crowded most of the time, this is important.

    Also, it’s worth pointing out that you need the card to check out, not just when you enter the store. The card is swiped at the register and kept by the cashier until they give you a receipt. That’s plenty of opportunity to look at the picture on the card.

    So, I’m not sure exactly what is being protected by the “security” provided by the Costco membership card. After all, they do give guest passes if you just want to go in and look around.
