ISCAP Proceedings: Abstract Presentation
Cybersecurity Threats in Commercial Implementations of Self-Checkout Technology
Anthony Serapiglia
St. Vincent College
Abstract
The widespread adoption of self-checkout (SCO) technologies in retail, driven by promises of efficiency and reduced labor costs, has introduced a complex landscape of security challenges and customer privacy concerns. Initially celebrated for their convenience and savings, these systems have proven more vulnerable to theft than staffed lanes, with some reports indicating a 65% increase in theft at self-checkout compared to traditional lanes, and self-checkout machines causing 16 times more "shrink" (inventory loss) than cashier checkouts. This has prompted major retailers such as Dollar General, Target, and Walmart to remove SCOs, impose item limits, or otherwise restrict their use, directly impacting commercial implementations.
Beyond physical theft, the increasing reliance on digital payment platforms (e.g., Apple Pay, Google Pay) and Internet of Things (IoT) devices within SCO systems has significantly expanded the cyber-attack surface. Point of Sale (POS) systems, often central to SCO, combine a complex array of external hardware, software, and cloud components, creating numerous opportunities for cybercriminals to deploy malware or ransomware, harvest payment card data, or conscript devices into botnets. Legacy IoT devices and reliance on third-party software components further exacerbate these vulnerabilities, potentially circumventing newer security controls and exposing sensitive customer information. Furthermore, the reduced staff presence at checkout points leaves machines more exposed to physical tampering, such as the installation of card skimmers or direct access to exposed ports by threat actors.
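The "direct port access" scenario above is one that a staffed lane catches by eye and an unattended kiosk does not. The following is an added example, not code from the abstract or from the author's work, of the kind of host-side check that partially compensates: it walks kernel log lines of the form a Linux-based kiosk writes when a USB device attaches or detaches and compares them against a per-kiosk allowlist. The allowlist entries (vendor/product IDs and port paths), the choice of a Linux kiosk, and the sample log lines are all constructed for illustration and do not describe any real vendor's hardware.

```python
import re

# Patterns for the two kernel log lines that matter here, in the form dmesg
# prints them on a Linux host:
#   "usb 1-1.3: New USB device found, idVendor=0b00, idProduct=1234, ..."
#   "usb 1-1.3: USB disconnect, device number 4"
ATTACH = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
DETACH = re.compile(r"usb (?P<port>\d+-[\d.]+): USB disconnect, device number \d+")

# Hypothetical allowlist for one kiosk: (vendor id, product id) -> (role, port it is cabled to).
# These IDs and port paths are illustrative assumptions, not any vendor's real values.
ALLOWED = {
    ("0c2e", "0b61"): ("barcode scanner", "1-1.2"),
    ("0b00", "1234"): ("PIN pad", "1-1.3"),
    ("04b8", "0202"): ("receipt printer", "1-1.4"),
}


def audit_usb_events(log_lines):
    """Walk kernel log lines in order and return a list of (severity, message) alerts.

    Three conditions are flagged:
      * a device not on the allowlist (anything plugged into a free port),
      * an allowed device on a port other than the one it is cabled to,
      * an allowed device that disconnected and came back while the kiosk was
        running (a cable pulled to insert an inline skimmer, or a unit swap).
    """
    alerts = []
    unplugged = set()  # ports that have seen a disconnect since boot

    for line in log_lines:
        d = DETACH.search(line)
        if d:
            unplugged.add(d["port"])
            continue
        a = ATTACH.search(line)
        if not a:
            continue
        key = (a["vid"].lower(), a["pid"].lower())
        port = a["port"]
        ident = f"{key[0]}:{key[1]}"
        if key not in ALLOWED:
            alerts.append(("high", f"unknown device {ident} attached on port {port}"))
            continue
        role, expected_port = ALLOWED[key]
        if port != expected_port:
            alerts.append(("medium", f"{role} {ident} on port {port}, expected {expected_port}"))
        elif port in unplugged:
            alerts.append(("medium", f"{role} {ident} reseated on port {port} after a disconnect"))
            unplugged.discard(port)
    return alerts


# Constructed sample log: a normal boot, then the PIN pad is unplugged and
# reconnected mid-shift, then an unlisted device appears on a spare port.
SAMPLE_LOG = """\
[    3.201512] usb 1-1.2: New USB device found, idVendor=0c2e, idProduct=0b61, bcdDevice= 1.00
[    3.310877] usb 1-1.3: New USB device found, idVendor=0b00, idProduct=1234, bcdDevice= 2.00
[    3.420104] usb 1-1.4: New USB device found, idVendor=04b8, idProduct=0202, bcdDevice= 1.00
[41872.015330] usb 1-1.3: USB disconnect, device number 4
[41873.907221] usb 1-1.3: New USB device found, idVendor=0b00, idProduct=1234, bcdDevice= 2.00
[41901.512008] usb 1-1.5: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
""".splitlines()


if __name__ == "__main__":
    for severity, message in audit_usb_events(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the constructed log this reports the PIN pad reseat on port 1-1.3 and the unknown device on 1-1.5, and stays silent for the three boot-time attachments. In practice the events would come from `udev` or a journal subscription rather than a static file, and an alert would be correlated with transaction logs and camera timestamps; the allowlist-by-port rule is what turns a benign-looking "known PIN pad attached" event into a signal that someone had a cable in hand.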
Customer privacy is also significantly affected by these commercial implementations. The deployment of advanced surveillance, such as AI-powered cameras designed to combat theft by monitoring transactions and identifying missed scans, raises substantial privacy concerns. A prominent example is a proposed class action lawsuit against Home Depot in Illinois alleging that the company secretly scanned shoppers' faces at self-checkout kiosks without their knowledge or consent, in violation of the state's Biometric Information Privacy Act (BIPA). The lawsuit highlights the lack of clear disclosure regarding facial geometry collection and the indefinite retention of that data, practices that may be illegal under state law absent explicit written consent. Combining purchase histories with customer movement data gathered by IoT devices creates rich datasets that, if compromised, could expose intimate personal habits and give rise to claims for damages against retailers.
In response, retailers are compelled to invest in robust cybersecurity measures, including timely system updates, comprehensive security plans, and employee training in threat identification. Simultaneously, legislative efforts such as California's proposed Senate Bill 1446 aim to mitigate theft by mandating safe staffing levels, imposing item limits, and prohibiting purchases of age-restricted products at SCOs, while also addressing worker safety and the consequences of understaffing. The evolving landscape underscores the critical need for a balanced approach that integrates advanced security technologies with stringent data privacy protocols and thoughtful commercial implementations to ensure both loss prevention and consumer trust.
This author is looking for feedback on direction for further development. Current work includes exercise development for penetration testing and risk analysis leading to possible case scenarios based on specific features of SCOs.