CHICAGO -- Supermarket operators could be more vulnerable to computer hackers than they think they are.
That was the message Gordon E. Smith, president of the computer security consulting firm Canaudit, Simi Valley, Calif., gave during the 2001 FMI Show here earlier this month.
Pharmacies, gas station payment systems, human resources programs and Web sites can often be penetrated by using a few simple hacking programs if companies do not take adequate precautions, Smith said.
His presentation was titled: Cyber Terrorism and Electronic Espionage.
Weaving an imaginary tale of cyber-revenge by "Saddam Insane," Smith demonstrated how acts of terrorism -- including blowing up buildings and crippling police dispatches -- could be perpetrated using some password-cracking tools available through the Internet.
He also detailed how supermarkets could be hacked using the same simple scanning and cracking tools, which allow hackers to get behind security firewalls.
"The thing I like about grocery stores is they are so easy to hit," he said, gleefully demonstrating how he once accessed the pharmacy records of a client through the Internet.
"I can find out which of your customers take AIDS cocktails ... I can find out which men take Viagra."
In addition to establishing secure protocols that make it difficult for hackers to guess passwords, companies also should put computer security under the control of an "asset protection" group and take it out of the realm of the information technology group, he said.
He noted that 82% of hacking attacks come from within the network.
"Basically, you have to turn your loss prevention department into an asset protection department," Smith said.
"The real secret here is that asset protection is not just a few cans on the shelf and a couple of dollars in the till, it's your information ... it's your customers' credit card numbers."
Some simple things retailers can do to thwart hackers include making computer passwords difficult to guess, he said.
For example, he said the store manager's password should not be "stormgr" or something similar, and cashiers' passwords should not be "cashier1," "cashier2," etc.
He also suggested that if employees have trouble remembering passwords, companies should consider using biometric technologies, which employ eye scans or use other physical characteristics to screen computer-system users.
He said many software programs commonly used by supermarket chains, including PeopleSoft, a human resources solution, can be hacked easily if users do not change the default user name and password.
Vulnerable access points in supermarkets' computer systems can also include their fuel stations.
Although files containing customers' credit card numbers are encrypted when they are transmitted from computer to computer, sometimes the merchant-fee files that are sent to the credit card companies are not encrypted.
Similarly, credit-card encryption does not necessarily occur between the checkout lane and the store's central computer, giving hackers another potential target once they gain entry to a retailer's system.
Although Smith said the Internet itself is a very secure medium, a company's Web site can still be used as a conduit into corporate systems.
"People say, 'It's just a page; it's just like paper advertising,' but it's not," he said. "It's an entry point into your network."
Even companies that don't have Web sites can still be penetrated through the Internet if they have e-mail, as Smith demonstrated by obtaining the Internet Protocol address of one attendee whose company did not have a Web site.
At least one of the attendees said the session inspired him to take action.
"I've got to convince the store owner to do a security audit," said Scott Dorman, director of services at Webster's United Foods, operator of a Pick 'N Save in Ripon, Wis. "Personally, I know a few hackers, so I was familiar with a lot of what he was talking about."
