Allegedly Creative Vulnerability Diagnosis
By Charles Parker, II; InfoSec Architect

Retailers do not have the most pleasant sets of responsibilities. There are pressures from the staff, management, corporate office, and customers. There may be a mismatch viewed with what is sold and revenue, in that the goods and services may last for multiple years, while the revenue from the sale only appears in the first year, and the sales budgets continue to climb.

For instance, a customer may purchase AV with a three-year time span now or a Mac Air. These last multiple years and are not recurring expenses for the consumer, while the expected increase in revenue has to come from somewhere.

At times, the management may feel the need to work within the grey area of sales to secure the transaction. This may not be ethical in its entirety. An example of this may be considered in 2008 when Circuit City filed bankruptcy. Up until the end, the store warranties were sold to consumers without the disclosure of the potential filing.

Post-bankruptcy filing and store closings, the stores were not able to service the products under their warranty, in comparison to the manufacturer’s warranty. Others have elected to take this a bit further.

Office Depot’s Allegedly Questionable Practices
The massive base of non-IT consumers provides a very large customer base to target and sell goods and services to. For the most part, this segment of the economy has much to learn.

The consumers have read a headline regarding a breach, however, their IT and InfoSec knowledge base tends to be rather shallow, naturally with variances per person.
Due to the Office Depot being directly involved with selling computer systems and related services to this market, the staff members should be acting in a fiduciary capacity. They are the subject matter expert (SME). If consumer Joe has an issue with his computer, he may simply unplug the laptop and take the equipment into the local Office Depot for advice.

The systems are scanned by the Office Depot application. Allegedly the Office Depot’s tech teams then inform these customers there is malware on the customer’s computers when there is not. Although this generates revenue, it is not exactly prudent…

The staff was allegedly being pressured to sell computer protection plans per a news story by KIRO in Seattle. This was per a prior employee who was now a whistleblower. This Washington example, however, is not isolated.

This treatment of customers was also reported by WFXT in Boston. With the Boston case, there was also the same false positive report by the Office Depot staff members.
Sample

In following the scientific method of research, KIRO staff members purchased six new computers. These were unboxed and brought to the Office Depot for a PC Health Check.

After asking a few questions and scanning the computer, the “customer” was told by the Home Depot tech, in four of the six systems, their computer showed “symptoms of malware”. The tech diligently attempted to sell the “customer” the services to fix the computer, costing from $149 to $199.

To validate the brand new, directly out of the box computers did not actually have malware, the systems were brought to an InfoSec firm, IOActive. The report from the actual SMEs was the systems did not need any repair services.

Per the KIRO news story, the workers were told to sell the programs and were following corporate directives. The statistics for sales were posted in the breakroom and it was noted the staff without suitable levels of sales may not be needed.

Follow-Up
Office Depot apparently is investigating the issue and has stated they do not support the alleged actions and will take the appropriate steps. With the corporate environment, the extent of the investigation may vary greatly dependent on the number of variables. To ensure this is actually investigated fully, Senator Maria Cantwell (D-WA) has requested the FTC review these claims.

About The Author
Charles Parker, II began coding in the 1980s. Presently CP is an Information Security Architect at a Tier One supplier to the automobile industry. CP is presently completing the Ph.D. (Information Assurance and Security) with completing the dissertation. CP’s interests include cryptography, SCADA, and securing communication channels. He has presented at regional InfoSec conferences.
Charles Parker, II can be reached online at charlesparkerii@gmail.com and InfoSecPirate (Twitter).