{"id":216,"date":"2008-03-16T21:13:18","date_gmt":"2008-03-17T05:13:18","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/16\/security-review-costco\/"},"modified":"2008-03-16T21:13:50","modified_gmt":"2008-03-17T05:13:50","slug":"security-review-costco","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-costco\/","title":{"rendered":"Security Review: Costco"},"content":{"rendered":"<p><font size=\"2\"><strong>Summary:<\/strong><br \/>\nIn order to shop at Costco, one must have a membership and proof of that membership.  When an individual purchases a membership at Costco, they and their spouse may use the membership at any Costco.  Otherwise, no one else is allowed to use that membership.  If you have ever been to Costco, you know that they check for membership cards at the door and when making purchases at the register.  They do not, however, check the name on the membership against another ID to verify that you are the person on the card.  At the front door, they only glance to make sure you have a card; they never examine the fine details at this stage.<\/font><\/p>\n<p><!--more--><font size=\"2\"><strong>Assets:<\/strong><br \/>\n&#8211; Lower prices on household goods.  Costco is known to be cheaper when it comes to household products, and individuals can also buy them in bulk, which is valuable because they can come back less often.<br \/>\n&#8211; Access to an assortment of services and larger-ticket items on which Costco offers competitive deals.   These items and services include automobiles, automobile insurance and parts, pool tables, snowmobiles, etc.<\/font><\/p>\n<p><font size=\"2\"><strong>Potential Adversaries\/Threats:<\/strong><br \/>\n&#8211; An individual who does not have a membership but can borrow one from someone they know.  
Friends or non-immediate family members might share a membership card to save on membership costs, and Costco might not catch on to this.<br \/>\n&#8211; The issuers of the Costco cards.  They could make or issue cards to their family or friends by cooking the books, with no repercussions.<br \/>\n&#8211; Large groups of people could share one card amongst themselves, all enjoying the benefits of shopping at Costco while Costco only gets the revenue of one membership.<\/font><\/p>\n<p><font size=\"2\"><strong>Weaknesses:<\/strong><br \/>\n&#8211; Minimal effort to check membership cards at the door.  If more effort were put into the check at the door, fewer policy violators would make it into the store and on to the second round of checks.<br \/>\n&#8211; At the register, when Costco membership cards are checked, they are not matched against another ID.  Matching them would make it harder to use a membership card that does not belong to the customer presenting it.<\/font><\/p>\n<p><font size=\"2\"><strong>Potential Defenses:<\/strong><br \/>\n&#8211; When the Costco card is checked at the register, they could ask for another ID and match the names.  This would add another layer of defense on top of just checking that an individual has a Costco card.<br \/>\n&#8211; Right now, a large group of people can enter Costco as long as one of them has a card to show (like when my family goes together and only my dad needs to flash his card).  They could require one card per person to enter the store, rather than one card per group.<\/font><\/p>\n<p><font size=\"2\"><strong>Risks and other issues:<\/strong><\/font><\/p>\n<p><font size=\"2\">Of the threats above, the first and third are very real.  Friends often mention that they borrow their parents&#8217; Costco card to make purchases.  At other times, friends mention that they have one membership, but they go shopping at Costco together.  
By doing this, Costco sells one membership but has multiple individuals using it.  This behavior might be typical of roommates who shop together.  The second adversary listed could be real, but I would not know.  Depending on how good Costco&#8217;s accounting is when it comes to memberships, creating a membership that is not paid for could be difficult or easy.<\/font><\/p>\n<p><font size=\"2\">If Costco changed its practices for checking memberships and cracked down on violators, it might actually be detrimental to business.  People might react adversely because they are used to using their parents&#8217;, roommate&#8217;s, or other friends&#8217; memberships.  Perhaps Costco sees this and makes an active choice not to change its methods.<\/font><\/p>\n<p><font size=\"2\"><strong>Conclusion:<\/strong><\/font><\/p>\n<p><font size=\"2\">Costco memberships are often abused, but the degree of abuse might be at an acceptable level, since Costco has not changed its system in response for many years.  They could see violations of their policy as acceptable and expected, so they do not care.  I am sure there are exceptions, but this seems to be the general trend at every Costco.  I think there is room for improvement in Costco&#8217;s security in cracking down on policy violators, but whether it would be a good choice is not so black and white.<\/font><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: In order to shop at Costco, one must have a membership and proof of that membership. When an individual purchases a membership at Costco, they and their spouse may use the membership at any Costco. 
Otherwise, no one else &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/16\/security-review-costco\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":27,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-216","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=216"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/216\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}