Quick Security Lessons From Target

I really hate shopping at Target, which is probably why I end up spending so much time there every week. Every time I go to one it's like going on safari: you never know what you'll see, but you're hopeful you'll get something good. And, frankly, it's absolutely maddening. I've lost count of the number of times that I've purchased something trivial there (soap, for instance) only to come back to restock and find that the product is out or, more likely, not carried any more.

In thinking about it, the Target shopping experience has a lot in common with dealing with the opposition in information security. There is a method to Target's madness: all of it is designed to drive up profitability, for instance through increased spontaneous purchases. Following are three attributes of Target stores that generalize to our own infosec industry.


  • Inconsistency: If you've visited a few Target stores, one of the things you'll notice is that seemingly no two are laid out the same way. There are about a half-dozen here in the area that I visit on a somewhat regular basis, depending on convenience, and every single one has a unique layout. In infosec, and particularly as regards phishing, spam, and web appsec, inconsistency leads to confusion, which in turn leads to user error and compromise. Spam filters, URL filters, AV, IDS/IPS: these all rely on being able to match a consistent pattern, and when the consistency isn't there the tools lose most of their value. Attackers, for their part, deliberately exploit inconsistency to optimize their attacks. We need to find better ways to establish consistency in key areas (such as authentication, reputation, identity, warnings, and error messages) that can be used universally without limiting developer creativity.

  • Randomness: I swear, Target must use some sort of randomization engine to determine which products get sent to which stores, and for how long a given product will be carried. Randomness, of course, causes me to wander around looking for a suitable alternative, increasing the likelihood that I'll see other things and buy them. Similarly, attackers online use randomness (randomized subject lines, sender addresses, URLs, and attachment contents) to evade pattern-based security controls and to attract your attention.

  • Driving Spontaneity: Bouncing people around, making them browse just to find their normal purchases, increases spontaneous purchases. The effect is similar to "limited time only" sales, which is, of course, a staple phishing and spam technique for pushing people into a hasty, bad decision. Every purchase you make at Target that was not planned or necessary is a win for them, just as every spam link you click is a win for the bad guys. It all comes down to finding the right triggers to make you react automatically instead of with forethought and planning.
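The "consistent pattern" point in the list above, as an added example that is not code from the original post: a literal phrase-and-URL filter, the randomized lure variants that slip past it, and a normalizing detector that restores enough consistency to match again. It goes a step beyond the post by showing the countermeasure as well as the evasion. The lure text, the placeholder domain login-example.com, the function names (`randomize_lure`, `normalize`, `registered_domains`, `naive_detect`, `robust_detect`) and the three-letter confusables table are all my constructions, and the "last two labels" notion of registered domain is an assumption standing in for a public suffix list.

```python
"""Literal signature matching versus randomised lures.

Added example, not code from the original post. The lure text, the
placeholder domain login-example.com and every name below are constructed
for illustration.
"""
import random
import re
import unicodedata
from urllib.parse import urlsplit

# What the naive filter was tuned against (constructed sample, not real spam).
BASE_LURE = ("Please verify your account at "
             "http://login-example.com/secure within 24 hours.")

# Naive filter: a literal phrase and a literal full URL on a block list.
SIGNATURE_PHRASES = ["verify your account"]
BLOCKED_URLS = ["http://login-example.com/secure"]

# Robust filter: same phrase, matched after normalisation, plus the lure's
# registered domain rather than one exact URL.
LURE_DOMAINS = {"login-example.com"}

# Invisible format characters (Unicode category Cf) that break literal
# matching without changing what the reader sees.
ZERO_WIDTH = "\u200b\u200c\u200d\ufeff"

# Cyrillic letters that render like Latin a, e, o. A tiny confusables table;
# a real deployment would use the Unicode confusables data.
TO_CYRILLIC = str.maketrans({"a": "\u0430", "e": "\u0435", "o": "\u043e"})
FROM_CYRILLIC = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o"})

ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def randomize_lure(seed: int) -> str:
    """Build one randomised variant of BASE_LURE the way an evasive sender would.

    Each variant reads the same to a human, but shares no byte-for-byte
    phrase or URL with the original.
    """
    rng = random.Random(seed)
    # 1. Random subdomain and path: the exact blocked URL never appears.
    sub = "".join(rng.choice(ALNUM) for _ in range(8))
    path = "".join(rng.choice(ALNUM) for _ in range(12))
    text = BASE_LURE.replace("http://login-example.com/secure",
                             f"http://{sub}.login-example.com/{path}")
    # 2. Swap Latin a/e/o for Cyrillic look-alikes.
    text = text.translate(TO_CYRILLIC)
    # 3. Sprinkle zero-width characters after random letters.
    out = []
    for ch in text:
        out.append(ch)
        if ch.isalpha() and rng.random() < 0.3:
            out.append(rng.choice(ZERO_WIDTH))
    text = "".join(out)
    # 4. Randomise letter case.
    return "".join(c.upper() if rng.random() < 0.5 else c for c in text)


def normalize(text: str) -> str:
    """Undo the cosmetic variation before matching."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    text = text.casefold()            # case-insensitive; folds Cyrillic capitals too
    text = text.translate(FROM_CYRILLIC)
    return re.sub(r"\s+", " ", text).strip()


def registered_domains(text: str) -> set:
    """Last two labels of every URL host in the text.

    Assumption: this two-label approximation stands in for a public suffix
    list, which is what production code should use.
    """
    found = set()
    for m in URL_RE.finditer(text):
        host = urlsplit(m.group(0)).hostname or ""
        labels = host.strip(".").split(".")
        if len(labels) >= 2:
            found.add(".".join(labels[-2:]))
    return found


def naive_detect(text: str) -> list:
    """Literal matching: works only while the lure stays consistent."""
    return [s for s in SIGNATURE_PHRASES + BLOCKED_URLS if s in text]


def robust_detect(text: str) -> list:
    """Match the phrase on normalised text and the URL on its registered domain."""
    norm = normalize(text)
    hits = [p for p in SIGNATURE_PHRASES if p in norm]
    hits += sorted(d for d in registered_domains(norm) if d in LURE_DOMAINS)
    return hits


if __name__ == "__main__":
    print("baseline:", naive_detect(BASE_LURE), robust_detect(BASE_LURE))
    for seed in range(3):
        variant = randomize_lure(seed)
        print(repr(variant))
        print("  naive :", naive_detect(variant))
        print("  robust:", robust_detect(variant))
```

The naive filter catches the baseline lure and nothing else; every randomized variant gets past it because the phrase and the URL are never byte-identical twice. The robust filter strips the format characters, folds case and confusables, and reduces each URL to its registered domain, so the variants collapse back onto one consistent pattern. That is the "establish consistency" the bullet asks for, applied on the defender's side of the wire.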

The next time you make a shopping trip to Target, consciously look at the end-cap displays. Note how much you have to wander, or even criss-cross, the store just to find the few things you're seeking. The whole situation is skewed in their favor, with the intent of getting you to do something you would not, on reflection, really need or want to do. Now compare this to common online attacks. The similarities are interesting, and suggest that these bad guys are as well-versed in influence, social engineering, and marketing as the supposed "good guys" in the retail industry. :)

About this Entry

This page contains a single entry by Ben Tomhave published on December 9, 2009 10:23 PM.
