Thief with crowbar

Caught Red Handed…. Using Splunk to Catch Retail Theft Rings

Last Updated on July 8, 2020

According to The National Retail Federation, retail theft costs U.S. companies $30 Billion a year, with “professional/habitual shoplifters” responsible for 10% ($3b) of all retail theft.  And the problem is only getting worse, with losses increasing at 7% year per year.

How can you defend yourself against these losses?

In this blog we will discuss how you can use Splunk to monitor your DHCP data, and determine if people connected to your public wifi are increasing your risk.

Splunk makes it easy to turn something as simple as a MAC address and/or hostname into a value fingerprint so you can identify a perpetrator in your midst.

Working in conjunction with our customer’s Loss Prevention team, we created a dashboard that can track in near real time if an active shoplifting ring is operating within certain stores. We did this by tracking when the same MAC address discovered in multiple stores, during periods of known thefts.

Step 1: Who is in the Store?

First we to need isolate DHCP Acks and requests from the guest wifi range. The point here is to weed out as much data as you can to make the search faster.

Then if we capture a device as the src, we just call it the dest. The reason being it’s doesn’t matter who made the contact, we just need to know contact was made.  It also makes it easier going forward, as we can have one less column in our results.

Wrapping up, we do all our lookup correlation, Cidr range to store number, store number to City and State location or province, and then for lat/long data we correlate the location to a geo coordinate.

To make the data look nice we table it to ensure only what we want will be summary indexed.

Step 2:  Correlating known Thefts to Individuals

The dashboard we designed for the loss prevention team allows an investigator to input dates of known thefts they believe to be related. Some of the commonalities they might look for include, description of suspects, items stolen, or method items were removed from the store.  The goal being to find a common device among the cases.

Once the investigator finds a potential culprit they can refine their search by correlating the time the items were stolen, to the time the device was active and pinging a store access point. The goal being to isolate a MAC address that was present during multiple events.

Looking to optimize Splunk?

Step 3:  You’re on the List!

Once a device has been found present at an unusually high number of known thefts it’s identified as a probable bad actor it goes on a list, and then an alert is created for that specific MAC address.

Step 4: Getting the Results to the Right People

With the alerting running every 5 minutes we can compare the suspicious MAC list, to MACs currently active in the stores.

If a suspicious MAC address is identified as active within a given store, a notification will be sent to the loss prevention team on-site and will alert  them to watch for suspicious activity.

In summary:

Although it may be impossible to prevent all retail theft.  By leveraging Splunk, and working in conjunction with the Loss Prevention team, you can take proactive measures to prevent “professional/habitual shoplifters” from taking advantage of your organization.  Thus, potentially saving your organization millions in lost revenue.

About Aditum

Aditum’s Splunk Professional Services consultants can assist your team with best practices to optimize your Splunk deployment and get more from Splunk.

Our certified Splunk Architects and Splunk Consultants manage successful Splunk deployments, environment upgrades and scaling, dashboard, search, and report creation, and Splunk Health Checks. Aditum also has a team of accomplished Splunk Developers that focus on building Splunk apps and technical add-ons.

Contact us directly to learn more.

Nic Haag
Share this Article