SCout: Prying Into Supply Chains via a Public Query Interface

Abstract

The distribution network, including its flow information, in a supply chain system is usually a business secret to ensure the supply chain security and hold on to a favorable position in commercial competition. When more and more organizations deploy tracking systems to facilitate users, most of them focus much on the business growth but ignore the protection for the secrets. This paper therefore shows how we can pry into supply chains based on publicly acquired data via a public query interface. We design SCout, which crawls messages in social network services (SNSs) to acquire tracking numbers of an express company, and automatically retrieve the supply information from a public query interface, and then set up the distribution network of the target express company. SCout can also provide the flow information between any two distribution points. Furthermore, based on these obtained data, we analyze the relationship between the number of tracking numbers and the information of a distribution network. These experiments show that some express companies need to improve their awareness of data security. In particular, poor coding rules of tracking numbers can help adversaries obtain more tracking numbers easily. Thus, we provide some security countermeasures for express companies to defend from the above snooping. To the best of our knowledge, this paper is the first research to study the data security issue of logistics query systems from the business aspect.