While it's cool to reverse engineer stuff like this and talk about the vulnerability, the final part of the blog post indicates that the person intends to 'test it'. This is just a 'modern' equivalent of the old scam of removing price labels (remember those) from cheap items and sticking them on expensive ones. That was commonplace enough that the labels themselves were made in multiple parts so that removing them was messy.
'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.
If the supermarkets were losing a lot of money on this then I'd imagine they'd move to a more secure barcoding scheme.
Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.
My wife (a regular Tesco customer) notes that Tesco has price scanners located around the stores so you can check the prices of items on the go. In theory, you could run a test using one of those scanners and simply have a picture of the barcode on an iPhone/printed/whatever. No fraud necessary.
That's not how self checkout systems normally work - they build up their own internal databases of average weights over time. This has a number of benefits - it saves time and money for the store (you don't have to pre-program the machines with weight values) and it also allows for varying tolerances by item.
Is that why new self checkout systems are immensely frustrating, but after a few months they're fine to use? I'd assumed that the tolerances were lowered because too many customers were getting so frustrated that they were refusing to use them.
Yes, but they have to recalibrate them every so often and they get overly sensitive again.
Problem is, every time it beeps at you and the cashier overrides it, it averages your item's reported weight with the ones its seen before. So if a cashier is overriding it all the time (as tends to happen with constantly beeping things) the weights drift off, and the whole thing is quite useless.
'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.
I was just going to chime in a with a similar comment.
I'd love to know if a friendly Tesco store manager would get in trouble for helping to run an experiment with this though. If head office got wind - or were informed by the manager - I'd presume they'd either go mad and threaten/fire the manage in question, or congratulate them. I couldn't predict it either way.
A Tesco store manager has a lot of responsibility and is likely a well-paid, long-running member of staff. If they investigated something like this then I'd be surprised if head office looked upon it negatively.
Having found credit card leaks in databases I can assure you that all but the most top level people would try to sweep this under the rug. I couldn't push my find up the chain until the C-level came to visit.
> the final part of the blog post indicates that the person intends to 'test it'.
Someone testing the hack could buy two of the same item, one of which has the hacked barcode. The tester could then immediately point out the error, so no fraud actually occurs. A better way of doing this might be to use two people pretending to be a couple, with the first person checking out separately with the correct price. Then the second person could check out with the hacked barcode, then immediately point out the error.
This also gives a good control for the "experiment."
The more secure barcoding scheme is RFID. This problem revolves around barcodes just being a database reference, with no better way to tie the physical item to the database reference. Usually the weight of an item is in the database.
The current "modern" equivalent of swapping price labels is to buy expensive produce at the self-check, but to indicate you're purchasing low-cost produce.
Many of the self-scan checkouts, definitely those at Tesco, struggle to read barcodes from phone screens as the glass is too reflective. I have my Clubcard barcode stored on my Galaxy Note, but it can only be read by the handheld guns at the manned checkouts.
Hence the "So to find out, I'm teaming up with someone with an iPhone" at the end of the text. Seeing the number of complaints saying he is going to rob, I guess nobody read the whole text?
This would be the only sane way to test this out, worst case your going to get done for defrauding yourself as apposed to something worse. Makes the defence more believable and obvious.
So, he's swapping real bar codes with fake bar codes? I would not recommend publicly disclosing that you'll be defrauding a store. It's a lot more common than you'd think and there was even a Silicon Valley exec who recently got caught doing this: http://news.yahoo.com/blogs/technology-blog/incredibly-wealt...
I used to be a Tesco employee for a fair while, and it wasn't difficult to notice this pattern purely because those barcodes don't always scan (typically due to dodgy equipment).
It would often be the case that you couldn't see the whole code on the sticker, but could infer it by removing it and using the original barcode and a bit of guesswork.
I don't advocate the testing of this, and any observant member of staff will have no difficulty catching you out.
Yes, you can print your own barcodes and name your own price, yes its been done before [1] and you can and will get arrested. As this becomes more widespread the folks in shops will get better with their software.
Why bother paying at all? This is basically the same as just walking straight out the store with your goods. A guard won't accept a receipt that says your flat screen tv only cost 49p.
A minor detail here, but British stores don't typically have guards who check receipts (unless you set the alarms off by having a tag left on an item by mistake/shoplifting).
Funnily enough if you buy Tesco's electrical goods online and pick up at store you don't get a paper receipt. The security guard (through lack of training) wasn't keen on letting me out without one.
Also, with the possible exception of membership-based stores like Costco, the "guards" at the front of American stores like Best Buy don't actually have any authority to prevent you from leaving without checking your stuff. Of course, some of them are not correctly instructed on this fact and will break the law and illegally try to obstruct your exit from the store/parking lot anyway.
I've wondered about this for a while, so I looked it up. The Internet (always a trustworthy source, I know...) seems to disagree with you - or at the very most think it's a grey area, leaning towards that they're allowed:
Well I certainly didn't say that they can't ask you to look at your bags. As long as the search is voluntary, they can ask pretty much whatever they like. But you can surely say "no" and then leave. If they physically block you from leaving, they are violating the law in many jurisdictions (they're trying to make a citizen's arrest, which you can't just do without any reason, and refusing to let them look in your bag isn't a reason). If they actually touch you, then you may even have claim of assault. From what I can tell, this has not actually been tested directly, but it is a reasonable expectation of how things would play out, if you took it all the way to court.
On the other hand, the store is also perfectly within their rights to ban you from the premises once you've left. So even if they can't arrest you, they can certainly put a picture up that says "Don't let this guy in the store." It is private property, after all.
The main case mentioned in the thelegality.com article you linked ended with Righi settling with the police so that they dropped the charges in exchange for him giving up the right to sue. Given the balance of resources and power between an individual and a police department, I think that's pretty good evidence that the police department themselves didn't think they were going to win that battle.
The Legal Lad article, on the other hand, seems to just wring its hands about various scenarios without addressing the question everyone cares about: You walk out of a Best Buy, nobody has any reason to believe you stole anything, and when they ask to check your bags, you say "no thanks" and walk out.
I don't know the absolute stats but in 12 years of adulthood I've never had to show a receipt to anyone in the UK and in about 12 weeks of vacations in the US, I've done it several times. So yeah, it might not be a standard thing there, although it does seem to be more of a "thing" people accept.
Ah man, I can't remember all the stores I've been in while on vacation ;-) But yeah, definitely Walmart, and another I remember in particular is Fry's.
The only store of any kind I'm aware of around here that checks receipts every time is Sam's. A lot of places will have "less than friendly" staff by the exit, but explicit security is fairly rare in my experience.
I have a lot of fun with my local Fry's and their "security checks". In reality all I do is briskly walk past, and wish them good morning/day/evening. Most of the time this throws them enough for the moment. They seem to do the math that they're not paid enough to deal with my shit. But the few times it has been raised as an issue, I've always (of course) properly paid for my merchandise.
I know it's a bit immature, but as a result of those minor confrontations, it always gives me the jollies every time I stroll out with just a "Good evening!"
We don't have Fry's on this side of the country. Our Best Buys has toughs right by the door, but they've never stopped me (then again, can't remember the last time I've bought anything particularly expensive from them vs. Amazon...)
In case anyone is interested, I've spoken to a friend of mine who was once a manager at Tesco and I can shed a little more light on the matter. The red number which the author had so far been unable to decipher is the "discount-reason-code", which represents the reason for the discount. These reasons represent things like "damaged" or "short date (nearly out of date)".
IANAL, but a careful reading of the case does not support the first part of your sentence. Anderton was convicted, and he did not "take the goods". He did not even complete the transaction, he just switched the bar code and went to the checkout.
It makes me wonder if, under UK law, it's lawful to eat part of a box of cookies (not measured by weight) while rolling your trolley thru the store, and then paying for the box at checkout.
"A person is guilty of theft if he dishonestly appropriates property belonging to another with the intention of permanently depriving the other of it"
In most cases, it is dishonesty that is the key factor (normal shopping would satisfy the other requirements), and is largely determined by the jury. I would say that there is no dishonesty in your example, and so it is not theft, but I am unsure if there is case law to support this.
Excellent point, but it only states that a person _may_ be dishonest (i.e. it is not a defence to offer to pay when caught).
To determine dishonesty, one must first look to s.2(1). It doesn't really apply here, so the jury must apply the two stage Ghosh test, of which only the first stage usually matters:
1) Is the person's behaviour dishonest by the standards of ordinary, honest people? If not, then there is no theft.
I would argue that most juries would not find a person to be dishonest in these circumstances (though it is possible that they might).
I'm in the UK and I have, a few times, picked up a can of coke because I was thirsty and opened it while in the store, gone and grabbed more items and then scanned everything (including the coke I drank a bit of) through. It isn't illegal.
British law is all about intent, if I intend to deprive the store of that can of coke then it is indeed theft. However, if I drink a little bit before paying it doesn't. The store have to prove I intended to deprive them of it (which I wouldn't do)
There is no need to actually take the goods. If you dishonestly appropriate the item (and switching the price tags is an appropriation) with _intent_ to permanently deprive, then the theft has has taken place.
Typically, it is much easier to show intent if the person actually leaves with the goods (rather than, for example, being stopped at the till), but there is no need for them to do so as a matter of law.
Can you go in to this a bit. The Theft Act 1968 requires you to appropriate the goods at least. I don't think you do this until you exit the premises with the goods.
Indeed in the current situation if I were to intend to test whether the price would be accepted at the till and then leave the goods in the store it can be seen clearly that in verity there was no intent to permanently deny even if the goods were considered to be appropriated.
I'd argue that switching the tag is not yet an appropriation - only departing with the goods when having failed to pay [through deception] the right amount.
Here it seems the mens rea can't be demonstrated to exist - beyond reasonable doubt - unless the actus rea of leaving the store with the goods is shown.
"intent to defraud" would be very difficult to defend yourself against. Publishing the means by which others could commit fraud might be classed as "incitement". I'd say Tesco's lawyers are about to have a little fun.
A howto is not incitement. If I tell you how to tie a noose I'm not inciting you to commit suicide, nor even to tie a noose. Very expensive barristers can probably twist a situation sufficiently to get an incitement charge though.
Yes. It's already somewhat common elsewhere in the world, by simply printing new barcodes for other sku's, sticking it on an expensive product, then hoping the cashier won't notice (they often don't in a store with a lot of different products, like Wal-Mart).
The charges are different, though, since it's fraud and not outright shoplifting.
In Prague they are still called 'Tesco', but the UK Loyalty card doesn't scan, shoots an error message instead, and you find yourself explaining in terrible Czech why you even tried to scan it.
Tesco frequently has attendants monitoring the self service checkouts; if someone sees that your items are going through for £0.01 (the prices are displayed on the monitoring screen that the attendant can see) you're probably going to have a bad time (banned from the store at the very least).
Once again, depends where you go. I've been in supermarkets where the self checkout registers mess up so frequently that the attendants basically rush over, swipe their card, whack something on the keypad, then disappear to the next red flashing light. They rarely check anything!
Don't discount it to £0.01, that is just stupid. The obvious scam here is to take high value items and mark them down dramatically. For example, marking a £200 phone down to £20.
The mention of an iPhone suggests a more elaborate version of the old "sticker" scam.
With a suitable smartphone app you could dynamically generate the appropriate barcode on screen, with a set discount (say, 50%). Then just hold your phone over the actual barcode as you scan each item.
This should be relatively hard to spot for any cashier watching, and the weights and stock etc. would all match up.
Of course the CCTV cameras are likely to see you and they're likely to spot what's going on soon enough to cross reference before the footage is wiped.
I've just commented about this elsewhere - the Tesco self-scan tills completely fail to register my Clubcard barcode stored in an app on my phone. An assistant said it rarely works - seems the phone screens are too reflective.
A similar, simpler method is used by the deli, bakery, meat, seafood, and produce departments in most US grocery stores. Usually they use 2 sets of 6 digits for these bar codes, with the price as digits 8-11 in the bar code. The bar code doesn't work with items, such as holiday roasts, costing more than $100.
Just in from Twitter (@mtdevans): "Chatting with a #Tesco insider, looks like they do store any discounts in a local db which is wiped every morning ~3am. #phew"
How do you know that it doesn't validate the discounted price against its database? Encrypting the barccode doesn't make it any more secure as you could simply swap with a completely different barcode. Encoding the price just makes it easier to develop handheld label printers.
If they had verification against a database there would be no point in printing these in the first place, they could just get the discount info from the DB.
Based upon my experiences working at Tesco, and the understanding I had of how their systems worked, I don't think any validation was done when I worked there (from 2004 until a few years ago). I can't see any reasons why they would have changed it as they still appear to use the same technology (Windows CE PDAs).
The main issue is they just didn't have the infrastructure to do this, remember this was before wifi was abundant. The PDAs which were used for printing discount labels and scanning out-of-stock products (and appear to still be used) synced over Bluetooth. So unless you could setup a Bluetooth network over the whole store it wouldn't have been feasible.
Worth mentioning that most people trying this would probably go for the self-checkout, so you'd have to swap barcodes with something that weighed the same amount.
Yes, this does work, but it would be far easier to use the standard zero-weight "Grocery item" barcode that most supermarkets have (Sainsburys and Coop do) which prompts for a price with no checksum.
(* if you were just intending to scam your supermarket anyway...)
This way when you scan the item, it will be identified as the product you are purchasing. Supermarkets frequently discount items by an extra order of magnitude by accident and if you were caught doing it this way they may not immediately think you're scamming them.
No mention here, of the obvious tie between your reciept and your debit card (assuming you can't use cash.) A nice audit trail. And you probably swiped your clubcard too.
You claimed to have "cracked" a barcode, but have merely interpreted some of the numbers. Of course this has been done theoretically as you haven't actually proved that it works.
And it won't work.
Why? Because it's unlikely that a complicated logistics chain such as Tesco that employs half a million employees worldwide and has banking and mobile subsidiaries would let the barcode dictate the price at the register, rather than call it up from their stock management database - the way all POS enabled stores run in the 21st century.
So in your giddy, sensationalist haste, I pray that you "discount" your TV to 1p and get stopped at the gates for sheer idiocy.
The whole point is that 'clearance' barcodes don't have a price stored in the database.
Every grocery store I've consulted for or worked at in my youth was operated the same way - there were "manager special" barcodes where the price was part of the barcode, and the price in the database was recorded as 0 with a flag of "barcode encodes price".
He may not be an idiot for that, but he'd have a hard time defending himself in court from being accused of aiding and encouraging persons unknown to commit theft (or fraud, depending on which is the more serious offence). Now placing yourself in that position would be idiotic.
Thanks, this will be very useful when I decide to become a criminal! If you have any tips on pickpocketing or insurance fraud, please post those as well.
Downvoted and flagged not for your opinion, but for your apparent lack of common decency. Go back to lurking and keep your casual discrimination to yourself.
There is an awful lot of useless chatter going on here so to straighten out some facts:
- the 0 is not padding
- this will be harder to pull off with alcohol, electrical items or anything else that requires a checkout assistant to approve as they will likely spot the scam
- a list of barcodes for items can be found online, and these stickers can be printed off at home and then applied in store under the cover of shelves
- the reduced item barcodes are only stored until around 3am the next day, meaning it is easy to pull off this scam without getting caught
So to go over the numbers again...
971 - means the item is discounted
5000221503354 - is the original barcode for the item (if you pass a 14 digit number to the checkout this causes a buffer overflow)
6 - this is the reason for why the item is discounted (damaged, out of date, end of line, etc)
000070 - the price you want to pay in pence (000070 = 7p, 000170 = 17p, 001170 = £1.17, etc)
'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.
If the supermarkets were losing a lot of money on this then I'd imagine they'd move to a more secure barcoding scheme.
Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.