While it's cool to reverse engineer stuff like this and talk about the vulnerability, the final part of the blog post indicates that the person intends to 'test it'. This is just a 'modern' equivalent of the old scam of removing price labels (remember those) from cheap items and sticking them on expensive ones. That was commonplace enough that the labels themselves were made in multiple parts so that removing them was messy.
'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.
If the supermarkets were losing a lot of money on this then I'd imagine they'd move to a more secure barcoding scheme.
Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.
My wife (a regular Tesco customer) notes that Tesco has price scanners located around the stores so you can check the prices of items on the go. In theory, you could run a test using one of those scanners and simply have a picture of the barcode on an iPhone/printed/whatever. No fraud necessary.
That's not how self checkout systems normally work - they build up their own internal databases of average weights over time. This has a number of benefits - it saves time and money for the store (you don't have to pre-program the machines with weight values) and it also allows for varying tolerances by item.
Is that why new self checkout systems are immensely frustrating, but after a few months they're fine to use? I'd assumed that the tolerances were lowered because too many customers were getting so frustrated that they were refusing to use them.
Yes, but they have to recalibrate them every so often and they get overly sensitive again.
Problem is, every time it beeps at you and the cashier overrides it, it averages your item's reported weight with the ones it's seen before. So if a cashier is overriding it all the time (as tends to happen with constantly beeping things) the weights drift off, and the whole thing is quite useless.
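The averaging-on-override behaviour described in the comments above, as an added simulation that is not code from the original post or from any till vendor: each item's expected weight is a plain running mean of what the scale has seen, a staff override feeds the unexpected weight back into that mean, and the tolerance band (assumed to be plus or minus 10% of the learned mean), the sample weights and the barcode value are all constructed for the illustration.

```python
"""Adaptive bagging-scale weight model where staff overrides feed the average.

Added illustration of the drift mechanism described in the thread; not Tesco's
or any vendor's code. The learning rule (running mean), the tolerance band and
the sample weights are assumptions made for the example.
"""


class ItemWeightModel:
    """Per-barcode expected weight learned from observations (running mean)."""

    def __init__(self, tolerance_fraction=0.10):
        self.mean_g = None              # no observation yet
        self.count = 0
        self.tol = tolerance_fraction   # assumed: +/-10% of the learned mean

    def within_tolerance(self, observed_g):
        if self.mean_g is None:
            return True  # first sighting: nothing to compare against, so learn it
        return abs(observed_g - self.mean_g) <= self.tol * self.mean_g

    def learn(self, observed_g):
        # Running mean: every observation counts equally, overrides included.
        self.count += 1
        if self.mean_g is None:
            self.mean_g = float(observed_g)
        else:
            self.mean_g += (observed_g - self.mean_g) / self.count


class SelfCheckout:
    """Till that keeps one weight model per barcode it has ever scanned."""

    def __init__(self, tolerance_fraction=0.10):
        self.models = {}
        self.tol = tolerance_fraction

    def scan(self, barcode, observed_g, staff_override=False):
        """Return 'accepted', 'rejected' or 'overridden'.

        An override both clears the alert and feeds the unexpected weight into
        the item's average; that feedback is the drift problem.
        """
        model = self.models.setdefault(barcode, ItemWeightModel(self.tol))
        if model.within_tolerance(observed_g):
            model.learn(observed_g)
            return "accepted"
        if staff_override:
            model.learn(observed_g)
            return "overridden"
        return "rejected"

    def expected_weight(self, barcode):
        model = self.models.get(barcode)
        return None if model is None else model.mean_g

    def would_accept(self, barcode, observed_g):
        """Side-effect-free check of the current tolerance band."""
        model = self.models.get(barcode)
        return True if model is None else model.within_tolerance(observed_g)


def poison_until_accepted(honest_g, wrong_g, honest_scans,
                          tolerance_fraction=0.10, max_overrides=10000):
    """Train on honest scans, then have staff override wrong_g every time it
    beeps until the till accepts wrong_g on its own.

    Returns the number of overrides that took, and whether the honest weight
    is still accepted afterwards.
    """
    code = "5000000000000"  # constructed sample barcode, not a real product
    till = SelfCheckout(tolerance_fraction)
    for _ in range(honest_scans):
        till.scan(code, honest_g)

    overrides = 0
    while overrides < max_overrides:
        if till.scan(code, wrong_g, staff_override=True) == "accepted":
            break
        overrides += 1

    return {
        "overrides_needed": overrides,
        "drifted_mean_g": till.expected_weight(code),
        "honest_accepted": till.would_accept(code, honest_g),
    }


if __name__ == "__main__":
    # 10 honest 400 g scans, then a 1200 g item overridden each time it beeps.
    print(poison_until_accepted(honest_g=400, wrong_g=1200, honest_scans=10))
```

The interesting number is not how many overrides it takes to make the wrong weight pass, but how few it takes to start rejecting the honest one: with a plain running mean, a single override of a very different weight already pushes the honest item outside a 10% band, which is exactly the beep-override-beep loop the comment describes.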
> 'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.
I was just going to chime in with a similar comment.
I'd love to know if a friendly Tesco store manager would get in trouble for helping to run an experiment with this though. If head office got wind - or were informed by the manager - I'd presume they'd either go mad and threaten/fire the manager in question, or congratulate them. I couldn't predict it either way.
A Tesco store manager has a lot of responsibility and is likely a well-paid, long-running member of staff. If they investigated something like this then I'd be surprised if head office looked upon it negatively.
Having found credit card leaks in databases I can assure you that all but the most top level people would try to sweep this under the rug. I couldn't push my find up the chain until the C-level came to visit.
> the final part of the blog post indicates that the person intends to 'test it'.
Someone testing the hack could buy two of the same item, one of which has the hacked barcode. The tester could then immediately point out the error, so no fraud actually occurs. A better way of doing this might be to use two people pretending to be a couple, with the first person checking out separately with the correct price. Then the second person could check out with the hacked barcode, then immediately point out the error.
This also gives a good control for the "experiment."
The more secure barcoding scheme is RFID. This problem revolves around barcodes just being a database reference, with no better way to tie the physical item to the database reference. Usually the weight of an item is in the database.
The current "modern" equivalent of swapping price labels is to buy expensive produce at the self-check, but to indicate you're purchasing low-cost produce.
Many of the self-scan checkouts, definitely those at Tesco, struggle to read barcodes from phone screens as the glass is too reflective. I have my Clubcard barcode stored on my Galaxy Note, but it can only be read by the handheld guns at the manned checkouts.
Hence the "So to find out, I'm teaming up with someone with an iPhone" at the end of the text. Seeing the number of complaints saying he is going to rob, I guess nobody read the whole text?
This would be the only sane way to test this out, worst case you're going to get done for defrauding yourself as opposed to something worse. Makes the defence more believable and obvious.