Tesco Discount Barcodes, Cracked

117 points | digitalclubb | 13 years ago | mtdevans.com

94 comments

[+] jgrahamc|13 years ago|reply
While it's cool to reverse engineer stuff like this and talk about the vulnerability, the final part of the blog post indicates that the person intends to 'test it'. This is just a 'modern' equivalent of the old scam of removing price labels (remember those) from cheap items and sticking them on expensive ones. That was commonplace enough that the labels themselves were made in multiple parts so that removing them was messy.

'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.

If the supermarkets were losing a lot of money on this then I'd imagine they'd move to a more secure barcoding scheme.

Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.

[+] petercooper|13 years ago|reply
My wife (a regular Tesco customer) notes that Tesco has price scanners located around the stores so you can check the prices of items on the go. In theory, you could run a test using one of those scanners and simply have a picture of the barcode on an iPhone/printed/whatever. No fraud necessary.
[+] omh|13 years ago|reply
Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.

The original barcode (which is still present as part of the discounted code) should allow the tills to look up the weight.

[+] mootothemax|13 years ago|reply
'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.

I was just going to chime in with a similar comment.

I'd love to know if a friendly Tesco store manager would get in trouble for helping to run an experiment with this though. If head office got wind - or were informed by the manager - I'd presume they'd either go mad and threaten/fire the manager in question, or congratulate them. I couldn't predict it either way.

[+] stcredzero|13 years ago|reply
> the final part of the blog post indicates that the person intends to 'test it'.

Someone testing the hack could buy two of the same item, one of which has the hacked barcode. The tester could then immediately point out the error, so no fraud actually occurs. A better way of doing this might be to use two people pretending to be a couple, with the first person checking out separately with the correct price. Then the second person could check out with the hacked barcode, then immediately point out the error.

This also gives a good control for the "experiment."

[+] stephengillie|13 years ago|reply
The more secure barcoding scheme is RFID. This problem revolves around barcodes just being a database reference, with no better way to tie the physical item to the database reference. Usually the weight of an item is in the database.

The current "modern" equivalent of swapping price labels is to buy expensive produce at the self-check, but to indicate you're purchasing low-cost produce.

[+] TamDenholm|13 years ago|reply
Perhaps you could test a custom barcode by using a custom one on the iPhone to pay the same price?
[+] earl|13 years ago|reply
He could pay a pound extra to see if his algorithm is correct...
[+] sgk284|13 years ago|reply
So, he's swapping real bar codes with fake bar codes? I would not recommend publicly disclosing that you'll be defrauding a store. It's a lot more common than you'd think and there was even a Silicon Valley exec who recently got caught doing this: http://news.yahoo.com/blogs/technology-blog/incredibly-wealt...
[+] FuzzyDunlop|13 years ago|reply
I used to be a Tesco employee for a fair while, and it wasn't difficult to notice this pattern purely because those barcodes don't always scan (typically due to dodgy equipment).

It would often be the case that you couldn't see the whole code on the sticker, but could infer it by removing it and using the original barcode and a bit of guesswork.

I don't advocate the testing of this, and any observant member of staff will have no difficulty catching you out.

[+] lucaspiller|13 years ago|reply
+1 I can still remember the barcode for Cadbury's Creme Eggs even though I left Tesco 5 years ago.
[+] markfenton|13 years ago|reply
If you really want to test it, surely raising the price by 1p is the best way? That way, you get an answer and you aren't stealing anything.
[+] ChuckMcM|13 years ago|reply
Yes, you can print your own barcodes and name your own price, yes it's been done before [1] and you can and will get arrested. As this becomes more widespread the folks in shops will get better with their software.

[1] http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-Ar...

[+] rhizome|13 years ago|reply
Yeah, that approach goes in the "James O'Keefe Voter Fraud Test" bucket. Yes you can do it, and yes it's easy, and yes it's illegal.
[+] highace|13 years ago|reply
Why bother paying at all? This is basically the same as just walking straight out the store with your goods. A guard won't accept a receipt that says your flat screen tv only cost 49p.
[+] ori_b|13 years ago|reply
You're assuming that a guard will care or be alert enough to check carefully. They're not expecting doctored prices on correctly labeled items.
[+] MartinMcGirk|13 years ago|reply
In case anyone is interested, I've spoken to a friend of mine who was once a manager at Tesco and I can shed a little more light on the matter. The red number which the author had so far been unable to decipher is the "discount-reason-code", which represents the reason for the discount. These reasons represent things like "damaged" or "short date (nearly out of date)".
[+] stordoff|13 years ago|reply
Testing this is rather a bad idea. It is quite likely that, if caught, the person would be convicted of theft (see R v Morris - http://en.wikipedia.org/wiki/R_v_Morris;_Anderton_v_Burnside)
[+] pbhjpbhj|13 years ago|reply
In both cases at your link the vital part of "and takes the goods" can be avoided whilst still testing the method as several have already pointed out.
[+] splatzone|13 years ago|reply
This is cool but it's basically just theft, isn't it?
[+] dorianj|13 years ago|reply
Yes. It's already somewhat common elsewhere in the world, by simply printing new barcodes for other SKUs, sticking it on an expensive product, then hoping the cashier won't notice (they often don't in a store with a lot of different products, like Wal-Mart).

The charges are different, though, since it's fraud and not outright shoplifting.

[+] icebraining|13 years ago|reply
Not if you raise instead of lowering the price.
[+] TazeTSchnitzel|13 years ago|reply
For those unaware, Tesco is one of the largest supermarket chains in the UK, if not the largest.

Edit: They also have international operations, but sometimes under different names. In the US they are "Fresh & Easy" according to Wikipedia.

[+] JacobAldridge|13 years ago|reply
Yes, largest with just over 30% market share.

In Prague they are still called 'Tesco', but the UK Loyalty card doesn't scan, shoots an error message instead, and you find yourself explaining in terrible Czech why you even tried to scan it.

[+] motoford|13 years ago|reply
I like how the author feels the need to "dress up sophisticated" to steal merchandise. How very old school.

We need more of these gentlemen thieves here in the states.

[+] ktizo|13 years ago|reply
They should wear monocles and time the movements of security with an antique silver pocket-watch.
[+] citricsquid|13 years ago|reply
Tesco frequently has attendants monitoring the self service checkouts; if someone sees that your items are going through for £0.01 (the prices are displayed on the monitoring screen that the attendant can see) you're probably going to have a bad time (banned from the store at the very least).

Not worth it...

[+] liedra|13 years ago|reply
Once again, depends where you go. I've been in supermarkets where the self checkout registers mess up so frequently that the attendants basically rush over, swipe their card, whack something on the keypad, then disappear to the next red flashing light. They rarely check anything!
[+] Kudos|13 years ago|reply
Don't discount it to £0.01, that is just stupid. The obvious scam here is to take high value items and mark them down dramatically. For example, marking a £200 phone down to £20.

Not that I approve of this...

[+] omh|13 years ago|reply
The mention of an iPhone suggests a more elaborate version of the old "sticker" scam.

With a suitable smartphone app you could dynamically generate the appropriate barcode on screen, with a set discount (say, 50%). Then just hold your phone over the actual barcode as you scan each item.

This should be relatively hard to spot for any cashier watching, and the weights and stock etc. would all match up.

Of course the CCTV cameras are likely to see you and they're likely to spot what's going on soon enough to cross reference before the footage is wiped.

[+] linker3000|13 years ago|reply
I've just commented about this elsewhere - the Tesco self-scan tills completely fail to register my Clubcard barcode stored in an app on my phone. An assistant said it rarely works - seems the phone screens are too reflective.
[+] stephengillie|13 years ago|reply
A similar, simpler method is used by the deli, bakery, meat, seafood, and produce departments in most US grocery stores. Usually they use 2 sets of 6 digits for these bar codes, with the price as digits 8-11 in the bar code. The bar code doesn't work with items, such as holiday roasts, costing more than $100.

x x-xxxxx-x$$$$-x x

[+] primatology|13 years ago|reply
Just in from Twitter (@mtdevans): "Chatting with a #Tesco insider, looks like they do store any discounts in a local db which is wiped every morning ~3am. #phew"
[+] 7952|13 years ago|reply
How do you know that it doesn't validate the discounted price against its database? Encrypting the barcode doesn't make it any more secure as you could simply swap with a completely different barcode. Encoding the price just makes it easier to develop handheld label printers.
[+] icebraining|13 years ago|reply
If they had verification against a database there would be no point in printing these in the first place, they could just get the discount info from the DB.
[+] lucaspiller|13 years ago|reply
Based upon my experiences working at Tesco, and the understanding I had of how their systems worked, I don't think any validation was done when I worked there (from 2004 until a few years ago). I can't see any reasons why they would have changed it as they still appear to use the same technology (Windows CE PDAs).

The main issue is they just didn't have the infrastructure to do this, remember this was before wifi was abundant. The PDAs which were used for printing discount labels and scanning out-of-stock products (and appear to still be used) synced over Bluetooth. So unless you could set up a Bluetooth network over the whole store it wouldn't have been feasible.

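The thread above asks whether a till validates a price-embedded label against its own database. As an added example (not code from the blog post, from Tesco, or from any commenter), here is a till-side reconciliation check using the US-style "price in digits 8-11" layout described earlier in the thread; the leading "2" prefix, the catalogue contents and the discount policy are assumptions, and the price check digit in position 7 is carried but not verified.

```python
# Added example: reconcile a price-embedded UPC-A label against a catalogue.
# Layout assumed from the thread: "2 IIIII C PPPP K" (prefix, 5-digit item
# reference, price check digit, 4 price digits, standard check digit).
from dataclasses import dataclass

PRICE_PREFIX = "2"  # assumption: prefix that marks a variable-price code


def upc_a_check_digit(digits11: str) -> int:
    """Standard UPC-A check digit: 3x odd positions + 1x even, mod 10."""
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits11))
    return (10 - total % 10) % 10


@dataclass
class PriceCode:
    item_ref: str     # digits 2-6: the store's item reference
    price_pence: int  # digits 8-11: price printed into the label


def parse_price_code(code: str) -> PriceCode:
    """Validate structure and check digit; raise ValueError on any defect."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("UPC-A must be exactly 12 digits")
    if code[0] != PRICE_PREFIX:
        raise ValueError("not a variable-price code")
    if upc_a_check_digit(code[:11]) != int(code[11]):
        raise ValueError("check digit mismatch")
    # code[6] is the price check digit; its weighting tables are not
    # reproduced here, so it is not verified (assumption).
    return PriceCode(item_ref=code[1:6], price_pence=int(code[7:11]))


# Constructed catalogue: item reference -> shelf price in pence.
CATALOGUE = {"12345": 8000, "54321": 350}


def reconcile(code: str, max_discount: float = 0.5) -> str:
    """Accept the label only if its embedded price is within the allowed
    reduction of the catalogue price; otherwise reject or flag for a human."""
    pc = parse_price_code(code)
    shelf = CATALOGUE.get(pc.item_ref)
    if shelf is None:
        return "REJECT: unknown item"
    if pc.price_pence > shelf:
        return "REJECT: above shelf price"
    if pc.price_pence < shelf * (1 - max_discount):
        return "FLAG: discount exceeds policy"
    return "OK"
```

The point of the check is that the label's embedded price is treated as a claim to be reconciled, not as the authoritative price, which is the gap the thread is discussing.
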
[+] ZoFreX|13 years ago|reply
Worth mentioning that most people trying this would probably go for the self-checkout, so you'd have to swap barcodes with something that weighed the same amount.
[+] estel|13 years ago|reply
Yes, this does work, but it would be far easier to use the standard zero-weight "Grocery item" barcode that most supermarkets have (Sainsburys and Coop do) which prompts for a price with no checksum.

(* if you were just intending to scam your supermarket anyway...)

[+] Kudos|13 years ago|reply
This way when you scan the item, it will be identified as the product you are purchasing. Supermarkets frequently discount items by an extra order of magnitude by accident and if you were caught doing it this way they may not immediately think you're scamming them.
[+] progrock|13 years ago|reply
No mention here, of the obvious tie between your receipt and your debit card (assuming you can't use cash.) A nice audit trail. And you probably swiped your clubcard too.
[+] RoryH|13 years ago|reply
Does the local Tesco have those price-checker barcode scanners in the aisles? That's a good place to check if the fake barcodes work.