Self-Checkout or ATM?

by Bob Krinkle

The author of this article cannot be held accountable for the actions of readers.  This article was written with the best intentions, helping secure self-checkout machines everywhere by pointing out their obvious flaws.  Do not attempt to do what may sound suggestive in this article; they are only examples.

Introduction

There are inherent flaws in many self-checkout systems.

Also, company politics may inhibit companies from securing these stations.  These stations show an image of you and a scanner as well as a short message saying you are being watched.  But this is just a webcam relay that does not save any images.  They are NCR E-series.

Background Information

If you ever walk up behind the operator of these stations, you'll find a screen that watches what is scanned at each station.

Also, any warnings, such as improper weight of items (e.g., putting two items after scanning one) or age restrictions, can be overridden at the main terminal or at each station with the Self-Checkout Operator Key.

The key consists of a barcode (without printed numbers) that can be scanned like a product; scanning it clears warnings or brings up a menu of options.

Obtaining the Self-Checkout Operator Key

Many times the operator key is left hanging on the main terminal or left close by.

Many managers also have their own override key on their keyring and often wear their key on the outside of their pants (on a D-ring or similar).  Obtaining a copy of the key is easy because the operator station is usually left unmanned in the interest of saving labor hours.  Another cashier is responsible for keeping track of a real checkstand and the self-checkouts.

With no one around, it would be easy for anyone to walk up and take a picture of the barcode with a camera phone or scan it with a PDA and a barcode reader, the latter being the more expensive.

After scanning the barcode, either at home with a picture or at the store with a PDA or laptop, one could generate the same barcode with numbers given by scanning the barcode with their own scanner.

Some example software for EAN-13 codes: gLabels, GNU Barcode, and KBarcode.

Or try this online barcode generator: bisqwit.iki.fi/barcode.html

Mischievous Activities

After returning with your new operator override key, several things can be done such as overriding "free" coupons that ask for a price or entering the PLUs of store coupons and other PLU codes.

After logging into the machine one great option is Assist Mode which brings up a POS keyboard and allows the employee to assist you with products that may not ring up right.  Many of the store coupons at some chains do not let you enter a quantity for coupons.

But if you have the time and no one is watching the station, you could potentially enter a limitless number of these coupons.  This would look suspicious to anyone around, though, and it does say that you are logged into store mode on the operator station.  Be sure that the operator is preoccupied and spend as little time at the station as possible.

Making Other Barcodes

You can make your own UPCs to scan regularly entered PLUs by preceding all the rest of the barcodes with zeroes.

So to make a barcode to scan a store coupon with the PLU 9171 you would make a UPC-A barcode 00000009171 and let it generate the checksum.

Example:  After printing 100 labels with a $3.00 meat coupon on it, place those stickers on individual packets of Kool-Aid or something small and cheap, return to the store, pick up something else, and place a label with the override barcode on it.

After scanning a couple of items, and the override barcode on the product, you should be able to scan your modified packets, taking the coupon off your total for each.

Once logged in as an employee regulating the machine it will not complain about anything you do.  The machine has not been configured to realize your total is below zero dollars and will give you the correct amount of change.

Preventing Theft

There are several ways for stores to prevent these kinds of theft.

Stores should keep these override barcodes out of the sight of customers.  Managers' keys should be kept inside their pockets whenever they are not in use.

Do not believe in security by obscurity (it never works).

Just because there are no printed numbers doesn't mean you should feel safe that no one can figure it out.  Man these operator stations at all times even if that means division managers verifying that someone is in there occasionally (or making store managers' bonuses conditional on it).

Work with software developers to redesign aspects of the software so that it logs photos of anyone logging into Store Mode, and perhaps use Smart Cards or RFIDs instead of EAN-13 barcodes.
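
The software-side checks this section argues for can be sketched as a transaction audit. This is an added example, not code from the article or from any self-checkout vendor. The record layout, the finding names and the one-coupon-per-PLU policy are assumptions, and the sample transactions are constructed (the coupon PLU is the article's own example).

```python
from collections import Counter
from dataclasses import dataclass

# Assumed policy: how many times one coupon PLU may be applied per transaction.
MAX_SAME_COUPON = 1

@dataclass
class Txn:
    """One self-checkout transaction (hypothetical record layout)."""
    txn_id: str
    items: list                    # (description, price_cents)
    coupons: list                  # (plu, value_cents)
    store_mode_logins: int = 0     # operator-key scans made at the lane itself
    attendant_ack: bool = False    # override confirmed from the attendant terminal

def audit(txn):
    """Return findings that should hold the transaction for attendant review."""
    findings = []
    item_total = sum(price for _, price in txn.items)
    coupon_total = sum(value for _, value in txn.coupons)
    # Coupons must never push the balance below zero and pay out change.
    if item_total - coupon_total < 0:
        findings.append("negative_total")
    # The same coupon entered repeatedly, which the article says is not limited.
    for plu, n in Counter(plu for plu, _ in txn.coupons).items():
        if n > MAX_SAME_COUPON:
            findings.append(f"coupon_repeat:{plu}x{n}")
    # Store Mode entered at the lane without the attendant acknowledging it.
    if txn.store_mode_logins and not txn.attendant_ack:
        findings.append("unattended_store_mode")
    return findings

# Constructed sample transactions (not real store data).
SAMPLES = [
    Txn("T1", [("ground beef", 899)], [("9171", 300)]),
    Txn("T2", [("drink mix", 25)] * 3, [("9171", 300)] * 3, store_mode_logins=1),
    Txn("T3", [("wine", 1299)], [], store_mode_logins=1, attendant_ack=True),
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(t.txn_id, audit(t) or "ok")
```

Any non-empty result would lock the lane until the attendant terminal clears it, rather than letting the lane-side key clear it.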

It might also be wise to keep some of the PLUs and barcodes for store coupons out of the public eye.

Last, but certainly not least, always listen to your employees who work on these machines for suggestions and warnings.
