I'm Not a Number

by Poacher

The more complex a system is, the more difficult it is to know its vulnerabilities.

This is an axiom that every hacker instinctively knows.  As new technologies emerge, they are often bolted onto existing processes, creating a Frankenstein's monster of stitched together technologies and procedures.

Such is the modern supermarket.

The relatively simple concept of a customer selecting groceries and taking them to a checkout, where they are totaled up and paid for, is now complicated by a large number of add-ons.

What we're looking at here is a convergence of three of these; the barcode pricing system, the loyalty card, and the self-service till.  The three of these produce the conditions for two exploits.  Both of these are dishonest and crimes, and I don't advocate carrying them out.  The information presented here is merely to illustrate how a multi-billion dollar industry can inadvertently leave itself open to loss.

I'll start with barcodes, which I'm sure most readers will be familiar with.

The basic system, still in use today in much of the world, is a 12- or 13-digit number, called either an UPC or an EAN, encoded in black and white lines.

This number, often also written in decimal beneath, is used to uniquely identify the item and can have information such as the country of origin and manufacturer encoded into it.  In the next few years, we should begin to see slightly larger, more complex codes come into widespread use.  Such technologies are already being used by a number of shipping companies.

Interesting information on barcodes can be obtained from these websites:

en.wikipedia.org/wiki/Barcode - General information on the "humble" barcode.

www.upcdatabase.com - The UPC database project

barcode.wikia.com/wiki/Main_Page - A barcode product database

When the item's barcode is read by the till scanner, obtaining the UPC code, the till then accesses the company's database for the item description and current price.  This is then added to your receipt and your total bill goes up the requisite amount.

The first and simplest exploit here requires a laser printer, a stack of sticky labels, and some bare faced audacity.

Find yourself an online barcode generator, such as Barcode Maker Online, or just search for one, as there are many available.  Alternatively, you could obtain a custom barcode label printer.

Next, obtain the UPC for a low-price item in stock at your local global corporation supermarket.  A tin of baked beans is a good choice that costs pennies.  Now, you're probably ahead of me here, print out as many labels as you think you will need.  Shop till you drop and go to the checkout.

At this point, the beauty and simplicity of the self-service checkout becomes blindingly apparent.  Going through a checkout manned by a clerk runs the (albeit very small) risk that they will notice the DVDs, laptops, fillet steak, champagne, etc. that is bagged up appears as baked beans on the till each time.  The self-service till runs no such risk.

There are, however, a few caveats.

Many supermarkets have a supervisor overlooking a bank of self-service tills with a screen showing what's happening on each till.  The trouble is they are often pulled away most of the time to deal with customer queries and in practice are not monitoring what's going on.

Also avoid items which require an EAS security tag to be removed as that will draw a staff member to your till.  The same goes for items which require age verification.

Some stores also use a system that senses items being placed in the bags.  I'm not sure yet if it uses weight, vibration, or an electromagnetic field, but it beeps annoyingly if too many or too few items land in your bag.

The biggest challenge in all of this is replacing the original barcode with your sticker.  I leave how to do this to the reader's inventiveness.  Price tag swapping is as old as the hills and any half-decent store detective should be alert to that.  But all problems are there to be solved and, off the top of my head, ways around this could range from sleight of hand to getting a job at the store (or at least looking like you do).

The beauty of this exploit is that any losses will not be discovered until a stock take, or until the store orders a thousand cans of beans because they think they have been selling so many.  Even then, there will be no way of knowing how and when the items left the store, so CCTV will be useless.

Just to reiterate, doing this is fraud.  If you actually did this and got caught, you could go to jail.

Anyway, onto the second exploit, which to my mind is much more elegant and amusing.

Many stores offer loyalty cards.

On the face of it, this is to reward loyal customers.  In reality, it's a cynical method of obtaining large amounts of corporate intelligence on you and your family.  Which, by the way, is sold off to one of a couple of large, multinational companies that keep huge databases about everyone in the Western world and thence into the hands (for a price) of the government.  But that's a whole other story...

One of the largest retailers local to me has an extensive loyalty system that basically gives you 1% of what you spend back to you every so often to spend at the store.  On the self-service tills for this store, you can input your loyalty card details by scanning the barcode on the back of it.

Here is vulnerability number two.

Obtain a loyalty card and, using the barcode generator, produce a large number of stickers with its barcode.  Place these on a large number of products, more or less at random around the store.

This time, you are not putting them over the original barcode.  What you are aiming to do is place them above, below, or to the side of the barcode.  This is so that, when the item is scanned, the reader will pick up the proper code but, as the item is rotated or passed over the sensor, it will also read your loyalty card number, thus tying that whole transaction to your account.

Done correctly, and with a little luck on a busy Friday or Saturday, in a large store, you could run up tens of thousands of points, giving you 1% of that back to spend as you wish in the store.  With the additional benefit that you are corrupting the data on customers' buying habits that the store is painstakingly building up.

This is still fraud and, eventually (particularly if you use the same account for too long), the store will pick up on this strange customer who comes into the store 400 times a day and spends hundreds of thousands a week.

You can't spend loyalty points in prison!

The large print giveth and the small print taketh away..." --- Tom Waits Step Right Up 1976.

Return to $2600 Index