Point of Sale Shenanigans: Authorized Unauthorized Transactions

by Ryan Clarke

The Defense Commissary Agency operates the commissaries on U.S. military bases.

For those unfamiliar, the commissary is the supermarket on a base.  An important difference between a commissary and a civilian supermarket is that the baggers are volunteers.  The baggers will also offer to bring your newly purchased groceries to your car and it is normal to tip them a few dollars for their efforts.

Considering most people do not carry cash on their person these days, it is common for a customer to ask for cash back during the transaction in order to tip the baggers.  Many times the customer wants to use a credit or charge card, because don't we all want those points?  Unfortunately, the Point of Sale (POS) system does not allow cash back on anything except debit cards.  You must notify the cashier to split the transaction between a debit card for the cash back and a charge or credit card for the remainder of the total.  Easy stuff.

Then it changed.

Recently, the commissary at my local base changed their POS system to a newer version, and now the customer can request cash back themselves using the customer-facing terminal.  I know, I know, this has existed for a long time, but the U.S. government is not always up to speed with modern systems.

Here is the glitch.

I informed the cashier that I needed cash back for the tip, and she advised me of the new procedure.  I placed my AMEX in the machine's chip reader to begin splitting the transaction.  However, after reading the chip, the device asked me if the total transaction amount was correct.  I selected "No," thinking it would allow me to then enter a new value.

The computer canceled the transaction and asked for a new card.  It irritated me slightly, but it was not a big deal and I got my debit card out of my wallet to place in the chip reader.

I informed the cashier what happened, and she gave me a confused look, considering the receipt printer output a receipt.  I told her that I canceled the transaction, and that I never entered my PIN or submitted a signature.  She said it went through and handed me the receipt.  There it was, a confirmed charge on my AMEX, seconded by my AMEX app chiming in with a notification of a new transaction.  I walked away with my bagger, and I was utterly confused, but also curious.

Unfortunately, I am one of those people who doesn't carry cash.  I had to sheepishly inform my bagger, walking with me to my car, that I could not tip her and that it would be unfair for me to allow her to unload my groceries into the car.  Embarrassing, but I generally don't like them helping anyway; I'm perfectly capable of loading my car.

So there you have it.

A POS system that allows a transaction to complete without proper PIN entry or signature input.

I think the readers of this magazine could think of the nefarious shenanigans a ne'er-do-well could do if they had a card in their possession that they did not own and came upon a POS with the same flaw in its design.

Of course, I also trust that no one reading this magazine would do such a thing.

So, that begs the question: is the software problem unique to the commissary on my base, or does this work at other locations, specifically non-Department of Defense locations?

Happy shopping.
