Schneier on Security
A blog covering security and security technology.
October 31, 2008
UPC Switching Scam
It's not a new scam to switch bar codes and buy merchandise for a lower value, but how do you get away with over $1M worth of merchandise with this scam?
In a statement of facts filed with Tidwell's plea, he admitted that, during one year, he and others conspired to steal more than $1 million in merchandise from large retailers and sell the items through eBay. The targeted merchandise included high-end vacuum cleaners, electric welders, power winches, personal computers, and electric generators.
Tidwell created fraudulent UPC labels on his home personal computer. Conspirators entered various stores in Ohio, Illinois, Indiana, Pennsylvania and Texas and placed the fraudulent labels on merchandise they targeted, and then bought the items from the store. The fraudulent UPC labels attached to the merchandise would cause the item to be rung up for a price far below its actual retail value.
That requires a lot of really clueless checkout clerks.
EDITED TO ADD (11/7): Video of talk on barcode hacks.
Posted on October 31, 2008 at 6:43 AM
• 71 Comments
Not if the clerks are cut in on the scam.
". . . clueless checkout clerks."
If you pay peanuts, you get monkeys.
To be fair, they only conspired to steal $1m. Nowhere does it say they succeeded. Integral journalism for the win!
I'm curious to know whether the fake code rings up the same stock item at a lower price, or a different, cheaper stock item.
If the former, then why is the price encoded in the UPC? Shouldn't it be looked up in a database from the till? I wouldn't blame the checkout staff in that case - it's not their job to argue with the system what a generator should cost.
If the latter, then why didn't (a) the checkout staff occasionally notice that they were scanning a generator, not a teaspoon, and (b) the stock control system notice that they were 7 generators short and tell people to be especially careful when they see a customer with a generator?
"clueless checkout clerks" is the wrong description of the problem. They need procedures that survive cluelessness. Clerks swipe the UPC code in 1 second or less, and are mostly judged on speed and giving the right change. They need a system to help them, not blame them.
I find even peanuts is not enough for monkeys...
Seriously though. I worked at a petrol station/store during my uni years part time. It's not the pay, it's the treatment. Everyone assumes you're a dumb ass (aka management or upper management). You say anything, like the customer did not give me a $100 bill just a $20 and they won't believe you, even if you have *zero* $100 bills in the till. You're stuck with a till that's down $80, and you told them so. And it will still be your fault.
So something that won't even show up till an inventory check.... Why bother?
Ok I would have, even just to alleviate the boredom. But most would not.
You may be underestimating how much prices on very similar items can vary, and how often they can change. Okay, sure, if the fake UPC label causes a high-end appliance to ring up for a buck and a half, the clerks certainly ought to notice that if they're paying attention, particularly if somebody's checking out with multiple items like that. But if the crooks are at all clever, they could regularly give themselves 70% discounts on the right kinds of things and probably not get noticed until the store does inventory. And while even 30% of retail is too much to pay used for some things, other things do regularly sell on eBay for 70% or more of retail. That's more than a wide enough margin to allow for significant profits. You just have to pick the right stuff. And then there's the option of reselling it as new.
I'm assuming here that the counterfeit barcodes are of good quality and appear to be a normal part of the product packaging. That's the hard part really. Obviously if the tack-on barcodes are chintzy that would be easy for any even vaguely intelligent checkout clerk to notice, if they're paying attention at all. Most of them aren't, of course, but if you were the crook, would you want to chance it, or would you spend the extra effort and make the higher quality counterfeit barcodes?
If you want plausible deniability, you don't plaster the fake barcodes just on the one you're taking, but some additional ones as well, so some other shoppers will get an unexpected bargain just like you. It costs the store more than you're making, but you're not doing this in the first place if you care deeply about the store's profitability.
If you don't want to be discovered ex post facto by statistical analysis (for buying too many of the fake-barcode items too often) you just pay cash. Nobody requires ID when you're buying with US currency because we trust the money to be genuine, or if not we use the pens or infrared lights or whatever.
Like I said, the hard part is making the barcodes look, at a glance, like they're genuine and legitimately belong on those items. Which brings us around to the undeniable fact that UPC barcodes aren't exactly designed with security in mind.
UPCs are set up by the manufacturer (and only to identify the good). The association to a price is in a database. And I imagine it is easy to buy the most expensive vacuum cleaner at the price of the cheapest one with no-one noticing.
And the last thing is, they did get caught. So /someone/ noticed.
I can see both sides. It would be possible to pull the scam off pretty well if you took the time to research proper merch swaps, make custom labels, and maybe research checkout clerks.
The problem is that it seems most criminals invariably get lazy, or greedy, or both. And then you've got to unload the goods in a way that won't attract suspicion.
It wouldn't be easy, but it's possible.
WalMart and Home Depot both have self-checkout, so you don't even need a clueless clerk for this to work.
"That requires a lot of really clueless checkout clerks."
Not really. Sadly, in the "Customer is King" environment many store managers will let scammers get away with it even if the clerk realizes the scam, just to avoid them raising a fuss and scare away potential other customers. Just yell about "mislabeling" or "bait and switch" loud enough and the managers will bow to your every demand.
It's sad but because a lot of the American corporate structure is built and trained like this, the register people can usually not influence the final decision on the sale.
SteveJ: Making a generator ring up as a teaspoon is what you do if your goal is to prove that the system is vulnerable to this technique. If your goal is to steal, you make a $1500 television ring up as a $450 television.
I have no experience of Walmart/Home Depot but supermarkets in the UK also have self-checkout. Here the goods must be placed (usually in a bag) on part of the scanning station. This weighs the scanned good as it is added and issues an alarm if there is a discrepancy.
So, it's going to be more bothersome to do the same at these supermarkets. I suppose the best leverage would be putting a cheap wine UPC on a nice Chateau Lafite.
I don't really think it does require clueless clerks...
Take Target for example. I don't know what vacuum cleaners go for, but I wouldn't be surprised if a top-of-the-line one was, say $200, while a cheap piece of crap was $30. If you make a UPC for the $30 vacuum cleaner and stick it on the $200, the clerk will most likely just see that it's for a vacuum and not verify that it's actually the right brand and model.
I strongly doubt every minimum-wage Target register jockey has memorized the prices of every appliance in the store.
"That requires a lot of really clueless checkout clerks."
Other explanations are that they don't care, or that they are angry at their employer.
Come to think of it, I bought really cheap Guinness 4-packs for a while due to clueless checkout. And it was even legal. The thing is these 4-packs have 5 barcodes, one on each bottle and one on the cardboard packaging. If you turn all the bottle ones to the outside, chances are they get scanned first. I discovered this by accident when trying to figure out why I had to pay so little, and then verified it. Took about 6 months for them to wise up and start checking whether this particular item was scanned right.
As someone that works as a just above minimum wage employee in retail, let me give you my perspective on this. Our vacuum cleaners run the gamut from maybe $100 to $500. When you ring something up at the register, you don't see anything specific about the item, the most specific it would be is "vacuum cleaner". So someone who is working at the register would have no idea they were doing this unless they had a good idea of how much each different vacuum cleaner would cost. Since I work in housewares, I would be able to figure this out, but if I was someone who spent all my time at the registers, I doubt I would really even know the difference.
To top it all off, even if we do notice this, we as employees are told not to do anything confrontational. We are to contact LP, and he will deal with it. If our LP guy isn't there, then nothing will get done about it since we are too small to have more than one person in LP. If this was noticed at the register, we have almost no chance of catching the guy, though a description will be shared with the other stores in the area to give them a good chance of catching him.
Funny, I was just about to write the same thing with regard to vacuum cleaners and Target. Some were expensive and some were not, but they all looked the same to me. I guess some really suck. Ha ha.
But yeah, I don't think a clerk is going to catch something like that.
It's a *job*, Bruce, not a career or a profession. You want people to exercise independent judgment? Fine. Pay them for it.
For a guy who seems to get it about the TSA, you really put on the blinders with this one.
The issue is not "clueless" people in the trenches. It's the decisions made by executive management about how far up the org chart one needs to go before deviation from the script is permitted. And BTW, if you don't think retailers watch shrink like hawks, you haven't worked in retail.
I wonder how cost-effective it would be to have the registers (which often appear to be fairly decent systems with far more display capability than they really need) look up not just the price of the item you just scanned, but a picture of it too to flash at the checkout clerk.
The economics of that are somewhat interesting... For early adopters, the system would be likely to be more expensive because of economies of scale, development costs, etc..., but the savings will be the rate of this type of fraud (no idea how much that is) times the probability that the fraudsters would choose a different store if you were to field that system. If it proves successful and becomes more widely adopted, then the cost will go down (because of the economies of scale for the lookup system), but the savings will become the rate of fraud times the fraud detection rate (which would hopefully be higher than without the system at all, but probably not all *that* high).
Although this is not immediately on-topic, my wife and I were both astounded by the careful scrutiny which clerks in the UK brought to bear on our credit card signatures. We live in the US, and I cannot recall a clerk checking my signature in at least fifteen years. (I am aware that this is not especially secure..just sayin'..)
* Usually the barcode is read from the bottom or (lower) side of the packaging, facing away from the clerk.
* As such, the clerk rarely looks closely at the barcode, except peripherally to position it for scanning.
* Speed is the name of the clerk game.
* Originally, barcode scanning was sold to the retail industry for its speed and accuracy benefits. Those benefits have become a crutch -- a dependency.
1. compensate clerks that catch errors
2. add play of audio description of product as it is being scanned for higher priced items.
3. add packaging recognition video system at the checkout station to match the container with the scanned barcode.
Joe: That's an interesting possibility, but you would have to keep the database of images up to date every time a product's packaging changes. That could get to be a real treadmill (particularly if you've got a grocery section), unless you can get the manufacturers to supply the product-image updates as a service.
I think detection ex-post-facto and prosecution is likely to be the better option. Anybody who does this once and makes a profit on it is going to be sorely tempted to keep doing it until they get caught. Jail enough of them and you've got a meaningful deterrent. It'll still happen from time to time, but running the averages it might work out cheaper than keeping the product image database up to date.
Ah, the scene from "My Blue Heaven" in which Steve Martin's character gets his hands on a pricing gun comes to mind.
Yes, it would be reasonable to expect clerks to notice discrepancies but as several of you pointed out, you get what you pay for (baseline competency) in cashiers, and the checkout systems are built for speed over accuracy. It is indeed not the clerk's job to argue with the POS (point-of-sale) system.
However, we seem to forget that in most systems these days a description of the item does appear after it is scanned. Can most people register the difference between a five hundred dollar Dyson and a forty dollar Hoover? We would hope so. I mean, the con doesn't rely on defeating the POS so much as duping the "machine-human interface".
Old Con, new wrinkle.
In response to several of the questions raised above, it would seem to me that the obvious approach here would be to switch UPC codes such that a $349 premium Hoover vacuum rings up as a $99 basic Hoover model, a $1699 high-end Amana refrigerator rings up as a $1199 low-end Amana, etc. The clerk glances at the display, it says Hoover vacuum and some model number, glances at the box, it says Hoover vacuum and some model number that quite likely starts with the same characters...
This would seem to have a good likelihood of not being detected at the checkout if the checkout clerk isn't paying close attention — which, honestly, most of them aren't, most of the time.
I know we're all security geeks here... but has anyone stopped to think that it's actually being handled correctly given the amount of fraud that occurs?
It is probably much more profitable for companies to give up some product to fraud than to lose customers when actual mistakes happen. Some amount of security failures are an acceptable part of business. If the security failures cost less than the security measures, they shouldn't be implemented.
Paying employees enough to know and care enough to actually stop this would cost a lot. How much of this fraud is actually occurring?
Losing a few hundred on an appliance here and there probably costs a lot less than the amount you'd lose from pissing off a substantially higher percentage of customers when an actual mislabeling occurs.
"That requires a lot of really clueless checkout clerks."
You need to consider also that large stores also have many departments and a till jockey in one department is not likely to be at all switched on about product from a different department.
Further it is quite normal for customers to pick up goods in several departments and pay just in one.
Then there are special offers and discount cards and all sorts of other transitory things that can cause your average till jockey to be information overloaded.
"but supermarkets in the UK also have self-checkout"
You have told me which stores you frequent and which you don't in the U.K. and what sort of shopping you do ;)
Some stores like Tesco's, Sainsbury's do use weigh out tills though my limited experience with them indicates they are easily defeated by a fairly obvious means that most will discover by accident (100g of cheap butter weighs the same as 100g of expensive butter and multiple lot buttons sure make this easy to do etc ;)
Secondly some stores like Waitrose have a different price it up yourself and pay for it method with a little hand gun. Now I have not tried those systems (as they appear to want you to register with a credit card or store loyalty card which I am most definitely not interested in), but I should think they are fairly easy to beat in one way or another
You have to remember that these systems like the UPC barcodes themselves are designed to cut down on payroll costs not stock lost costs and that means they are very very likely to all have exploitable faults...
Remember this story, it will be used to place RFID chips in everything, to fight this scam. If the RFID tag for the product is embedded inside the packaging, it can't be covered up or replaced with another sticker. And two rfid chips should be able to be detected easier than two stickers.
Indeed, I knew someone who did this and other larcenous things in stores. He had a team so there was plausible deniability built in as well. He was not clever enough for the UPC label gambit, but he would switch items from one box to another or put additional items in a large box (some have considerable empty space), and another member of the team would go in later to buy the item (it was marked or placed in such a way so the teammate could ID it quickly). He was eventually arrested, but on other charges. Altering the UPC code is just a new wrinkle on an old con. Slicker, less work, but not new.
If I was designing the RFID scanner and price lookup system, then I would add in the price for *both* RFID tags and let the customer flag the error.
That should eliminate this type of fraud.
The "clueless check-out clerk" is part of the drive to maximize economic efficiency at the cost of resiliency and security. With the use of UPC labels and laser scanners, the intelligence at the check-out line is pushed downwards, allowing the use of lower and lower education levels for the staffing.
So, economic efficiency was more important than the idea of having someone who had a rough idea of what things "usually cost" and double-checking what is on the screen in front of them (I think they are seldom trained to do more than check the bottom line, just like most executives do), and, in some cases, will have the change displayed as images of coins and bills.
Remember, economic efficiency precludes resiliency and flexibility.
Yeah, clerks aren't really in a good position to detect these types of frauds in most cases.
I've had the experience of buying items which ought to cost around $40, but were on clearance. They rang up as $4. This store never marks something off that much so I asked the clerk. She seemed confused that I questioned it and hurried along to the next. :)
I can only imagine that it would be even easier to get by if that was your intention.
I would point out that the 'clueless clerk' may well be an intelligent, observant clerk who is angry at being stuck in a job paying minimum wage. I certainly wouldn't go out of my way (as such a clerk) to protect the interests of a company that locks me into the store to work unpaid overtime.
From a security point of view, I noticed two comments that were spot on-
1) As Mongo says, "They need procedures that survive cluelessness.".
If security against this type of threat is important enough, it should survive that kind of attack, but...
2) Tito asks, "has anyone stopped to think that it's actually being handled correctly given the amount of fraud that occurs?".
It could well be that this is being caught by the businesses' security watching Ebay and Craigslist for just such occurrences.
I don't see any option at the purchase end of the problem that wouldn't impede the flow of customers through the register. Perhaps (as with Best Buy) require customers purchasing high-end items to pick them up curbside after they are paid for (by having a store-produced card to be handed to the cashier to record the purchase...)
I work for a large POS vendor. Our nicer products support full-color images for every item. They can be zoomed to any size. They are provided by the manufacturers usually as part of a content management system (designed for online retailers but provided for POS systems as well).
Problem is, I haven't met a cashier yet who actually looked at the pictures.
Yep. I tried the same trick to get some goofy toy that I wanted when I was a kid. The "trick" didn't work though the clerk caught it immediately when he scanned the item and I left empty handed. Oh well maturity is good for something...
I've seen a few stores where the checkout clerks are more interested in making sure that the large boxes are still sealed, and if not, that nothing has been stuffed into them.
Don't forget that in some cases, checkout clerks collaborate with the shoplifters.
It's really easy, say your local Staples sells a model ES300, model ES500 and model ES700 UPS. Make a UPC code for the ES300 and slap it on the ES700. Instant 55% price reduction. You might even get away with a cross-model price change for an even higher discount if you can pick the checkout counter for the least experienced person. Doesn't work on some of the more high dollar stuff because a manager generally checks purchases over a set amount, unless they know you really well.
And at a local Walmart where this was happening, the clerk was arrested and convicted for being the in house conduit for allowing cross-commodity where you are dumb enough to use a chewing gum UPC to buy a piece of furniture. Cross-commodity swaps usually always are inside job scams, though with the inattention after a full workshift running a checkout stand can turn anyone into a mindless drone where one or two might slip through.
@ Spider, Randy
I can think of at least four ways just off the top of my head to subvert an RFID-tag tagging system. They're all considerably more complicated than "print a UPC label out on my home laser printer", but the barrier to entry in terms of supplies isn't all that much higher.
As a tangent, whatever hack you can come up with to break a system that looks like this except with RFID instead of UPC is pretty much irrelevant; if a retailer switches over entirely to RFID they're going to change a metric crapton of business processes anyway. A hack similar to this is probably going to be lessened, but I'll bet you dollars to donuts the new processes will have just as many glaring security holes as this one :)
Inside job. Has to be. And/Or, that million dollar is horribly inflated. Add to all this that this seems like a ridiculously inefficient way to steal a lot of stuff.
According to the report they were buying the merchandise and selling it on ebay. Unless they choose their targets very, very carefully (which they probably did) they would still face the hurdle of having to purchase the item at a price low enough to make a profit and high enough so that even a stupid clerk wouldn't notice. So, no $500 Dyson vacs for $1.50. Let's say they bought that $500 Dyson vac for $250. They sell it on ebay for maybe 30% off list (which is pretty optimistic). That means they made fifty bucks on the deal and then had to ebay and paypal about 10% of that for processing the deal. So forty bucks from a $500 vacuum? That's a lot of bullshit work for forty bucks.
Not clueless, just un-motivated.
I'm in a record store looking at a nice 4-CD boxset but there's no price marked on it so I ask the clerk to scan it. It comes up $3.00 which both of us recognize as absurd even if it were some discounted clearance item which it's not. The clerk just says "Hey, looks like it's your lucky day!" and I bought it. He apparently had no reason to care.
I suppose it makes sense that a lot of folks who have never been poor would post here. Imagine a job where you pass thousands of different items across a scanner every hour, all day. Why should you be expected to memorize the prices of everything in the store and check that the labels you're scanning are accurate?
You still have the problem of two different TVs from the same manufacturer, same size and weight, except that one is $2200 and the other is $3100 because of different feature set.
Clever crooks would legitimately (and separately) purchase both the items they want to steal, and likely "replacement" items, and would weigh them to make sure they are actually the same weight, and would then return them a few days later.
I would focus on passing the "shrink" tab on to China.
@ice weasel "And/Or, that million dollar is horribly inflated"
Note that it was more than $1 million worth of products, not that the crooks made more than $1 million off their heist. Four people indicted equals $250K of products over the course of a year. That's only 500 items at $500 per item per person - sounds like a reasonable haul if you're picking up 3 or 4 items per event and doing it at a different store every 2 or 3 days.
Especially with the heavy-ish equipment, there's also a huge difference in price depending on the precise internals of the object. So a $1400 welder and a $400 welder might look almost identical on the outside (except for model number) because the difference is in the power-conversion hardware and the conductors inside. Same for generators and so forth. Furthermore, such items often sell much closer to list on ebay because the people buying them know exactly what they're getting.
(Interestingly enough, there reportedly is/was a security problem associated with such equipment and the big-box retailers: many contractors will tell you that the XYZ Model 123 you buy at a home center is in fact not the XYZ Model 123 sold to professional outlets, but rather a derated or de-spec'ed version. Whether true or false, the existence of the belief opens up the opportunity for all kinds of arbitrage.)
About selling on Ebay: the thieves would gross more than some 70% onsome idiot always bids the full store selling price or even more, unless everyone waits to snipe the item in the last minute.
I worked in a small store doing checkout when I was a kid way back when they still had cash registers (I can still run a National Class 6000 register like a pro) and saw UPC codes come in around 1975. The idea of scanning items was interesting, but I did think that the knowledge of what the store carried would be lost eventually since the checker only had to know bulk item prices and not the coded ones. The supermarkets lobbied to eliminate individual pricing of items and got it, so they actually lobbied themselves (and other businesses) into this problem in relying totally on UPC codes, and nonprofessional checkout clerks. I have no pity for them.
The first time I became aware of this issue was when someone (not me nor my brother) had put a professional-grade NFL football in a box meant for a much cheaper ball. We noticed the switch (the football was actually visible in the box), and we took the item ourselves and it scanned for a bit over half the price of the pro ball. Yes, we got away with it. When I found someone doing those switches professionally many years later, my only thought was that it must have been going on a very long time.
You knew it was the wrong price, you knew how to exploit the system and you kept doing it for 6 months. That makes you a thief.
Shame on you sir.
@Will: *the* Will Shetterly?
@Spider: Typically, the RFID tags used to deter shoplifting are physically destroyed at checkout by a high-power electromagnetic signal. (You can see clerks "swiping" items over a piece of equipment next to the register, sometimes more than once.)
If RFID tags are added for the purpose of product identification, it may be feasible to create a portable device that can destroy them in this fashion. A substitute tag can then be planted on the item -- voila, new identity.
Even if the tags are signed in order to prevent forgery, hackers have had great success in cloning a wide range of RFID tags, so it is necessary only to obtain a single valid tag for a suitable substitute (lower-priced) item. Again, it may be feasible for the purpose of cloning to use a portable device that can read the specimen tag in a store.
@Rex: The reason UK shop assistants looked closely at your signature is because signing for a card transaction is a *weird* thing to do. UK cards use a PIN to validate the transaction -- that's what all those secretive little keyboards were for.
The banks decline to accept the risk of signature transactions -- if it's queried, they charge it back and that's that. It's like cardholder-not-present.
So yes, they do look carefully at signatures. But before PINs, they hardly bothered.
Kind of reminds me of the time in high school that I found a vending machine that could have the prices reprogrammed through the front panel. It did have a password, but it had of course been set to "1234".
My friend's mother bought a $300 vacuum cleaner at Target. It rang up as $30. She told the clerk that the price was not right, and the clerk didn't care.
The clerk's excuse - "That's what the computer says".
The clerks don't listen when you tell them the price is wrong, what would lead you to believe the clerk is actively looking for fraud?
I've worked retail, and for what we were paid, you get a bunch of bodies capable of performing simple tasks and (generally) showing up on time. We were paid enough to keep the honest ones honest and not enough to really care.
This reminds me of a great scam at Barnes & Noble - find a "Bargain Book" (front of store usually) wrapped in plastic, buy it for the bargain price, walk outside, unwrap it, and return it for store credit for the non-bargain price.
I watched a guy do this with a bargain book selling for $6.95 that we had a copy of on the shelves for the full price of $100.
Do cashiers even look at the price?
In most stores, there is the big LCD screen that is attached to the register, and a smaller LCD on a pole that faces the customer. When they're scanning items, they're facing the scanner, away from the register. They grab an item, scan, listen for the beep, then grab the next item. Rarely do they turn around, the only time is when the item doesn't scan properly.
> Potential solutions:
> 1. compensate clerks that catch errors
I worked retail when I was in college. If we caught a shop-lifter (or other fraudster), we received a bonus equal to $100, or the value of the goods that were being stolen, whichever was higher.
I worked in a high loss department (had high-end designers, targeted at young people), and as such, I wound up making more off of the shoplifting bonuses than I did off of salary + commission combined.
I really want to know how the journalist arrived at the $1 million figure. Is it just sensationalist reporting or the guy printed out so many labels that the potential merchandise will be worth $1 million. And did he actually flip $1mill worth of merchandise?
Bruce, you may be interested in this talk (if you haven't seen it before). The talk is pretty long, but it's excellent - covering issues like this along with synthesizing the stubs from soda return machines for free cash, getting around 1d and 2d barcodes.
A few months ago I was shopping at Lowes and noticed a document taped to the wall beside the cashier. It was a warning to carefully check all purchases of generators, chainsaws, and various types of powered hand tools for this exact UPC switch scam.
"> 1. compensate clerks that catch errors"
In the UK the credit card companies offered about the equivalent for people who pulled cards on the hot list.
However quite a few companies decided that the employee's vigilance should not go unpunished. In one particular case not only did the company keep the reward they also did not pay the employee for the time they were away from the till talking to the police etc, and then cut their bonus pay for failing to meet "check through" targets....
With motivation at that level I'm not at all surprised that shops have till staff who turn up check through and go home without "noticing" anything, it just does not pay.
Your employer was obviously one who had thought things through a little bit, which makes me think they were an independent retailer.
I do not think the clerks are clueless, I guess at the rates they get paid that they just don't care...
How many retail outlets actually allow cashiers to do anything about price discrepancies? Antipathy towards one's employer or lack of intelligence has nothing to do with it - the customer is always right. Go to Kinkos and make 20 copies on 11X17 paper on the color copier and tell the cashier "oopsies, I really only wanted 2 copies on the black & white copier on normal paper" and you'll get rung up for 20 cents rather than 20 dollars. You can do this as many times as you want because any cashier that doesn't give you what you want will be fired and replaced with someone who will.
Same thing works at fast food restaurants (anywhere you pay before receiving the food). Order a burger off the 99 cent menu, then when it arrives INSIST that you wanted a quarter pounder deluxe. Be all peeved and they won't charge you the difference. It doesn't matter if the cashier knows you by sight because if the cashier tries to do anything they'll be tossed to the curb for "upsetting a customer".
Yes, I have been that cashier, and all I got was threatened with firing. That shut me up.
To understand this scam you have to understand something about the retail systems that allowed it to happen. First, to answer the question of how a cashier did not know that the items were scanning wrong, I have a simple answer. In retail there is a merchandise life cycle. For the corporation I work for it is 6 months. For the first three months the buyers have the item, it is being shipped, warehoused, and moved to the store. By the time the item reaches the store it only has three months to sell before it is written off completely. I have seen $3,000 rungs sold for $150 to get some money for the product in the final weeks before it is written off. It seems insane to the public and it probably is regardless of the accounting principles behind it. What this does is condition the cashiers to be desensitized to large markdowns. They trust the system despite the insanity of it. Second, the perpetrators of this scheme don’t just present a single high priced item at the checkout. They present a dozen or more low to mid priced items in combination with the high priced item and sneak it into the transaction. Besides scanning the items, our cashiers are graded on more than 10 other things that they do during a transaction. They are so worried about selling credit and getting to the talking points that they miss the finer points of the transaction.
Information about UPC-A codes:
First six digits from left are manufacturer's code.
Next five digits are product classification code.
Last digit is check sum to make sure it all adds up.
There is no price included in the bar code on the product. Since the store must have the UPC in their database for the checkout system to come back with a price, it's obvious the thief copied the UPC from an item currently in the store or one the store sold previously.
Simply find a cheap similar item in the store and take a picture of UPC in .gif format. Run the numbers into online tool for printing bar codes and compare image to output. Print a thin label and congratulations you're a high tech fraud!
This vulnerability is not new, some even did research and tried to expose the scam. Want something more insidious? Google "XSS injection via barcode"...
There are black hats that get arrested and then there are black hats who you never hear about.
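As an added illustration (not part of the original comments or of any retailer's system), the sketch below follows the 6/5/1 UPC-A layout and the price-file lookup described in the comment above: every scan of a copied label passes the check digit and the lookup, and only a stock reconciliation shows the paired surplus and shortfall. The UPCs, prices, counts and the `ring_up`, `reconcile` and `demo` helpers are all constructed for the example.

```python
# Added illustration. Every UPC, price and count below is constructed.
CATALOG = {  # UPC-A -> (description, shelf price)
    "012345000119": ("vacuum, basic", 20.00),
    "012345000287": ("vacuum, high-end", 90.00),
}

def upc_a_check_digit(first11: str) -> int:
    """Check digit for the 11 data digits: positions 1,3,..,11 are weighted 3."""
    digits = [int(c) for c in first11]
    total = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - total % 10) % 10

def parse_upc_a(code: str) -> dict:
    """Split a UPC-A into the 6/5/1 layout from the comment; reject bad codes."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("UPC-A must be exactly 12 digits")
    if upc_a_check_digit(code[:11]) != int(code[11]):
        raise ValueError("check digit mismatch (misread or damaged label)")
    return {"manufacturer": code[:6], "product": code[6:11], "check": code[11]}

def ring_up(scans: list) -> float:
    """What the till does: validate each code, then trust the price file."""
    total = 0.0
    for code in scans:
        parse_upc_a(code)  # passes for any faithfully copied label
        total += CATALOG[code][1]
    return total

def reconcile(received: dict, scans: list, on_shelf: dict) -> dict:
    """Per UPC: units scanned at the till minus units that physically left."""
    deltas = {}
    for upc, qty in received.items():
        delta = scans.count(upc) - (qty - on_shelf[upc])
        if delta:
            deltas[upc] = delta
    return deltas

def demo() -> dict:
    cheap, dear = "012345000119", "012345000287"
    received = {cheap: 10, dear: 5}
    # Till log: 3 genuine basic units, 3 high-end units carrying the basic
    # label, and 1 high-end unit sold under its own label.
    scans = [cheap] * 6 + [dear]
    on_shelf = {cheap: 7, dear: 1}  # physical cycle count afterwards
    return {"till_total": ring_up(scans), "deltas": reconcile(received, scans, on_shelf)}

if __name__ == "__main__":
    print(demo())
```

A positive delta on a cheap UPC matched by an equal negative delta on a dearer one in the same category is the signature to alert on; the check digit only guards against misreads.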
Somebody came to me and tried to buy a Zorbeez for the price of a ShamWOW!! What a foolish person.....
My friends used to do a variation on this with beer, ripping a hole in a 24-pack case and scanning the can (instead of the box) at a u-scan. It then rang up as a 6-pack.
I figured I'd chime in for those that don't understand HOW the scheme works. If you examine many assorted packages at your local retailer, many have stickers that have been applied to the bar codes. This is sometimes done because of a manufacturer error and sometimes done by the store itself if two similar products inadvertently have the same bar code (for instance, a case was ordered of a product and then the same product receives some kind of upgrade and the company simply uses the same code instead of generating a new one). Wal-Mart would be a prime target for this scheme, since Wal-Mart has an array of products to scan and mixed in to a decent assortment of other products nobody would ever notice. Further, if you consider that the fake codes correspond to a real product likely already on the shelves, then nobody would even have to worry about the price.
Suppose they took the barcode from a cheap vacuum cleaner, say a 20.00 junker. They then copy the barcode (photocopy and use stickers for the print out), then they can now apply these stickers to ANY priced vacuum cleaner and buy it at the Wal-Mart set price of $20.00. If they get a 90.00+ vacuum for only $20.00, then selling it for anything over $20.00 is a profit, but unless it is worth a lot more the benefit isn't likely worth the risk. I'm sure this crime counts as some form of shoplifting, and shoplifting carries high fines and jail time, I think. Is it worth it for only $20.00? I doubt it.
Works great! What's nice is that you actually buy something before leaving. Someone else puts on the label, then another person buys the product. Only an idiot would get caught. It looks much better than shoving something down your pants, and walking out.
I am a cashier and had this just happen to me today. A guy came through with screen doors in boxes and I rang them up, only to find out after he left that they weren't screen doors, they were storm doors, and they cut and glued the label perfectly on the box to pay $33 instead of over 200.
Why would people do something like this????