Bar Code Switching

A particularly clever form of retail theft -- especially when salesclerks are working fast and don't know the products -- is to switch bar codes. This particular thief stole Lego sets. If you know Lego, you know there's a vast price difference between the small sets and the large ones. He was caught by in-store surveillance.

EDITED TO ADD (6/12): I posted about a similar story in 2008.

Posted on May 31, 2012 at 6:17 AM • 62 Comments

Comments

D0RMay 31, 2012 6:35 AM

Happened in Italy years ago, too. The guy was busted after some surveillance cameras were put into place. He carried with him a huge book of barcode stickers from which he chose the barcode to put over the legitimate one.

karrdeMay 31, 2012 6:41 AM

Oh, yes. I remember that Lego has a steep price curve between small kits and large kits.

One of my thoughts was, haven't we seen this method mentioned here before?

My second thought is, how hard is it to check that store clerks will catch situations like this? Random quizzes on what price should come up for various items from the shelves?

TomMay 31, 2012 6:46 AM

It's not clear to me from that article that he was actually switching barcodes so that large sets were being put through as small sets. He may have actually been creating barcodes that matched the set's description and name, but were at discounted prices (as they might be in a sale). That would explain how he managed to sustain it so long.

dalek from skaroMay 31, 2012 6:51 AM

According to police, Langenbach not only placed his own bar codes on several items, he checked them on the store's aisle scanners to make sure he was getting the low, low price. He put stickers on three boxes but put two of them back on the shelves. When he walked out with one set he didn't pay full price for, store security nabbed him and called the cops.

I guess he put the two back so that if store employees or security wanted to check whether the price/label was correct, they would find more incorrectly priced/labeled boxes, making him less suspect.

AnonMay 31, 2012 6:58 AM

This isn't something I look back on proudly, but back when I was in my freshman year of High School (mid 90's) I experimented with low-level shoplifting for the thrills (I could afford what I took without question).

Switching bar-codes was one of the more effective techniques, and Target (where this story also takes place) was one of the easier ones to do it with because they largely used their own bar-codes placed over the manufacturer one. You could cover it up, or even peel off one and place it on another product.

I got caught the first time I tried switching back to more conventional shoplifting, and I'm lucky they decided not to press charges after I paid the raw total. They never caught on to the bar-code switch until I told them at the time I was caught. If done in small amounts, I still suspect it would be hard to detect and counter.

TomMay 31, 2012 6:59 AM

I'm not exactly clear what crime is being committed here. The article says he is being charged with burglary, but it's hard to fit that to his actions. IANAL, but, at least under English law, the way a store purchase works is you go around and grab the things you want, take them to the checkout and say, "I want to buy these." The attendant tots up the total and says, "That'll be £X." At that point he has made an offer to form a contract for sale of goods at a specific price. You say, "Yes, okay," and hand over the money; you've accepted the contract. This contract has formed validly and courts have been very reluctant to rule on whether the amount paid was fair.

This is not theft. He has paid for the goods, just not as much as the retailer probably intended. About the nearest I can think of as a crime is fraud, but even then it is a bit tenuous. It's sort of analogous to starting a rumour that property has chemical contamination so you can buy it cheap; sharp practice, but only on the very edge of crime.

gingerpenguinMay 31, 2012 7:03 AM

An SQL injection attack written into a barcode is a "clever" attack anything less is mundane. Bar code switching has been around for decades.

DetunizedGravityMay 31, 2012 7:04 AM

The names and descriptions of the items are not stored in barcodes. Barcodes cannot handle that much information. A barcode is nothing more than a glorified product serial number, encoded using one of a few well known international standards. Any additional information displayed on the point of sale comes from some back office that is queried once the barcode is scanned.

Moreover, discounted articles are usually not granted new barcodes. The information about their price is just temporarily updated in said database.

All this doesn't mean that a thief cannot show some cleverness, though. One may use barcodes from products which name and description are generic enough to trick a cashier, for example. Especially as said cashier may not be knowledgeable about the kind of product one steals. Or refrain from trying to steal items which packaging make a poor fit for the price tag associated with the chosen barcode (p.e. a 30" LCD for 20 bucks...).

Now... All this is really an old trick. First heard about it more than 20 years ago.

Bob May 31, 2012 7:19 AM

Tom, in Australia this is certainly a crime, a type of fraud called Obtaining A Benefit By Deception.

It has been around in the retail business since well before I was a store security manager beginning in 1995.

jon doh!May 31, 2012 7:58 AM

My second thought is, how hard is it to check that store clerks will catch situations like this? Random quizzes on what price should come up for various items from the shelves?

Cashiers are usually ranked based on how fast they get a customer in and out. Some store registers will show a running average of how fast the cashier is going in between sales. We had our scores posted in the breakroom each week, although not everyone looked at them. Plus, depending on the size of the store, you're talking literally tens of thousands of unique products and IDs. there's only so much room they give on the screens for the product description, so "LGSET GRN" could mean "Leggings, extra tall, green", or "Lego Set, Green Lantern, 516 Pieces".

Clive RobinsonMay 31, 2012 8:13 AM

This is just a slightly more modern version of swaping the product price tag which must be more than 50years old by now.

I remember bar codes coming into book shops and back then the till did not display the book name, I know a whole bunch of students out of UCL used that fact to lift a bargode printed sticky from one (cheaper text book) onto another (more expensive text book). And unless you were very very familiar with the book printers it would be difficult to tell.

For instance a well known publisher "Oxford Books" could have two books the same size and thickness and even (in some series such as maths the same colour) where one would back then have been less than 10GBP the other 50GBP or more (and back then 30 odd years ago 50GBP was room rent for a couple of weeks in some parts of london).

AdrianMay 31, 2012 8:13 AM

Some time ago (decades!) I heard a story where a guy would go in to a store and note down the prices of several items. He went back to his hotel, where he had a Commadore Pet and a small thermal printer. He made up a fake till roll receipt for the store.

On return, he picks up the items, takes them to the returns desk, and presents his receipt at proof of purchase. The store had a policy that any unopened goods could be returned, no questions asked, and cash refunded. So the returns desks scans the items, checks the price and gives him the money. He then leaves.

What crime has been committed?

Theft? No, because at no stage did he remove the goods from the store, and thus did not deprive them of their use.

Burglary? No, there was no break in.

Fraud? No, because at no stage did he actually ask for money, the returns desk would do this with no comment apart from "have a nice day". Anyway, it is conspiracy to defraud and a conspiracy needs more them one party.

He was eventually caught by a smart store clerk who noted that earlier in the day the till thermal printers had run out of black ink and had moved to blue cartridges. Our perpetrator had not. So it was, again, the human element that caught him.

He was charged with handling stolen goods and convicted. On being searched, Police found 1000's of dollars, first class air stubs, and hotel receipts from top hotels around the US. Clearly this had been going on for some time.

The Judge did ask how long he had been learning how to use the computer to do this? The, now convicted felon, admitted he had no experience with computers at all, except

10 Print "Invoice"
20 Print " "
30 Print .......

slwMay 31, 2012 8:18 AM

Knowing the type of scanner used at the checkout desk, you can use the programming barcodes to put the scanner into code 128 mode, rather than ean 13 and then exploit a buffer overflow in their cash register software to run your shellcode(which you have previously encoded into a barcode, of course).

That would be a clever attack if someone successfully pulls it off. This however, not so much.

Adam TrickettMay 31, 2012 8:29 AM

I believe this has been done many times before.

It's trivially easy to do to any retailer that uses their own barcodes or hires the cheapest check-out staff that aren't paid enough to care...

We use barcodes a lot at work to help automation and move stuff about within the factory. These days it's dead easy to print and test barcodes, a few years ago it was more of a pain.

It's probably just as easy to do with RFIDs, in fact anything that takes away from the sale person the "thinking" element...

Go into a shop and buy something for 1.25. Had the sales person 10.25 and look at the surprise on their face as to why you handed them a note and some coins, only when the till says change of 9.00 will the penny drop - if you pardon the pun.

RadicaMay 31, 2012 8:30 AM

It's just me that see it, or there's a largest theft implied here?
"salesclerks are working fast and don't know the products"
Ok, is not like a medical doctor or rocket scientist working in hurry without knowing what they are doing, but anyway what quality of service can you expect by a serial worker with no clue?
It is quality of service stolen to the customers, and quality of workplace stolen to workers.
In recent decades more and more stress is put on "quality of service", "customer satisfaction", "user experience", more and more is being spent to advertise those values... but there is no reason to spend in advertising for something it is actually perceived by consumers, the need in advertising those concepts is plainly because they were stripped away by "optimization", replacing the real added value of trained workers with some advertising.

PenTesterMay 31, 2012 8:33 AM

Invitatio ad offerendum - Invitation to treat
could be the culprits emergency exit. Although, the same applies to Germany, § 145 BGB, the act of changing the barcode is a forgery of documents according to § 267 I 2 StGB.

How to detect it? Use larger screens at the checkout that show a picture of the scanned goods.

paulMay 31, 2012 8:44 AM

I'm surprised we don't see more of this kind of thing at self-service checkouts, especially the ones where the customer is required to identify bulk items by hand. Of course, only certain kinds of goods are typically considered worth shoplifting.

AlexMay 31, 2012 8:48 AM

I'm not sure on the burgulary vs. fraud aspect.

From the above, it states the store agrees undertake a contract with the purchaser at the checkout. I agree. The store agrees a price, and the fee is paid.

But the store is agreeing to undertake transaction based documentation changed to no good knowledge of the store - the bar code.

In this case, an agent creating a fake bar code which is then used in a transaction by the same agent or conspirators is fraud.

So is entering the premises with the intent to manipulate / switch documents burglary? Classic definitions of common law have been expanded considerably in modern times. I believe this passes under modern legal definitions of burglary and / or trespass, but that might vary by jurisdiction.

I'd view burglary a lesser offense than fraud. Perhaps fraud is being kept as a reserve charge, perhaps they're being easy going, perhaps the lawyers don't want to be too harsh this time, or perhaps IANAL.

wMay 31, 2012 8:49 AM

@ paul "I'm surprised we don't see more of this kind of thing at self-service checkouts, especially the ones where the customer is required to identify bulk items by hand."

You mean the 'pay as much or as little as you feel like' checkouts?

I would love to see the figures for the amount of say, onions bought & sold by Tesco or similar. Since the introduction of self-service checkouts they're probably selling about 130% as many onions as they buy.

The sad fact is, of course, that with the wage savings they're probably making more profit off the self-service checkouts even allowing for the greater shrinkage.

JMay 31, 2012 8:59 AM

I'm surprised nobody commented on the fact that the guy shoplifting (?) Legos was a high-ranking VP at SAP. He almost certainly makes six figures; what's he doing ripping off a Toys R Us for $100 per transaction?

KemalMay 31, 2012 9:02 AM

I am thinking that this attack can be prevented using RFID instead of barcode. Am I wrong?

wMay 31, 2012 9:05 AM

@ J - Google 'kleptomania'.

It's typically more about the buzz than for financial gain.

Habit forming, and escalating in severity, like many things involving endorphin release.

It could also be argued that on some deep-seated psychological level he felt he deserved punishment for being involved in inflicting SAP on the world.

No OneMay 31, 2012 9:37 AM

@Adrian: I would call theft and fraud -- he did not own the product and he presented the product as if he owned it. Even if the exchange happened without word there is definitely an implied request for payment in return for goods when you go to the returns counter and present your receipt. Also, according to Wikipedia on larceny it does not necessarily require that you remove product from the premises only that you move it with intent to steal.

Now, of course, this would all be subject to the exact law on the books in your jurisdiction, of course.

James SutherlandMay 31, 2012 9:38 AM

It would be riskier with self-service checkouts: they check the weight matches the expected figure. If I hand a big box of Lego to a checkout operator, who scans it as "Lego in space $9.99" the fact it's supposed to come up as "Lego space station $99.99" is easy to miss; with self-scan, even a few grams of difference will make the checkout suspicious and request operator intervention. Even if nobody notices at the time, do it too often and it will stick in their mind that you keep buying big boxes of Lego which come up wrongly...

Another scam in the UK was using blank pieces of paper. For coupons, you scan the barcode, then put the coupon - or, since the slot only checks for the presence of a piece of paper, a blank piece of paper - into a slot to prevent reuse. Rather stupidly, a cop did this often enough to get caught - thus trading his career and pension for a sentence and criminal record.

(Many home-made coupons are being sold now on eBay, too. Some are probably legitimate download and print your own offers, but I very much doubt all of them are!)

Dean WinchesterMay 31, 2012 9:50 AM

common sense. yeah, that's how you beat this. you think a lego the size of a fridge would be priced at $10 ?? c'mon!

HR people should be blamed here for hiring idiots.

Nick PMay 31, 2012 10:08 AM

@ Bruce

That's not that clever. Manipulating barcodes is kind of an obvious idea that's been going on since I worked retail. It's especially useful for things that have printed stickers on them like in the grocery store, from gourmet meat to markdowns. Talk about innovative: one group had managed to imitate/steal our unique markdown stickers & figure out how to print valid markdowns on them. Nobody ever figured out how. (Insiders, probably.)

Another facet of it is using different PLU codes for produce at self-checkout to reduce one's bill. If attendant isn't paying attention, you can get organic stuff for the price of inorganic, etc. An even older trick is swapping stuff out of containers so expensive stuff is hidden in boxes of cheap stuff. Then, there's fake receipts combined with stolen merchandise, although I think people do that less these days.

This crook's one mistake is he robbed Target. He should have hit a different store. Target is the leader in retail security, especially video surveillance. Around half their headquarters' surveillance work is pro bono for police departments. Their checkout camera's are also good enough to make out the personal info on a check. So I've been told. Not the place to try to go on an undetected robbing spree.

wMay 31, 2012 10:13 AM

@ James Sutherland - hence my comment above regarding onions. You don't scan the barcode of the Lego at all, you put it through as loose weighed fruit & veg.

Onions tend to be cheaper by weight than Lego, or fillet steak, or single malt whisky. Or almost anything sold in a supermarket, I believe.

A huge box of Lego would be risky only because you usually have an operator watching over the bank of self-service tills, who can presumably see a list of everything being scanned as well as view the customers on CCTV. The system relies on (minimum wage) humans to spot the theft.

scottnottheotherscottMay 31, 2012 10:43 AM

I find it interesting that discussion focuses on whether or not this is illegal by the letter of the law.

That is the wrong direction for a discussion on morality (and its security implications) to take. The fact that it is destructive to the relationship between the man and the store should be evidence enough that it is wrong.

The barcode switcher should be punished for violating the relationship by causing harm to the store - which, in fact, is the very thing that *all* the applicable laws (fraud, theft, etc) are designed to prevent.

Just look at Bruce's previous article for an example of how the establishment of proper relationship is an effect deterrent to harm - it's tough to hurt someone you care about! The barcode switcher doesn't appreciate this fact, and by destroying a part of the social fabric he should be punished.

Slightly O/T:
Interesting story about how a company handled the relationship damages of counterfeiting on the BBC - http://www.bbc.co.uk/news/business-18231922

I think Target should try hiring schoolteachers to teach children, "If dad comes home with 'great-deal' legos, tell him he's destroying the social fabric of your world." It would definitely be cheaper than their current security and could possibly more effective.

NobodySpecialMay 31, 2012 10:47 AM

@ karrde - yes it was Target/Walmart/etc in the USA people were swapping the tickets from $100 Sony headphones for Sony 40in Plasma TVs.
The till just said "Sony-electronics" and the minimum wage workers on the checkout either didn't care or were quite happy for "the man" to be ripped off.

abadideaMay 31, 2012 10:53 AM

karrde: In any store with a large inventory, trying to get the cashiers to remember random numbers (which are pretty much the worst thing in the world to remember) is entirely useless, especially since things go on and off sale all the time and for luxury goods (Lego, brand-name clothes, media, wine, etc) the price has little correlation to the base cost of the material. The best you can do is to warn them that barcode swapping is a real thing and that IF they think a price is suspiciously low, not to be afraid to check. There's no use in getting upset if they don't notice though - it's inevitable.

Devin BaillieMay 31, 2012 11:07 AM

To those saying it isn't theft because there's a sales contract:

The sales contract lists one item (the cheaper one) and the thief takes a different item (the more expensive one) from the store. This is theft, as there's no agreement on the sale of the more expensive item.

NobodySpecialMay 31, 2012 11:25 AM

@w - funnily enough the problem when self serve checkouts were first installed in the UK was the opposite.

They were put in upmarket stores in nice neighbourhoods - on the principle that the English middle class don't steal (the rich do but we knew that!)

The problem was that these people was so terrified of being accused of theft because they (or the machine) made a mistake we couldn't get anyone to use them.

Henning MakholmMay 31, 2012 11:35 AM

The best thing the cashier can do is probably to be suspicious when an item that's pretty obviously being sold in factory-designed retail packaging has the barcode on a STICKER rather than being printed on the packaging itself like such barcodes usually are.

Michael BradyMay 31, 2012 11:45 AM

This goes way back before barcodes. This hack has been used by shoplifters since price tags were first attached to retail goods.

VickiMay 31, 2012 12:15 PM

It's not that the retail staff are stupid: it's that they are trained not to think. In a lot of places, their options are to go ahead with a transaction, or call a manager. (And in some, as noted above, they are penalized for taking "too long," and deciding whether to call a manager takes time even if the time once the manager arrives isn't counted against the cashier.)

I don't know about Target, but there are retail jobs where any customer complaint, however dubious, will harm an employee. That sort of policy leads to cashier's not calling out suspected thieves, because "s/he accused me of theft" is a complaint.

Broadly speaking, you get what you reward. A company that rewards efficiency and punishes speaking up will get employees who treat all transactions as valid because that's fastest and makes the fewest waves.

MadnessMay 31, 2012 1:02 PM

@w

Bananas are cheaper than onions for their weight. In fact, I think they're one of the cheapest per weight items in the store. I've heard of people ringing up steak as bananas in self-checkout lanes.

GopiballavaMay 31, 2012 1:41 PM

I saw an interesting barcode at Target a few months back. I used an app to do an online price comparison for a Leatherman tool. It had a few hits for the bar code, all at the same price as Target.

But I noticed that Target had put their own bar code sticker on top of the original Leatherman one. There was a gap, and I scanned the original. Lots of hits, at 30% to 50% off retail.

Why did they do that? Was the sticker really just there to make online shopping comparisons harder?

I know that for awhile, different model numbers were used to make online vs. retail price matching impossible. e.g.: iPad h5005 was sold online, h5000 was sold at retail. Same pattern for different model numbers - the last digit was used to indicate the type of store.

(I also think that's one of the reasons that printers don't come with USB cables. Yes, they save a little bit of money, but the store also gets to try to sell you a $40 USB cable for your $60 printer...)

BryanMay 31, 2012 2:15 PM

@Tom
@Adrian

Here in California, the definition of burglary is "entering [a building] with intent to commit a felony". If someone carries pre-printed barcodes or a false-bottomed purse or something similar into the store, the crime is compete upon entry. Any additional fraud, theft, hiding, or mislabeling of merchandise is a further crime.

WaelMay 31, 2012 2:19 PM

IMHO there is a way to mitigate or reduce the risk of the "print your own bar code attack" and derivatives of it.

Threat: People switching bar codes with different ones

Problem: Skill set / education / training of clerks / huge number of inventory items do not allow for dependable human judgment

Possible solution:
1- Use QR codes instead, or in addition to bar codes
2- Have a backend server compare the QR code with an image of the container (box) that holds the item - this minimizes human error in judgment
3- If the bar code or the QR code is tampered with, the server in the backend will flag the irregularity if the saved image of the container does not mach the expected QR code.

Naturally this requires a camera.

If you want to play with QR codes, there are applications for Android and iOS - some are free, and they also let you generate your own QR codes.

Bad solution:
Have Sam Harris advise us to profile the customers and only check the bar code / suspicious prices when the customer fits a "profile" :)

wMay 31, 2012 2:31 PM

@ Wael: I don't see what QR codes gain over barcodes in your system, could you elaborate?

Also I doubt the implementation cost would pay off versus the company's losses from the specific type of attack it mitigates.

DMay 31, 2012 3:02 PM

The problem with the Lego sets in particular is that every product description begins with "Lego -" or in the case I'm familiar with "LEGO STAR WARS -" which on most limited character displays means that the actual description of the product cannot be properly displayed and as long as you change the barcodes within the various product lines there's no way for the cashier to catch it other than having personal knowledge of the price of things.

karrdeMay 31, 2012 3:37 PM

@reply to self,

I later searched Bruce's archives, and found this.

http://www.schneier.com/blog/archives/2008/10/upc_switching_s.html

So not only is this not new, it is not new on Bruce's blog.

On everything else...I agree, the clerks aren't incentivised to spot this kind of fraud. They are incentivised to reduce costs by increasing processing speed.

And a store that covers UPC's with its own bar codes is at a higher risk for this style of attack.

@J, I did notice, but didn't comment at the time. It is unexpected that a man who is apparently high-income (and has a $2000000 price-tag on his home) does this kind of thing.

WaelMay 31, 2012 4:01 PM

@ w,

This was a very high level suggestion. However, QR offers higher density of information, can code encrypted text that is hard to achieve with bar codes and also not easy to forge (you can expand on that idea as well). Arguably, you can also use this scheme without QR, only using Bar codes. The idea is to keep a database of key-value pairs. Key-value pairs being a QR / Bar code, value being a digital image of the the item. The back end server can do the matching and trigger a flag to the cashier that something is suspicious, perhaps paging or texting the manager as well. The assumption also is that the check is done redundantly.
1- The backend server does the image difference check with an automatic trigger.

2- The cashier is also presented on the screen of what that bar code / QR code corresponds to (a picture of the image).

WaelMay 31, 2012 4:08 PM

@ w,

forgot to address the cost / benefit tradeoff. But I "believe" that depends on the vendor and the item inventory average cost. May not be fit for everyone. This is not a prohibitive cost. A server that may already exist, some extra storage space - cheap these days, an image processing solution - open source exists, and a camera per cash register. If the establishment can quantify their losses per unit time, they can judge whether such a solution makes sense. Normally though, one would suggest a solution to the problem, evaluate that it really does address the attack, then move on with cost benefit analysis. I would think ...

WaelMay 31, 2012 4:20 PM

@w,

Clarification...
"Not easy to forge" refers to the encrypted QR text, and not to QR in general...

Dirk PraetMay 31, 2012 5:27 PM

@ w

It could also be argued that on some deep-seated psychological level he felt he deserved punishment for being involved in inflicting SAP on the world.

Or for being part of SAP believed himself to be intellectualy superior to Target staff.

As pointed out by several commenters, this type of fraud is as old as price tags themselves. I am surprised so many folks focussing primarily on the legal and technical controls (to be) put in place to mitigate this phenomenon. Why not offer the shop clerks a decent incentive by cutting them in for half the value of the falsely labeled goods every time they catch someone ? This amount can easily be recovered by the store in the form as an administrative fine to be paid by the perp on top of the real value of the items. Everybody wins, and at zero extra cost. I've always been surprised at how efficient and creative people can become given the right motivation.

WaelMay 31, 2012 5:34 PM

@ Dirk Paret,

"Why not offer the shop clerks a decent incentive by cutting them in for half the value of the falsely labeled goods every time they catch someone ?"

Maybe because that system has been abused in the past. A juvenile accomplice can be abetted to do the switch, s/he is immune from legal prosecution, and then they can split the "incentive". Then again, perhaps it's because business owners are freaking greedy :)

WaelMay 31, 2012 5:35 PM

one more comment ...
"I've always been surprised at how efficient and creative people can become given the right motivation?

Perhaps TOOOO creative ;)

Dirk PraetMay 31, 2012 6:07 PM

@ Wael

A juvenile accomplice can be abetted to do the switch, s/he is immune from legal prosecution

I don't know how this works in your country, but over here parents or legal guardian would be charged in the case of a juvenile delinquent.

Which is not to say that staffers would not at least explore other possibilities to make this work even better for them. But at which point they would become fraudsters too, with all risks and liabilities that come with the territory.

It reminds me of the time that many pizza delivery services gave out a 5€ discount if the delivery guy didn't make it in half an hour. Many people I knew made a deal with these guys that by definition they were always late, splitting the fiver fifty-fifty. That is until management caught up with this practise and stopped doing the discount.

WaelMay 31, 2012 6:50 PM

@ Dirk Praet,

"I don't know how this works in your country".

I don't know either. (USA)

hatMay 31, 2012 8:28 PM

@Wael,

You still don't explain how you expect QR codes to help. Unless you are very narrowly focusing on a particular type of "print the label at home" scam, the particular type of bar code (or label, really, it could be even be an RFID) matters not. Also, it really does nothing to prevent the particular scam described in the article: Fundamentally, the guy was putting labels meant for cheap things onto expensive things with the twist (and I think this the part that Bruce thought was creative) that the item descriptions for both the cheap and expensive things were identical for the first n characters. The only novel aspect of the system you describe is having a picture of the item rather than descriptive text, although many systems already do that.

WaelJune 1, 2012 12:53 AM

@ hat,

Sometimes it helps to share information one knows. This saves us from "googling". It would be nice to give a link to such a product - thats number one. Number two, I am not claiming any novelty here. That solution may already exist, and could be used for this "clever attack".

Back to your question ...
The basic idea is to create a binding between the tag and the item. And to add automated tag / image correlation. In addition to a detection mechanism that detects a break in that binding.

QR tags can:
1- Carry more information, or automatically point to a local URL which fetches a detailed description of the item and its image, then displays it to the cashier for further inspection.
2- Save cost by eliminating the need for a specialized back end server
3- Cheaper than RFID for fruits and vegetables. Some fruits are expensive - cherymoya for example is over $5 a piece, probably more expensive in Europe, and not as well known to cashiers. a QR tag can display a description to the cashier - bar codes cannot on their own without the help of a database server, due to the limited capacity of information that can be encoded on them - hence the attack:
"that the item descriptions for both the cheap and expensive things were identical for the first n characters.".


RFID has advantages:
Can be embedded inside the box (I am using the Lego box example), so a potential "thief" would be forced to open the container, which hopefully will be easier detected during the act, if done onsite. If done offsite (buy a cheap item, remove the tag, go to the store and stick it on a more expensive item), the break in the tag/item binding would still be detected.

Disadvantages: Can not be embedded in a piece of meat, say a steak, for obvious reasons.
Operational cost may not be justified for cheaper items. Assumption is that printing a label should be cheaper than a passive RFID tag.

Probably that attack can be succesful against non-bound (tag to item) RFID as well if stratgically placed. I have not experimented with that...

BTW, before I get pinged on the cost / benefit analysis, I only spoke of "implementation cost" as a direct answer to Mrs. "w". Deployment and operational costs were omitted ...

WaelJune 1, 2012 1:22 AM

This problem has been addressed in different ways. Some stores do not leave the items on the shelves. They leave a blank box, with "order papers". A customer uses that paper to write the item number. then goes to the cashier. Subsequently the item is fetched for the customer from a location that is accessible only by "trusted" employees. Even that can be "Scammed". Let's discard with Tags all together... and assume that you have a cashier with a perfect scanner, OCR software, image recognition, etc... Even that can be scammed as well. We just try to make it more painful for the "bad guys" ... I guess this cat and mouse game is what keeps us in business :)

short changeJune 1, 2012 2:49 AM

So if this isn't a crime is it OK for a store to shortchange customers?
They hope you'll walk off without checking.
This technique works best at busy open markets where there are no electronic transactions.

MeJune 1, 2012 11:16 AM

@Tom:

The barcode only identifies the product, not the price, the price is stored in the database.

All products have a unique bar code, and this code is shared across retailers, the price differences are controlled by the retailers using their databases.

Thus, his attack must be in the form of switching the products barcode with that of a less expensive item.

kaszetaJune 1, 2012 2:52 PM

@Me

It's *often* the case that the barcode only identifies the product, and not the price, but not always.

I know of one major retailer (coat.com) that, for reasons that remain baffling to me, still encodes prices in their barcodes on the item tags. Really, go take a barcode reader app to the store and read the tags. Or even decode sample tags from their vendor spec and you'll find that they do indeed contain the price.

Baffling, since this is a risk, and it also requires them to print new labels to properly apply markdowns.

Russell JohnsonJune 1, 2012 3:53 PM

People have been swapping price tags ever since price tags have been on merchandise.

It's not new, clever, or particularly difficult.

JakeJune 8, 2012 4:04 PM

@ Henning Makholm at May 31, 2012 11:35 AM

I have seen plenty of legitimate products with bar codes affixed to the box - sometimes outside of the shrink wrap, even. this is a common practice in the USA.

Adam LoprestoJune 15, 2012 9:47 AM

Lots of good points in the comments here, but a lot seem to be missing a central point. As Bruce so often points out, security is always a trade off. Accusing customers of theft is never leads to a positive experience. Sometimes (when the customer actually is trying to steal something) it's the least bad alternative. But any system put in place to attempt to mitigate the risk is also going to catch innocents (when items are mislabelled by the store, when the database is out of date, whatever), and lead to more annoyed legitimate customers. So a key component of any mitigation strategy would be weighing false positives against false negatives, and deciding how much loss through theft is acceptable versus how much loss the store would incur through bad publicity if, say, they accused a VP at a large company of small scale theft incorrectly. And any new system would also have implementation costs, which may or may not be worthwhile.

That said, it seems the scales used in self-checkout kiosks could easily be extended to manned registers. If the weight of the item doesn't match, flag it in a way visible to the clerk, who would then be expected to eye it more critically, and decide whether to call over a manager ("sorry, the system seems stuck; let me call a manager to override it"). Ideally the system could also display a complete name of the item instead of an abbreviated form, and even a picture. But that would require upgrading the POS systems, and might not be worth the expense for the added security.

rusyocJanuary 25, 2013 10:23 PM

I have been doing this for years. I don't recommend it. of course I got away with it for years without a hitch... but I got geedy and went for more expensive stuff. I was stopped at the door and arresssted. charged and convicted of theft. so it is most definitely a crime. I would change the barcode with my home made one's... buy something that cost $50 for $4. then.. go return it without the receipt get a $50 gift card. then.. buy a $50 visa card with the store gift card. that was just part of the scam. Im not going to go into detail on the other things you can do with them because it is flawless and undetectable... I was busted trying something stupid. but there are ways to do this and never get caught... but again.. it is still theft no matter how u look at it. So whoever said if the clerk rings it up then it's on them is mistaken... You can and will be arrested and charged.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..