Dropsafe

by Alec Muffett

Tesco Discount Barcodes, Cracked – and Censored?

So, on Reddit’s Netsec group I found the following link:

Tesco (UK) discount barcodes cracked? (mtdevans.com)

…and the usual extended Reddit discussion of the link; but I clicked through and what did I find:

Tesco Discount Barcodes, Cracked

Understandably, Tesco weren’t best pleased. Here ends playing with their barcodes.

Sorry if you were too late.

Sunday 22nd July. Updated: Wednesday 25th July

…a message posted by “Matt Evans, a Physics student at the University of Manchester (you know, ‘the one with Brian Cox’).”

Hm. Professional Security Researcher (me) wants to know more. Google Cache to the rescue!

Tesco Discount Barcodes, Cracked

Tesco are dumb.

Ok, I’ll elaborate. In Tesco on Friday evening I spied a phenomenal bargain. Boost bars with a best before of that day for the measely sum of 7p. Looking at the barcode (isn’t that what everyone does?) I noticed something weird.

Boost bar multipack: £1.20
Barcode: 5000221503354

Boost bar multipack on 20th July: 7p
Barcode: 971500022150335460000708

Maybe it’s a little hard to see, so here it is highlighted.

971 5000221503354 6 00007 0 8

That green number is, actually, the price. To show it isn’t just a co-incidence, here’s the barcode for a fruit snack I bought the next day for 31p.

971 0000010097403 7 00031 0 2

Wait, That Means Free Stuff

So, I guess if you type the barcode into a self-service till rather than scan it, you could just put 00001 and get it for a penny?

[…remainder of article elided…]

…and I’m going to purposely edit this here because Tesco has deep pockets and people with deep pockets often have lawyers with little restraint; that said the discussion continues with how to compute the necessary checksum plus some speculation on the number formats.

However as I – a globally respected professional security researcher with an noted interest in all forms of computer vulnerability – as I see things, Matt is at most guilty of pointing out embarrassing facts.

It’s not necessary to walk away from Tesco with goods (thereby committing theft) in order to test how easy it would be to dupe their barcode scanners; and to my knowledge there is no statute yet pertinent to confusing a barcode reader so long as you don’t swipe (or even carry) a card or cash and/or try and make a transaction out of it. In the industry we call this “fuzz testing” – firing random crap at an API to see if it is accepted – and yes it’s inadvisable to do it without permission of the hardware owner but I can’t think how it can be made illegal without it being equally illegal to type in your ATM PIN incorrectly.

I am not a lawyer, in any case, but I daresay some lawyers could try to make a case to the contrary – that’s what they do, isn’t it?

I have not yet contacted Matt to see if he got Cease-and-Desisted or something, but I shall be amused to find out.

Comments

12 responses to “Tesco Discount Barcodes, Cracked – and Censored?”

  1. Elfie

    David says that in the first systems in the US (late 1970s), the price was encoded in all the barcodes with not even a check digit(!)

    The early UK ones he worked on with ICL were, in contrast, database lookup based, and this was a selling point.

    Reply
  2. max allan

    Sainsburys do something similar. Bottom line : its trivial to hack. But then its equally trivial if not more so to simply steal things (for small values of small things!). So whats the point/problem? If you want to be dishonest there are easier things to do than printing your own barcodes. If you go through an unmanned till I think there is a value limit and some stores (B&Q) wont let you take discount items through without a human verification. And I found out that if the discount is too high a percentage they need a manager. (i bought something broken for 60% discount and had to wait ages.

    Reply
  3. Jon R

    Be careful – in R v Morris the House of Lords decided that altering the price labels on products can *by itself* potentially be criminal theft even if you do not attempt to then buy the product.

    http://www.bailii.org/uk/cases/UKHL/1984/1.html

    Reply
    1. alecm

      Altering, yes; but what if you present a barcode with no item attached – ie: a bit of paper – just to see if the created barcode scans successfully?

      Reply
      1. Michael Jennings

        What do you then do if a charge comes up? Do you pay it, so creating a contract between the store and you *for something* but it is a bit hard to say what. Do you just walk out, with the machine (and possibly the people attending it thinking you owe them some money)? Do you at this point come clean and tell the staff what you have done, once again with the possibility of their not understanding and calling the police. I’m not sure I would want to try it.

        Reply
        1. alecm

          Swiping a barcode does not strike me as a contract because items can be cancelled or the whole transaction aborted.

          Reply
          1. Elfie

            Go to one of the places that does the handheld scanner system, then you can scan your barcode,see what it says, and then cancel the transaction without even blocking up a self-service checkout.

            (Also useful for pranks like when Yon palmed a barcode label from something expensive and managed to convince Carl that she’d ‘scanned’ his stripy shirt instead – he spent ages trying frantically to ‘unscan’ it 🙂 )

            Reply
          2. Michael Jennings

            No, there is no contract at the point when you scan it – this generally comes (if it does) when you pay.

            However, supermarkets are generally very watchful of you between the point when you scan and the point when you pay. Scanning something, and then walking out and not paying is very likely to lead to someone demanding an explanation before you leave the store. Stating that “I changed my mind about buying this stuff” will do, but they normally want to formally cancel the transaction on the machine in front of you, and see that you have returned the stuff. If you appear to have scanned something, and then walk off without paying, and the item that was apparently scanned is not visible when you walk off and the transaction has not been cancelled, then they are likely to assume that you stealing something. An explanation is going to be required as a minimum, and I can see various scenarios in which security and/or the police get called, even if (in this case) you may not have formally committed a crime. So I don’t think I would do this.

            If you do scan a bar code that you have made, pay, and walk off (without there actually being a physical good involved), then a contract possibly has been formed, due to money being exchanged. If the barcode is forged, then it is possibly a fraudulent transaction, even if there is no physical good involved. My hunch is that if you do this you are much more likely to be able to walk off without being stopped, but you are legally on much shakier ground. So I don’t think I would do this either.

            If there is a “Check the price” scanner in on of the aisles of the store, this is probably safe enough.

            Reply
  4. Michael Jennings

    Before barcodes, in Australia (and I suspect most other places) a small adhesive sticker with the price on it was attached to all the goods in the supermarket. You took the item to the checkout, and the cashier punched out the price written on the sticker. If you assume that the purpose of the bar-code is to automate this process, increasing speed and reducing errors – and you hadn’t previously had a problem with forgery of price tags – then the early system described in the first comment may have made some sense, particularly if providing database lookup was hard.

    Or perhaps it was just a lack of imagination. Do things the same way you do it now, only more efficiently, comes before thinking about doing it a different way.

    Reply
  5. Ken Brown

    If I go up to a shopkeeper and ask “Didn’t you say this was five pounds?” when I know perfectly well it was advertised for fifty, I doubt if I commit a crime. And if they accept the fiver, think I have a contract.

    Is the law different if the shop delegates that decision to a computer program?

    Reply
    1. Jon R

      Potentially I think you might have committed a crime (fraud) in that situation, yes. Even if you haven’t, the shop, if they realise what you have done, may well be entitled to insist you either pay the proper amount or return the goods.

      With regards to a computer program, you have to alter the price label/barcode in order to trick the computer, and I have already provided the reference which shows that you have committed theft if you do that.

      Reply
  6. Kai

    I understand parts of this but where do you get the rest of the barcode from like the 971 part

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts