

Tesco Discount Barcodes, Cracked - digitalclubb
http://mtdevans.com/projects/barcode/

======
jgrahamc
While it's cool to reverse engineer stuff like this and talk about the
vulnerability, the final part of the blog post indicates that the person
intends to 'test it'. This is just a 'modern' equivalent of the old scam of
removing price labels (remember those) from cheap items and sticking them on
expensive ones. That was commonplace enough that the labels themselves were
made in multiple parts so that removing them was messy.

'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually
gone and told everyone he's going to do it.

If the supermarkets were losing a lot of money on this then I'd imagine they'd
move to a more secure barcoding scheme.

Also, I wouldn't be surprised if the 'red' number was related to the weight of
the item as this would be needed for the self-checkout tills.

~~~
omh
_Also, I wouldn't be surprised if the 'red' number was related to the weight
of the item as this would be needed for the self-checkout tills._

The original barcode (which is still present as part of the discounted code)
should allow the tills to look up the weight.

~~~
objclxt
That's not how self checkout systems normally work - they build up their own
internal databases of average weights over time. This has a number of benefits
- it saves time and money for the store (you don't have to pre-program the
machines with weight values) and it also allows for varying tolerances by
item.

~~~
DrStalker
Is that why new self checkout systems are immensely frustrating, but after a
few months they're fine to use? I'd assumed that the tolerances were lowered
because too many customers were getting so frustrated that they were refusing
to use them.

~~~
qeorge
Yes, but they have to recalibrate them every so often and they get overly
sensitive again.

Problem is, every time it beeps at you and the cashier overrides it, it
averages your item's reported weight with the ones its seen before. So if a
cashier is overriding it all the time (as tends to happen with constantly
beeping things) the weights drift off, and the whole thing is quite useless.

------
sgk284
So, he's swapping real bar codes with fake bar codes? I would not recommend
publicly disclosing that you'll be defrauding a store. It's a lot more common
than you'd think and there was even a Silicon Valley exec who recently got
caught doing this: [http://news.yahoo.com/blogs/technology-blog/incredibly-
wealt...](http://news.yahoo.com/blogs/technology-blog/incredibly-wealthy-
silicon-valley-exec-arrested-complicated-high-185525605.html)

~~~
lurker14
Great quote in the Merc:

[http://www.mercurynews.com/business/ci_20684481/silicon-
vall...](http://www.mercurynews.com/business/ci_20684481/silicon-valley-tech-
executive-nabbed-flim-flam-involving)

DA: "I think he also obviously had way more than any one human could possibly
enjoy on their own in a legally acceptable way."

------
FuzzyDunlop
I used to be a Tesco employee for a fair while, and it wasn't difficult to
notice this pattern purely because those barcodes don't always scan (typically
due to dodgy equipment).

It would often be the case that you couldn't see the whole code on the
sticker, but could infer it by removing it and using the original barcode and
a bit of guesswork.

I don't advocate the testing of this, and any observant member of staff will
have no difficulty catching you out.

~~~
lucaspiller
+1 I can still remember the barcode for Cadbury's Creme Eggs even though I
left Tesco 5 years ago.

------
markfenton
If you really want to test it, surely raising the price by 1p is the best way?
That way, you get an answer and you aren't stealing anything.

------
ChuckMcM
Yes, you can print your own barcodes and name your own price, yes its been
done before [1] and you can and will get arrested. As this becomes more
widespread the folks in shops will get better with their software.

[1] [http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-
Ar...](http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-Arrested-in-
Lego-Scam-152320475.html)

~~~
rhizome
Yeah, that approach goes in the "James O'Keefe Voter Fraud Test" bucket. Yes
you can do it, and yes it's easy, and yes it's illegal.

------
highace
Why bother paying at all? This is basically the same as just walking straight
out the store with your goods. A guard won't accept a receipt that says your
flat screen tv only cost 49p.

~~~
ori_b
You're assuming that a guard will care or be alert enough to check carefully.
They're not expecting doctored prices on correctly labeled items.

~~~
petercooper
A minor detail here, but British stores don't typically have guards who check
receipts (unless you set the alarms off by having a tag left on an item by
mistake/shoplifting).

~~~
ars
American stores don't typically have guards either.

Some stores do, but it's not usual.

It's not really that hard to steal from a grocery store, but in general people
are honest.

~~~
mistercow
Also, with the possible exception of membership-based stores like Costco, the
"guards" at the front of American stores like Best Buy don't actually have any
authority to prevent you from leaving without checking your stuff. Of course,
some of them are not correctly instructed on this fact and will break the law
and illegally try to obstruct your exit from the store/parking lot anyway.

~~~
jrmg
I've wondered about this for a while, so I looked it up. The Internet (always
a trustworthy source, I know...) seems to disagree with you - or at the very
most think it's a grey area, leaning towards that they're allowed:

[http://www.thelegality.com/2008/03/12/stop-that-paying-
custo...](http://www.thelegality.com/2008/03/12/stop-that-paying-customer-the-
legality-of-compulsory-receipt-checking/)

[http://legallad.quickanddirtytips.com/store-security-and-
you...](http://legallad.quickanddirtytips.com/store-security-and-your-
rights.aspx)

~~~
mistercow
Well I certainly didn't say that they can't _ask_ you to look at your bags. As
long as the search is voluntary, they can ask pretty much whatever they like.
But you can surely say "no" and then leave. If they physically block you from
leaving, they are violating the law in many jurisdictions (they're trying to
make a citizen's arrest, which you can't just do without any reason, and
refusing to let them look in your bag isn't a reason). If they actually touch
you, then you may even have claim of assault. From what I can tell, this has
not actually been tested directly, but it is a reasonable expectation of how
things would play out, if you took it all the way to court.

On the other hand, the store is also perfectly within their rights to ban you
from the premises once you've left. So even if they can't arrest you, they can
certainly put a picture up that says "Don't let this guy in the store." It is
private property, after all.

The main case mentioned in the thelegality.com article you linked ended with
Righi settling with the police so that they dropped the charges in exchange
for him giving up the right to sue. Given the balance of resources and power
between an individual and a police department, I think that's pretty good
evidence that the police department themselves didn't think they were going to
win that battle.

The Legal Lad article, on the other hand, seems to just wring its hands about
various scenarios without addressing the question everyone cares about: You
walk out of a Best Buy, nobody has any reason to believe you stole anything,
and when they ask to check your bags, you say "no thanks" and walk out.

------
MartinMcGirk
In case anyone is interested, I've spoken to a friend of mine who was once a
manager at Tesco and I can shed a little more light on the matter. The red
number which the author had so far been unable to decipher is the "discount-
reason-code", which represents the reason for the discount. These reasons
represent things like "damaged" or "short date (nearly out of date)".

------
stordoff
Testing this is rather a bad idea. It is quite likely that, if caught, the
person would be convicted of theft (see R v Morris -
<http://en.wikipedia.org/wiki/R_v_Morris;_Anderton_v_Burnside>)

~~~
pbhjpbhj
In both cases at your link the vital part of "and takes the goods" can be
avoided whilst still testing the method as several have already pointed out.

~~~
mturmon
IANAL, but a careful reading of the case does not support the first part of
your sentence. Anderton was convicted, and he did not "take the goods". He did
not even complete the transaction, he just switched the bar code and went to
the checkout.

It makes me wonder if, under UK law, it's lawful to eat part of a box of
cookies (not measured by weight) while rolling your trolley thru the store,
and then paying for the box at checkout.

~~~
stordoff
The Theft Act 1968 s.1(1) defines theft as:

"A person is guilty of theft if he dishonestly appropriates property belonging
to another with the intention of permanently depriving the other of it"

In most cases, it is dishonesty that is the key factor (normal shopping would
satisfy the other requirements), and is largely determined by the jury. I
would say that there is no dishonesty in your example, and so it is not theft,
but I am unsure if there is case law to support this.

~~~
linker3000
Well, to be pedantic:

S.2(2) Theft Act 1968 states that a person may be dishonest notwithstanding a
willingness to pay.

You could also fall foul of "Doing an act inconsistent with the rights of the
owner"

(IANAL)

~~~
stordoff
Excellent point, but it only states that a person _may_ be dishonest (i.e. it
is not a defence to offer to pay when caught).

To determine dishonesty, one must first look to s.2(1). It doesn't really
apply here, so the jury must apply the two stage Ghosh test, of which only the
first stage usually matters:

1) Is the person's behaviour dishonest by the standards of ordinary, honest
people? If not, then there is no theft.

I would argue that most juries would not find a person to be dishonest in
these circumstances (though it is possible that they might).

------
splatzone
This is cool but it's basically just theft, isn't it?

~~~
dorianj
Yes. It's already somewhat common elsewhere in the world, by simply printing
new barcodes for other sku's, sticking it on an expensive product, then hoping
the cashier won't notice (they often don't in a store with a lot of different
products, like Wal-Mart).

The charges are different, though, since it's fraud and not outright
shoplifting.

~~~
travem
A VP at SAP was accused of swapping barcodes on lego sets recently and charged
with 4 counts of felony burglary [1]

[1] [http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-
Ar...](http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-Arrested-in-
Lego-Scam-152320475.html)

------
TazeTSchnitzel
For those unaware, Tesco is one of the largest supermarket chains in the UK,
if not the largest.

Edit: They also have international operations, but sometimes under different
names. In the US they are "Fresh & Easy" according to Wikipedia.

~~~
JacobAldridge
Yes, largest with just over 30% market share.

In Prague they are still called 'Tesco', but the UK Loyalty card doesn't scan,
shoots an error message instead, and you find yourself explaining in terrible
Czech why you even tried to scan it.

------
motoford
I like how the author feels the need to "dress up sophisticated" to steal
merchandise. How very old school.

We need more of these gentlemen thieves here in the states.

~~~
ktizo
They should wear monocles and time the movements of security with an antique
silver pocket-watch.

------
citricsquid
Tesco frequently has attendants monitoring the self service checkouts; if
someone sees that your items are going through for £0.01 (the prices are
displayed on the monitoring screen that the attendant can see) you're probably
going to have a bad time (banned from the store at the very least).

Not worth it...

~~~
Kudos
Don't discount it to £0.01, that is just stupid. The obvious scam here is to
take high value items and mark them down dramatically. For example, marking a
£200 phone down to £20.

Not that I approve of this...

~~~
bonzoesc
The less obvious and more ethical thing to do is to buy two identical
products, one for 10p more and one for 10p less.

~~~
dangrossman
Wouldn't it be more ethical to just scan the item without buying it?

------
omh
The mention of an iPhone suggests a more elaborate version of the old
"sticker" scam.

With a suitable smartphone app you could dynamically generate the appropriate
barcode on screen, with a set discount (say, 50%). Then just hold your phone
over the actual barcode as you scan each item.

This should be relatively hard to spot for any cashier watching, and the
weights and stock etc. would all match up.

Of course the CCTV cameras are likely to see you and they're likely to spot
what's going on soon enough to cross reference before the footage is wiped.

~~~
linker3000
I've just commented about this elsewhere - the Tesco self-scan tills
completely fail to register my Clubcard barcode stored in an app on my phone.
An assistant said it rarely works - seems the phone screens are too
reflective.

------
stephengillie
A similar, simpler method is used by the deli, bakery, meat, seafood, and
produce departments in most US grocery stores. Usually they use 2 sets of 6
digits for these bar codes, with the price as digits 8-11 in the bar code. The
bar code doesn't work with items, such as holiday roasts, costing more than
$100.

x x-xxxxx-x$$$$-x x

------
primatology
Just in from Twitter (@mtdevans): "Chatting with a #Tesco insider, looks like
they do store any discounts in a local db which is wiped every morning ~3am.
#phew"

------
7952
How do you know that it doesn't validate the discounted price against its
database? Encrypting the barccode doesn't make it any more secure as you could
simply swap with a completely different barcode. Encoding the price just makes
it easier to develop handheld label printers.

~~~
icebraining
If they had verification against a database there would be no point in
printing these in the first place, they could just get the discount info from
the DB.

------
estel
Yes, this does work, but it would be far easier to use the standard zero-
weight "Grocery item" barcode that most supermarkets have (Sainsburys and Coop
do) which prompts for a price with no checksum.

(* if you were just intending to scam your supermarket anyway...)

~~~
Kudos
This way when you scan the item, it will be identified as the product you are
purchasing. Supermarkets frequently discount items by an extra order of
magnitude by accident and if you were caught doing it this way they may not
immediately think you're scamming them.

------
progrock
No mention here, of the obvious tie between your reciept and your debit card
(assuming you can't use cash.) A nice audit trail. And you probably swiped
your clubcard too.

------
RoryH
Does the local Tesco have those price-checker barcode scanners in the
aisle's... That's a good place to check if the fake barcodes work.

------
redact207
Dear author,

you are an idiot.

You claimed to have "cracked" a barcode, but have merely interpreted some of
the numbers. Of course this has been done theoretically as you haven't
actually proved that it works.

And it won't work.

Why? Because it's unlikely that a complicated logistics chain such as Tesco
that employs half a million employees worldwide and has banking and mobile
subsidiaries would let the barcode dictate the price at the register, rather
than call it up from their stock management database - the way all POS enabled
stores run in the 21st century.

So in your giddy, sensationalist haste, I pray that you "discount" your TV to
1p and get stopped at the gates for sheer idiocy.

Sincerely, Me

~~~
gergles
The whole point is that 'clearance' barcodes don't have a price stored in the
database.

Every grocery store I've consulted for or worked at in my youth was operated
the same way - there were "manager special" barcodes where the price was part
of the barcode, and the price in the database was recorded as 0 with a flag of
"barcode encodes price".

~~~
epo
And there may be exemptions for high value, non-perishable goods.

------
bluesnowmonkey
Thanks, this will be very useful when I decide to become a criminal! If you
have any tips on pickpocketing or insurance fraud, please post those as well.

