While it's cool to reverse engineer stuff like this and talk about the vulnerability, the final part of the blog post indicates that the person intends to 'test it'. This is just a 'modern' equivalent of the old scam of removing price labels (remember those) from cheap items and sticking them on expensive ones. That was commonplace enough that the labels themselves were made in multiple parts so that removing them was messy.<p>'Testing it' is a bad idea on two fronts: (a) it's fraud and (b) he's actually gone and told everyone he's going to do it.<p>If the supermarkets were losing a lot of money on this then I'd imagine they'd move to a more secure barcoding scheme.<p>Also, I wouldn't be surprised if the 'red' number was related to the weight of the item as this would be needed for the self-checkout tills.
So, he's swapping real bar codes with fake bar codes? I would not recommend publicly disclosing that you'll be defrauding a store. It's a lot more common than you'd think and there was even a Silicon Valley exec who recently got caught doing this: <a href="http://news.yahoo.com/blogs/technology-blog/incredibly-wealthy-silicon-valley-exec-arrested-complicated-high-185525605.html" rel="nofollow">http://news.yahoo.com/blogs/technology-blog/incredibly-wealt...</a>
I used to be a Tesco employee for a fair while, and it wasn't difficult to notice this pattern purely because those barcodes don't always scan (typically due to dodgy equipment).<p>It would often be the case that you couldn't see the whole code on the sticker, but could infer it by removing it and using the original barcode and a bit of guesswork.<p>I don't advocate the testing of this, and any observant member of staff will have no difficulty catching you out.
Yes, you can print your own barcodes and name your own price, yes it's been done before [1] and you can and will get arrested. As this becomes more widespread the folks in shops will get better with their software.<p>[1] <a href="http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-Arrested-in-Lego-Scam-152320475.html" rel="nofollow">http://www.nbcbayarea.com/news/local/VP-of-Palo-Altos-SAP-Ar...</a>
Why bother paying at all? This is basically the same as just walking straight out the store with your goods. A guard won't accept a receipt that says your flat screen TV only cost 49p.
In case anyone is interested, I've spoken to a friend of mine who was once a manager at Tesco and I can shed a little more light on the matter. The red number which the author had so far been unable to decipher is the "discount-reason-code", which represents the reason for the discount. These reasons represent things like "damaged" or "short date (nearly out of date)".
Testing this is rather a bad idea. It is quite likely that, if caught, the person would be convicted of theft (see R v Morris - <a href="http://en.wikipedia.org/wiki/R_v_Morris;_Anderton_v_Burnside" rel="nofollow">http://en.wikipedia.org/wiki/R_v_Morris;_Anderton_v_Burnside</a>)
For those unaware, Tesco is one of the largest supermarket chains in the UK, if not the largest.<p>Edit: They also have international operations, but sometimes under different names. In the US they are "Fresh & Easy" according to Wikipedia.
I like how the author feels the need to "dress up sophisticated" to steal merchandise. How very old school.<p>We need more of these gentlemen thieves here in the states.
Tesco frequently has attendants monitoring the self service checkouts; if someone sees that your items are going through for £0.01 (the prices are displayed on the monitoring screen that the attendant can see) you're probably going to have a bad time (banned from the store at the very least).<p>Not worth it...
The mention of an iPhone suggests a more elaborate version of the old "sticker" scam.<p>With a suitable smartphone app you could dynamically generate the appropriate barcode on screen, with a set discount (say, 50%). Then just hold your phone over the actual barcode as you scan each item.<p>This should be relatively hard to spot for any cashier watching, and the weights and stock etc. would all match up.<p>Of course the CCTV cameras are likely to see you and they're likely to spot what's going on soon enough to cross reference before the footage is wiped.
A similar, simpler method is used by the deli, bakery, meat, seafood, and produce departments in most US grocery stores. Usually they use 2 sets of 6 digits for these bar codes, with the price as digits 8-11 in the bar code. The bar code doesn't work with items, such as holiday roasts, costing more than $100.<p>x x-xxxxx-x$$$$-x x
Just in from Twitter (@mtdevans): "Chatting with a #Tesco insider, looks like they do store any discounts in a local db which is wiped every morning ~3am. #phew"
How do you know that it doesn't validate the discounted price against its database? Encrypting the barcode doesn't make it any more secure as you could simply swap with a completely different barcode. Encoding the price just makes it easier to develop handheld label printers.
Yes, this does work, but it would be far easier to use the standard zero-weight "Grocery item" barcode that most supermarkets have (Sainsbury's and Co-op do) which prompts for a price with no checksum.<p>(* if you were just intending to scam your supermarket anyway...)
No mention here of the obvious tie between your receipt and your debit card (assuming you can't use cash). A nice audit trail. And you probably swiped your clubcard too.
Dear author,<p>you are an idiot.<p>You claimed to have "cracked" a barcode, but have merely interpreted some of the numbers. Of course this has been done theoretically as you haven't actually proved that it works.<p>And it won't work.<p>Why? Because it's unlikely that a complicated logistics chain such as Tesco that employs half a million employees worldwide and has banking and mobile subsidiaries would let the barcode dictate the price at the register, rather than call it up from their stock management database - the way all POS enabled stores run in the 21st century.<p>So in your giddy, sensationalist haste, I pray that you "discount" your TV to 1p and get stopped at the gates for sheer idiocy.<p>Sincerely,
Me
Thanks, this will be very useful when I decide to become a criminal! If you have any tips on pickpocketing or insurance fraud, please post those as well.