The increased use of barcodes in a wider variety of applications has made them a suitable, if unlikely, target for hacking attacks. Having started out as a means to label cans of food in supermarkets, one-dimensional barcodes and two-dimensional matrix codes are now found in systems from pre-paid postage labels and airline …
"Readers and scanners for two-dimensional barcodes were still comparatively expensive"
My phone does it (n95)! It ain't difficult to do this with a cheap digital camera and a little knowledge about how barcodes work!
People shouldn't give these things implicit trust... Regardless of the imaginary barriers.
Using spoofed barcodes at the self checkout line is fun too.
or the self altering barcodes.
I managed to pick up a block of cheese at a supermarket once which when scanned from one angle it cost £450 and from another £2.50.
It seems the way the company had set the pricing stored in the barcode was open to tamper and in my case it was a small bit of cheese stuck on the barcode label.
I suppose now the supermarkets are going to wake up to how easy it is to bypass barcode and start demanding RFID tags for the checkout.
Not worth the risk
Make fake UPC labels is considered forgery, which is a felony. Doesn't seem worth the risk to save a couple of bucks on DVDs.
the more things change...
In the late 1980s, the ID cards at my university library were still based on modified punch cards. Easy to copy with a decoder table and a card punch.
Expensive equipment for scanning and printing 2d bar codes?
You mean an all-in-one printer for $50 after rebate? And maybe some pretty simple software...
I used to do this
Where I work, they have access cards with a black magnetic strip on the back. Staff are always losing the sods (I snapped mine in half, which was far more manly), much to the annoyance of the building manager.
Nothing new there, right? Well, one day I had my card on my desk, the sun hit it, and something in the strip caught my eye... They're not magnetic, there's a bloody low-contrast barcode embedded in the strip!
One quick lunchtime experiment with a scanner and some graphics kits, and I was printing my own access cards. Secure, eh?
It's amazing that companies think we can't replicate something that's printed on plain paper in black and white.
Reminds me of the old BT phone cards that used to print black dots on a white strip to account for how much had been spent. A bit of tippex on an abandoned card and you could talk for hours :)
I hate barcodes, I work with them...
"You mean an all-in-one printer for $50 after rebate? And maybe some pretty simple software..."
Think of a barcode scanner as seen in supermarkets, not a flatbed scanner used for copying images.
Intermec handheld corded 1D scanners start at around £100 and go up from there. Metrologic offer a hand-held PDA solution with both laser scanner and image scanner built in for £800.
Image scanners are by far and away the cheapest. Using any digital camera or image capture device the barcode is fed into a profiler as an image, the profiler then performs a number of operations to remove any tilt or distortion in the image and then decodes this to a string based upon the barcode type (for example Code128(A/B/C), EAN/UPC, these are barcode standard types that tell us how to turn the bars into a string). If your mobile phone can run java apps and has a digital camera built in then it's straightforward to write software to do the decoding.
Laser scanners are where the expense starts. Laser scanners have the resolution and range to be highly accurate. These devices typically operate as HID compatible and scanning a barcode with one of these will send the string sequence of the barcode back to the computer the device is connected to.
As one commenter pointed out, depending upon the angle of scan the price changed. This is a common problem with image scanners, the captured image can change dramatically if the angle is altered. If the angle is too far off, it doesn't matter how good the software analysing the image is. This problem is rarely encountered with laser scanners, either the code scans or it doesn't.
all too techy
all too technical, the local shoplifters around here soon worked out with a pair of scissors you can put a £0.59p coffee barcode onto a £2.99 one, and with selfscan checkouts coming online at supermarkets, how does it know as both jars weigh 500g etc................
Mine too... except I've never got the damn thing to work...
Then again, I've never really wanted to use it, I was just playing.
nipping into the local superstore (B&Q, Homebase, Comet, PC World, etc) and surreptitiously nicking the barcode from a £2.99 product, duplicating it at home and then sticking the duplicate on a product costing £299 before taking it through the checkout manned by the biggest bozo in the store.
Not that I've ever done anything like that, you understand officer. Certainly not.
... are these new Royal Mail black & white printed "stamps" particularly secure?
It's also quite easy to print a barcode for say a 4Gb iPod, attach this to a 8Gb iPod and get the fatter iPod for the price of the thinner one.
Works well for motherboards, hard drives, memory too.
Especially in PC World where the staff are too thick to notice the difference between a P4 Xeon and a Celeron or a nice motherboard and a cheap crap one or a 1Tb disk and a 40Gb disk..
Won't work in self checkout...
Ok so all of you suggesting swapping a cheap bar code for an expensive product, then using self check out.
Um, all the self checkouts I've see have a scale and know the product weight and require you place the product in a bag on the scale prior to purchase. If you put a UPC code for a stick of gum something more valuable (and heavier) the check out system will stop you saying the weights don't match.
Variation on an old trick
The pre-paid return envelopes that you get in the UK are read by the machines as first or second class depending on the distance between two black bars printed on the envelope.
When I worked there I heard plenty of stories about companies that would print "second class" envelopes that the machines would identify and sort as first class.
@ Won't work in self checkout...
"If you put a UPC code for a stick of gum something more valuable (and heavier) the check out system will stop you saying the weights don't match."
Unless you drop the gum pack on the scale and set the heavier item next to it. Funny how that works.
@Won't work in self checkout...
It works in the US...you only have to put vegetables or anything without a barcode on the scale. There is a scale in the bag holder, to make sure you put the item in the bag after scanning, not before.
I always use the self scan checkouts in my local Asda, I've noticed that if you don't place the item in the bag it recognizes this and allows you to select skip bagging resulting in it not weighing the item.
so in theory there is nothing stopping you from doing this!
Not that I am suggesting we try it :-P
Barcodes don't carry data directly. They hold arbitrary numbers which are usually referenced to a database in a standards based system.
Spoofing, corrupting and crashing systems ? Oh dear me no.
Barcodes are read by hardware decoder chips in a vibrating / rotating mirror device or wand scanner. They then pass the decoded number to a serial bus network. If the read code does not conform to the strict rules e.g. Code 39 or Interleaved 2 of 5 or the codes used for retailing then you just get an error beep and nothing is sent to the interface.
Barcodes are a wonderfully simple and robust system if used correctly. They can contain error checking data too.
If a system were contrived to embed data in a barcode by using a protocol compliant number format without reference to a database then the operators deserve everything they get for their negligence. The same goes if the back end can't cope with basic error handling.
It's like changing your name to "Number24AcaciaAvenue" and then complaining that people can hijack your identity.
Nothing like old news
I recall reading an essay titled Cracking [barcodes] as an art about 6-7 years ago ... describing how to take advance of barcodes. Nothing new in this article. I guess some people just like reinventing the wheel.
deposit on cans
Always wondered why people aren't sticking bar codes for deposit items on no-deposit cans and bottles-- in the US, they have machines which shred the bottle after reading the code, after shoving in all the bottles, the machine prints a stub of how much money the person gets. Bottle eater machine destroys the evidence... guess they figure that for usd0.05 to usd0.10, it isn't worth the effort for someone to subvert the system.
Still won't work in self checkout
"It works in the US...you only have to put vegetables or anything without a barcode on the scale. There is a scale in the bag holder, to make sure you put the item in the bag after scanning, not before."
Yeah, same here... but scale under the bag doesn't just check that something's there, but also measures the weight of the item placed in the bag and checks it against the stored weight for that item's barcode. You can't skip it that easily.
PCWorld on the other hand... that's both easier and more profitable. And equally illegal.
> I always use the self scan checkouts in my local Asda, I've noticed
> that if you don't place the item in the bag it recognizes this and
> allows you to select skip bagging resulting in it not weighing the item.
Expect, unfortunately it flags up as a potential security risk on the supervisor console in the middle of the tills, and they are normally required to override it before it will allow you to pay.
>> Barcodes don't carry data directly. They hold arbitrary numbers which are usually referenced to a database in a standards based system.
Not entirely true. Firstly, the numbers themselves are data - albeit usually just vendor and product ID numbers. Secondly, it is not uncommon for the barcodes of products in supermarkets to also contain the price of the item - just check out the last 4-5 digits on reduced items and prepacked weighed items.
Tippex !!! your having a larf mate,did the Tippex recreate the hologram that was actually embedded in the card and was what the card reader actually read ? The white strip was just for users to see how much credit they had left on the card,When I worked on Payphones we heard tales of people putting cards in freezers and in microwaves to somehow put the credit back on - Numptys.....
@Won't work in self checkout...
I've worked part-time for Asda as a self scan supervisor, and the number of customers who do not understand the operation of the weight system is remarkable.
>>I've noticed that if you don't place the item in the bag it recognizes this and >>allows you to select skip bagging resulting in it not weighing the item.
Not quite the same anymore, if you touch Skip Bagging then an alert is flagged up. If you do this too often, the system freezes until the supervisor has visually checked what has been scanned.
It's true that laser scanners rarely read a barcode incorrectly, however I've seen a fair share of reduced products scanning through at £600 or higher, much to the surprise of the customer!
We all love cake..
but my wife didn't notice once that a cake she'd bought at our local Asda scanned through at £75. She didn't notice until she got home, thinking the shopping was more expensive than usual, but £75 for a f**king cake???
Makes you wonder why the customers are all such fat dobbers (in this particular branch!) with cakes that much.
She took it back (naturally!) to be told "Oh, this happens sometimes". It's happened about 5 times in the last 12 months, not quite to that extreme, and it's happened to her mother a few times too.
I wonder how many other stores have this 'problem' and how much profit they make from people who don't check their receipts thouroughly.
Works for any product in most supermarkets
A common way to handle price reductions is a barcode containing the original product barcode with the new price appended. These are easy to print (buy a couple of reduced items and do a very easy reverse engineering job on the barcodes) and pretty transparent at the till. In Somerfield stores for example the product just scans as normal; product details are retrieved using the ID and the price from the barcode is used by the till. By the time this is noticed (if ever) you'll be long gone.
Just don't be an idiot and use your loyalty card or credit card! Heh. Of course if you don't do it often enough to get a reputation for it you can plausibly argue that you had no idea the replacement sticker was there.
Not that I'd advocate such fraudulent behaviour.
A very expensive true story
Many years ago, nameless Australian Univeristy, but lets just say it was in NEW SOUTH WALES.
It was the mid 90's and the uni was tranisitioning to the 20th Century by installing a new-fangled electro-gismological barcode system for the library. It was also used for the Student ID cards, which gave you access to to buildings, computer labs etc. The card used a 1-D barcode; you can see where this is going, but it got hilariously worse. The library used a self-checkout system for the new barcode system. Wonderfully efficient, they didn't need to pay human librarians to check books out! Glorious extravaganza of modernity ahoy!
The Students UNION was also part of the scheme, as scanning your card at food outlets and stores on campus gave you the student discount. No doubt some bean-counter figured that with everyone on the same database, they would save $23.47 off the annual budget!
Unfortunately, the same beancounters left the publicity to said Student Union, staffed by, well, amateurs and cushion-tossers who didn't know what a barcode actually does. To advertise the scheme they put posters made of laminated plastic (uh-oh) up ALL OVER campus, with a picture of the new cards. The picture on the card was not obscured, the barcode was not blurred out, and the card in the poster was life-size. The card in the photo was also the card of the student union president. OOPS...
In the next day or two, the student union president borrowed about 3,500 books from the library.
They put up new posters pleading for the books back, and maybe they got 1 or 2...
"The approach might be applied to print out fake airline boarding cards, although previous experience suggests that checks before boarding mean the approach would (at worst) only allow a miscreant past initial security checks and not actually onto a plane."
Maybe so, but some airlines *cough* BA *cough* still don't check ID for domestic flights if you print your own boarding pass. Unlike, for example, Easyjet*
For all we know, Bin Laden's been flying with BA all over the UK under the name Jim Smith for the past couple of years...
* based on a set of flights taken in December 2007, Manchester-Gatwick (BA), Gatwick-Inverness-Gatwick (Easyjet), Gatwick-Manchester (BA). And don't whinge about carbon footprint, the aircraft were flying anyway, and both airlines guilted me into paying for a tenner's worth of trees.
bloody hell, how sad. The opinions above suggest to me why we live in a nanny police state these days. Try spending your time doing something more useful and fulfilling, rather than trying to shoplift, and we all might be better off for it. If you can afford an iPod don't be such a w@nker that you try and get the 8gig for the 4gig price.
"the aircraft were flying anyway"
don't make me sick with your PH sense of logic.
@ anon. cow.
"don't make me sick with your PH sense of logic"
No, really, they were. They were already scheduled when I booked. OK, if nobody flew on them, the routes would probably get dropped, but by flying on a flight that was already scheduled, I was making it more efficient in terms of carbon emissions per person, if anything. And as all 4 flights were virtually full, my presence, or lack thereof, was unlikely in itself to make a difference to the future economic decisions made by the airlines.
If you could spend a total of 4 hours travelling from Manchester to Inverness* by air for £70 return, or 8+ hours by rail for a similar price, or by car for £100+, and you had limited time off work, what would you do? Waste an extra day travelling? I thought not. You only have to look at the WCML rail fiasco this week to understand why the shuttle flights between provincial airports and London are a necessity, and won't be dropped.
For the record I commute by rail on a daily basis and therefore have no such desires to spend 16 hours of my leisure time trapped on a train. Unless it's in 1st class. And then the price issue comes into it again.
*and Flybe are starting a direct route in March. If Ryanair hadn't dropped their Liverpool route, I'd have flown with them instead.
Fun > theft
Lots of ideas for nicking gear here, but I think I would prefer to print out a bucket load of bar codes and stick them on the wrong - but identically priced - items. Think of the fallout - the supermarket get the right amount of money so they won't catch on, but you'll get some secretary going out to get some milk and a box of biscuits, and handing in a recipt for olive oil and a box of Durex on her petty cash claim. Oh the rumours!
Need to get thinking of good swaps...
i can testify that the tippex trick *did* work on the first batch of green BT phonecards. i only had payphone access at the time (1990) and i saved a wee fortune.