don't like the price? change the barcode!

Thor Lancelot Simon tls at
Fri Apr 11 13:50:07 EDT 2003

On Fri, Apr 11, 2003 at 12:57:11PM -0400, Perry E. Metzger wrote:
> A trivial way to attack automated bar code scanners: change the
> barcodes on products you are buying. I think actually doing it is
> reprehensible, but on the other hand it does show what happens when
> people start applying lessons from computer security to the real world:

Does it?  It seems to me that it is only an example, as we've seen
so many recently, of an age-old con retooled for new technology.

Barcodes were never intended to be anything but a replacement -- in
fact, originally, merely a supplement -- for old-style peel-and-stick
printed price labels (I speak with some authority on this as my mother
was the Nabisco representative on the original bar-code committee).  Any
teenager with a label gun can practice this attack against old-style
arabic-numeral price labels -- and many have, and do -- so it does not
exactly surprise me that there's a barcode equivalent.  Ultimately,
the cashier is responsible for verifying that the price on an item
has not been changed; that's true no matter how the item is labelled,
and requires some common sense on the part of the cashier.  The inability
of cashiers to always make the right decision about whether they're
being conned or not is part of the usual allowance for shrinkage at
any retail operation.

Of course, the automated self-service cashier locations now showing
up at some stores are another story entirely; those attempt to use
weight and size to validate that an item matches its barcode, but
even those simple sanity checks turn out to be extremely difficult
to apply without a high false result rate.  There really is no good
substitute for the human being in the loop in this application, at
least not yet.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list