Hacking for Beer
by Yimir (roi_noir@hotmail.com)
Over the past few years most large grocery store chains have introduced "membership" or "club" cards.
These cards make it easy for corporations to create large databases of consumer spending habits. They also, presumably, allow the corporation to track an individual consumer's habits.
This article is about how to use this database against the corporations.
Background
On a recent trip to the grocery store, I decided to use one of their self-checkout machines for the first time.
I scanned my membership card and then started scanning my groceries. When I scanned my beer, a message popped up on the screen and a store employee came over. He asked for my driver's license, verified my age, scanned in a card dangling around his neck, typed in a PIN, and then my transaction was completed.
A few days later I went back to the grocery store and used the self-checkout machine. I scanned my membership card and then my beer.
To my surprise, no message popped up on the screen and no employee tried to verify my age. The database recorded the fact that I was over 21 and all I needed to do to purchase beer was scan my membership card.
The Hack
This article is for information purposes only, but if someone underage wanted to hack this system to buy beer it would be very easy.
One could take the membership card of anyone the system has previously authorized to purchase beer and use it (i.e., Mom, Dad, older sibling).
Alternatively, most of the membership cards have a membership number printed on them. This number is used to generate the barcode that the machine scans. It is also used to identify the person in the database.
One could take this number, and using various tools online, generate a barcode that could be printed out. Taping this onto other membership cards would in effect create a fake ID. There are different formats for barcodes, so some experimentation is necessary.
Another way to hack the system is to purchase a 12-pack of soda and cut out its barcode; soda and beer weigh about the same and should fool the weight sensor.
Then, on another trip to the store, tape the soda barcode over the barcode for a 12-pack of beer. When it is scanned, the system will think it is soda and not require an employee to verify the customer's age.
This hack is most effective when the employees are distracted or helping other patrons, as an obviously underage person scanning a case of beer that the machine reads as soda is suspicious. Also, this would only work with a self-checkout machine.
Conclusion
When I was underage (oh, so many years ago) it was difficult to purchase beer.
I spent many hours crafting fake IDs to fool people. Now all a kid needs to do is whip up a barcode and fool a dumb self-checkout machine.
This should be a lesson to corporations: go ahead and collect data on consumers, but be prepared for the consumer to find ways to use that data against you.
Shout out to Ghostie and his article "Singapore Library Mischief" in the Autumn 2006 issue of 2600.