Edit store price tags using Flipper Zero

(github.com)

72 points | by trueduke 2 days ago

6 comments

  • Aboutplants 1 hour ago
    I was in college when self checkout became a thing and it took us all of about 45 seconds to realize that you could just check everything out as bananas. Steak was weighed and priced at 4011 (banana code) as the stoned teenager cashier paid no attention. Everything on the receipt was literally Bananas.
    • compton93 44 minutes ago
      That's crazy. But coming from someone who wrote a book on retail fraud and worked as a retail fraud analyst for several years... you could have just walked straight out with those items.

      Transacting was your way of leaving a calling card for the investigators/analysts to find you... You stole regardless of how you did it.

    • DangerousPie 1 hour ago
      Congratulations, you have discovered the concept of shoplifting!
    • mtlmtlmtlmtl 32 minutes ago
      At least here, there are randomly triggered checks by shop staff where they have to manually rescan anything before they let you leave. And possibly, those checks are more easily triggered if you do certain very strange things like buying nothing but many separate instances of "bananas" with widely varying weights. Wouldn't be too hard to program a set of rules for the most obvious red flags.

      And of course, the area is wide open and well covered by cameras, and usually self-checkout means paying by card or google pay or something, which will tie your identity to the purchase.

    • shrubble 44 minutes ago
      I saw a video where someone took banana bar code stickers wrapped around a bunch of bananas and put them on the TVs in their shopping cart and then checked out via self checkout.

      I predict that self checkout will only remain in the more trustworthy areas…

      • hnburnsy 24 minutes ago
        That video was staged; at Target, electronics need to be paid for in the electronics department, where there is no self-checkout. In addition, Target has the best Loss Prevention in the business, including letting shoplifters continue until they accumulate enough goods that their crime is a felony.
      • saintfire 19 minutes ago
        Every self checkout around here has an employee staffing ~6 terminals. They're supposed to be watching for things like that. Usually they're just staring vacantly into space, which I get, that job pays nothing and provides 0 mental stimulation.

        When you see a TV being purchased, though, it wouldn't be hard to just watch that it in fact got checked in as such.

    • miki123211 53 minutes ago
      IANAL and this depends on the jurisdiction, but in many places, the penalties for shenanigans like these are far steeper than for outright theft, as it's considered to be financial fraud.
      • Tangurena2 14 minutes ago
        Some retail chains, of which Dollar General is the poster child, have one price displayed on the shelf and a different, much higher price at the checkout register.

        Links:

        > Missouri Attorney General Andrew Bailey has filed suit against Dollar General, claiming deceptive and unfair pricing at its more than 600 retail stores throughout the state. The lawsuit alleges that Dollar General violated Missouri’s consumer protection laws by advertising one price at the shelf and charging a higher price at the register upon checkout.

        > The joint investigation revealed that “92 of the 147 locations where investigations were conducted failed inspection. Price discrepancies ranged up to as much as $6.50 per item, with an average overcharge of $2.71 for the over 5,000 items price-checked by investigators.”

        https://progressivegrocer.com/dollar-general-accused-decepti...

        > All told, 69 of the 300 items came up higher at the register: a 23% error rate that exceeded the state’s limit by more than tenfold. Some of the price tags were months out of date.

        > The January 2023 inspection produced the store’s fourth consecutive failure, and Coffield’s agency, the state department of agriculture & consumer services, had fined Family Dollar after two previous visits. But North Carolina law caps penalties at $5,000 per inspection, offering retailers little incentive to fix the problem. “Sometimes it is cheaper to pay the fines,” said Chad Parker, who runs the agency’s weights-and-measures program.

        https://www.theguardian.com/us-news/2025/dec/03/customers-pa...

      • dfxm12 46 minutes ago
        It sucks that we have to do extra labor and expose ourselves to this kind of legal risk all because a grocery store doesn't want to staff workers. It's not even like they pass these savings onto us...
    • austhrow743 42 minutes ago
      You know you can just walk out the door with the items without using the scanner at all right?
    • stavros 1 hour ago
      Couldn't you also not just check stuff in? These are all obvious drawbacks, it's not really a high-scrutiny environment.
      • rogerbinns 10 minutes ago
        That is something you can do in cahoots with a regular cashier and the reason places like Costco check your receipt. The cashier just has to fake scan an item, and nobody would notice. Receipt checking makes it possible to get caught.
      • manarth 54 minutes ago
        Most self-checkouts I've come across have weight validation – "Unexpected item in the bagging area".

        Categorising things as "bananas" tricks the checkout into accepting the weight of an item, and you pay the appropriate price per bananagram.

        • junon 45 minutes ago
          This is a more expensive form of shoplifting though, idk why even bother with the banana thing, as hilarious as it is.
          • manarth 38 minutes ago
            Presumably there's a slightly lower risk of getting caught, as casual observation suggests a normal shopper paying for their groceries.
    • kvuj 49 minutes ago
      People like you are why we are living in an increasingly lower trust society, with for example having items behind locked door in shops.

      Reminds me a bit of the shopping cart theory.

      • dfxm12 39 minutes ago
        Think about blaming the grocery store replacing workers with no one in particular before you blame some college pranksters.

        Grocery stores in general consolidating, laying off workers, leaving them without pay/benefits, taking advantage of greedflation, etc., is a bigger drain on society.

        • hrimfaxi 14 minutes ago
          Ah yes, let's blame some shadowy "big grocery" rather than point our fingers at individual bad actors.
    • tamimio 38 minutes ago
      Careful, the law is lenient if you steal from other normal people, but as soon as you steal from the wealthy, try to defraud them, you will see all sorts of laws to make sure you are an example to others so they never think about doing the same, but a normal person? Oh well, you should have paid for insurance, or suck it up.

      On the other hand, the wealthy can lobby, inflate the prices overnight just because, while also reducing the good weight aka double increase, and you can’t say anything because it’s legal!! It’s a one way “justice” system.

  • petterroea 35 minutes ago
    It's always funny when people publish source code and have a disclaimer saying "You CANNOT use it for bad!". When is the last time a criminal read such a disclaimer and thought "Oh right, guess this isn't for me"?

    Sure, at least the developer can say they did say so, but it doesn't matter. To me it seems more like avoiding responsibility. You published the tool, and by doing so you changed the world, even minutely, and in ways you cannot predict.

    As hackers we bear the responsibility of tools we publish. Even if you believe knowledge is the most important and that everything _should_ be published, we should at least be well aware of the consequences. Great power, great responsibility.

    • kimos 19 minutes ago
      I think it’s trying to demonstrate intent. “This is cool and hacking is fun” vs “Here is a tool to do bad things”. I don’t think it would much protect you from consequences, but it can change perception of the intent of the project.
    • hrimfaxi 18 minutes ago
      What would you prefer they say?
  • weli 2 hours ago
    This is pretty dangerous. At least in my country the displayed price must be honored and they cannot refuse the sale.
    • rickdeckard 2 hours ago
      Usually the advertised price must be honored, because it may have brought the customer to your store.

      For prices displayed on the shelf-label inside the store the law is usually not that strict (YMMV), as a shop-owner can refuse sale on check-out (otherwise I could put a pricetag on e.g. a shopping-basket and the shop-owner would be legally required to sell me the basket...).

      Besides, most shops I've seen (in Europe) already moved from Infrared communication to RF (NFC or proprietary), for centralized shelf-label management without handheld devices. So all this study (and the underlying reverse engineering of the IR-protocol) might do is probably accelerate the transition from IR to RF-based ESL...

      • rimunroe 1 hour ago
        > Usually the advertised price must be honored, because it may have brought the customer to your store.

        This is not the case for groceries in Massachusetts at least. If there’s a discrepancy between the tag’s price and the scanned price the store must charge the customer the lowest of the two: https://www.mass.gov/price-accuracy-information

        • devilbunny 22 minutes ago
          I suspect this law does not apply in cases of fraud. If not, simple tag-switching would be rampant.
        • stevekemp 34 minutes ago
          I recently learned that in some cases fines of mispriced goods were very low, leading to companies repeatedly failing tests - and over/undercharging their customers.

          https://www.theguardian.com/us-news/2025/dec/03/customers-pa...

          That seems shocking to me, but I guess I live in a country where the prices on the shelves are "final" (with no need to add taxes) and I think it would be immediately obvious if I'd been charged the wrong price for goods.

      • teeray 37 minutes ago
        It definitely varies by jurisdiction, but the register price always loses to any printed price in the US states I’ve lived in. This is a protection since retailers have used pricing mistakes to unfairly profit. Watch your receipt like a hawk at the dollar store[0]

        [0] https://www.theguardian.com/us-news/2025/dec/03/customers-pa...

      • master-lincoln 1 hour ago
        How is the transport medium changing anything?

        To me this is about having protocols that are suitable so not anybody can write to these labels without knowing a store secret or using replay attacks.

        • mschuster91 1 hour ago
          > How is the transport medium changing anything?

          It's mostly about efficiency. IR based, an employee needs to physically walk around. RF based, place a transmitter or two in the building and the system now works fully automated.

          • master-lincoln 1 minute ago
            Sorry about not being explicit. I meant how it changes anything security-wise.

            With the same vulnerable protocol the RF system is easier to attack than it seems....
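
The property asked for in this sub-thread (a label that rejects writes from anyone who lacks a store secret, and rejects replayed frames), as an added sketch. It is not code from the linked project and not the real ESL protocol: the frame layout, the key derivation and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag appended to every frame (assumed size)
HDR_LEN = 12   # 4-byte label id + 8-byte update counter, big-endian (assumed layout)

def derive_label_key(store_secret: bytes, label_id: int) -> bytes:
    """Per-label key, so extracting one label's key does not expose the store secret."""
    return hmac.new(store_secret, b"esl-label" + struct.pack(">I", label_id),
                    hashlib.sha256).digest()

def build_frame(key: bytes, label_id: int, counter: int, payload: bytes) -> bytes:
    """Back-office side: header || payload || MAC(header || payload)."""
    header = struct.pack(">IQ", label_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Label:
    """Label side: accept only authenticated frames with a strictly newer counter."""
    def __init__(self, label_id: int, key: bytes):
        self.label_id = label_id
        self.key = key
        self.last_counter = 0      # must live in non-volatile storage on a real device
        self.display = None

    def receive(self, frame: bytes) -> str:
        if len(frame) < HDR_LEN + TAG_LEN:
            return "malformed"
        header, payload, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad-mac"
        label_id, counter = struct.unpack(">IQ", header)
        if label_id != self.label_id:
            return "wrong-label"
        if counter <= self.last_counter:             # old or repeated frame
            return "replay"
        self.last_counter = counter
        self.display = payload.decode("utf-8", errors="replace")
        return "ok"

def demo():
    """Constructed sample traffic: genuine, replayed, tampered, wrong-key, genuine."""
    secret = b"constructed-store-secret"
    key = derive_label_key(secret, 7)
    label = Label(7, key)
    first = build_frame(key, 7, 1, b"Bananas 0.59/lb")
    tampered = bytearray(first)
    tampered[HDR_LEN] ^= 0x01                        # one payload bit flipped in transit
    no_secret = build_frame(b"not-the-store-key", 7, 2, b"TV 0.59")
    second = build_frame(key, 7, 2, b"Bananas 0.62/lb")
    results = [label.receive(f) for f in (first, first, bytes(tampered), no_secret, second)]
    return results, label.display
```

The check is the same whether the frame arrives over IR or RF; only the counter and the MAC decide whether a frame is accepted.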

    • wyldfire 1 hour ago
      In your country merchants are not obligated to honor fraudulently altered price displays.
    • dewey 1 hour ago
      Probably mostly dangerous for the user, or are people routinely writing their own price signs in the store and then "buying" it for less? Walking up to the lot at the car store and crossing out some zeros? Don't see how this would be any different.
      • xingped 57 minutes ago
        Back in the day people used to swap/edit price tags a lot. Also making fake coupons with the same knowledge. It was a pretty common and easy form of shoplifting since all barcodes used to do was just encode the pricing/discount information.
      • ModernMech 1 hour ago
        What they do is swap bar codes, or they code organic fruit as regular, or they "forget" to scan in the self checkout, but yes.
        • dewey 1 hour ago
          So it's just stealing with extra steps.
        • walrus01 1 hour ago
          This is a big reason why retail product barcode stickers (not barcodes printed directly on a package as it comes from the manufacturer) are now commonly printed on frangible stock with built in slices in it which breaks apart in 3, 4 or more pieces if you try to peel it off.
          • rithdmc 56 minutes ago
            Hardly matters when one may print their own barcode on labels and cover the frangible one.
            • gruez 49 minutes ago
              Printing your own sticker requires way more prep than ripping one off a pack of ground beef and sticking it on a pack of ribeye steak.
    • gus_massa 2 hours ago
      I guess they can use the cameras to show you were tampering with the labels and call the police. Somewhat related xkcd https://xkcd.com/1494/
    • rjmunro 47 minutes ago
      In which country?
      • weli 17 minutes ago
        Spain
  • comrade1234 1 hour ago
    Since it's IR, is it line of sight? How would you go about changing every tag in the store to say 'Palestine $0.00', for example?
    • DoctorOW 47 minutes ago
      I wonder if since IR is invisible you could theoretically, in an intellectual exercise, blast IR light in a room and mass change them surreptitiously if that was your goal.
  • stavros 3 hours ago
    I am overjoyed to see this story here, we haven't gotten a lot of these hacks lately. Well done!
    • encom 2 hours ago
      Hacks? In my Hacker News? The nerve!
      • _joel 1 hour ago
        Are these hacks or cracks? I'd say the latter.
        • IshKebab 53 minutes ago
          I wouldn't. It doesn't appear that anything was cracked. Rather they just reverse engineered the protocol.
  • voidUpdate 3 hours ago
    I still don't think I've seen an actually useful application for a Flipper Zero. It's all just "use this to change store price tags" or "here's how to disconnect all bluetooth devices", but also "don't actually use this, because it would be illegal, this is just for educational purposes"
    • rickdeckard 3 hours ago
      Beside of how the media often tries to present it, the value of Flipper Zero is not for everyone to "become a hacker with this simple app".

      Its value is to provide a standardized hardware platform for (white hat) hackers for probing, prototyping, refining and sharing of security research in the fields its hardware supports (Sub-GHz RF, NFC, IR, and custom external boards via simple Input/Output pins).

      Prior to that, everyone who wanted to research e.g. RF security had to either build/assemble something custom or buy much more expensive equipment. This created a barrier to collaborate on research, as everyone had to buy/build the same setup.

      On top of that, Person A researching some RF topic selected an RF-transceiver from Company X, Person B used a component and a proprietary SDK of Company Y, so consolidating both work streams for a better foundation for all RF-related research required a lot of time and effort from someone, breaking workflows of at least one group of researchers, etc.

      In contrast, security research which utilizes Flipper Zero can be reproduced and built upon by everyone. All the work is harmonized on the same Hardware architecture, so it's easy for someone familiar with the platform to dive straight into a new idea without having to build a new breadboard, select a chipset, buy additional probing equipment etc.

      • kotaKat 2 hours ago
        I'm tired of the "security research" angle when it's all just kids playing with ESP32 deauther attacks presented to them on a silver platter.

        I should not have to put up with children going "JUST SECURE YOUR NETWORKS BRO" because they spent $30 on some eBay "marauder" dongle to be a pissant.

        • lan321 2 hours ago
          It's probably good to have kids with no big plans messing with your security now and then. Keeps you on your toes, and you can't really pass it off as an act of god if a teenager pwns you.
        • rft 1 hour ago
          And a minority of those kids will get curious about the How and Why. Those are the security nerds of the future securing the networks against both the kids they were themselves and actual malicious actors.

          Source: Early interest in wifi security, including in other people's networks, led me down an education and career in security

        • gausswho 1 hour ago
          Hacker News. Where you either die a pissant or become the villain with a fistful of RSUs.
          • kotaKat 1 hour ago
            I sure wish I was wealthy and had a fistful of RSUs. You wanna send me some? I make 5% over my area's 80% median income and I can't even get housing because I "make too much money" despite being $3000 too rich.

            I'm pretty tired of being the network guy in the field playing remote hands having to be on the front lines of all of this bullshit having to explain to decision makers that a bunch of shitty kids are running around and there's no real solution that we can just "fix" this with.

            I'm tired. If they're not deauthing our networks they're breaking into rooms with the goddamn card copying and fuzzing functionality and stealing shit.

            • gausswho 8 minutes ago
              I apologize. My response was a flippant attempt at humor and I didn't mean to personalize that at you. I have had those days where I had to clean up the mess left behind by a merry prankster. They aren't fun days.

              Sometimes the deviant act will get a nod of appreciation from me, but not if an AI did all the heavy lifting. I keep a labor-of-love website up and am increasingly swatting away scrapers in an attempt not to get slammed with a bankruptcy-tier cloud bill.

        • master-lincoln 1 hour ago
          The alternative is to put up with crackers abusing your insecure network for their own benefit.
        • StingyJelly 2 hours ago
          [flagged]
    • OuterVale 2 hours ago
      I use mine for all sorts. I volunteer at a second-hand shop so use it to set up remotes for donated media devices, I've used it to run scripts to apply the same changes to many computers that aren't on a group policy via BadUSB, I've used it for toys-to-life games, and very much more. There are plenty of genuine uses if you're cluey.
    • rjh29 3 hours ago
      Turns out it's what they said it was all along, an educational device.
    • vbezhenar 1 hour ago
      Yeah, I bought it and it has collected dust since then. Fun device but I have no idea how to use it in my life.
    • avian 3 hours ago
      This one provides the source and asks you to build it yourself so at least it has some credibility for the "education use only" claim.

      I've seen similar things posted on here before that had a binary build only and zero technical documentation. It was really hard to see any kind of research or education value in those.

    • tamimio 33 minutes ago
      It’s been very useful to me in so many ways, from fob management, to one IR, to rf scanner and other stuff, it’s useful if it fits your needs, just like anything else out there.
    • cucumber3732842 3 hours ago
      It's useful for dealing with the industrial equivalent of IOT garbage
    • hughNala 28 minutes ago
      [dead]
    • imp0cat 2 hours ago
      [flagged]
      • master-lincoln 1 hour ago
        As if devices created in Russia would all be "useless" or only for illegal purposes.

        I smell prejudice

      • estimator7292 1 hour ago
        Cool racism bro