Automation is the new wave of the future. We have everything from our food to our own bodies implanted with RFID (Radio Frequency Identification) chips nowadays. RFID chips allow us to let machines handle the scanning and security. But while the machines can tell you if something hasn’t been paid for or what something is, they can’t tell you about social cues.
This new security through automation has led to a new wave of thieves who take advantage of your newfound confidence in “the system”. This is the framework for social engineering. In layman’s terms, social engineering involves using careful questions, methodical actions, and a knowledge of a system’s security to “hack” it.
So how are folks “hacking” their grocery stores? Self-Checkouts.
Where you had one person per register and often two if you counted the person bagging the groceries, now many grocery stores, like Super Walmart, have gone to a turnstile-type bagging system where the cashier now scans AND bags. Additionally, with the advent of self-checkout systems, you can have as many as 4 or 6 checkout kiosks with only one manager to help out all of those customers.
The issue is that, in reality, you’re dealing with people who either don’t understand the way the checkout works or are doing something wrong, which requires the self-checkout manager to leave his monitoring station to come and help. Oftentimes, you can hit a security snag like having a different weight in the bagging section than what should be there, or an item that can’t be scanned, etc.
Rather than take the time necessary to monitor for security, the checkout managers are trained to monitor for speed and service, so such items are usually passed through as long as the person doesn’t appear to be doing something fraudulent.
Meet The Grocery Store Managers – Alan and Greg
I spoke with two grocery store employees this weekend to confirm what I’ve seen in my experience using the systems they’re tasked to manage. Alan and Greg work at different stores. Both are in managerial positions at their stores. For their feedback, I’ve left out their details. Both expressed concern that this is just something you don’t talk about.
Alan works at a smaller community market (which he’s asked be left unnamed) that’s been around for over 20 years. Their systems have been retrofitted with RFID chips, self-checkouts, and basic door security with scanners at the exit which go off when items have not been marked paid. Alan’s store has two “older” gentlemen (who alternate shifts) at the door scanners to greet as well as act as a deterrent for theft. All lanes have a bagging clerk and the self-checkout section has 4 stations with a single manager podium/station.
Greg works at a new Super Walmart that was built from the ground up less than 3 years ago. Much like Alan’s setup, there are several disabled and/or elderly employees who work as greeters and impromptu theft deterrents near the door scanners. Everything else is similar.
To be precise, regarding the greeters – both Alan and Greg admit that their presence is meant to be a deterrent. Neither company truly uses their greeters as security personnel. As the last employee a customer sees as they exit, they are just asked to greet, and to generally remain aware of suspicious behavior and to alert a floor manager if needed.
Three Ways Grocery Stores Are Getting ‘Hacked’
As a programmer, you inherently look at flaws in a system. It’s how you improve the systems you build on a daily basis. These are the three flaws I’ve seen in the system in my visits to both stores. Though Alan’s store sells primarily groceries and Greg’s sells everything you could need (lawnmowers to bananas), it’s remarkable how similar their experiences with all three methods are.
Tactic #1: Misrepresenting An Item’s Weight
This seems to be a bulletproof system. You enter in the type of produce, place it on the scanner, and the scanner prices it based on the weight. However, because of the lack of attention by the manager in busy times, or because of the complete absence of a manager altogether, this is one more way thieves are getting a leg up on the machine. When scanning produce which has been bagged, some will hold the produce while on the scanner, letting it register at a fraction of its true weight. The scanner is also intended to weigh items placed in the center. Placing the bulk of an item’s weight closer to the edge also misrepresents the weight. On higher priced produce and goods measured this way, the price adds up very fast.
Alan:
The truth is that at my store, I can’t always be at my station. Most of the time people don’t follow the directions and I have to reset their station or help them navigate through the system’s instructions. Sometimes I’m called away and the station is left unmanned. If I’m there, I’ve been trained to focus on keeping the lines moving. I honestly can’t say I’ve kept an eye out for this, but it’s very possible. I’m more likely to see it as placing something on or off the scanner itself and as long as it seems you’re doing it right, I’ll get back to scanning the other 3 stations for problems.
Greg:
I’ve actually caught one person doing this but only because they were teenagers, louder than normal, and because I overheard one of them tell the other teen to do this. Aside from that, while I’m at my station 95% of the time, I don’t check for it. I’m more concerned about helping customers get through the lines. The teenager that was caught had $7.00 worth of apples and they registered for just under $1. If I hadn’t overheard him, I wouldn’t have caught him. If apples register as apples, I don’t pay attention to the price.
Tactic #2: Not Scanning The Item At All
This tactic works on the premise that most food is simply not tagged with security. Loss Prevention is all about the ratio of cost to secure vs cost of theft. For many “small ticket” items such as groceries, there is usually no security. Pharmacy goods, medicine, alcohol, and other items do get secured most of the time, but your loaf of bread, box of rice, and produce aren’t.
When scanning items, these thieves will grab 2 or 3 of the items, let one scan and place them all in the bag before being seen. Or they will simply run the item over the scanner where the code cannot be read and the beeps from another station will give the checkout manager the assurance that the item was scanned. In other words, perception is reality.
Alan:
At my store, the job of scanning in each item in the store into our computers is left to minimum wage teens. Some get lazy, some honestly miss items, and some are just following orders not to scan certain items. We have limited resources and when a scanner is broken or misplaced, the more tangible and visible efforts like customer service and attention have a higher priority placed on them. At my store I’m bouncing around between stations helping people out or resetting their screen. I may notice if you don’t scan something and leave it at the bottom of your cart like soda or dog food, but if you pretended to scan it most clerks would leave any suspicion up to the security at the exit.
Greg:
At our particular store, we simply do not secure most foods. We cover alcohol, but mostly because of federal law regarding purchasing by minors. Technology items, toys, and more expensive items usually have RFID tags, but our food does not. If it looks like you’re scanning items correctly and not calling attention to yourself, I probably won’t pay attention to you. It’s the people that start getting agitated or that flag me that get the attention. We’re trained to make sure people scan all items in the cart, but as long as your cart is empty and everything looks to be in order, there’s no reason to be suspicious.
Tactic #3: Scanning A Different, Lower Priced Item
With produce and expensive cuts of meat such as steak and beef, they can be entered manually if their tag is missing or it won’t scan for one reason or another. When entering in the item code, you can enter in the code for a cheaper item, or a smaller item. As long as the item is scanned, the weight is mostly irrelevant. Expensive cuts of lean steak can be rung in as a quarter pound of ground beef. Something jumbo sized can be entered as something a fraction as big. If the item looks like the item being scanned, brand, weight, or size is often ignored altogether.
Alan:
With our produce, some are missing labels. This is notorious with bananas. We only sell one type of banana so most people still enter everything correctly. As far as the rest... If it looks like you’re scanning in medicine, detergent, or whatever, as long as the item scans and you don’t call suspicion to yourself, I honestly can’t say I’d give you a second look. It’s more about obvious theft like leaving things in your cart, moving the lines along, and helping customers with the system.
Greg:
When I first got hired on I started out stocking items in the back of the store. Several of the employees back there routinely did this. They would buy hundreds of dollars of steak, key them in as ground beef and pay 10 or 20 percent of the true cost. If a fruit looked red or round, they would key it in as a tomato or apple, whichever was cheaper. They don’t work here any longer but for other reasons. That department has a high turnover rate. If it looks like you’re scanning what pops up on my screen, I’m more concerned with the other stations. If someone scans in a different TV or DVD player, we let the door scanner alarms handle things. So much gets scanned every minute, it’s nearly impossible to pay attention to specifics.
But Does The Door Security Really Work?
This question was the reason I couldn’t use Greg’s real name. He admitted that most of the door greeters were “nice old ladies” and that some rarely even left the electronic carts they sat in due to their disability, weight, or simply because it was easier that way, and that many would just wave hello or goodbye while trying to stay awake. He said that Wal-Mart takes Loss Prevention and theft very seriously, but when the alarm goes off – there’s nobody nearby to second guess the greeter’s judgment.
Some of the electronic devices like the Xbox 360, PlayStation 3, or Nintendo Wii grab additional attention in the associate meetings. But items like TVs, PC accessories, and other high ticket items do not. When the alarms sound, the greeter will usually check that the customer has a receipt and that the items are on the receipt, but only to see that something like that item was bought. Unless it’s very obvious, the customer is just waved on. If they recognize the customer as a frequent one or one that “looks normal”, as long as the customer looks confused and offers the chance to investigate, the greeters will just smile, chalk it up to fussy computers, and let them go without checking.
As Greg put it, the folks working the door don’t really check to see why a $20 new release of 50 Cent’s CD rings up as a clearance-priced MC Hammer CD. It’s a rap CD, it must be the machines.
The security figures the cashiers caught the mistake. The cashiers figure the security will catch a mistake.
How Bad Does The Theft Get?
Because Greg had personal knowledge of employee theft, I figured he had heard other stories of people using the above system. He had indeed. He acknowledged that the third tactic was by far the most expensive in terms of items stolen. Stealing that way at his store was often called “Oops’ing”.
What is Oops’ing?
During a non-company related Christmas BBQ a couple years back that many of the employees attended (including Greg), one of the stockers was tipsy and admitted to “Oops’ing” a few hundred dollars worth of the alcohol and steaks they were eating. The night manager coined the “Oops” term when items were mislabeled as the right type or brand of item, but at an incorrect price or size.
The host (the stocker) went through the self-checkout and each item was entered, but as a much smaller sized bottle or type of meat. When the numbers come back, or a duplicate item is later registered (when you enter in another item’s code and that item is later scanned, the purchase is flagged), it’s very easy to write the loss off as a mistake during inventory. Because the true items may be purchased with a large time difference between them, it rarely raises suspicion.
One of the department managers had overheard the boastful host and took him into the corner. Greg expected some loud words, but oddly enough, after a few concerned questions were asked, both came back smiling and ready to party.
When Greg asked the stocker what that was about, he was told the manager just wanted to know that nothing was “stolen” and that everything was just entered as something else, as it had been. When that’s the case, it looks like computer error, and the numbers of items loaded and purchased still balance out. The stocker was warned that if the manager ever heard that again he’d have to take action, and that the employee should be smart and keep that kind of thing quiet.
Greg said the truth was that many of them read and post on sites like Walmart-Blows.com. He didn’t speak up about the BBQ theft because for the most part, if he keeps quiet and focuses more on his numbers and section, it’s better.
“You never know if you’re ratting to a manager about their friend”, said Greg. I suppose he’s right.