Unexpected item in the bagging area, or threat modeling at the supermarket
Unexpected item in the bagging area!
The phrase is a staple of everyday life in the UK, and I was familiar with it because of its ubiquity in British comedy. I understood that it was a common pitfall encountered when doing something wrong at the supermarket checkout -- one of life's many little indignities in an increasingly automated and inhuman world.
I had never encountered it myself, until one fateful day when I tried to pay for some shopping in Australia and I found myself trapped in a perplexing maze of bad user interface design, useless error messages, and above all, an approach to security that did not and does not make sense to me.
In my country, you scan your items at the self-checkout, you pay for them, and the machine prints out a receipt with a barcode that you use to open the gate so you can leave.
If you have a security mindset, you will immediately come up with some ways this system can be exploited:
- All that is required to open the gate is a valid barcode, which can be generated by paying for a single item. You could ring up a single peanut and leave with thousands of euros' worth of groceries.
- The gate allows more than one person through at a time, so you can just tailgate someone without paying at all.
The main countermeasure the supermarkets have deployed is that every time you use the checkout, there is a chance of maybe one in five that you will be subjected to a random spot check by the single overworked employee who is overseeing ten or more checkouts.
This system is hardly watertight; for one, it relies on the employee somehow detecting all the merchandise you have on you. I highly doubt that if I handed them the big plastic bag with cheap stuff that I paid for, they are going to think to check the inside pockets of my jacket or the backpack that has an expensive bottle of wine in it. If you have accomplices, one of them can create a distraction to keep the employee busy for a while, while the rest of you wheel out your haul in the background. (To prevent customers from being held up too long, the spot check times out after a while.)
Supermarkets know this, of course. They don't care about preventing 100% of theft; they only care if the reduction in labour costs is higher than the increase in lost revenue.
To me, this makes perfect sense as a threat model, and I've never had any trouble using this system.
In Australia and the UK, things are different.
There exists an extra step there; for every item you scan, you are expected to put it on a weighing platform. The machine then checks to make sure that you have put the expected amount of weight on there.
I am not sure what this is for. The only thing that it prevents you from doing is putting unscanned items on the weighing platform, but... if I was interested in stealing something, I wouldn't weigh it, I would just put it directly in my bag. I suppose in theory an employee could catch you doing this, but again the ratio of employees to checkouts is far too low and you hardly need Penn and Teller levels of misdirection in order to pull this off.
To make things worse, the system commits a multitude of user interface design errors that meant I was never able to figure out how to use it on my own. I had to be shown how to do it by a kindly native.
The infamous bagging area is completely unmarked. Checkouts will usually have two more or less identical metal platforms on either side, one of which is the bagging area. You can usually tell which is which because the bagging area has a tell-tale slit in it to allow the scales to work, and it may have some metal loops to hang your bags from. (In order to avoid the dreaded message, you have to tell the machine when you are putting a bag on. This adds further room for error, as well as potential exploits.)
Even which side the bagging area is on varies by supermarket. Woolworths Metro puts it on the opposite side from regular Woolworths. Ask me how I know.
Every error is unrecoverable. When the slightest thing goes wrong, the whole system locks up until a sullen teenager comes over, rolls his eyes and wordlessly unwedges it. There is no room for experimentation.
There are other security mechanisms that make no sense to me. Some checkouts have cameras that try to determine if you have left any items in your basket, which to my mind is another mechanism that adds complexity and is easily circumvented; if I wanted to steal stuff, why would I leave it in the basket to present it to the camera? I once had the whole thing lock up because I had left one of the handles on my basket pointing slightly upwards.
I have not been able to determine the historical reasons for this cultural difference. I suspect the thinking is that "more stuff" equals "more secure", a mindset which we in IT are not unfamiliar with.