Comments on: What’s a security problem?

By: Matthew

Matthew — Tue, 29 May 2007 14:14:05 +0000

Uh, that’s hardly anything to do with security! I work on the tills in Tesco myself, it doesn’t many how many items you buy as long as you have the 5 or more, it will take the cheapest item from your total 7 because it will class it as a one of the 5 items, It’s nothing bad and is pretty self explanitary…

By: giafly

giafly — Fri, 02 Jun 2006 17:18:55 +0000

Gavin is probably correct - I”ve seen this too.

“Buy n get cheapest free” offers are quite common, so I wonder what happens at other shops. If anyone reading this is a journalist in search of story ideas, how about trying them?

By: Gavin Jamie

Gavin Jamie — Tue, 30 May 2006 10:57:40 +0000

I seem to remember that the discount appears on the screen of the till after the fifth item, although the receipt gives the impression that it is calculated at the end.
You got the cheapest of the first five items that were passed through the tlll which is when I expect the calculation was made. No malice, simply bit of code.
If num_veg MOD 5 {total-=cheapest(last_five_veg}

Now this is a hypothesis which would be quite easily testable and I will see if they still have the same offer at my local store.

By: Markus Kuhn

Markus Kuhn — Tue, 30 May 2006 09:46:15 +0000

Since hiring a competent till firmware and database programmer can easily affect a retailer’s profits by an amount several orders of magnitude beyond the programmer’s salery, I’d rather expect that highly qualified software-engineering and operations-research teams are working on this subject for the bigger players today. I know from at least one large UK retailer, whose IT folks invited us for an interesting tour a few years ago, that they entirely maintain their own till software and update it several times each month.

By: Jean Everson Martina

Jean Everson Martina — Mon, 29 May 2006 21:56:15 +0000

A really usable attack (or maybe just the warranty that you will have you rights preserved) can be buy your items in 5 basis (five each bill). Then you can choose them in price basis sets, and warranty that each 4 costy ones you will have a 5th costy for free.

By: JR

JR — Mon, 29 May 2006 20:15:38 +0000

I guess most of the programmers doing till software are not as sophisticated as seems to be implied, and the software itself is quite likely 6,000 patches away from its conception - in short, it just came out like that. “Never attribute to malice that which can be adequately explained by stupidity”, and I would also suggest a certain involvement of sloth.

By: Nicholas Bohm

Nicholas Bohm — Mon, 29 May 2006 14:22:39 +0000

As Markus observes, there is an ambiguity in the offer. If more than five qualifying items are bought, does the offer require the five most expensive, or allow the five least expensive, to be used in determining the value of the offer? This is a matter of interpretation of the contract, and applucation of any background rules.

In a consumer context, the court is likely to apply in favour of the consumer the rule that an ambiguity is to be resolved against the party who put it forward (the “contra proferentem” rule). That rule would favour Ross in the case in point.

This is not certain, however, because of a background rule about appropriation. If you owe two debts to the same person, but for one of them you have a defence, and you want to make a payment of the other, you need to appropriate your payment to the one you want to pay, using express words. Otherwise, according to the rule, if the payer does not appropriate the payment, the recipient can do so; and your creditor will appropriate your payment to the dodgy claim, leaving the good one outstanding and enforceable.

So under Tesco’s offer, it might claim that unless you appropriate the five most expensive items to the offer, you leave it free to appropriate the five least expensive. Since you can go through the tills twice to achieve this effect anyway, enabling it to be achieved by words seems sensible.

By: Nick Towner

Nick Towner — Mon, 29 May 2006 09:54:54 +0000

And if the grapes had cost the same as the carrots, could you still have taken them back or would the store then claim you had been given them free?

A social engineer standing in a long checkout queue would see how many people he could persuade to redistribute their shopping to maximize the joint savings, reclaiming produce from each other after the checkout.

A programmer in the checkout queue would be distracted worrying about what would happen if you actually wanted to BUY one of those “Next Customer Please” batons …

By: Markus Kuhn

Markus Kuhn — Sat, 27 May 2006 20:37:37 +0000

Trading Standards? Unless you specify somehow, for which subset of five items you want to to take up this offer – paying separately for the five most expensive items may be the only way to do so – Tesco’s till firmware will obviously exploit the ambiguity by picking among the (7 choose 5) = 21 valid possibilities the one that maximises Tesco’s profit, not your savings. You didn’t seriously expect anything less from software developers at the nation’s profit-leading grocery store, right?

By: William

William — Sat, 27 May 2006 09:23:28 +0000

… and you didn’t even pick up the Clubcard points …