What's a security problem?

On Wednesday I was driving back from Oxford and dropped in at Tesco to buy some food. They had an offer ‘5 for 4’ — buy any 5 items of packaged fruit or vegetables and get the cheapest of them for free. I bought seven items. I would have expected to get the fifth cheapest item free, but their computer instead gave me the seventh cheapest item. Here is the evidence.

A few years ago, it was common for website designers to make errors in logic that enabled customers to get unanticipated discounts. These were seen as ‘security failures’. Nowadays it seems that programmers err on the other side. Thankfully, this has stopped the security problems.

Or has it? Here’s how to attack Tesco if you don’t like them. Go and buy six packs of fruit and veg, then take the receipt to your local Trading Standards and make a formal complaint. If a hundred people do that, it’ll cost them plenty.

The Internet allows the rapid dissemination, and anonymous exploitation, of vulnerability information, as Microsoft has learned over the last five years. Maybe there are variants of this lesson that will be even more widely learned.

16 thoughts on “What's a security problem?”

  1. Whilst it’s anecdote time, it’s worth saying that sometimes the shop operators themselves spot the vulnerabilities in the pricing offers system and help you to exploit the other one.

    The other day I was hurrying through Stansted before a long trip to Istanbul, and I picked up a book and a bar of chocolate quickly from WH Smiths airport side. The till operator saw the bar of Galaxy chocolate, pretty pricey at about £1.49 for the size it was.

    He said “Here, that bar of chocolate’s cheaper if I check through this magazine as well, only 99p, let me just blip it through”. He planned to blip through the same mag kept at the till for anyone who bought the chocolate.

    For some unknown reason I felt compelled to say “well if it’s cheaper with the magazine, I might as well have the magazine” … thinking that this must somehow be even better value for money for me. I ended up feeling mildly embarrassed walking around with this tacky gossip mag; I don’t think I read it in the end.

  2. In the US, Safeway supermarkets have a lot of buy X for $Y deals. For a long while I bought X items thinking that I had to in order to get the discount. In time I found out that you get the discount for any amount you buy, even less than X, but of course they never say that because the purpose is for them to get rid of inventory.

  3. My immediate reaction is “are you sure those aubergines and grapes were prepacked?” The receipt shows them in the “weight @ rate = price” format, suggesting they weren’t prepacked and therefore wouldn’t have been included in the promotion anyway… Which leaves five items: avocados, blueberries, carrots, peppers and shallots. Of course I may be quite wrong here; I’m only guessing.

    But I do know I too have occasionally believed I was buying items that qualified for a promotion when a bit more (or, indeed, any) thought would have made me realise they didn’t actually quite fit the spec.

  4. The grapes were indeed prepacked. Indeed the ones at the bottom of the pack were off, and my wife took them back to our local Tesco yesterday.

    I don’t know if the aubergine qualified – we ate it yesterday and it was OK – but even if not, then the discount should have applied to the 5th most expensive item, not to the 6th.

    Ross

  5. Trading Standards? Unless you specify somehow for which subset of five items you want to take up this offer – paying separately for the five most expensive items may be the only way to do so – Tesco’s till firmware will obviously exploit the ambiguity by picking, among the (7 choose 5) = 21 valid possibilities, the one that maximises Tesco’s profit, not your savings. You didn’t seriously expect anything less from software developers at the nation’s profit-leading grocery store, right?

  6. And if the grapes had cost the same as the carrots, could you still have taken them back or would the store then claim you had been given them free?

    A social engineer standing in a long checkout queue would see how many people he could persuade to redistribute their shopping to maximize the joint savings, reclaiming produce from each other after the checkout.

    A programmer in the checkout queue would be distracted worrying about what would happen if you actually wanted to BUY one of those “Next Customer Please” batons …

  7. As Markus observes, there is an ambiguity in the offer. If more than five qualifying items are bought, does the offer require the five most expensive, or allow the five least expensive, to be used in determining the value of the offer? This is a matter of interpretation of the contract, and application of any background rules.

    In a consumer context, the court is likely to apply in favour of the consumer the rule that an ambiguity is to be resolved against the party who put it forward (the “contra proferentem” rule). That rule would favour Ross in the case in point.

    This is not certain, however, because of a background rule about appropriation. If you owe two debts to the same person, but for one of them you have a defence, and you want to make a payment of the other, you need to appropriate your payment to the one you want to pay, using express words. Otherwise, according to the rule, if the payer does not appropriate the payment, the recipient can do so; and your creditor will appropriate your payment to the dodgy claim, leaving the good one outstanding and enforceable.

    So under Tesco’s offer, it might claim that unless you appropriate the five most expensive items to the offer, you leave it free to appropriate the five least expensive. Since you can go through the tills twice to achieve this effect anyway, enabling it to be achieved by words seems sensible.

  8. I guess most of the programmers doing till software are not as sophisticated as seems to be implied, and the software itself is quite likely 6,000 patches away from its conception – in short, it just came out like that. “Never attribute to malice that which can be adequately explained by stupidity”, and I would also suggest a certain involvement of sloth.

  9. A really usable attack (or maybe just the guarantee that you will have your rights preserved) can be to buy your items in batches of 5 (five per bill). Then you can choose them in sets by price, and guarantee that for each 4 costly ones you will have a 5th costly one for free.

  10. Since hiring a competent till firmware and database programmer can easily affect a retailer’s profits by an amount several orders of magnitude beyond the programmer’s salary, I’d rather expect that highly qualified software-engineering and operations-research teams are working on this subject for the bigger players today. I know from at least one large UK retailer, whose IT folks invited us for an interesting tour a few years ago, that they entirely maintain their own till software and update it several times each month.

  11. I seem to remember that the discount appears on the screen of the till after the fifth item, although the receipt gives the impression that it is calculated at the end.
    You got the cheapest of the first five items that were passed through the till, which is when I expect the calculation was made. No malice, simply a bit of code.

    If num_veg MOD 5 == 0 { total -= cheapest(last_five_veg) }

    Now this is a hypothesis which would be quite easily testable and I will see if they still have the same offer at my local store.

  12. Gavin is probably correct – I’ve seen this too.

    “Buy n get cheapest free” offers are quite common, so I wonder what happens at other shops. If anyone reading this is a journalist in search of story ideas, how about trying them?

  13. Uh, that’s hardly anything to do with security! I work on the tills in Tesco myself. It doesn’t matter how many items you buy: as long as you have the 5 or more, it will take the cheapest item from your total 7 because it will class it as one of the 5 items. It’s nothing bad and is pretty self-explanatory…
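The thread above contains three different readings of the same “buy 5, cheapest free” rule: the post’s own expectation (the offer attaches to the five most expensive items), comment 11’s hypothesis (the discount is computed from the first five items scanned), and comment 13’s description of what the till actually does (cheapest of everything that qualifies). Comment 5 points out there are (7 choose 5) = 21 ways to pick the bundle, and comments 7 and 9 suggest splitting the purchase into separate transactions. The Python below, added here as an illustration, puts all of those side by side on a constructed basket; it is not Tesco’s till code and nothing in it comes from the post, and the prices and scan order are invented (in pence) so the arithmetic is exact. The one thing it shows that the thread only asserts is that the brute-force minimum and maximum over all 21 bundles coincide exactly with the retailer-favourable and customer-favourable readings, and that the split-transaction workaround recovers the customer-favourable figure even from a retailer-favourable till.

```python
"""Three readings of a 'buy 5, cheapest free' produce offer, applied to a
constructed basket of seven items.  Added illustration, not Tesco's code.
All prices are in pence so the arithmetic stays exact."""
from itertools import combinations
from typing import Iterable, List, Tuple

BUNDLE_SIZE = 5

# Constructed basket, listed in the order the items cross the scanner.
# These are hypothetical prices, not the figures on the receipt in the post.
SCANNED_BASKET: List[int] = [99, 249, 75, 199, 150, 179, 120]


def discount_customer_favourable(prices: Iterable[int]) -> int:
    """Reading 1 (what the post expected): the offer attaches to the five
    most expensive qualifying items, so the free one is the 5th most expensive."""
    ranked = sorted(prices, reverse=True)
    if len(ranked) < BUNDLE_SIZE:
        return 0
    return ranked[BUNDLE_SIZE - 1]


def discount_retailer_favourable(prices: Iterable[int]) -> int:
    """Reading 2 (what the till did, as comment 13 describes): any five or
    more qualifying items, and the cheapest of all of them is the free one."""
    ranked = sorted(prices)
    if len(ranked) < BUNDLE_SIZE:
        return 0
    return ranked[0]


def discount_first_five_scanned(scanned: List[int]) -> int:
    """Reading 3 (comment 11's hypothesis): the discount is fixed the moment
    the fifth qualifying item is scanned, using only those first five."""
    if len(scanned) < BUNDLE_SIZE:
        return 0
    return min(scanned[:BUNDLE_SIZE])


def discount_range(prices: List[int]) -> Tuple[int, int, int]:
    """Brute force over every valid bundle (comment 5's C(7,5) = 21 choices).
    Returns (number of bundles, smallest discount, largest discount); the two
    extremes are exactly readings 2 and 1, so the ambiguity is worth the gap."""
    bundles = list(combinations(prices, BUNDLE_SIZE))
    discounts = [min(bundle) for bundle in bundles]
    return len(bundles), min(discounts), max(discounts)


def discount_split_transactions(prices: List[int]) -> int:
    """Comments 7 and 9's workaround: pay for the five most expensive items in
    one transaction and the remainder in another.  Even a retailer-favourable
    till then has to free the item the customer intended.  Returns the total
    discount across all transactions (generalises to 10, 15, ... items)."""
    ranked = sorted(prices, reverse=True)
    total = 0
    for start in range(0, len(ranked), BUNDLE_SIZE):
        total += discount_retailer_favourable(ranked[start:start + BUNDLE_SIZE])
    return total


if __name__ == "__main__":
    print("customer-favourable   :", discount_customer_favourable(SCANNED_BASKET))
    print("retailer-favourable   :", discount_retailer_favourable(SCANNED_BASKET))
    print("first five scanned    :", discount_first_five_scanned(SCANNED_BASKET))
    print("all bundles (n,min,max):", discount_range(SCANNED_BASKET))
    print("split into transactions:", discount_split_transactions(SCANNED_BASKET))
```

On the constructed basket the customer-favourable reading frees the 120p item, the retailer-favourable reading the 75p item, and comment 11’s first-five hypothesis also lands on 75p for this scan order, so a receipt alone cannot distinguish readings 2 and 3; comment 11’s proposed test (scan the cheap items last and watch the screen) is what separates them. The split-transaction function shows why comment 7’s “appropriation by words” would be cheaper for everyone than going through the till twice.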
