How To Hack Barcodes: Is Your Business At Risk From Theft?
DISCLAIMER: This post may contain activities which could be in violation of your local laws if carried out. I do not condone illegal activity and this post is for information purposes only. I recommend that you contact your local law enforcement agency with regards to carrying out any activity from the information provided here. I do not guarantee that the information here is correct or factual. I am not responsible for, or assume liability for damages resulting from the use of the information on this site.
In this post I will take you through one of the most popular barcodes used in stores here in UK and Europe.
If you’re in America and think that this post rules you out then think again. America’s UPC version A works the same way as our EAN13 and EAN8!
The vulnerability in these barcodes are nothing new and have been known for many years but because they’re so mainstream and inconspicuous no one seems to care.
But let’s imagine for a second that we printed out our very own barcode stickers and placed them on random items in the store.. We could purchase any item we wanted for any price we wanted!
Shall we get too it? There’s a lot to get through.
Contents
1. Introduction
We all use barcodes every day of our lives, yet very few of us know just exactly how it works.
There are literally hundreds of different barcode types, from 2D to 3D and now QR or Quick Response barcodes which are very popular on the internet right now.
Here we will take a closer look at the European Article Numbering system (EAN).
The following image shows what we will be looking at in this post:
2. Where Are Barcodes Used?
There may be many different uses for barcodes but one reason is for stock control of inventory.
Using a barcode for stock control then, we can keep track of how many products of a particular type is available to purchase in the store at that particular moment.
This would indicate to the store manager that more stock may need to be delivered.
Sometimes the system will be fully automated, in that the computer system can re-order stock without any human intervention.
Another common reason for using a barcode is to reduce the time spent at the cashier’s till as it is very quickly and easily scanned and processed without looking for any price tag.
3. History Of The Barcode
Universal Product Code (UPC) was adopted for commercial use by the grocery industry in the USA.
Among the advantages were a rapid, accurate and reliable way of entering stock information into a computer and the possibility to replace jobs and make more profit.
The early success led to the development of the European Article Numbering System (EAN), a symbology similar to UPC, that is widely used in Europe and in the rest of the World.
This is the symbology we will be learning since I do not live in the States.
Keep in mind that there are different barcode symbologies, each with its own particular pattern of bars.
The UPC/EAN code used on retail products is an all-numeric code, and also the Interleaved 2 of 5 Code.
Code 39 includes upper case letters, digits, and a few symbols. Code 128 includes every printable and unprintable ASCII character code.
A later version is a 2D code. These are special rectangular codes, called stacked barcodes or matrix codes.
They can store considerably more information than a standard barcode. They require special readers which cost more than a standard scanner.
The practical limit for a standard barcode depends on a number of factors, but 20 to 25 characters is an approximate maximum.
For applications that need more data, matrix codes are used.
For example, the next time you receive a package from United Parcel Service look for a small square label with a pattern of dots and a small bullseye in the centre.
This is a MaxiCode label, and it is used by UPS for automatic destination sortation.
The manufacturer’s ID number on the barcode uniquely identifies products. These numbers are managed by the Uniform Code Council in Dayton, Ohio for the States and Canada and by the EAN authority (International Article Numbering Association) in Brussels, for Europe and the rest of the World.
The manufacturer’s ID number accounts for some digits of the code, which leaves other digits to be assigned in any way the producer wants.
He/She provides retail outlets with a list of their products and their assigned codes so that they can be entered in the cash register system.
Many codes are NOT on the products and are added by the supermarkets on the fly, using an internal code schema that may be non standard.
4. Let's Take A Closer Look
EAN 13 and EAN 8 are both the same, except.. yep you guessed it. one has 13 numbers, the other has 8.
They both work the same way.
EAN 8 is used for smaller items, such as rolling tobacco papers.
So for this we are just going to use EAN 13 but just apply the same principles for EAN 8.
Each EAN barcode label has 13 values.
In this post we will be counting from zero, as this is where computers usually start counting from. (the UPC American version has only 12).
Use the following to guide you:
#0, #1 and #2 indicate the origin of the product.
#0 to #11 give the article code
The final digit (#12) is a checksum value that is used to verify the validity of all the other numbers.
Now look at a barcode label..
Barcodes are supposed to have “quiet zones” on either side of the symbol. Quiet zones are blank areas, free of any printing or marks, typically 10 times the width of the narrowest bar or space in the bar code.
Failure to allow adequate space on either side of the symbol for quiet zones can make it impossible to read the bar code.
On the barcode there are two “borders”, left and right, and a “middle” longer line.
These three lines are longer than the others and are used to regulate the scanner to whatever dimension has been used for the barcode.
#0 dwells left of the first (left) border and has a special meaning, the other 12 numbers are written inside the code and are divided in two groups by the middle bar.
Each value is coded through SEVEN bars: black=1 and White=0. These form two couples (or pairs) of “optic” bars of different widths.
The following image shows a right angle bracket (>). This is sometimes used as an indicator to the quiet zone on the right.
5. The Checksum Algorithm
An algorithm is simply a mathematical equation.
The following demonstrates the algorithm used, and how it calculates the checksum:
#12 is calculated in 4 steps
VALUE A: You sum odd position numbers:(#0+#2+#4+#6+#8+#10)
VALUE B: You sum even position numbers and then multiply by 3:((#1+#3+#5+#7+#9+#11)*3)
VALUE C: You sum value A and value B
VALUE D: Value C is then modified. You divide by 10 and only keep the remaining units.
(This is a very widespread checking scheme.) Then if the result is not zero, you subtract it from 10.
6. The ABC's
If you look closely enough and compare two different barcodes, you will notice that the same numbers give completely different sized width bars.
This would encourage most people to give up trying to figure them out.
Barcode uses THREE different SETS of characters to represent the values through 0-9.
These code sets are indicated by: A, B and C.
The following chart shows the graphic codes of the three graphic sets.
The code set is in binary, with it’s decimal representation in parenthesis.
Borders: 101
Centre: 01010
– The C graphic set is a “NOT A” graphic set (inverted A)
– The B graphic set is a “XOR C” graphic set.
– each value has two couples of bars with different widths
Looking back at a barcode label, can you see the difference between the numbers left and the numbers right? The first “half” of the barcode is coded using sets A and B, while the second “half” uses set C.
As if that were not enough, A and B are used inside the first “half” in a combination that varies and depends from the First Digit (position #0), following TEN different patterns:
7. Example's Of How A Barcode Algorithm Works
Example 1
Okay now we will take as an example the codebar for a pack of 6 first class stamps:
BARCODE: 5 014721 112268
Let’s see, we have a 501. This indicates that the product was manufactured in UK.
Then a 014721. This uses the pattern of ABBAAB (because of the 5 at the beginning), and a 112268 as C.
5+1+7+1+1+2 = 17 (odd sum)
Then a 0+4+2+1+2+6 = 15 and 15*3=45 (even sum)
Then a 17+45=62
62 = keep the units, delete the tens(2),
10 – 2 = 8 = checksum
Pattern = 5 = ABBAAB CCCCCC
Example 2
OK, one more example: a loaf of white bread
BARCODE: 5 010003 000131
Let’s see: we have a 501 = UK
Then a 010003 as ABBAAB and a 000131 as C
5+1+0+3+0+1 = 10 (odd sum)
Then a 0+0+0+0+0+3= 3 and 3*3=9 (even sum)
Then a 10+9=19
keep the units, delete the tens = 9
if the result is not 0, then: 10 – 9 = 1 = checksum
Pattern = 5 = ABBAAB
8. Barcode Country Codes
Wikipedia has a list of country codes and their prefix’s here but for completeness I will include them in this article.
If you pick up any EAN coded item, you can match the first 3 numbers from this list and it will indicate the country of manufacture. eg. 500-509 range = UK.
List of countries and their corresponding prefix code:
000–019 UPC-A compatible – United States and Canada
020–029 UPC-A compatible – Used to issue restricted circulation numbers within a geographic region (MO defined)
030–039 UPC-A compatible – United States drugs (see United States National Drug Code)
040–049 UPC-A compatible – Used to issue restricted circulation numbers within a geographic region (MO defined)
050–059 UPC-A compatible – GS1 US reserved for future use
060–099 UPC-A compatible – United States and Canada
100–139 United States
200–299 Used to issue GS1 restricted circulation number within a geographic region (MO defined)
275 Palestine
300–379 France and Monaco
380 Bulgaria
383 Slovenia
385 Croatia
387 Bosnia and Herzegovina
389 Montenegro
390 Kosovo
400–440 Germany (440 code inherited from old East Germany on reunification, 1990)
450–459 Japan (new Japanese Article Number range)
460–469 Russia (barcodes inherited from the Soviet Union)
470 Kyrgyzstan
471 Republic of China (Taiwan)
474 Estonia
475 Latvia
476 Azerbaijan
477 Lithuania
478 Uzbekistan
479 Sri Lanka
480 Philippines
481 Belarus
482 Ukraine
483 Turkmenistan
484 Moldova
485 Armenia
486 Georgia
487 Kazakhstan
488 Tajikistan
489 Hong Kong
490–499 Japan (original Japanese Article Number range)
500–509 United Kingdom
520–521 Greece
528 Lebanon
529 Cyprus
530 Albania
531 Macedonia
535 Malta
539 Republic of Ireland
540–549 Belgium and Luxembourg
560 Portugal
569 Iceland
570–579 Denmark, Faroe Islands and Greenland
590 Poland
594 Romania
599 Hungary
600–601 South Africa
603 Ghana
604 Senegal
608 Bahrain
609 Mauritius
611 Morocco
613 Algeria
615 Nigeria
616 Kenya
618 Ivory Coast
619 Tunisia
620 Tanzania
621 Syria
622 Egypt
623 Brunei
624 Libya
625 Jordan
626 Iran
627 Kuwait
628 Saudi Arabia
629 United Arab Emirates
640–649 Finland
690–699 People’s Republic of China
700–709 Norway
729 Israel
730–739 Sweden : EAN/GS1 Sweden
740 Guatemala
741 El Salvador
742 Honduras
743 Nicaragua
744 Costa Rica
745 Panama
746 Dominican Republic
750 Mexico
754–755 Canada
759 Venezuela
760–769 Switzerland and Liechtenstein
770–771 Colombia
773 Uruguay
775 Peru
777 Bolivia
778–779 Argentina
780 Chile
784 Paraguay
786 Ecuador
789–790 Brazil
800–839 Italy, San Marino and Vatican City
840–849 Spain and Andorra
850 Cuba
858 Slovakia
859 Czech Republic
860 Serbia
865 Mongolia
867 North Korea
868–869 Turkey
870–879 Netherlands
880 South Korea
884 Cambodia
885 Thailand
888 Singapore
890 India
893 Vietnam (previously used by North Vietnam and South Vietnam before 1975)
894 Bangladesh
896 Pakistan
899 Indonesia
900–919 Austria
930–939 Australia
940–949 New Zealand
950 GS1 Global Office: Special applications
951 Used to issue General Manager Numbers for the EPC General Identifier (GID) scheme as defined by the EPC Tag Data Standard
955 Malaysia
958 Macau
960–961 GS1 UK Office: GTIN-8 allocations
962–969 GS1 Global Office: GTIN-8 allocations
977 Serial publications (ISSN)
978–979 “Bookland” (ISBN) – 979-0 used for sheet music (ISMN-13, replaces deprecated ISMN M- numbers)
980 Refund receipts
981–984 GS1 coupon identification for common currency areas
990–999 GS1 coupon identification
9. Barcode Database
The GS1 database holds every registered number on record.
The local corner store will only hold records for the items they sell, stored on a database, in that computer you always see when you glance through that open door labelled “staff only” at the back of the shop.
The barcode number is just that. A number. By its self it means nothing.
But once scanned into till, it searches the database in the back, and retrieves the relevant information from that database to the front till.
This way.. when a price changes for a particular item, (and the price is forever going up!) they just change the price once, in the database, rather than changing the packaging on every item in the store.
The bar code reading equipment have great tolerance because the scanners must be able to recognise barcodes that have been printed on many different media’s.
For all the scanner itself cares, your label could be pink with green stripes and with orange hand-written, numbers.
More info on the EAN barcode can be found at the following sites:
Interesting fact: The first item to be scanned at a cashier’s till using a barcode was Wrigley’s chewing gum.
Conclusion
In this post we learned how the barcode works on it’s own and how it plays it’s role in the system as a whole.
Now we know how the EAN13, EAN8 and UPC barcode works and we understand that these black and white striped bars with numbers are very easy to replicate.
The lesson to learn from all of this is that the vulnerability does not lie in the barcode it’s self but rather in the human who operates the checkout till and the way that the system works as a whole.
Rather than looking closer at RFID tags, facial recognition and security cameras on the store floor then maybe we need to pay attention to our old friend.. the barcode.
