Free Groceries! (SSS file)
November 15, 2019
Admittedly I've been a little busy as of late, and one unfortunate casualty has been the blog. Still, I just ran into a perfect illustration of Realistic Security Principle #1:
You cannot design a control that is dependent on the behavior of humans and expect it not to fail regularly.
Case in point: Safeway's self-checkout registers. I imagine it applies to every other grocery chain that has these, but the one I encountered today was at Safeway, and was particularly amusing.
To prevent loss by people tossing stuff into their bag without scanning it, these machines are super sensitive to any weight added to the scale. If it isn't expected, then it will throw an error, and a store employee has to come in and confirm that this was, in fact, an error.
And in that last bit lies the devil. Because all these chains want so much to save on labor costs that they understaff everything, including this area. Usually you have one person manning six or eight or twelve of these machines, constantly having to run around and fix "errors" that the registers "discover" and are no more than simply humans interacting with machines in unexpected ways, or otherwise doing things naturally (but in violation of the imaginary process that the person who designed them insisted is "the only way").
What this means is that there is a human who is constantly having to deal with false positives. One after another. False positive. False positive. False positive. If you've ever spent any time at all in a SOC (security operations center), you know how destructive repeated false positives can be; they rapidly inure you to the expectation that the entire underlying alerting system is useless. So when an actual legit alert does come through, nobody pays attention, or just assumes it's another false positive. You end up with a bunch of unspoken but agreed-upon-by-everyone-involved policies in which step one is "ignore the alert, it means nothing", and anything past step one may as well be The Brothers Karamazov at 10PM in bed after a sixty-hour week.
In other words, you'll barely read two sentences before falling asleep.
The same scenario unfolds in the self-checkout line.
Here is how to exercise this flaw (don't actually do this, please; I am just illustrating the point):
* Go to the self-checkout line, especially when it's busy.
* Wait your turn.
* Scan an item.
* Remember that you have nothing to put the item into.
* Grab a store bag, and place it on the scale.
* The machine is now beeping at you, because there is unexpected weight on the scale. Ignore it.
* Place the item in the bag.
* Scan the next item, and put it in the bag. The machine is still screaming. Continue to ignore it. Act natural. You're scanning all your items, after all - nothing seems out of order. The machine is even acknowledging them with the "scanner beep".
* Keep doing the above until you're done with your items. Try to keep it to ten or so items unless you have nerves of steel.
* Now is the time to raise your head and look around in confusion. Eventually, that poor employee will finally notice that you have an issue. Give them a pitiful look, and maybe even look in embarrassment at the line building up behind you of increasingly irritated and angry shoppers who are upset at you, the machine, the store, and the whole experience of being in an understaffed retail environment.
* Watch as the employee rushes over and scans their card to cancel the alert as quickly as possible.
Do you know what you have now?
A grocery bag full of items, a machine that is perfectly fine with said bag's weight, and a total charge that comes to the price of only the first item you scanned.
Admit to the machine that you are using a store bag and pay the extra ten cents because, you know, you're not a thief. Pay for your purchase. Take your bag. Leave the store. Trust me, no one will realize what took place.
When I ran across this today I ended up with a $1.37 total tab for a $50+ bag. I called the supervisor over and showed her what happened, and she ended up deciding she had to rescan all my items by hand, thereby defeating the entire purpose of having a self-checkout line, pissing everyone off around us even more, and giving me this little story to tell.
Because people will defeat your people-dependent controls every... single... time.
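To make the design flaw concrete, here is a small model of the register described above (an added example, not code from the post or from any real checkout system; the prices, weights and 30 g tolerance are constructed values). It replays the sequence from the post twice: once with an override that simply accepts whatever is on the scale as the new baseline, and once with an override that clears the alarm but refuses to proceed while the scale disagrees with the scanned items.

```python
# Added example, not from the original post: a minimal model of the self-checkout
# weight control. Prices, weights and the tolerance are constructed sample values.
from dataclasses import dataclass

TOLERANCE_G = 30.0  # assumed slack for packaging variance and scale noise


@dataclass
class Register:
    reconcile_on_clear: bool          # False = the behaviour described in the post
    total_due: float = 0.0            # dollars actually recorded for the sale
    expected_g: float = 0.0           # weight the scale should read given the scans
    measured_g: float = 0.0           # weight the scale does read
    alert: bool = False
    cleared: bool = False             # did the override let the sale proceed?

    def scan(self, price: float, weight_g: float) -> bool:
        """The scanner beeps either way, but nothing is recorded while alerting."""
        if self.alert:
            return False
        self.total_due += price
        self.expected_g += weight_g
        return True

    def place_on_scale(self, weight_g: float) -> None:
        self.measured_g += weight_g
        if abs(self.measured_g - self.expected_g) > TOLERANCE_G:
            self.alert = True

    def employee_clear(self) -> bool:
        """Staff override. Returns True if the sale may proceed to payment."""
        delta = self.measured_g - self.expected_g
        if not self.reconcile_on_clear:
            # Weak: trust the scale as-is, so unscanned goods become the new baseline.
            self.expected_g = self.measured_g
            self.alert = False
            return True
        # Hardened: silencing the alarm is not the same as accepting the discrepancy.
        if abs(delta) <= TOLERANCE_G:
            self.alert = False
            return True
        return False  # unexplained weight remains; items must be scanned or removed


def run_scenario(reconcile_on_clear: bool) -> Register:
    """Replays the post: scan one item, add a bag, then bag items while alerting."""
    r = Register(reconcile_on_clear)
    items = [(1.37, 120.0), (12.99, 900.0), (8.49, 450.0), (27.50, 1500.0)]  # constructed
    r.scan(*items[0]); r.place_on_scale(items[0][1])  # first item recorded normally
    r.place_on_scale(60.0)                            # store bag: unexpected weight, alarm
    for price, w in items[1:]:
        r.scan(price, w); r.place_on_scale(w)         # beeps, but nothing is recorded
    r.cleared = r.employee_clear()
    return r
```

With the weak override the sale proceeds at $1.37 and the scale is happy; with the reconciling override the register stays locked until the discrepancy is explained, which is the property the control was supposed to provide in the first place.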
P.S. yes, I know that retail has the concept of "expected losses" by policy - it's the reason you often get things for free just because they want to keep you happy. I'm not entirely sure the above qualifies as falling into this bucket. And I still found it funny.