
Discussion (340 Comments) - Read Original on HackerNews
I worked in retail many years, including doing store shelf tear downs and replacement and night shift stocking.
Back in the day we would get our planograms from HQ, then we’d print out all the labels on perforated paper, and walk the shelves moving product and updating the price tags, throwing out the old. The epaper tags are very clearly an improvement to that process in both time and waste. We would also check the prices using a Motorola price gun and do our fixes manually and then print out new tags or update the counts.
I’m surprised these tags are just IR blasted with no security. I would have expected they’d need some sort of code and you would simply save the code on your gun, pop a tag in front of a product, scan the product, then pair the tag all on your price gun in like 3 actions.
I also would have thought in these days we’d use Bluetooth beacons to triangulate the shelf slot too so that HQ could have a realtime map against their planos (it was not uncommon a product’s size would change and the layout would have holes or products that don’t fit on your real shelf).
Anyways, neat project! Triggered a walk down memory lane for me.
Previously, a criminal could just print their own shelf tags. They'd probably do this somewhere other than in the store to get the details right, but it was doable. (We've all probably seen rolls of blank shelf tags sitting around at the store, and thermal printers are inexpensive. So what if it's two crimes instead of one?)
And then, in the store, they could just switch out the shelf tag(s) and try to play their little scam.
Now with this new development, a criminal still needs to get the details right. Like a blank paper tag, the little screen is also a blank slate. It's just erasable and rewritable in-situ.
The scam is the same. It's just shaped differently.
---
I do understand why the tags are simple to write. Maintaining some kind of revolving, PKI, or multi-factor auth would be harder than doing nothing, and probably slow. Fixed, basic auth would just get leaked (probably first by Home Assistant tinkerers who find some discarded electronic shelf tags somewhere and want a new display for their house).
One-way infrared is cheap and low-power compared to anything with RF. And resets would be a pain in the ass if things were forever associated with a certain product, or a certain place in the store.
The way it's implemented now, on reset (yay new planogram!): All the tags get pulled and put in a pile.
And then: One by one, they're removed from that pile, put on a shelf, and programmed.
That's fast and flexible, and therefore inexpensive. Inexpensive is good. If there's one thing that all retail establishments hate most, it is their labor expense.
It does fail to prevent obvious-scam from happening. But it'd probably cost more to do it "right" than to eat the losses when the scam actually works.
You know what, that is a great idea for a project of mine, where I want to display outside temp and weather forecast in the hallway next to the wardrobe. I have been musing about it for a while now: how to make it small and not stand out, how to handle power delivery, etc.
I was already leaning towards eink, and if I can get one of these price tags cheap plus hide an IR blaster in a corner that would be ideal. All controlled by Home Assistant of course. I'm going to search the usual Chinese online marketplaces tomorrow.
Thank you!
Lots of the tags I see though do have Bluetooth or maybe WiFi for updating as well.
I do really like eink things, I want to set up a nice 13 inch one which is now more like £160 so becoming more realistic for me to buy for fun.
I’m going to have to look more into these tags because if there’s cheap second hand ones they’d be awesome.
The sellers don't know anything about how they work so it will take some digging to find the right ones, but having to dig a bit is normal for eBay (or Aliexpress, for that matter).
Yep. For the physical "hackers" among us, a price sticker gun (those little orange or white stickers with a number on them that mom and pop shops use) was one of our first tools to mess around with
Yes it does, unlike before, a shits-and-giggles attacker could change all the tags in an aisle into "you're gay" without showing anything on surveillance cameras.
He wouldn't gain anything but the store would lose.
But actually: It's not that broad. It's still mostly one at a time, ish. Changing a lot of them would stand out if anyone were paying attention.
Although it could certainly be broadened...but an IR emitter that's skookum enough to reliably hit all of the shelf tags in an aisle at once would probably show up as an intensely-bright purple floodlight on the cameras. That would stand out quite a lot. :)
I’ve worked retail on and off for a decade and been friends with AP in most places and no one has ever mentioned this happening. Never been told to watch for it, or heard a rumor about it from another store.
It’s just not something that happens.
> Previously, a criminal could just print their own shelf tags.
Between your 'previously' and now is a period of at least two or three decades, where shelf tags have only been for your information in the store, while the real price came from computerized POS-Terminals with attached barcode-readers. Which of the two has priority for the customer may depend on country, law, store policy & good will.
Furthermore stores are completely cam covered nowadays, so much luck with being seen fumbling with your gadget in front of that label, or being seen on 'tape' putting another one over it, or things like that :-)
Me neither. If it parallels the arc of those restaurant buzzers [USA perspective]:
-Big chains first (Olive Garden) with quality industrial systems
-Then, small businesses with dinky systems sold on Bezos site
What do you think, someone would have to be fired if e.g. Best Buy tags were super flaky and reset at random nationwide?
Maybe wifi6 location based on the gun when setting the tag?
Transacting was your way of leaving a calling card for the investigators/analysts to find you... You stole regardless of how you did it.
Back when I was a kid it was common to still just have simple price tag stickers on every single item. We’d pull off a cheap sticker and put it on an expensive item. If they noticed, we’d just shrug and say “oh Nevermind then” when they found the right price.
The only problem was most cashiers actually knew all the prices of stuff and paid attention, believe it or not they even knew how to make change back in those days /s. So you couldn’t always get super aggressive.
So scan everything, then put it in the cart and walk off without putting in the credit card. Again, both are stealing but paying some fake, reduced rate is leaving your calling card at the scene of a crime.
Yup. I was in a local super market and saw Tomahawk steaks priced at $4-6 each. It had to be a mistake but I figured I would give it a shot and see if they noticed. Cashier looked at the price, did a confused double take and immediately called over the manager. Turns out the decimal point was off by one so my $4.50 tomahawk was really $45. I bought it anyway and it came out great in the oven.
I was of the impression that, in our golden age of individualized surveillance, merely interacting with the kiosk was enough to leave a facial-geometry calling card these days.
I feel like I may have heard this from one of those Illinois BIPA class action suits [0], which reliably have a whiff of crackpot to them from a technical perspective. But it surely seems an obvious enough sort of application…
[0] https://www.law360.com/articles/2372764/home-depot-s-self-ch...
Depending on the value, the police probably aren't going to show up at your address, but use that card again at the store in the future and you might find the security guard coming over. Or, like many stores, they wait for you to do it repeatedly until it adds up to enough for a felony instead of just a misdemeanor, and then they bring felony charges...
The stores have cameras. Likely someone is well aware those weren't all bananas, and has it on video.
Play stupid games, win stupid prizes.
> wait for you to do it repeatedly until it adds up to enough for a felony instead of just a misdemeanor
Isn't there a concept in the legal system where you have to mitigate damages even if you're the victim? I can't think of the example off the top of my head that Steve Lehto (consumer lawyer on YouTube) gave.
I'm guessing people who steal from the stores aren't able to afford a decent lawyer, but I imagine a decent lawyer would ask the Target witness(es), why didn't you stop him after the first theft? Why did you keep letting him steal?
Pre-paid gift cards would fall into the part where almost always doesn't cover. There's a reason scammers love gift cards
I once got stopped at self checkout because I put two vegetables (peppers, IIRC) of different types in the same bag and weighed them together.
They were the same price so it's not like I was trying to pull a fast one on anyone, but "the system" noticed and flagged me for someone to come over.
This was pre-pandemic, and I'm sure they're not less capable now than before.
Supermarkets actually factor breakage, theft, and spoilage into their books as "shrink", which averages between 2-3% of sales. There's no detective building a case, biding their time to bring down the banana bandit.
Although, modern self-checkouts have cameras on the scanner with ML-powered item detection, and they will alert the attendant if you incorrectly scan something that's sold by weight. (I've done this before on accident, fat-fingering the wrong PLU.)
(Not a lawyer, I'd imagine you know better here than I do)
I hope they’re losing money over it.
Stores just pass on the losses from theft into the price of everything else. You're not robbing a rounding error amount from a faceless billionaire, you're robbing a rounding error amount from the "sucker" paying full price next to you.
Either way, pretty stupid to incriminate yourself without plausible deniability on high definition cameras for stealing low price items.
we do not have to accept this decision to reduce staff and raise prices as a matter of course. plus, if you see somebody stealing food, no, you didn't.
People are responsible for their own actions. If you think shoplifting is morally acceptable, don't try to tell me that I didn't see it.
Don't tell me, in your view the cost of shoplifting is begrudgingly covered by those evil rich people who own everything, right? It's not passed down to customers, and therefore affects those who obey rules, and especially those who are in a precarious financial situation to begin with, right?
If I see someone stealing food, yes, I did. It's immoral for you to do otherwise.
But no, most people in the US aren't stealing from grocery stores to feed their kids, they're stealing from stores to resell on black markets.
Links:
> Missouri Attorney General Andrew Bailey has filed suit against Dollar General, claiming deceptive and unfair pricing at its more than 600 retail stores throughout the state. The lawsuit alleges that Dollar General violated Missouri’s consumer protection laws by advertising one price at the shelf and charging a higher price at the register upon checkout.
> The joint investigation revealed that “92 of the 147 locations where investigations were conducted failed inspection. Price discrepancies ranged up to as much as $6.50 per item, with an average overcharge of $2.71 for the over 5,000 items price-checked by investigators.”
https://progressivegrocer.com/dollar-general-accused-decepti...
> All told, 69 of the 300 items came up higher at the register: a 23% error rate that exceeded the state’s limit by more than tenfold. Some of the price tags were months out of date.
> The January 2023 inspection produced the store’s fourth consecutive failure, and Coffield’s agency, the state department of agriculture & consumer services, had fined Family Dollar after two previous visits. But North Carolina law caps penalties at $5,000 per inspection, offering retailers little incentive to fix the problem. “Sometimes it is cheaper to pay the fines,” said Chad Parker, who runs the agency’s weights-and-measures program.
https://www.theguardian.com/us-news/2025/dec/03/customers-pa...
It goes without saying however, that the customer himself is of course not allowed to alter the price on the shelf (like the Flipper Zero program in the featured link facilitates) and then pay the altered amount :P
So - if the state didn't have any blabbermouths on staff, and spent some time training, how many "inspections" could they speedrun in an hour?
I've sometimes toyed with the idea of an "open sourced" grocery store that's extremely transparent about every detail. Think electronic price tags that give you a complete breakdown of the cost of an item, cost of labor, cost to account for "loss", over/under-supply, etc.
I feel like there's a niche out there for hyperinformed consumers
What happens is that your identity is tied to these purchases and after a certain threshold you get flagged as a thief, essentially. At that point, you will get very increased attention (via checkout, purchases, and floor walkers), and after another threshold, will be trespassed and/or prosecuted.
But, you'll probably get away with a banana or few before you trigger the loss prevention threshold.
A major supermarket chain in Australia (Coles) is literally a client of Palantir.
https://investors.palantir.com/news-details/2024/Palantir-Pa...
I'm not sure it's the super system it's sold as.
I hate self checkout.
At my grocery store, it very often complains about something when I'm checking out. The person comes over, reviews the video and says you aren't doing anything wrong.
The answer is don't go to places where you self-checkout, and don't go to places with surveillance. There are still a couple of grocery stores in my town like that.
All this has done is train us to keep the carts out of the camera's viewing angle. It doesn't care if you keep pulling handfuls of groceries out of hammer space, as long as there's no cart in the frame.
I scanned a drink, heard the beep, put it in the bag. I scanned a loaf of bread, heard a beep, put it in the bag.
Now, instead of the typical "Unexpected item in the bagging area" it now shows the overhead replay and locks the system out until an employee comes over to review.
Combined with their exit gates that don't open if they think you've not paid for something, and cameras that track you through the store it's feeling very unfriendly.
So seems pretty good. Obviously erring on the side of having an employee double check makes sense when their profit margins are generally single digits. One missed tshirt means they lost money on your $300 cart.
Personally, I always just say “no thank you!” and walk past the receipt checker at non members stores. They know me at Walmart and know I’ll refuse the receipt check and stopped bothering me.
I predict that self checkout will only remain in the more trustworthy areas…
Their Loss Prevention is so advanced that FBI has collaborated with them for case help
https://thehorizonsun.com/features/2024/04/11/the-target-for...
I also worked there briefly in my teens, they are a great employer.
When you see a TV being purchased, though, it wouldn't be hard to just watch that it in fact got checked in as such.
That's far from my experience. Usually they're overworked with a backlog of customers having some kind of issue needing attention. It usually takes a few minutes to flag one down when I need them to take a coupon or check an ID, because they're already busy doing something for another customer.
And of course, the area is wide open and well covered by cameras, and usually self-checkout means paying by card or google pay or something, which will tie your identity to the purchase.
Reminds me a bit of the shopping cart theory.
Grocery stores in general consolidating, laying off workers, leaving them without pay/benefits, taking advantage of greedflation, etc., is a bigger drain on society.
Categorising things as "bananas" tricks the checkout into accepting the weight of an item, and you pay the appropriate price per bananagram.
Some places will detect a fly farting on the damn scale, others can take three or four kids climbing on it before it complains.
Then the receipt checker at the door checks his receipt and waves him on through.
I've had opportunity to hear many stories from people who have had largely unintended encounters with law enforcement. Many of these are for "shoplifting". That can be something as simple as forgetting something on the bottom of the cart. Walmart are super aggressive about this and rather than saying "sir, did you forget that thing or not want it anymore?" they prosecute.
Walmart is one of those publicly subsidized companies in the country. They don't pay employees enough so the government gives them food stamps. Those food stamps are largely spent at Walmart so Walmart is profiting on both ends. And then they displace checkout workers with self-checkout and pay for fraud detection systems and when people either intentionally or unintentionally didn't scan something correctly (or at all), they offload the costs of loss prevention onto the state by prosecuting. Walmart doesn't pay for that prosecution. Taxpayers do.
Walmart is a trillion dollar company. The stock has almost 3x'ed in less than 4 years. How long did it take to 3x to that level? About 23 years.
On the other hand, the wealthy can lobby, inflate the prices overnight just because, while also reducing the good weight aka double increase, and you can’t say anything because it’s legal!! It’s a one way “justice” system.
For prices displayed on the shelf-label inside the store the law is usually not that strict (YMMV), as a shop-owner can refuse sale on check-out (otherwise I could put a pricetag on e.g. a shopping-basket and the shop-owner would be legally required to sell me the basket...).
Besides, most shops I've seen (in Europe) already moved from Infrared communication to RF (NFC or proprietary), for centralized shelf-label management without handheld devices. So all this study (and the underlying reverse engineering of the IR-protocol) might do is probably accelerate the transition from IR to RF-based ESL...
This is not the case for groceries in Massachusetts at least. If there’s a discrepancy between the tag’s price and the scanned price the store must charge the customer the lowest of the two: https://www.mass.gov/price-accuracy-information
https://www.theguardian.com/us-news/2025/dec/03/customers-pa...
That seems shocking to me, but I guess I live in a country where the prices on the shelves are "final" (with no need to add taxes) and I think it would be immediately obvious if I'd been charged the wrong price for goods.
[0] https://www.theguardian.com/us-news/2025/dec/03/customers-pa...
Stores hate giving the product away and pricing errors are much lower in my experience.
To me this is about having protocols that are suitable so not anybody can write to these labels without knowing a store secret or using replay attacks.
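The comments above raise the constraints such a protocol would face: the link is one-way infrared, a fixed shared secret would leak from discarded tags, and frames must not be replayable. The sketch below is an added example, not part of the thread and not the protocol of any real shelf tag; the frame layout, field sizes, key-derivation label and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # truncated MAC; an assumption chosen to keep IR frames short
HEADER = struct.Struct(">IIB")  # tag_id, counter, payload length (hypothetical layout)


def derive_tag_key(store_master_key: bytes, tag_id: int) -> bytes:
    """Per-tag key: a key extracted from one discarded tag unlocks only that tag."""
    label = b"esl-tag-key" + struct.pack(">I", tag_id)
    return hmac.new(store_master_key, label, hashlib.sha256).digest()


def build_frame(tag_key: bytes, tag_id: int, counter: int, payload: bytes) -> bytes:
    """Programmer side: header | payload | truncated HMAC over both."""
    if len(payload) > 255:
        raise ValueError("payload too long for the 1-byte length field")
    body = HEADER.pack(tag_id, counter, len(payload)) + payload
    mac = hmac.new(tag_key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + mac


class ShelfTag:
    """Receiver side: the state a receive-only tag needs to reject bad frames."""

    def __init__(self, tag_id: int, tag_key: bytes):
        self.tag_id = tag_id
        self._key = tag_key
        self.last_counter = 0  # would live in non-volatile storage on a real tag
        self.display = b""

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER.size + MAC_LEN:
            return "reject: short frame"
        body, mac = frame[:-MAC_LEN], frame[-MAC_LEN:]
        tag_id, counter, length = HEADER.unpack_from(body)
        if tag_id != self.tag_id:
            return "ignore: other tag"
        if length != len(body) - HEADER.size:
            return "reject: bad length"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return "reject: bad mac"
        # Checked only after the MAC, so an unauthenticated sender learns
        # nothing about the current counter value.
        if counter <= self.last_counter:
            return "reject: replay"
        self.last_counter = counter
        self.display = body[HEADER.size:]
        return "accept"


def demo() -> dict:
    master = bytes(range(32))  # constructed store secret, for the example only
    key_a = derive_tag_key(master, 0x1001)
    tag_a = ShelfTag(0x1001, key_a)
    tag_b = ShelfTag(0x1002, derive_tag_key(master, 0x1002))

    good = build_frame(key_a, 0x1001, 1, b"4.50")
    results = {
        "legit": tag_a.receive(good),
        # Same bytes captured and sent again: counter is no longer fresh.
        "replay": tag_a.receive(good),
        # Sender without the tag key guesses an all-zero key.
        "no_key": tag_a.receive(build_frame(b"\x00" * 32, 0x1001, 2, b"0.45")),
        # Key recovered from tag A does not authenticate frames to tag B.
        "leaked_a_on_b": tag_b.receive(build_frame(key_a, 0x1002, 1, b"0.45")),
    }
    results["display_a"] = tag_a.display
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Because the tag never transmits, freshness rests entirely on the stored counter, so the programming gun (or back end) has to track the last counter issued per tag across resets.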
it's mostly about efficiency. IR based, an employee needs to physically walk around. RF based, place a transmitter or two in the building and the system now works fully automated.
The extreme lack of cybersecurity for something as essential as (often legally binding) price indicators should shock the entire industry, although I feel like it comes as no surprise to anyone actually working on integrating these things.
Supermarkets all throughout my country have these labels add "35% off" to any goods that they need to remove from shelves (either because they expire soon or because they want to replace the product with something different). That's done outside of normal advertising campaigns, just in the price tags on the shelves (and the digital systems, if they actually work).
Supermarkets here are already on thin ice because they frequently do not charge the price listed on shelves already, without malpractice.
Of course, if you happen to have a cart full of wrongly discounted stuff that someone needs to go out and correct, the store will probably look through security footage. If you play the game well and can make it look like a glitch in the system, a store would probably not bother, though.
We've been able to take a price sticker off one object and put it onto another for a very, very long time.
It's not really a new issue and current law should already cater for it.
It's typically in-store policy.
Is Best Buy going to let you walk with a $10 Sony FX3 camera? Probably not. Are they going to fight you over a $10 difference in posted vs look up? Probably not.
From what I remember Connecticut laws used to require retailers to charge the lowest advertised and/or physically labeled price.
my favorite that I have set up is a tag in my bathroom that shows me today’s weather and chance of rain when I'm brushing my teeth - I haven’t been caught by surprise in the rain since :)
No.
In most jurisdictions this is covered by Contract Law 101 that lawyers learn in year 1.
A contract only forms when you have an offer, acceptance, consideration.
The price on the shelf (or shown on the website or in a catalogue) is known as an “Invitation To Treat”.
“Invitation To Treat” means you are inviting the customer to come to you and make you an Offer. There is no obligation on the business to sell.
In the case of a supermarket in the context of this discussion, the agent scans the barcode, and the "real" price is displayed on the screen and added to your bill. This is the "Offer", the business is saying "we are willing to sell you this Tomato at this price, take it or leave it".
If you don't say anything and pay and leave, then "Acceptance" has occurred and the "Consideration" is the act of payment itself.
(N.B. IANAL, so my description might not be precisely textbook, but that's the broad concept).
I don't know whether "usually" is accurate though; it may be that common law prevails as you say in most transactions despite the states with regulations.
As already mentioned IANAL, but I would take an educated guess as follows:
The specific regulations to which you refer are in effect consumer protection regulations.
Ergo, they are there to protect the consumer against malicious behaviour by unscrupulous traders such as false or misleading information.
Any reasonable judge in a courtroom will likely agree that incorrect display of pricing on a shelf (or website or catalogue) is (in the absence of evidence to the contrary) likely to be an inadvertent error with no malicious intent. And therefore the common law would prevail.
We do not want a world full of hyper-dynamic pricing, we should destroy these.
Sure, at least the developer can say they did say so, but it doesn't matter. To me it seems more like avoiding responsibility. You published the tool, and by doing so you changed the world, even minutely, and in ways you cannot predict.
As hackers we bear the responsibility of tools we publish. Even if you believe knowledge is the most important and that everything _should_ be published, we should at least be well aware of the consequences. Great power, great responsibility.
Because as we all know, if something "bad" is possible, but no one has published a GitHub about it, no one will ever be able to do the bad thing! Society is saved at last!
People online will kick up a fuss about GPL and shit but in real life no one bothers. Shoplift. Close an OSS project. Who cares.
Sometimes I even ride without a ticket. In Europe/Asia especially if you act like clueless American they’ll let you off every time. Done it so many times haha. Some of these places even they will put fruits outside. You can just take extra and hide it. They can’t tell.
One time on drive to Bury St. Edmunds small town in the UK I saw a little farm shop with some sign saying to leave payment there. Zero enforcement. I just took the fruits. No flipper zero needed.
Good life hack. Social hacks like these are not so common but if you’re clever you can get a lot.
I'm sorry, but I'm so sick of seeing "omg hacker man" mystique surrounding flipper, which is exactly what they want because it drives sales. Ofc you can muck about with open and unsecured stuff...like duh.
But it annoys me to no end when I have reasonably intelligent friends parrot claims like "flipper can clone the nfc in your credit card and you can steal people's money wow much hack!"
Its value is to provide a standardized hardware platform for (white hat) hackers for probing, prototyping, refining and sharing of security research in the fields its hardware supports (Sub-GHz RF, NFC, IR, and custom external boards via simple Input/Output pins).
Prior to that, everyone who wanted to research e.g. RF security had to either build/assemble something custom or buy much more expensive equipment. This created a barrier to collaborate on research, as everyone had to buy/build the same setup.
On top of that, Person A researching some RF topic selected an RF-transceiver from Company X, Person B used a component and a proprietary SDK of Company Y, so consolidating both work streams for a better foundation for all RF-related research required a lot of time and effort from someone, breaking workflows of at least one group of researchers, etc.
In contrast, security research which utilizes Flipper Zero can be reproduced and built upon by everyone. All the work is harmonized on the same Hardware architecture, so it's easy for someone familiar with the platform to dive straight into a new idea without having to build a new breadboard, select a chipset, buy additional probing equipment etc.
The flipper is basically an Arduino pre built with a bunch of static antennas. It's fine and in a decent form factor, but I really haven't found it useful.
Do you have any links to actual research (not children playing "researcher") done with flipper hardware?
And they love the free advertising they get along the same lines by youtubers desperate for clicks.
Ultimately it just sells more devices. The flipper zero can't "hack" anything. It can only be used as a tool to perform hacking, by a skilled individual who is doing all the work/discovering an exploit.
Has nobody hooked one up to an agent loop yet?
I should not have to put up with children going "JUST SECURE YOUR NETWORKS BRO" because they spent $30 on some eBay "marauder" dongle to be a pissant.
Source: Early interest in wifi security, including in other people's networks, led me down an education and career in security
1. TOTP generator
2. As an extra garage door opener to let guests in from my desk
3. To avoid typing my long WiFi password in while setting stuff up (ducky or qr code)
4. Wrote a custom app that suggests meals/ restaurants so when the wife asks what we should eat this week I can just rattle off the random suggestions
Not to mention other random things on a less often basis
I've seen similar things posted on here before that had a binary build only and zero technical documentation. It was really hard to see any kind of research or education value in those.