This is a continuation of THIS post
I went down to one of the stores today that I used in my research, to tell them about my research, the problem and so on.
I asked for the store manager, and told him about it, and then I asked if he was okay with me testing if the receipt actually worked in the scanner at the checkout.
He seemed a bit skeptical at first, but eventually he told me to follow him to the checkout, and then he asked a cashier to take the receipt and use it as if it was a normal purchase (You can scan the receipt when you are scanning your products, and the machine will deduct the amount it says on the receipt).
The receipt worked, and a few SEK (Swedish crowns) was deducted from the price (Success o/).
After this I told them that they could keep the fake receipt to do with as they wished, like destroying it or something, but they decided to keep it intact and put up a warning sign in the store for the people who work there to keep a lookout for this kind of receipt (even though it would be close to impossible to tell them apart with a few adjustments and a proper receipt printer).
I also asked them if I could use them as a reference when contacting the company that makes these machines, which they approved of.
I didn’t get the approval on paper though, and I even forgot to take any pictures from the machine in the store when it had scanned the fake receipt, but you’ll just have to believe me 🙂
All in all this turned out pretty nicely, and I will make a few more changes to the receipt template and then generator script to make it a bit more complete, and then I will make a small proof-of-concept for my solution to the problem, and then send it to Tomra that makes the machines. After all that I will consider this little project done most likely, if nothing else comes up.
The next project in line after this one that I will be blogging about, is how to break the encryption on public transport cards that use the MIFARE Classic 1K standard (using already built tools, as the encryption was broken a few years ago), and then make copies of the card, as well as altering the data on them (like how much money they have on the card).
Bottom line here is, I’m happy they didn’t call the cops 🙂