SAP VP Caught Doing Very Original Research On Retail Security: Barcode-Swapping At Target

Written by Evan Schuman
May 23rd, 2012

When an SAP Labs VP was arrested this week—charged with multiple burglary counts for supposedly sticking fake barcodes on Lego sets in California Target stores—it was a wonderful reminder of how vulnerable today’s barcode security is.

On the down side: Police said they found “hundreds of unopened boxes of Legos” at the VP’s home, strongly suggesting that he had had considerable success using switched barcodes. On the plus side: Target’s loss prevention team coordinated with various stores and shared pictures of the VP, enabling him to be identified and followed before a barcode swap.

Here are the details of this bizarre case in brief: Thomas Langenbach, VP at the SAP Integration & Certification Center (ICC) at SAP Labs, used the traditional barcode sticker swap to get special discounts on various Lego sets, and he then reportedly sold those sets on eBay. How big were the discounts? One example: He was charged with placing a $49.99 barcode on a $139.99 Millennium Falcon Lego set. That was a nice move. At a glance, $50 is not a ludicrous price for a Lego set. (Actually, $140 is a ludicrous price, but let’s not go there.) So it was much easier to not get caught.

The Santa Clara County District Attorney’s office said Langenbach was organized about his efforts. “He allegedly kept plastic baggies containing the fake barcodes in his car, carefully organized with the name of the item on the bag,” Supervising Deputy District Attorney Cindy Hendrickson told the Los Angeles Times. “Some of the barcodes provided him a discount of just $20, others gave him a $100 discount, Hendrickson said. Langenbach never bought a lot of items at one time, she said, and he went to several Target stores to run his alleged scam.”

Hendrickson also seemed to find the Legos themselves eyebrow-raising. She told the San Jose Mercury News: “I think it seems clear he took some enjoyment from having Legos around. But I think he also obviously had way more than any one human could possibly enjoy on their own in a legally acceptable way.” Do we even want to know how one could enjoy Legos in a legally unacceptable way?

But on the pure loss-prevention issue, this crime is simply far too easy to do in 2012, provided it is done carefully, with the price discounts not too extreme and the body covering the quick act of barcode placement. Unlike some of the more brazen barcode switches (putting a banana label on a flat-screen TV), if the item looks like the real item, most associates won’t notice a price change, given that they are used to constant price changes and rarely know the exact price of particular items.

How about making the stickers much more challenging for consumers to print, leveraging holograms or watermarks or similar approaches? This would need to involve manufacturers, too, of course, when the barcodes are printed directly on merchandise.

This gets back to the age-old shoplifter problem: It’s not merely associate apathy. It’s corporate strategy that places a high priority on keeping the checkout line moving as quickly as possible and on wanting to avoid any associate-shoplifter conflicts.

Having associates look at the screen’s garbled abbreviations, then look at the product and figure out whether the two match, would add more delay-fueled costs (or losses) than the shoplifting would have.

In the grand spreadsheet scheme of things, the cost of making these frauds more difficult is probably not worth it. It’s far better to publicize the few arrests that are made and let that be your deterrent program. Still, this marks a disturbing trend. It just so happens that both Lego and Target are large customers of SAP. Whatever happened to tradition? SAP has always ripped off retailers via purchase orders, not fake barcodes. Oh well. Times must progress.



