Tech

A Hacker Explains How to Shoplift

Hope Conference

On TikTok, a young woman looks into the camera and explains her problem: She bought a piece of clothing from Target, but it still has a security tag. Suddenly, the video cuts to another user and shows a desk covered in the same sort of red tag.

“Oh, you mean the Sensormatic InFuzion Tag?” a voice narrates over the video. “All you need is a big screwdriver.”

Videos by VICE

The person filming the video then proceeds to jam the screwdriver into the tag and pry it open. A satisfying pop shows that the tag has been removed. “There you go.”

This is the work of MakeItHackin, a security researcher who has dived into the world of shop security tags and who presented their work at the HOPE hacking conference this weekend.

“I’m not trying to steal stuff; I’m just interested in how these things work,” MakeItHackin told Motherboard in a phone call before the talk.

Do you have any more information on these tags or techniques? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com.

MakeItHackin graduated from a California State university in 2010 with a degree in physics. In one of those classes, they learned about Faraday cages, which are objects that can block electromagnetic signals from a device. That can include mobile phones, for instance. MakeItHackin then did some experiments and found that a Faraday cage would block the signals emitting from a shoplifting tag.

Fast forward to 2020, during the pandemic, when one of MakeItHackin’s friends said he should make a TikTok. A user there had made a viral TikTok asking others to share information that isn’t illegal, but feels like it should be. In response, MakeItHackin made their own clip sharing information about wrapping a security tag in aluminum foil as a sort of DIY Faraday cage. His TikTok got around 3 million views.  

That was the start of MakeItHackin’s deep dive into bypassing security tags. He started to look more specifically into how the tags really worked, what different types were available, and the various bypasses, he said.

@makeithackin

#stitch with @Macy Dowell educational purposes only. Dont use this info on stuff you dont own

♬ original sound – MakeItHackin

On eBay, MakeItHackin brought around a thousand tags, sometimes with a bundle of a hundred being the same type, he said. At the time of the call, MakeItHackin said they had around 20 to 30 different types of tags in all. Ordinarily, many of these tags are opened by authorized employees with a powerful magnet as part of the system at the cashiers desk. But if you don’t have one of these magnets—MakeItHackin said Amazon and other online retailers don’t sell magnets of a certain strength—you’re going to need another way to get the tag off.

Part of the fun of putting his research on TikTok, MakeItHackin explained, was that commenters would suggest different bypasses to try. Some of them worked, including, most surprisingly to MakeItHackin, a non-lubricated condom for removing some of the tags attached to clothing. A rubber band can work, too, and a plastic bag will do the trick. For covering up the tag, criminals also use so-called “booster bags,” which are lined with aluminum for carrying items across the security line.

As well as removing the tag or covering it up to get passed security scanners, there is a third option: destroying the tag. MakeItHackin also looked into stickers which are often used to protect DVDs in shops. A knife can make quick work of them. 

As Motherboard has previously reported, TikTok has repeatedly removed videos from some cybersecurity-focused creators under different parts of the site’s terms of use. This has led to some users adapting their content in an attempt to not run afoul of TikTok’s content moderation, or stopping use of the platform altogether. MakeItHackin told Motherboard they have run into some of their own issues too, and TikTok has removed certain videos.

“Shoplifting is illegal. It’s theft, and I don’t condone or encourage it,” MakeItHackin said during his talk.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.