Fun at Costco
by nux
This article will cover the basics of hacking Costco's AS/400 or green screens.
First, a little background: Costcos all over the United States use AS/400 terminals for everything from adding new members to tracking inventory and inter-store e-mail. These terminals are dumb in every sense of the word. Each terminal has a unique ID and can be plugged in anywhere on the network. They are served by an incredibly fast group of machines located in Issaquah, Washington. These terminals are scattered about the warehouse. There are several in membership, administration, front end (near the registers), on the dock, and in the optical department.
The keyboard layout and operation are slightly confusing at first, but keep this in mind: many input fields need to be "exited," and this can be accomplished with the Field Exit key, located either where the traditional Return key is or at the Enter key on the 10-key. The Form Submit, or Enter, key is usually mapped to the right Ctrl. Should you make a mistake entering your request or otherwise foul up, you will either get a flashing "X" in the lower-left of the screen or an inverse flashing error code in the same region. Pressing the reset button can usually clear this; this is typically mapped to the left Ctrl.
With this in mind, you can attempt to gain access to the wonderful world of AS/400.
Recently, corporate headquarters attempted to shore up the security of these terminals. In the past, the generic login and password for the warehouse was either WXXXEDP or WXXXINA, where XXX is the warehouse number. (If you're not sure what the warehouse number is, go to membership and ask the friendly person there for a catalog of all the Costcos in the USA. Maps of the locations list all the warehouse numbers.)
With this new password policy, each department and manager received a new login and password. Some warehouses still keep a generic login around; a popular one around my area is:
LOGIN: WXXXEDP PASSWORD: WXXXEDP
If you are not so fortunate as to find a working generic login, you are going to have to social engineer your way in.
If your target store has a terminal in its "Tech Center" (the corner of the store with all the computers and stereos), it should be very easy to obtain either access or access and a password. First, cycle the terminal on and off - this will bring it back to a login screen. Then find an item and ask one of the tech center employees to look it up at another warehouse. Most employees are not concerned with security, so surfing login and password should be no problem.
If you managed to get the login and password, you might want to check out the security of the receiving dock. In stores around my locale, in the evening (between 5:30 and close) the dock becomes a graveyard. There are terminals back there that you should be able to use relatively undisturbed. Worst comes to worst, you are chased off the dock. Have a lame excuse involving looking for fresher bananas ready and you will not be given another thought.
Once you are in you will be presented with about 36 options.
Most of them are pretty useless, unless you have some vendetta against trees and want to waste some paper. Most of the options involve firing up printers and spitting out lots of boring information. Option 92 is CHARLIE, a utility for ordering prescription lenses for glasses. This takes another password to enter and really has very few interesting options.
If you do enter this menu and don't have a password, you will have to reboot. From this menu, options CI2, ITM, and IAI can be accessed. They are not listed, but do work. CI2 gives information about departments by category and warehouse. ITM brings up all sorts of information about items via the item number. This is particularly useful if you want to find the status of a "last one" item. If the item is "pending delete" and you want to buy it, you can count on asking for money off, and you will probably get it. IAI is nice if you need to search for an item by description.
The really interesting menu is the membership menu: Option 51. Unfortunately, this requires yet another password. This can be obtained from the friendly people at the front end (the little desk or counter near the cash registers). My advice for obtaining this list is to first wait until the desk is deserted and check under the phone or calculator. The password is sometimes taped onto the bottom. Otherwise, be prepared for another social engineering adventure.
Wait until the terminal resets and is at the login screen. Find a supervisor or a manager on the front end and tell them that you have had problems with your card. Tell them that some kind of weird block came up the last time you shopped. Tell them that the block had something to do with a change of address and you want to make sure it's all cleared up. They will login and enter the membership screen. Surf the password and note the terminal number they enter (usually 99). Now you have everything you need to do some serious exploring.
From Option 51, the real fun begins.
Option 2 on this menu gives access to the membership database. Addresses, spouse info, phone numbers, etc. can be found here. Option 22 is fun; it fires up the membership card printer (only works from the terminals in membership) and allows printing of employee nametags. Option 24 gives you all sorts of information about canceled memberships. Option 3 is rather powerful as well - more membership information can be found here.
From the menu that Option 3 brings you to, membership info, membership blocks, and member shopping info are available. Membership info is just more of Big Brother's tracking of you, your spouse, and anyone else who has a card on your account.
Membership blocks is a list of all the blocks on an account. From here, you can request that blocks be added or removed. For instance, if you pay your membership fees, and the records are never updated, the "expired" block will show up on your card. If proof that the membership was paid can be obtained, a supervisor will submit a request that the block be removed. As far as the terminal is concerned, you are the supervisor. Blocks can be added in a similar way; imagine the possibilities. Shopping info is another nice feature. Costco can monitor your shopping habits, what you buy, when and how much - a nice Big Brotherly touch.
Costco is pretty lax about security as a whole, and usually lax with intruders. Typically, Costco will eject a shoplifter rather than call the police, so a hacker should feel pretty safe. If you are caught, just make up a lame excuse: "Oh, I thought these were for everybody." The options I mentioned are just a few of the really fun things one can do; there is much more hidden away. This should give you a nice jumping off place and allow you to discover the truly interesting stuff like broadcast e-mail!