
Maybe the existence of such toolkits is a Chesterton's Fence that says you can't make this work without something installed on the phone. But this would be possible without these trojans.

If the Bluetooth beacon configures itself as a master, and enters inquiry mode, phones that pass nearby will happily respond with their Bluetooth ID (see https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?d..., section 8.4).

You can also do the same with Wifi access points: Phones are constantly broadcasting their MAC address during active scanning for networks. The location from signal strength isn't as good (a Bluetooth beacon can pin you down near the Yoplait yogurt, a Wifi beacon and signal strength measurement just put you in dairy) but it's getting better (worse?). See: https://www.crc.id.au/tracking-people-via-wifi-even-when-not...

I imagine it would not be perfect but would be acceptably easy to use these "anonymous" MAC addresses to connect you to a name and address on a debit card. If your MAC and 20 other people left the store Friday at 2PM, and you and 20 other people went through checkout, and then your MAC and checkout are seen with 20 different people next week it's pretty trivial to identify you.

The cynic in me, though, says that even a minor loss of fidelity in tracking data weighed against the minimal risk and cost of building the spyware makes it worth building both.



> Maybe the existence of such toolkits is a Chesterton's Fence that says you can't make this work without something installed on the phone. But this would be possible without these trojans.

Without these trojans the store would have on its hands a major networking infrastructure project. With these trojans, all they have to do is drop a few battery-powered beacons in their venue and store their IDs along with coordinates in a database.


"The store" that implements these is probably not a mom-and-pop. Places like Walmart succeed because of their ability to execute major logistics and networking projects.

If the beacons increased Wal-Mart's revenue by 1%, the "major networking infrastructure" project could be a $5 billion department, larger than Google's entire R&D operating expenses.


Sure, but the Beacon technology was designed for this cheaper type of use (dumb beacon, smart phone) from the get-go - people working on it probably may have wanted it to be useful not just for the biggest chains, but also smaller franchises and mom-and-pop stores (why limit your market prematurely?). In the alternate reality in which BLE beacons were never created, maybe Wal-Mart did its own major project to get the same results the hard way.


Can't compare revenue to operating expenses for funding a new department, should use earnings minus income taxes instead. It would be closer to funding a $1 billion department.


They have security cameras too. Correlate video with AP locations and you can probably figure out whose phone it is. Tie that in with some facial recognition database and you can really identify people.

Walmart has been adding cameras on high shrink aisles that are almost eye level. At some point they might add even more cameras for "security" that are also used for eye tracking. Think of all the opportunities to optimize product and ad placement.


Self checkouts already have eye level cameras and they know which items you actually purchase, so it's really not that far-fetched to assume they're also using beacons to track your phone as well.


And when you swipe your card to check out they have your name, even if you don't use a loyalty card. Name + Face, along with some Bluetooth tracking data. They can now track you forever, even if you delete the app, stop using your credit cards, etc.


> And when you swipe your card to check out they have your name, even if you don't use a loyalty card

I thought the name’s embossed on the card, but not on the magstripe/EMV chip data?


It's very much encoded in the track data. It may not be in clear-text by the time it leaves the reader but it's encoded in the data.


Do you mind linking to a source? Wikipedia has details on it, but it doesn't say anything about names. https://en.wikipedia.org/wiki/Magnetic_stripe_card#Financial...


From your link, it looks like "Name" is in Track 1:

  Start sentinel — one character (generally '%')
  Format code="B" — one character (alpha only)
  Primary account number (PAN) — up to 19 characters. 
  Field Separator — one character (generally '^')
  Name  — 2 to 26 characters
  ...
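
The Track 1 layout quoted in the comment above, as an added example that is not part of the original thread: a parser showing where the cardholder name sits, plus a helper that strips it before track data reaches a log. The fields after the name follow ISO/IEC 7813 rather than this page, and the sample card data is constructed.

```python
import re

# Track 1, format "B", as listed in the comment above. The fields after the
# name (second separator, YYMM expiry, 3-digit service code, discretionary
# data, '?' end sentinel) follow ISO/IEC 7813 and are not quoted on this page.
# Tracks that omit expiry or service code are not matched and are treated as
# unparsed, which makes the redaction below fail closed.
TRACK1_B = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<expiry>\d{4})(?P<service>\d{3})(?P<discretionary>[^?]*)\?$"
)


def parse_track1(raw):
    """Return the Track 1 fields as a dict, or None if raw is not format B."""
    m = TRACK1_B.match(raw.strip())
    if m is None:
        return None
    fields = m.groupdict()
    # The name field is "SURNAME/GIVEN", space padded to a fixed width.
    surname, _, given = fields["name"].partition("/")
    fields["surname"] = surname.strip()
    fields["given"] = given.strip()
    return fields


def redact_for_log(raw):
    """Mask the PAN (keep first 6 / last 4) and drop name, expiry and the rest."""
    f = parse_track1(raw)
    if f is None:
        return "<unparsed track data withheld>"
    pan = f["pan"]
    if len(pan) > 10:
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    else:
        masked = "*" * len(pan)
    return "%B" + masked + "^<name withheld>^****?"


# Constructed sample: a widely used test PAN and a made-up cardholder name.
SAMPLE = ("%B4111111111111111^" + "DOE/JANE".ljust(26) +
          "^2912" + "101" + "0000000000" + "?")

if __name__ == "__main__":
    print(parse_track1(SAMPLE))
    print(redact_for_log(SAMPLE))
```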


Thanks, not sure how I missed that.


It's also part of the EMV Specification and can be read with any NFC or smart-card capable reader. You don't need a special payment terminal.

https://www.emvlab.org/emvtags/show/t5F20/

There is one store in my neighbourhood where the payment terminals show this field (my full name) on the screen during checkout. I was very surprised when I noticed this the first time.

But apparently not all card issuers fill the field with correct data. One card, a prepaid Visa from a big fintech, has "N/A" programmed in the field.


This is absolutely happening at scale in Chinese malls and even those small 7/11 style corner stores. Correlating profiles with Alipay/facial recognition/WiFi/Bluetooth tracking.


A company I worked for was interested in installing these WiFi locators in its buildings to study how people move through them - it turns out it doesn't work that well outside of fully clear spaces (so it can't be crowded, there can't be too much furniture - although you might be able to deal with the latter if you spend a long time calibrating) + it requires dedicated devices (with faster clocks). Definitely doable though.


Mobile devices (iPhones, probably most others?) randomize their MACs when looking for wireless networks, although that may not be enough to stop a determined snooper.



