Gift Card Hacking
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Theft happens all the time. Why is this news?
If security was doing their job, it wouldn't be such a problem.
gift cards want to be free!
Big deal - this is theft. Why does it get featured on ./ ? Because it involves something remotely technology related. Guess what - it's still stealing - this is no different than rummaging through an open cash register drawer.
Being in the UK, and in a countryside area at that, I haven't heard of Gift Cards before. Here we stick to paper-based vouchers, or indeed, just send cheques to people in Christmas cards. At least if they are posted and stolen before they are delivered, then it becomes "interfering with Her Majesty's post" (seeing as it belongs to the Crown etc etc etc) and can carry up to 10 years in prison. Mmm...handy that...
I am the breaker of Chairs!
Interesting... after describing a company who is particularly lax in their security practices wrt the gift cards:
The company's name isn't being published to avoid giving criminals a too-easy target.
Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
So, after spending hundreds of dollars in equipment, casing the store and memorizing the numbers, your reward is:
Books!
Cans of Paint!
Socks!
The risk/reward here is pathetic. They would be better off stuffing things into their oversized coats during the holiday rush.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
Ten to one says it's Walmart. The cards the article describes sound exactly like Walmart's. Another thing that makes me think it's Walmart is that although they are a HUGE retailer, they aren't mentioned in the article.
posted anonymously for obvious reasons.
I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked:
When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.
Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.
Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.
--saint
I have worked in retail for many years and stores do not pay as much attention to gift cards as they should because they have no real value. They are like coins at amusement parks; they are only good at the respective stores. To put more money into safeguarding them would destroy the supposed cost efficiency of these cards. Another point to consider is the switch from paper gift certificates. I believe that this was a much safer way to do business, but stores needed to "get with the times" and have a more electronic certificate. I guess this is one of those instances where advanced technology does not benefit us more than we think...
OK, OK... it holds the *potential* to be a problem- big deal. They cited NO actual examples of theft other than the money laundering example, and there are many easier ways of laundering money if you use your imagination.
There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!
There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.
What, me worry?
Most places I know of keep the gift cards at least out of sight, but if they were to keep them out in the open, well that would be sort of stupid, given the scenario.
heck, I even wonder about the telephone cards, which I never use. I would have to go to a store to look at one to see if they have visible numbers on them.
"It is a greater offense to steal men's labor, than their clothes"
Which is a good thing, because at the Walmart in my area "Customer Service" more closely resembles the customs area of an east-African country than a place where you go to get helped.
Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?
Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash.
Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs. It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop.
Magnetic stripe security expert "Tom Trusty"?? Awww...
An easy way out would be to put two account numbers with every card. One is printed on the card and is used for the 1-800 number to check the balance. The other number could be on the magnetic strip and be used to redeem the card. All that's left is to watch for shoplifters.
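Added example (not from the thread or any retailer's real system): the two ideas above, a PIN that lives only in the store's back end and a split between a printed balance-lookup number and a separate redemption number, put together as a small issuer back end. Identifier formats, hash parameters and the five-strike lockout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class GiftCardIssuer:
    """Hypothetical gift card back end (added example, not a real retailer's code).

    Each card gets two identifiers:
      * lookup_id - printed on the card and receipt; good only for balance checks
      * redeem_id - encoded on the magstripe; required to spend value
    plus a PIN chosen at the register when the card is sold. The PIN is stored
    only as a salted hash on the server, never on the card or the receipt, so a
    number copied off an unsold card or fished out of the trash is worthless.
    """

    MAX_FAILURES = 5  # assumed lockout threshold; the thread does not specify one

    def __init__(self):
        self._by_lookup = {}   # lookup_id -> record
        self._by_redeem = {}   # redeem_id -> same record object

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, amount_cents, pin):
        """Activate a card at the point of sale and return (lookup_id, redeem_id)."""
        lookup_id = secrets.token_hex(8)
        redeem_id = secrets.token_hex(16)
        salt = secrets.token_bytes(16)
        record = {
            "balance": amount_cents,
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),
            "failures": 0,
        }
        self._by_lookup[lookup_id] = record
        self._by_redeem[redeem_id] = record
        return lookup_id, redeem_id

    def balance(self, lookup_id):
        """The 1-800 balance check: works with the printed number alone."""
        rec = self._by_lookup.get(lookup_id)
        return None if rec is None else rec["balance"]

    def redeem(self, redeem_id, pin, amount_cents):
        """Spend value: needs the magstripe number AND the PIN."""
        rec = self._by_redeem.get(redeem_id)   # a lookup_id will not be found here
        if rec is None:
            return False, "unknown card"
        if rec["failures"] >= self.MAX_FAILURES:
            return False, "card locked"
        presented = self._hash_pin(pin, rec["salt"])
        if not hmac.compare_digest(rec["pin_hash"], presented):
            rec["failures"] += 1
            return False, "bad PIN"
        if amount_cents > rec["balance"]:
            return False, "insufficient balance"
        rec["balance"] -= amount_cents
        rec["failures"] = 0
        return True, "ok"


if __name__ == "__main__":
    issuer = GiftCardIssuer()
    lookup_id, redeem_id = issuer.issue(5000, "4821")
    print("balance via printed number:", issuer.balance(lookup_id))
    print("redeem via printed number:", issuer.redeem(lookup_id, "4821", 1000))
    print("redeem via magstripe + PIN:", issuer.redeem(redeem_id, "4821", 1745))
```

The two identifiers map to one record on the server, so the printed number still answers balance inquiries but cannot be used to spend, and the PIN check is what a thief holding a copied magstripe still lacks.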
I got one of these at Christmas, and called the helpdesk hotline published on the card - Walmart's official policy on "cashing out" the card is that it is up to the local store management.
You might want to get there before the run on cashing in the cards...
I can see why the retailers don't really care. If someone forges a paper gift certificate and redeems it, the store is out the money. The thieves are just printing money.
But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
-- Don't Tase me, bro!
this had occurred to me some time ago when i saw the ramping-up of these things. i think it kinda started with best buy and spread from there. now every major retailer has them.
one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."
if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.
also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
the shrink numbers on these things must be fantastic!
So the security expert here is named Tom Trusty?
yeah. i've been preaching this for a while. but some of the same problems go for credit cards. the credit card companies have yet to fix their system (to one using cards with little displays and public key encryption), for something like
user's card has a secret. the user also has a secret. then the merchant gives the user a transaction time (or number, or something that changes periodically), the balance, and the merchant identifier. then these are hashed together to give an "authorization number" which the user then uses as a signature. you've got the same physical theft problem (if the user writes down their secret), but you always have that.
why don't the companies implement this? too much of a pain in the ass to change all of their infrastructure. if my card is used fraudulently, i will never pay the first $50 or whatever because of these reasons. it is their negligence.
this would be harder to do with gift cards, but would still be feasible using asymmetric cryptography, and some sort of electronic 'gift card wallet'. or you just don't allow consumers to play with the cards until they actually buy one, instead of the stores thinking it's "cool" to just have them sitting there, because they're not activated until you buy them!
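Added example (mine, not the poster's design or any card network's protocol): the scheme sketched above with both sides of the exchange written out. The card-held secret and the user's secret are folded into one key, the merchant hands the user a transaction number, and the "authorization number" is a keyed hash over merchant identifier, amount and transaction number that the issuer recomputes. Key derivation parameters, the 12-character truncation and the replay table are assumptions; the post's public-key variant would replace the keyed hash with a signature, which this symmetric version does not do (here the issuer holds the same key and could forge).

```python
import hashlib
import hmac
import secrets


def derive_card_key(card_secret, user_secret):
    """Fold the secret stored on the card together with the secret the user
    remembers, so a stolen card without the PIN yields a useless key."""
    return hashlib.pbkdf2_hmac("sha256", user_secret.encode(), card_secret, 50_000)


def authorization_number(key, merchant_id, amount_cents, txn_number):
    """What the card (or its little display) computes: a keyed hash over the
    merchant identity, the amount and the merchant-supplied transaction number.
    Truncated to 12 hex digits so a person could read it off and type it in."""
    msg = "{}|{}|{}".format(merchant_id, amount_cents, txn_number).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


class Issuer:
    """Issuer side: holds the derived key per card and remembers used transactions."""

    def __init__(self):
        self._keys = {}    # card_id -> derived key
        self._seen = set() # (merchant_id, txn_number) already authorized

    def enroll(self, card_id, card_secret, user_secret):
        self._keys[card_id] = derive_card_key(card_secret, user_secret)

    def verify(self, card_id, merchant_id, amount_cents, txn_number, presented):
        key = self._keys.get(card_id)
        if key is None:
            return False, "unknown card"
        if (merchant_id, txn_number) in self._seen:
            return False, "replay"
        expected = authorization_number(key, merchant_id, amount_cents, txn_number)
        if not hmac.compare_digest(expected, presented):
            return False, "bad authorization number"
        self._seen.add((merchant_id, txn_number))
        return True, "approved"


def run_exchange():
    """Walk one purchase through both sides and return the three verdicts:
    the honest transaction, a merchant reusing the code for a bigger amount,
    and a straight replay of the same code."""
    issuer = Issuer()
    card_secret = secrets.token_bytes(32)          # lives on the card
    issuer.enroll("card-001", card_secret, "7391")  # "7391" is the user's secret

    # Merchant side: presents its identifier, the amount and a fresh transaction number.
    merchant_id, amount, txn = "M42", 4599, "M42-000771"

    # Card side: user enters the secret, card produces the authorization number.
    key = derive_card_key(card_secret, "7391")
    auth = authorization_number(key, merchant_id, amount, txn)

    honest = issuer.verify("card-001", merchant_id, amount, txn, auth)
    tampered = issuer.verify("card-001", merchant_id, 45990, "M42-000772", auth)
    replay = issuer.verify("card-001", merchant_id, amount, txn, auth)
    return honest, tampered, replay


if __name__ == "__main__":
    for label, verdict in zip(("honest", "tampered", "replay"), run_exchange()):
        print(label, verdict)
```

Because the amount and merchant are inside the hash, a merchant cannot bump the amount after the fact, and because the issuer remembers (merchant, transaction) pairs, the same code cannot be submitted twice.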
You still need to reprogram the magnetic strip of a similar card for everything to work (assuming magnetic and not bar code cards).
The stereotypical "pickpocket" they mention ain't likely to have tools like that.
Remember what we did before all these plastic cards and shit came out? That's right...we went to the bank and took out pieces of paper with numbers printed on them and the words "this note is legal tender" printed across the bottom...and we got along just fine. Wanna give someone an impersonal gift because you can't think of what to give them or can't be bothered shopping...put a couple of these pieces of paper in an envelope and give it to them! Need to send it through the mail? Write a cheque or get a money order! I don't even like using my ATM card for purchases...I prefer withdrawing the cash and paying with that, and nothing pisses me off more than having some dingbat in line in front of me trying card after card and none of them seem to work (especially the express lane at the grocery store, which is supposed to be cash only!). I especially love it when once in a while I encounter a merchant that's flirting with the idea of no longer accepting cash payments..."Uh, what part of 'this note is legal tender' don't you understand?"
No...those pre-loaded "gift cards" are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your "policy" not to give out the balance left over on the card in cash...)
You're using her as bait, Master!
What's to stop an employee from inputting half the money you give them into the card and pocketing the rest? There's no inventory the store could keep track of on these things, and no way for you to see what they are typing into the terminal. A barely supervised employee at a retailer could easily pull this off. This is the much bigger risk than mass fraud by customers IMO.
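Added example (mine, not from the thread or any store's loss-prevention system): the obvious control for the insider case above is to reconcile what the register took in for a gift card sale against what the activation system actually loaded onto the card, per transaction and per cashier. The log formats below are constructed for the example, as are the cashier and transaction numbers; card numbers are shown masked. The same join also surfaces a card that was loaded with no sale behind it at all, which goes a step beyond the under-loading case the post describes.

```python
import re
from decimal import Decimal

# Constructed sample logs for this example (not real store data).
# Tender log: what the register recorded taking from the customer.
TENDER_LOG = """\
2001-12-20T10:01:05 reg=03 cashier=417 txn=100231 type=giftcard_sale tendered=100.00
2001-12-20T10:14:40 reg=03 cashier=417 txn=100240 type=giftcard_sale tendered=50.00
2001-12-20T11:02:13 reg=01 cashier=122 txn=100301 type=giftcard_sale tendered=25.00
2001-12-20T11:05:50 reg=01 cashier=122 txn=100302 type=merchandise tendered=19.99
"""

# Activation log: what the card system actually loaded onto a card.
ACTIVATION_LOG = """\
2001-12-20T10:01:07 txn=100231 card=XXXXXXXXXXXX9246 loaded=50.00 cashier=417
2001-12-20T10:14:43 txn=100240 card=XXXXXXXXXXXX1180 loaded=50.00 cashier=417
2001-12-20T11:02:15 txn=100301 card=XXXXXXXXXXXX0034 loaded=25.00 cashier=122
2001-12-20T13:30:00 txn=100355 card=XXXXXXXXXXXX7781 loaded=150.00 cashier=417
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts (timestamp under 'ts')."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(KV.findall(rest))
        records.append(rec)
    return records


def reconcile(tender_text, activation_text):
    """Join activations to gift card tenders by transaction number and flag
    (a) loads smaller than the money taken and (b) loads with no sale at all."""
    tenders = {
        r["txn"]: r
        for r in parse_log(tender_text)
        if r.get("type") == "giftcard_sale"
    }
    findings = []
    for act in parse_log(activation_text):
        loaded = Decimal(act["loaded"])
        sale = tenders.get(act["txn"])
        if sale is None:
            findings.append({"txn": act["txn"], "cashier": act["cashier"],
                             "issue": "load_without_sale",
                             "tendered": Decimal("0.00"), "loaded": loaded})
        elif loaded < Decimal(sale["tendered"]):
            findings.append({"txn": act["txn"], "cashier": act["cashier"],
                             "issue": "short_load",
                             "tendered": Decimal(sale["tendered"]), "loaded": loaded})
    return findings


def by_cashier(findings):
    """Count findings per cashier so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["cashier"]] = counts.get(f["cashier"], 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(TENDER_LOG, ACTIVATION_LOG)
    for f in found:
        print("txn {txn} cashier {cashier}: {issue} (tendered {tendered}, loaded {loaded})".format(**f))
    print("per cashier:", by_cashier(found))
```

Run against the sample logs this flags transaction 100231 (customer paid 100.00, card loaded with 50.00) and 100355 (150.00 loaded with no sale), both under cashier 417; the honest transactions and the non-gift-card sale produce nothing.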
I knew someone (who has now gone into hiding, imagine that) who used the equipment he had purchased for making "test" DSS cards to alter dollar values of BP gas cards. He could alter any "smart" card with a DSS-like interface, and in this case he wasn't hijacking money, he was actually creating it.
These people are getting the ID numbers from gift cards and re-using them. That's really no different from the old dumpster-diving-for-credit-card-carbons scheme, it just uses a new medium. I suspect if you could figure out how these numbers are generated it would be easy to create a program that spared you the effort of opening up trash bags full of store receipts and old Starbucks coffee cups.
You can't get ahead of the bad guys, you can only hope to keep up with them. The thing is, if you're not constantly working to keep up with them, you've already fallen behind.
Get off my virtual lawn, you damned virtual kids!
As such a gift card is as vulnerable to theft as anything else in your wallet, this isn't even an subject to write about. Unless...
Didn't you notice that MSNBC wants you to go to the safest shopping mall around: MSN shopping online! Pretty assimilated with the rest of the page is this clear message. Now we know the reason of the fud. I wonder how much of this poison goes unnoticed.
--------
* Sigh *
I generally get a gift card or two each year, usually to one of the major bookstore chains here in the US. One thing I notice all the time is that if I have a $20 gift card and spend, say $17.45 I get the card back with $2.55 credit remaining. Care to speculate how many such cards are never fully redeemed? I buy a lot of books, so I use them up, but I'd be willing to bet that a not-insignificant percentage of these cards are never fully spent. Back when I used to get Gift Certificates any small change was usually (though not always) returned as cash. Not any longer...
"Melt the ice; eat the moose; drill the oil; get it over with." -Max Boot
So, a few comments:
Slow news day, plain and simple.
/*
well some noteworthy news... Ron Griffiths, the CIO of Home Depot who despised Microsoft quit. a new CEO came in, and the CIO up and quit cuz he didn't wanna stick around under the new CEO. don't be surprised to see all the wonderful Linux POS and non Microsoft Home Depot stuff get chucked out in favor of Microsoft deals and software.
Rumor is that there already was a deal with Microsoft to kill off those Linux POS registers.
at which point, you could just hack the register and not need to bother hacking the gift cards...
In order to alter these cards you need a magstripe reader. These are VERY expensive. And you also need to decode the gift card format. So this isn't a huge deal, maybe one or two gift cards will be forged in the whole world. So what.
Sorry, I meant writer. You can get a reader that hooks up to a PS2 port for about $10.
Starbucks never has Raktajino, so they'd deserve it! :^)
One line blog. I hear that they're called Twitters now.
From Dictionary.com:
escheat
n.
1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
2. Law.
a. Reversion of property to the state in the absence of legal heirs or claimants.
b. Property that has reverted to the state when no legal heirs or claimants exist.
Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search on "gift certificates escheating")
which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of having them be stored value / re-chargeable cards. the lack of escheating laws is also very good - less to report/track to the government, less money lost to the government when the cards fail to be used.
I was intrigued and I did a little searching to try and find the discussion group quoted in the article. None of my searches gave valid hits in newsgroups or otherwise, though I used their direct quote as the search term. In fact, the only hit I did get was to the MSNBC article in question.
Obviously, if this reporter is quoting it, it has to be a fairly open source. The author's reluctance for full disclosure leaves me concerned for my Christmas goodies but, despite providing good quotes that should have yielded links to complete information, I have no other options on obtaining the info I want. I don't want to hear conjecture about what store it might be, I want to hear what store is actually being targeted.
The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people whose gifts get stolen.
No one's blaming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer.
And if my mother had wheels she'd be a wagon.
That being said, that has never been the case and (IMHO) will never be the case, and people who deal in cash and goods need to be aware of this and deal appropriately.
You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customers' money or interest once they get theirs.
It's like the store saying "it's our policy to leave your money on the counter while you shop - but if someone takes it before we ring it up it's your problem not ours."
=tkk
Bill Gates - Creationist?!?
Lord of the cards ...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I still wonder why the US still has such an old-fashioned electronic payment system. e.g. Visa is probably one of the most insecure payment methods but is probably still the most popular in the US.
Here in Belgium (Europe) banksys [www.banksys.be] creates very secure payment cards (in cooperation with the guys who invented Rijndael). But with the upcoming Euro, Proton is becoming more and more popular. On that card, one can store up to 4000BEF (+- 100 Euros) pre-paid, and it is very secure.
Why doesn't the US adopt those systems?
I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
if the retailer in question is in fact Best Buy, then they outsource the gift cards to american express
time to check ebay and see what a small card reader will cost me!!!!!!!
"The company's name isn't being published to avoid giving criminals a too-easy target."
Right. Sure. Of course. After all, there couldn't possibly be any other reason for not mentioning the name, now could there? Of course not.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Mag stripes are notoriously easy to crax0r. Not so with chips. It would mean replacing a lot of infrastructure at retailers, and the gift cards would be a lot more expensive to produce, but ultimately it's a better and more secure system.
Anyone know if anyone's working on an open-source Smart Card Authentication system?
Knowledge is power. Knowledge shared is power multiplied.
Some banks issue ATM and credit cards with sequential or nearly sequential numbers, and they may not require activation for some of the cards. Someone getting a card can make a guess at the next numbers in the sequence and start charging. This is apparently what happened to a card I got when I opened a new account: before I had even opened the envelope, several thousand dollars were gone. Sometimes, the stupidity of some of those supposedly security-conscious money institutions is just amazing.
While going through college I also worked at a retailer using these cards. When they first came out, we had a problem with good ole social engineering being used to get store associates to add money to gift cards. Several schemes were used for example.
1) Gift card is legitimately purchased for a small amount.
2) Purchaser Calls the store
Store Service Desk) How can I help You?
Thief) This is So and so at the home office. We had an upset customer call because she bought a widget at your location which injured her (didn't work whatever) and we told her we would refund the value on her gift card. Please add $150 to card 6004 4300 1357 9246
Spend dough, wash, rinse, repeat at another store
Pff, and everyone said finding a card reader/writer would be expensive. If this is a magstripe reader/writer like it says it is, $200 and a few hours of programming some software and you are set.
heyitsme
ha ha, that must be embarrassing.
What would the stores do if you bought a Mag strip reader/encoder with the Gift Card you got?
I can just imagine.... Nothing.
There is absolutely no reason to panic.
So, how much do black-strip encoders and decoders go for?
How easy is this to start doing?
Here's what a gift card says:
If you're going to give a gift card, why not just give cash?
Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime.
That's one way of looking at it. Another is that it creates a lot of "crime" by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police have to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.
[Yeah,I get carried away. So what?]
your sig doesn't make a whole lot of sense. If he pressed Alt-F4 it would give a quit IRC message, not a left #slash message. now if you said Ctrl-F4 it might be the case.
An idea just came to me. I'm sure many of the triple-digit-IQ Slashdot readers would have already come up with this, but I'm sure the s'kiddies should have no idea. So, kids, here's how to steal video games, and oh so much more: A lot of the stores that offer these gift cards also accept them online, by just typing in the number. Do the same thing as noted in the article, but you need NO EQUIPMENT! Just type in the number and get the stuff shipped to a P.O. box! Brilliant! Wow, I've gotta try this (and immediately report the issue to the proper authorities, of course...)
Sleep: A completely inadequate substitute for caffeine.
"1) The customer was able to swipe BEFORE clerk was finished.
2) It was faster for most customers (esp. younger ones) to enter their PIN then it was to wait for a receipt to print, and then sign it."
This is the way I do it. As fast as paying cash. It's a time management issue really. Plus I also have an automatic record of all my expenditures without all the risk of carrying enough cash to satisfy my daily needs. Makes it easier to see where your money goes on a monthly as well as yearly basis. Lots of bookkeeping when using cash.
So the question remains. Who has the bigger scam? The retailer, or the thief.
Your answer is both good and simple. It's a shame Best Buy and others couldn't come up with it too.
This begs the question: Is there any legitimate excuse for retailers who have several months of planning to not address the same basic security issues you did in 5 minutes?
This lack of security is negligence, and I think corporations should be forced to pay damages when they issue products which ignore security so blatantly.
Whether it's Microsoft or Best Buy, consumers should have a right to believe that their product is secure in the same way that they have a right to believe their product is safe.
Personally, I think someone should file a class action suit against these companies. Corporations should be forced to pay punitive damages when they issue products that violate reasonable expectations of security.
He who refuses to do arithmetic is doomed to talk nonsense.
When it comes to brick and mortar shops though, I think someone should teach the merchants to actually look at the back of the card because so many of them are too lazy to even bother taking a glance.
Sorry if it isn't about gift cards, I thought this was a useful tip. My suggestion for gift cards though - give cold cash instead if you trust the recipient not to buy weed, unless your intent is otherwise. ;)
At this video store I worked in last year we had a slightly dated Interac machine that printed the account number AND exp date on a receipt.
So having one of these receipts was as good as having the credit card. Also, with one of these receipts one could determine the exp date on a bank card (the exp date is something arbitrary) and, with knowledge of the PIN, make purchases from an account without having the card present.
The funny thing is that people were always reluctant to let me see their credit card when creating an account. Yet these same people toss the receipts around or don't even take them.
If one was dishonest, it would be no trouble obtaining a customer PIN as 90% of people make no attempt to hide it, thinking their account is secure as long as they have the card. With a receipt and some equipment, a fake card could be produced that would work on Interac machines and possibly ATMs.
Many customers were amazed when I explained how insecure their credit is.
if it's been badly printed, or there is an error... is the customer responsible?
burn all gift cards, they don't make sense; they make good kindling