Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gift Card Hacking

Posted by CmdrTaco on from the where-do-I-swipe-it dept.

TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores. One retailer notes that the odds of this occuring are about at the level of being pickpocketed."

5 of 264 comments (clear)

  1. Re:Barnes and Noble. by Grimmtooth · · Score: 5, Informative
    The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.


    Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002.

    My company's ready. I wonder how many other POS vendors aren't? :-)

    At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too.

    Outside the US is not something I'm familiar with.
    --
    /* .sigs are irrelevant */
  2. Re:What are the odds by Chanc_Gorkon · · Score: 3, Informative

    Around here, the gift cards are just sitting by the register back by the candy (Meijer's and Walmart both did this). They were easy to get, even easier to swipe because they were just glued to the back of a bigger card. To swipe one, one would just have to drop a bunch of cards, and then while bent over, peel the card off the bigger card. Also, I don't know about Walmart, but Meijer's were all precharged. The UPC's on the bigger card were even all the same (probably something like 41250 *****, I used to work at Meijer and all Meijer Branded stuff including the gift cards start with the same 5 numbers.). Thing is most stores don't have the storage or available UPC's to give each card a separate UPC code (only way they could keep the cards as they have them and keep them deactivated until they are scanned). The only way I think they could make these things more safe is if you had to do what you used to do and go to Guest Services and buy the card and have the guest services folks charge a denomination on them by swiping the card. Most of the cards I have seen as of late all had how much money each card held printed right on the card! This was at every place I have been this season including even some of the nicer stores! Meijer did not even have cashier's type in a code or anything to activate them. They just swiped it and the appropriate figure was added to the total along with your groceries. This may have changed, but I agree with the article that it is easy. I doubt many would even have to have the card programmers to steal lots of cash.

    --

    Gorkman

  3. I hate nationally syndicated stupidity by Grimmtooth · · Score: 4, Informative
    By way of boda fides, I work for a POS (point of sale) vendor that just happens to support the processing of said gift / stored value cards. As a result I have had to become very familiar with the mechanics of the whole thing.

    So, a few comments:

    • Despite what MSNBC would tell you, Debit cards are not protected from theft by a lack of visible account number. Rather they are protected by encrypted PIN.
    • Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one :-)
    • The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me.
    • Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards.
    • Be aware that most gift card processors allow for the process of 'cashing out' the card. Provided the store allows, there's no reason that there would be unclaimed cash left on the card. Of course, those merchants that do NOT allow cash-out are the ones to be concerned with.


    Slow news day, plain and simple.
    --
    /* .sigs are irrelevant */
  4. Re:Whee by Col.+Klink+(retired) · · Score: 3, Informative

    I guess you missed the part where they returned the goods for cash...

    --

    -- Don't Tase me, bro!

  5. Re:Big Deal by Brian+Kendig · · Score: 3, Informative

    Let's hear you say that next time your girlfriend gives you a $50 gift card for your favorite electronics store, and when you go to use it, the store clerk tells you there's no balance left on the card. He also points to the small print on the card which says (as quoted from the article) "We cannot be responsible for funds used without your knowledge."

    The hackers aren't just inflating the value of the card -- they're re-encoding the card so that it represents a card that someone else bought. Sure, they're "exaggerating the value of the gift card," but by lowering the value of someone else's card.