Slashdot Mirror
Gift Card Hacking
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occuring are about at the level of being pickpocketed."
Being in the UK, and in a countryside area at that, I haven't heard of Gift Cards before. Here we stick to paper-based vouchers, or indeed, just to send cheques to people in christmas cards. At least if they are posted and stolen before they are delivered, then it becomes "interfereing with her majesty's post" (Seeing as it belongs to the crown etc etc etc) and can carry up to 10 years in prison. Mmm...handy that...
I am the breaker of Chairs!
>> pisses off customers and ruins loyalty.
In a nondisclosure situation, nobody's going to get pissed or be at risk of losing their job until a significant amount of money is already ripped off.
If, on the other hand, MSNBC ran a list of 'top ten shittiest gift card security offenders', this would impel an immediate change be made by those ten offenders, lest they incur huge losses in reputation .
25% Funny, 25% Insightful, 25% Informative, 25% Troll
>> Most smart managers want to fix a problem before it bites them.
>> At least that's how it'd work where I work.
In my experience, most companies operate on some variation of the Fight Club 'formula'. In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.
25% Funny, 25% Insightful, 25% Informative, 25% Troll
If law enforcement is able to crack down on pawn shops dealing in stolen goods, then in one fell swoop they've cut most of the profitability out from under bike theft, car breakins, home invasions, baggage theft (at airports, etc)...
Many police department have a pawn shop squad that regularly checks for stolen goods, primarily those with serial numbers.
There are many ways besides pawnshops to convert stolen goods: family, friends, neighbors, flee markets, black markets. There is a vast underground economy in stolen goods. It indicates that a high crime rate means there has to be a large number of otherwise honest people willing to break the law to get a good price on something.
My neighborhood computer store sells RAM at half the advertised discount retail price. It's probably stolen but I don't know for sure. The owner is a nice guy who works long hours, makes a modest living and makes minor repairs on my computer for free so why would I want to report him to the cops? He probably doesn't consider himself any more a criminal than the people he sells to.
Actually, I did a little study where in most cases a Debit card swiped by the customer (like a grocery store) is faster then any other payment method. My findings where that:
1) The customer was able to swipe BEFORE clerk was finished.
2) It was faster for most customers (esp. younger ones) to enter their PIN then it was to wait for a receipt to print, and then sign it.
3) Checks take forever (and are quite rude), and cash is pretty fast but many times there's an issue with change (either the person was digging around for exact change or they insisted on counting the change they got back - which is smart, but timely).
4) Debit cards became about the same speed as cash when the customer had to sign for it because there was no provision for entering their PIN.
5) Debit/Credit cards CAN be slower if the card they try doesn't work (duh!). Note: Quite frankly it seems that you don't have much of a clue over your personal finances if you don't know how close you are to your CC limit.
Cash is easier to steal, but I still welcome it over a check. Checks should be used for mailing payment to the phone company, not for your $35 groceries.
I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exhanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
most retailers are setup to deal with employee fraud. Next time you're in a big grocery store or department store look up above the register. you'll likely see camera pods/windows. If they are using a flat scan barcode reader there will also likely be a light that flashes each time an item is scanned.
This is designed to prevent "sweethearting" by employees. This is where and item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display. If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short.
That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves.
I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. tradition, IANAL.
alternatively, you can put "THIS CARD HAS BEEN STOLEN", they never fail to look then, and you usually get a laugh or a smile. they will sometimes blow off "See ID Please!", and they never look if you simply dont sign it.
schmoko.
I'm sure that whatever desk job you hold in the industry is a pretty junior one. One day you may discover the following about your own area of expertise.
1. Said gift cards are not always insecure. However, if you go to the largest retailers you can think of, get a few of each of their cards, and read them, you will discover that (a) one large retailer uses a 'secret code' which is added to the 15-digit PAN (BTW - another tip - digit 16 is a check digit) that gives you the number on the front of the card. (Remove the BIN first - ask your boss what that word means.) This means that you can reverse the process: observe the numbers in full view next time you go to said retailer, then you can whip up a new card yourself by simply subracting the secret code from the number printed on the face of the card. This entire technique is called 'eye skimming', and if it isn't a problem, then why the hell did banks stop printing the PAN on ATM receipts?
2. Phone cards have a scratch off PIN - bet you didn't notice, did you? Any idea why they are there? Right! To prevent eye skimming! In fact, the PIN is not even on the stripe - so you would need to, like, X-ray the card to get the PIN. Combine the difficulty of doing this with the fact that you'd have to sneak the cards out of the store and back in, plus the fact that they have limited value, and you see an emerging risk management model. Now, compare this with the other model: I can lift the value off a limitless amount of gift cards (and use some of that value to buy phone cards - if I want to), simply by eyeballing the cards on the shelf.
3. Reader / writer availability
I have an MSR206 (hi-co / lo-co [ask your boss]}, and AMC312 plus stacks of readers (including portable hand-helds - bet you didn't know those existed!). The most I've ever paid for an encoder is $400. There's a company in Dallas that sells MSR206 encoders for, I think, $700. The AMC312 requires Rencode (licensed - they want your real name etc.), but you can get it 'black market' from Canadian Bar Code with a fake name.
4. Some credit cards are as insecure as gift cards - some banks don't check CVC. It's easy to find out which ones (you probably know this if you're in the industry) by nudging a digit out of the stripe to see what happens at the point of sale: if the merchant calls the auth centre and hands the phone to you, the bank checks CVC. If the auth goes through in 2 seconds - successfully - they probably don't check CVC. If the auth goes through in a hundredth of a second, the merchant is standing in for the merchant. But who am I to tell you this - YOU'RE the expert!