Gift Card Hacking

← Back to Stories (view on slashdot.org)

Posted by CmdrTaco on Saturday December 29, 2001 @03:24AM from the where-do-I-swipe-it dept.

TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores. One retailer notes that the odds of this occuring are about at the level of being pickpocketed."

1 of 264 comments (clear)

Min score:

Reason:

Sort:

Not hard at all... by UserChrisCanter4 · 2001-12-29 06:17 · Score: 5, Interesting

I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.

I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:

We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").

My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exhanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.