Gift Card Hacking
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Theft happens all the time. Why is this news?
If security was doing their job, it wouldn't be such a problem.
gift cards want to be free!
Big deal - this is theft. Why does it get featured on ./ ? Because it involves something remotely technology related. Guess what - it's still stealing - this is no different than rummaging through an open cash register drawer.
Being in the UK, and in a countryside area at that, I haven't heard of Gift Cards before. Here we stick to paper-based vouchers, or indeed, just to send cheques to people in Christmas cards. At least if they are posted and stolen before they are delivered, then it becomes "interfering with her majesty's post" (Seeing as it belongs to the crown etc etc etc) and can carry up to 10 years in prison. Mmm...handy that...
I am the breaker of Chairs!
Interesting... after describing a company who is particularly lax in their security practices wrt the gift cards:
The company's name isn't being published to avoid giving criminals a too-easy target.
Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
So, after spending hundreds of dollars in equipment, casing the store and memorizing the numbers, your reward is:
Books!
Cans of Paint!
Socks!
The risk/reward here is pathetic. They would be better off stuffing things into their oversized coats during the holiday rush.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked:
When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.
Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.
Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.
--saint
I have worked in retail for many years and stores do not pay as much attention to gift cards as they should because they have no real value. They are like coins at amusement parks, they are only good at the respective stores. To put more money into safeguarding them, would destroy the supposed cost efficiency of these cards. Another point to consider is the switch from paper gift certificates. I believe that this was a much safer way to do business, but stores needed to "get with the times" and have a more electronic certificate. I guess this is one of those instances where advanced technology does not benefit us more than we think...
To get gift cards at Wal-Mart, you have to go to customer service and they take one out of a locked cabinet, charge it, and give it to you when you pay. At least, that's how it works at Wal-Marts in the southeast.
OK, OK... it holds the *potential* to be a problem- big deal. They cited NO actual examples of theft other than the money laundering example, and there are many easier ways of laundering money if you use your imagination.
There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!
There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.
What, me worry?
> Ten to one says it's Walmart
sounds about right, making them the microshaft of the retail world in security circles as well as business practices.
> they aren't mentioned in the article.
umm, not totally true. They are mentioned but only because of the $1/mo. charge on unused cards after a year
-- johnmc.
Most places I know of keep the gift cards at least out of sight, but if they were to keep them out in the open, well that would be sort of stupid, given the scenario.
heck, I even wonder about the telephone cards, which I never use. I would have to go to a store to look at one to see if they have visible numbers on them.
"It is a greater offense to steal men's labor, than their clothes"
Which is a good thing, because at the Walmart in my area "Customer Service" more closely resembles the customs area of an east-African country than a place where you go to get helped.
They sit right out in the open at the Wal-mart in Windsor, Ontario. Just hanging there in the checkout aisle begging to be taken.
Tells you something about:
A) Honesty of Canadians.
B) Trusting nature of Canadians.
or C) Intelligence of Canadians.
I'll let you pick
AWG
You think that I'm crazy, you should see this guy!
Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?
Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash.
Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs. It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop.
Sounds to me more like target. I'd have to go look at the gift cards, but from everything they're stating in the article, it sounds like target. If it's not target, walmart would be my next guess.
An easy way out would be to put two account numbers with every card. One is printed on the card and is used for the 1-800 number to check the balance. The other number could be on the magnetic strip and be used to redeem the card. All that's left is to watch for shoplifters.
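The two suggestions above (a PIN held only in the store's computer, and a printed balance-inquiry number kept separate from the redemption credential on the magstripe) can be modelled together. The following is an added example written for this page; it is not code from the thread or from any retailer's system, and the card number, PIN and amounts are constructed. The point it makes: the printed number alone, which is what a pickpocket or dumpster-diver gets, can only query a balance; spending requires the stripe credential plus a PIN that is stored server-side as a salted hash and never appears on the card.

```python
# Added example: server-side gift-card ledger with a separate printed
# lookup number, a stripe-only redemption token and a server-held PIN.
# All names, numbers and amounts are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


@dataclass
class GiftCard:
    lookup_number: str      # printed on the card; good only for balance inquiries
    redemption_token: str   # encoded only on the magstripe, never printed
    pin_hash: bytes         # salted PBKDF2 hash of the PIN chosen at activation
    salt: bytes
    balance_cents: int = 0
    active: bool = False    # no value until activated at the register


class GiftCardLedger:
    """The store's back-end ledger; the card itself carries no balance."""

    def __init__(self) -> None:
        self._by_lookup: dict[str, GiftCard] = {}
        self._by_token: dict[str, GiftCard] = {}

    def issue(self, lookup_number: str) -> GiftCard:
        """Create an inactive card for the rack. Stealing it yields nothing."""
        token = secrets.token_hex(16)
        card = GiftCard(lookup_number, token, b"", b"")
        self._by_lookup[lookup_number] = card
        self._by_token[token] = card
        return card

    def activate(self, lookup_number: str, amount_cents: int, pin: str) -> None:
        """Done at purchase: load value and record the hashed PIN server-side."""
        card = self._by_lookup[lookup_number]
        card.salt = secrets.token_bytes(16)
        card.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), card.salt, PBKDF2_ROUNDS)
        card.balance_cents = amount_cents
        card.active = True

    def balance(self, lookup_number: str) -> int:
        """What the 1-800 balance line would answer: read-only, printed number suffices."""
        card = self._by_lookup.get(lookup_number)
        return card.balance_cents if card is not None and card.active else 0

    def redeem(self, redemption_token: str, pin: str, amount_cents: int) -> bool:
        """Spend value: requires the stripe token AND the PIN, not the printed number."""
        card = self._by_token.get(redemption_token)
        if card is None or not card.active:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), card.salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, card.pin_hash):
            return False
        if amount_cents <= 0 or amount_cents > card.balance_cents:
            return False
        card.balance_cents -= amount_cents
        return True


if __name__ == "__main__":
    ledger = GiftCardLedger()
    card = ledger.issue("700000000001")          # constructed card number
    ledger.activate("700000000001", 5000, "4821")  # $50.00, constructed PIN
    print("balance via printed number:", ledger.balance("700000000001"))
    print("redeem with printed number only:", ledger.redeem("700000000001", "4821", 100))
    print("redeem with stripe token + PIN:", ledger.redeem(card.redemption_token, "4821", 1745))
    print("remaining:", ledger.balance("700000000001"))
```

Two design notes: the lookup number is deliberately useless for spending, so the number copied off a rack card or a discarded receipt exposes at most the balance, and the PIN is compared with `hmac.compare_digest` against a salted hash so that a leaked ledger does not hand out PINs. Resetting a PIN would still need a separate, well-guarded procedure, as the comment above points out.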
I can see why the retailers don't really care. If someone forges a paper gift certificate and redeems it, the store is out the money. The thieves are just printing money.
But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
-- Don't Tase me, bro!
this had occurred to me some time ago when i saw the ramping-up of these things. i think it kinda started with best buy and spread from there. now every major retailer has them.
one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."
if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.
also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
the shrink numbers on these things must be fantastic!
yeah. i've been preaching this for a while. but some of the same problems go for credit cards. the credit card companies have yet to fix their system (to one using cards with little displays and public key encryption), for something like
user's card has a secret. the user also has a secret. then the merchant gives the user a transaction time (or number, or something that changes periodically), the balance, and the merchant identifier. then these are hashed together to give an "authorization number" which the user then uses as a signature. you've got the same physical theft problem (if the user writes down their secret), but you always have that.
why don't the companies implement this? too much of a pain in the ass to change all of their infrastructure. if my card is used fraudulently, i will never pay the first $50 or whatever because of these reasons. it is their negligence.
this would be harder to do with gift cards, but would still be feasible using asymmetric cryptography, and some sort of electronic 'gift card wallet'. or you just don't allow consumers to play with the cards until they actually buy one, instead of the stores thinking it's "cool" to just have them sitting there, because they're not activated until you buy them!
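The scheme sketched above (card secret plus user secret, hashed together with a merchant-supplied changing value, the amount and the merchant identifier to produce a per-transaction authorization number) is essentially a keyed MAC over the transaction details. The example below is added for this page and is not the commenter's code; it uses an HMAC with a shared key rather than the public-key scheme the comment also mentions, and the issuer, merchant id and secrets are constructed. It shows why the design holds up: the issuer recomputes the code, a replayed code is rejected because the merchant nonce was already seen, a changed amount no longer matches, and a card without the user's secret cannot form the key.

```python
# Added example: per-transaction authorization code derived from a card
# secret and a user secret, bound to merchant, amount and a fresh nonce.
# Issuer, secrets and merchant identifiers are constructed for illustration.
import hashlib
import hmac
import secrets


def derive_key(card_secret: bytes, user_secret: str) -> bytes:
    """Both secrets are needed; a stolen card alone does not yield the key."""
    return hashlib.sha256(card_secret + b"|" + user_secret.encode()).digest()


def authorization_code(key: bytes, merchant_id: str, amount_cents: int, nonce: str) -> str:
    """The 'signature' the user hands the merchant for this one transaction."""
    msg = f"{merchant_id}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """The card issuer: holds the secrets and remembers which nonces it has honoured."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[bytes, str]] = {}
        self._seen: set[tuple[str, str]] = set()

    def enroll(self, card_id: str, user_secret: str) -> bytes:
        card_secret = secrets.token_bytes(32)
        self._cards[card_id] = (card_secret, user_secret)
        return card_secret  # would be written into the card's tamper-resistant store

    def verify(self, card_id: str, merchant_id: str, amount_cents: int,
               nonce: str, code: str) -> bool:
        if card_id not in self._cards:
            return False
        if (card_id, nonce) in self._seen:
            return False  # replay of an already-authorized transaction
        card_secret, user_secret = self._cards[card_id]
        expected = authorization_code(derive_key(card_secret, user_secret),
                                      merchant_id, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return False
        self._seen.add((card_id, nonce))
        return True


def run_demo() -> dict:
    """Exercise the honest path and three failure cases; returns the outcomes."""
    issuer = Issuer()
    card_secret = issuer.enroll("card-001", "7391")   # "7391" is the user's memorised secret (constructed)
    key = derive_key(card_secret, "7391")
    merchant = "MERCHANT-42"
    results = {}

    # Honest transaction: merchant supplies a fresh nonce, user computes the code.
    nonce1 = "txn-000017"
    code1 = authorization_code(key, merchant, 1745, nonce1)
    results["honest"] = issuer.verify("card-001", merchant, 1745, nonce1, code1)

    # Replay: the same code presented again is refused.
    results["replay"] = issuer.verify("card-001", merchant, 1745, nonce1, code1)

    # Tampered amount: the merchant (or a man-in-the-middle) claims a bigger sale.
    nonce2 = "txn-000018"
    code2 = authorization_code(key, merchant, 1745, nonce2)
    results["tampered_amount"] = issuer.verify("card-001", merchant, 9999, nonce2, code2)

    # Stolen card, guessed user secret: wrong key, so the code does not verify.
    nonce3 = "txn-000019"
    code3 = authorization_code(derive_key(card_secret, "0000"), merchant, 1745, nonce3)
    results["wrong_user_secret"] = issuer.verify("card-001", merchant, 1745, nonce3, code3)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'authorized' if ok else 'rejected'}")
```

The nonce here is a merchant transaction counter; a timestamp works the same way provided the issuer tracks what it has already honoured within the validity window, which is the piece a "something that changes periodically" scheme needs to get right.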
You still need to reprogram the magnetic strip of a similar card for everything to work (assuming magnetic and not bar code cards).
The stereotypical "pickpocket" they mention ain't likely to have tools like that.
Remember what we did before all these plastic cards and shit came out? That's right...we went to the bank and took out pieces of paper with numbers printed on them and the words: this note is legal tender printed across the bottom...and we got along just fine. Wanna give someone an impersonal gift because you can't think of what to give them or can't be bothered shopping...put a couple of these pieces of paper in an envelope and give it to them! Need to send it through the mail? Write a cheque or get a money order! I don't even like using my ATM card for purchases...I prefer withdrawing the cash and paying with that and nothing pisses me off more than having some dingbat in line in front of me trying card after card and none of them seem to work (especially the express lane at the grocery store, which is supposed to be cash only!). I especially love it when once in a while I encounter a merchant that's flirting with the idea of no longer accepting cash payments..."Uh, what part of this note is legal tender don't you understand?"
No...those pre-loaded "gift cards" are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your "policy" not to give out the balance left over on the card in cash...)
You're using her as bait, Master!
I knew someone (who has now gone into hiding, imagine that) who used the equipment he had purchased for making "test" DSS cards to alter dollar values of BP gas cards. He could alter any "smart" card with a DSS-like interface, and in this case he wasn't hijacking money, he was actually creating it.
These people are getting the ID numbers from gift cards and re-using them. That's really no different from the old dumpster-diving-for-credit-card-carbons scheme, it just uses a new medium. I suspect if you could figure out how these numbers are generated it would be easy to create a program that spared you the effort of opening up trash bags full of store receipts and old Starbucks coffee cups.
You can't get ahead of the bad guys, you can only hope to keep up with them. The thing is, if you're not constantly working to keep up with them, you've already fallen behind.
Get off my virtual lawn, you damned virtual kids!
Got news for you: I'm in the Midwest U.S., and Sam's Club (the wholesale side of WalMart) does the same thing.
No country has a hammerlock on stupidity - it's so plentiful!
As such a gift card is as vulnerable to theft as anything else in your wallet, this isn't even an subject to write about. Unless...
Didn't you notice that MSNBC wants you to go to the safest shopping mall around: MSN shopping online! Pretty assimilated with the rest of the page is this clear message. Now we know the reason of the fud. I wonder how much of this poison goes unnoticed.
--------
* Sigh *
Damn, I thought that we held the record. Wanna count again, on a per capita basis this time?
AWG
4 out of 5 dentists think that the fifth one is a real jackass!
You think that I'm crazy, you should see this guy!
I generally get a gift card or two each year, usually to one of the major bookstore chains here in the US. One thing I notice all the time is that if I have a $20 gift card and spend, say $17.45 I get the card back with $2.55 credit remaining. Care to speculate how many such cards are never fully redeemed? I buy a lot of books, so I use them up, but I'd be willing to bet that a not-insignificant percentage of these cards are never fully spent. Back when I used to get Gift Certificates any small change was usually (though not always) returned as cash. Not any longer...
"Melt the ice; eat the moose; drill the oil; get it over with." -Max Boot
So, a few comments:
Slow news day, plain and simple.
/*
well some noteworthy news... Ron Griffiths, the CIO of Home Depot who despised Microsoft quit. a new CEO came in, and the CIO up and quit cuz he didn't wanna stick around under the new CEO. don't be surprised to see all the wonderful Linux POS and non Microsoft Home Depot stuff get chucked out in favor of Microsoft deals and software.
Rumor is that there already was a deal with Microsoft to kill off those Linux POS registers.
at which point, you could just hack the register and not need to bother hacking the gift cards...
Starbucks never has Raktajino, so they'd deserve it! :^)
One line blog. I hear that they're called Twitters now.
From Dictionary.com:
escheat (ĭs-chēt′)
n.
1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
2. Law.
a. Reversion of property to the state in the absence of legal heirs or claimants.
b. Property that has reverted to the state when no legal heirs or claimants exist.
Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search on "gift certificates escheating")
which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of having them be stored value / rechargeable cards. the lack of escheating laws is also very good - less to report/ track to the government, less money lost to the government when the cards fail to be used.
The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people whose gifts get stolen.
No one's blaming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer.
And if my mother had wheels she'd be a wagon.
That being said, that has never been the case and (IMHO) will never be the case, and people who deal in cash and goods need to be aware of this and deal with it appropriately.
You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customers' money or interest once they get theirs.
It's like the store saying "it's our policy to leave your money on the counter while you shop - but if someone takes it before we ring it up it's your problem not ours."
=tkk
Bill Gates - Creationist?!?
Lord of the cards ...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I still wonder why the US still has such an old-fashioned electronic payment system. e.g. Visa is probably one of the most insecure payment methods but is probably still the most popular in the US.
Here in Belgium (Europe) banksys [www.banksys.be] creates very secure payment-cards (in cooperation with the guys who invented Rijndael). But with the upcoming Euro, Proton is becoming more and more popular. On that card, one can store up to 4000 BEF (+- 100 Euros) pre-paid, and it is very secure.
Why doesn't the US adopt those systems?
I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
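The comment above describes the loss-prevention side: purchases over $100 carry a phone number and address, the system tags anyone redeeming an unusual volume of gift cards, and each card's digits are tied to the store it was shipped to. The following is an added example of that kind of detection logic, written for this page and not taken from any retailer's system; the transaction records, card numbers, store ids and thresholds are all constructed. It flags a single transaction paid with an unusual number of cards (like the stack of twenty $50 cards mentioned), a customer phone number that accumulates too many card redemptions across the log, and a batch of cards that were all issued to one store but redeemed at another.

```python
# Added example: loss-prevention rules over a constructed gift-card
# redemption log. Records, numbers, stores and thresholds are made up.
from collections import Counter

# Constructed sample log: each transaction lists the gift cards tendered.
SAMPLE_TRANSACTIONS = [
    {"id": "T1001", "store": "S101", "phone": "555-0100",
     "gift_cards": [{"number": f"2000010000{i:02d}", "issuing_store": "S101", "amount": 5000}
                    for i in range(20)]},            # twenty $50 cards in one sale
    {"id": "T1002", "store": "S101", "phone": "555-0101",
     "gift_cards": [{"number": "200002000001", "issuing_store": "S101", "amount": 2500}]},
    {"id": "T1003", "store": "S205", "phone": "555-0102",
     "gift_cards": [{"number": f"2000030000{i:02d}", "issuing_store": "S101", "amount": 5000}
                    for i in range(4)]},             # all four cards shipped to S101, redeemed at S205
    {"id": "T1004", "store": "S205", "phone": "",   # under $100: no phone collected
     "gift_cards": []},
]


def flag_gift_card_redemptions(transactions, max_cards_per_txn=5, max_cards_per_phone=8):
    """Return (subject, rule, detail) alerts for Loss Prevention to review."""
    alerts = []
    cards_per_phone = Counter()

    for txn in transactions:
        cards = txn["gift_cards"]
        n = len(cards)

        # Rule 1: one sale paid with an unusual number of cards.
        if n > max_cards_per_txn:
            alerts.append((txn["id"], "many_cards_in_one_txn", n))

        # Rule 2: a batch of cards all issued to a different store than where redeemed.
        foreign = [c for c in cards if c["issuing_store"] != txn["store"]]
        if n > 1 and len(foreign) == n:
            alerts.append((txn["id"], "bulk_cards_from_other_store", foreign[0]["issuing_store"]))

        # Accumulate per-customer volume where a phone number was collected.
        if txn["phone"]:
            cards_per_phone[txn["phone"]] += n

    # Rule 3: one customer identity redeeming many cards across transactions.
    for phone, n in cards_per_phone.items():
        if n > max_cards_per_phone:
            alerts.append((phone, "many_cards_per_customer", n))

    return alerts


if __name__ == "__main__":
    for subject, rule, detail in flag_gift_card_redemptions(SAMPLE_TRANSACTIONS):
        print(f"{subject}: {rule} ({detail})")
```

The issuing-store rule is the one that turns a volume alert into an investigation lead: if the cards being redeemed in bulk were all shipped to one location, that location's activation records are where to look for the employee the comment describes as "hooking" people up.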
"The company's name isn't being published to avoid giving criminals a too-easy target."
Right. Sure. Of course. After all, there couldn't possibly be any other reason for not mentioning the name, now could there? Of course not.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Having worked for Wal-Mart a few years back, you are welcome to steal as many of those gift cards as you want.... they do you no good unless you are going to change the mag strip to match another customer's card... There is no money associated with that card until you run through the register and have them "activated." I used to use them all the time as gas at the gas station in the back of the parking lot was cheaper if you used a Wal-Mart gift card.
Mag stripes are notoriously easy to crax0r. Not so with chips. It would mean replacing a lot of infrastructure at retailers, and the gift cards would be a lot more expensive to produce, but ultimately it's a better and more secure system.
Anyone know if anyone's working on an open-source Smart Card Authentication system?
Knowledge is power. Knowledge shared is power multiplied.
Some banks issue ATM and credit cards with sequential or nearly sequential numbers, and they may not require activation for some of the cards. Someone getting a card can make a guess at the next numbers in the sequence and start charging. This is apparently what happened to a card I got when I opened a new account: before I had even opened the envelope, several thousand dollars were gone. Sometimes, the stupidity of some of those supposedly security-conscious money institutions is just amazing.
"In order to alter these cards you need a magstripe [writer]. These are VERY expensive."
I'm confident that I could build one with $100 worth of parts.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
most retailers are set up to deal with employee fraud. Next time you're in a big grocery store or department store look up above the register. you'll likely see camera pods/windows. If they are using a flat scan barcode reader there will also likely be a light that flashes each time an item is scanned.
This is designed to prevent "sweethearting" by employees. This is where an item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display. If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short.
Best Buy is not legally allowed to check your bag against your receipt if you refuse to allow them, by the way. Legally speaking, after you leave the register, everything in your bag is yours, and if they honestly want you searched, they must detain you and call the police to do the search.
Seriously, how can you believe that the $7 an hour clerk at best buy has the authority to do "guilty until proven innocent" searches on everyone in the store, routinely?
While going through college I also worked at a retailer using these cards. When they first came out, we had a problem with good ole social engineering being used to get store associates to add money to gift cards. Several schemes were used, for example:
1) Gift card is legitimately purchased for a small amount.
2) Purchaser Calls the store
Store Service Desk) How can I help You?
Thief) This is So and so at the home office. We had an upset customer call because she bought a widget at your location which injured her (didn't work whatever) and we told her we would refund the value on her gift card. Please add $150 to card 6004 4300 1357 9246
Spend dough, wash, rinse, repeat at another store
"they do you no good unless you are going to change the mag strip to match another customers card."
Right. Like the article says people are doing. Remember the article? The one you read before...oh.
Writers imply. Readers infer.
That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves.
I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. tradition, IANAL.
> Sounds to me more like target.
:)
Hmmm... I think that the Target gift cards use barcodes instead of mag stripes. I'd check the one I gave my wife for Christmas but she redeemed and tossed it as soon as the store re-opened
-- johnmc.
It's called a receipt, genius. Whatever got loaded onto the card will show up on the receipt.
There is absolutely no reason to panic.
Here's what a gift card says:
If you're going to give a gift card, why not just give cash?
Uhh...did you even think to read the article?
Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime.
That's one way of looking at it. Another is that it creates a lot of "crime" by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police has to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.
[Yeah,I get carried away. So what?]
An idea just came to me. I'm sure many of the triple-digit-IQ Slashdot readers would have already come up with this, but I'm sure the s'kiddies would have no idea. So, kids, here's how to steal video games, and oh so much more: A lot of the stores that offer these gift cards also accept them online, by just typing in the number. Do the same thing as noted in the article, but you need NO EQUIPMENT! Just type in the number and get the stuff shipped to a P.O. box! Brilliant! Wow, I've gotta try this (and immediately report the issue to the proper authorities, of course...)
Sleep: A completely inadequate substitute for caffeine.
Your answer is both good and simple. It's a shame Best Buy and others couldn't come up with it too.
This begs the question: Is there any legitimate excuse for retailers who have several months of planning to not address the same basic security issues you did in 5 minutes?
This lack of security is negligence, and I think corporations should be forced to pay damages when they issue products which ignore security so blatantly.
Whether it's Microsoft or Best Buy, consumers should have a right to believe that their product is secure in the same way that they have a right to believe their product is safe.
Personally, I think someone should file a class action suit against these companies. Corporations should be forced to pay punitive damages when they issue products that violate reasonable expectations of security.
He who refuses to do arithmetic is doomed to talk nonsense.
When it comes to brick and mortar shops though, I think someone should teach the merchants to actually look at the back of the card because so many of them are too lazy to even bother taking a glance.
Sorry if it isn't about gift cards, I thought this was a useful tip. My suggestion for gift cards though - give cold cash instead if you trust the recipient not to buy weed, unless your intent is otherwise. ;)
At this video store I worked in last year we had a slightly dated Interac machine that printed the account number AND exp date on a receipt.
So having one of these receipts was as good as having the credit card. Also, with one of these receipts one could determine the exp date on a bank card (the exp date is something arbitrary) and, with knowledge of the PIN, make purchases from an account without having the card present.
The funny thing is that people were always reluctant to let me see their credit card when creating an account. Yet these same people toss the receipts around or don't even take them.
If one was dishonest, it would be no trouble obtaining a customer PIN as 90% of people make no attempt to hide it, thinking their account is secure as long as they have the card. With a receipt and some equipment, a fake card could be produced that would work on Interac machines and possibly ATMs.
Many customers were amazed when I explained how insecure their credit is.
I've always wondered about the bag searches here in Australia. All they get you to do is open up your bag so they can peer inside -- if your backpack happens to have three or four compartments, they're not going to check them all, coz it would take too much time if they had to do that with every Joe that came along. I suspect that a determined thief could easily hide something small and valuable in a backpack, and pass the usual cursory inspections.
So I figure, the "please present your bag for inspection" thing is more of a token gesture than anything really.
Simply allowing you access to the store does not amount to consideration for a contract, especially one you haven't signed.
Considering the Australian Consumer Commission (the organisation that watches out for consumer rights) has stated that condition of entry signs do have merit, I would hope you have some form of evidence that your claim is correct. Lacking evidence to the contrary, I am very much inclined to believe the ACC as opposed to a random /. comment. Others should obviously seek proper legal advice on the matter.
Shrinkwrap licenses are invalid because you don't see them until after the purchase. If they showed you the license at the counter and told you "by purchasing this product you indicate that you accept the terms of this contract," it would almost certainly be valid.
Aren't we cute. Why yes, I read the article, but I was trying to clarify for the poster I was replying to that the cards that were, as he put it, "begging to be taken" were not piles of money waiting to be claimed. And they would actually have to put some effort into making the cards useful. And the fact that they are just lying there is no more a problem than the fact that they could get the cards legit and recode them after spending the $2 they put on them.
And if you have a problem with me trying to help out the reader which I replied to, without being a jackass and pointing out that had he read the article, the fact that they were just laying out did you no good, then you can well.. lick my balls.