Gift Card Hacking
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Being in the UK, and in a countryside area at that, I haven't heard of Gift Cards before. Here we stick to paper-based vouchers, or indeed, just to send cheques to people in Christmas cards. At least if they are posted and stolen before they are delivered, then it becomes "interfering with her majesty's post" (Seeing as it belongs to the crown etc etc etc) and can carry up to 10 years in prison. Mmm...handy that...
I am the breaker of Chairs!
Interesting... after describing a company who is particularly lax in their security practices wrt the gift cards:
The company's name isn't being published to avoid giving criminals a too-easy target.
Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
25% Funny, 25% Insightful, 25% Informative, 25% Troll
So, after spending hundreds of dollars in equipment, casing the store and memorizing the numbers, your reward is:
Books!
Cans of Paint!
Socks!
The risk/reward here is pathetic. They would be better off stuffing things into their oversized coats during the holiday rush.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
Why didn't I think of that?
Now I can get everything on my Christmas list and screw over a horde of people during the holiday season! Isn't technology great, even when it's old technology...
You think that I'm crazy, you should see this guy!
I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked:
When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.
Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.
Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.
--saint
OK, OK... it holds the *potential* to be a problem- big deal. They cited NO actual examples of theft other than the money laundering example, and there are many easier ways of laundering money if you use your imagination.
There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!
There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.
What, me worry?
They sit right out in the open at the Wal-mart in Windsor, Ontario. Just hanging there in the checkout aisle begging to be taken.
Tells you something about:
A) Honesty of Canadians.
B) Trusting nature of Canadians.
or C) Intelligence of Canadians.
I'll let you pick
AWG
You think that I'm crazy, you should see this guy!
Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?
Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash.
Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs. It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop.
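The server-side PIN scheme proposed in the comment above, sketched as an added example that is not part of the original thread or any retailer's system. The class name, result strings, three-attempt lockout and sample card numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, not taken from the thread


class GiftCardLedger:
    """Hypothetical store back end: the number on the card is never enough."""

    def __init__(self):
        self._cards = {}  # card_number -> record held only on the store computer

    @staticmethod
    def _hash(pin, salt):
        # A 6-digit PIN has little entropy, so hashing only limits casual
        # disclosure; the attempt lockout below is the real control.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def activate(self, card_number, amount_cents):
        """Run by the register at sale time. Returns the PIN for the buyer's
        receipt; it is never written to the card or its packaging."""
        if card_number in self._cards:
            raise ValueError("card already activated")
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._cards[card_number] = {
            "salt": salt,
            "pin_hash": self._hash(pin, salt),
            "balance": amount_cents,
            "failures": 0,
        }
        return pin

    def balance(self, card_number):
        return self._cards[card_number]["balance"]

    def redeem(self, card_number, pin, amount_cents):
        """Returns 'ok', 'not_activated', 'locked', 'bad_pin' or
        'insufficient_funds'."""
        card = self._cards.get(card_number)
        if card is None:
            return "not_activated"  # a card lifted from the rack is worthless
        if card["failures"] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # deliberately no self-service PIN reset
        if not hmac.compare_digest(self._hash(pin, card["salt"]), card["pin_hash"]):
            card["failures"] += 1
            return "bad_pin"
        card["failures"] = 0
        if amount_cents <= 0 or amount_cents > card["balance"]:
            return "insufficient_funds"
        card["balance"] -= amount_cents
        return "ok"


if __name__ == "__main__":
    ledger = GiftCardLedger()
    pin = ledger.activate("000000000001", 5000)  # constructed card number
    print(ledger.redeem("000000000002", "123456", 100))  # never sold
    print(ledger.redeem("000000000001", pin, 2000), ledger.balance("000000000001"))
```

A copied magstripe or a receipt that carries only the account number fails at the PIN check, and the lockout means the six-digit PIN cannot simply be guessed at the register.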
I can see why the retailers don't really care. If someone forges a paper gift certificate and redeems it, the store is out the money. The thieves are just printing money.
But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
-- Don't Tase me, bro!
this had occurred to me some time ago when i saw the ramping-up of these things. i think it kinda started with best buy and spread from there. now every major retailer has them.
one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."
if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.
also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
the shrink numbers on these things must be fantastic!
If security was doing their job, it wouldn't be such a problem.
No, if people had some sense of ethics this wouldn't be a problem. Why does every security lapse mentioned on /. get blamed on the victims? Yes, they made a mistake. Yes, there are ways to counteract it. But the way blame is constantly shifted away from the actual criminals here is sickening.
Remember what we did before all these plastic cards and shit came out? That's right...we went to the bank and took out pieces of paper with numbers printed on them and the words: this note is legal tender printed across the bottom...and we got along just fine. Wanna give someone an impersonal gift because you can't think of what to give them or can't be bothered shopping...put a couple of these pieces of paper in an envelope and give it to them! Need to send it through the mail? Write cheque or get a money order! I don't even like using my ATM card for purchases...I prefer withdrawing the cash and paying with that and nothing pisses me off more than having some dingbat in line in front of me trying card after card and none of them seem to work (especially the express lane at the grocery store, which is supposed to be cash only!). I especially love it when once in a while I encounter a merchant that's flirting with the idea of no longer accepting cash payments..."Uh, what part of this note is legal tender don't you understand?"
No...those pre-loaded "gift cards" are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your "policy" not to give out the balance left over on the card in cash...)
You're using her as bait, Master!
Around here, the gift cards are just sitting by the register back by the candy (Meijer's and Walmart both did this). They were easy to get, even easier to swipe because they were just glued to the back of a bigger card. To swipe one, one would just have to drop a bunch of cards, and then while bent over, peel the card off the bigger card. Also, I don't know about Walmart, but Meijer's were all precharged. The UPC's on the bigger card were even all the same (probably something like 41250 *****, I used to work at Meijer and all Meijer Branded stuff including the gift cards start with the same 5 numbers.). Thing is most stores don't have the storage or available UPC's to give each card a separate UPC code (only way they could keep the cards as they have them and keep them deactivated until they are scanned). The only way I think they could make these things more safe is if you had to do what you used to do and go to Guest Services and buy the card and have the guest services folks charge a denomination on them by swiping the card. Most of the cards I have seen as of late all had how much money each card held printed right on the card! This was at every place I have been this season including even some of the nicer stores! Meijer did not even have cashiers type in a code or anything to activate them. They just swiped it and the appropriate figure was added to the total along with your groceries. This may have changed, but I agree with the article that it is easy. I doubt many would even have to have the card programmers to steal lots of cash.
Gorkman
So, a few comments:
Slow news day, plain and simple.
Let's hear you say that next time your girlfriend gives you a $50 gift card for your favorite electronics store, and when you go to use it, the store clerk tells you there's no balance left on the card. He also points to the small print on the card which says (as quoted from the article) "We cannot be responsible for funds used without your knowledge."
The hackers aren't just inflating the value of the card -- they're re-encoding the card so that it represents a card that someone else bought. Sure, they're "exaggerating the value of the gift card," but by lowering the value of someone else's card.
I don't know about Meijer's, but at my K-Mart (and, as far as I know, at Wal-Mart) you have to put money on the card when you buy it. Until then, it's simply empty. I scan the card, enter the amount, slide it through my credit card reader, then blammo, that card has money on it (or at least it does after the customer pays)--but not before. Someone could come along and take all the cards we had on the shelf--but none of them would be worth anything. It's the same for the long distance phone cards that hang along the impulse buying lanes--they have to be swiped through the register to activate them.
But even so, when I was checking out at a Wal-Mart a few months back, buying a $10 gift card because of their gas pump system that gave you a cheaper rate if you bought with a gift card, the checker said they'd had to move all their gift cards to one single island, because people kept stealing them. Yes, she said, they were valueless until they were activated, but people seemed to keep stealing them anyway. Go figure, eh?
Editor Emeritus and Senior Writer, TeleRead.org
Starbucks never has Raktajino, so they'd deserve it! :^)
One line blog. I hear that they're called Twitters now.
From Dictionary.com:
escheat (s-cht)
n.
1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
2. Law.
a. Reversion of property to the state in the absence of legal heirs or claimants.
b. Property that has reverted to the state when no legal heirs or claimants exist.
Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search on "gift certificates escheating")
which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of having them be stored value / rechargeable cards. the lack of escheating laws is also very good - less to report/ track to the government, less money lost to the government when the cards fail to be used.
The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people whose gifts get stolen.
No one's blaming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer.
And if my mother had wheels she'd be a wagon.
That being said that has never been the case and (IMHO) will never be the case and people who deal in cash and goods need to be aware of this and deal appropriately.
You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customer's money or interest once they get theirs.
It's like the store saying "it's our policy to leave your money on the counter while you shop - but if someone takes it before we ring it up it's your problem not ours."
=tkk
Bill Gates - Creationist?!?
Crime and criminals have been with us from the beginning and will be with us until the end. Most people are honest, but there will always be a small minority that aren't. There's not much point in wringing one's hands over this fact and whining about "people not having some sense of ethics".
In this case the victims aren't the retailers, the potential victims are those who purchase the gift cards. Blaming the retailers for not taking adequate precautions against the theft of the funds in question isn't a case of "blaming the victim" (the person buying the gift card who has every right to assume that the vendor takes reasonable security precautions).
It makes perfect sense to blame vendors who don't take adequate precautions to protect their customers from theft. Remember that the customer can be ripped off even if they keep the card secured in Fort Knox, in other words the customer can't do a damned thing (short of not buying the product) to protect the card, only the vendor.
And also keep in mind that simple security measures are available that greatly increase the safety of the card, and the article points out a few retailers who implement such measures. Those who don't are fair game for criticism, IMO.
I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
A lot more now :)
Your walmart sells gas?
Some banks issue ATM and credit cards with sequential or nearly sequential numbers, and they may not require activation for some of the cards. Someone getting a card can make a guess at the next numbers in the sequence and start charging. This is apparently what happened to a card I got when I opened a new account: before I had even opened the envelope, several thousand dollars were gone. Sometimes, the stupidity of some of those supposedly security-conscious money institutions is just amazing.
most retailers are set up to deal with employee fraud. Next time you're in a big grocery store or department store look up above the register. you'll likely see camera pods/windows. If they are using a flat scan barcode reader there will also likely be a light that flashes each time an item is scanned.
This is designed to prevent "sweethearting" by employees. This is where an item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display. If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short.
Best buy is not legally allowed to check your bag against your receipt if you refuse to allow them, by the way. Legally speaking, after you leave the register, everything in your bag is yours, and if they honestly want you searched, they must detain you and call the police to do the search.
Seriously, how can you believe that the $7 an hour clerk at best buy has the authority to do "guilty until proven innocent" searches on everyone in the store, routinely?
That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves.
I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. tradition, IANAL.
So what happens when you walk into a store and your gift card crashes?
XML is like violence. If it doesn't solve the problem, use more.
There is absolutely no reason to panic.
Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime.
That's one way of looking at it. Another is that it creates a lot of "crime" by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police has to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.
[Yeah,I get carried away. So what?]
Actually I checked out the cards today. It appears that Meijer changed their cards and they have to be rung and a code typed into the register to be activated. Must have had the problem I described above. So, you would have to have a card reprogrammer in order to steal off of the card. I think the article did describe how it could happen. It could still happen. It's just not very likely. I think the article raises some concerns, but nothing the average customer should worry about.
Gorkman
If you write See ID on the signature line of your card and try to use it at any Post Office, it will be rejected. Cards must technically be signed to be valid.
Profanity - The sign of a small mind trying to express itself.