Slashdot Mirror


Gift Card Hacking

TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores. One retailer notes that the odds of this occurring are about at the level of being pickpocketed."

8 of 264 comments

  1. Barnes and Noble. by saintlupus · · Score: 5, Insightful

    I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked:

    When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.

    Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.

    Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.

    --saint

    1. Re:Barnes and Noble. by Grimmtooth · · Score: 5, Informative
      The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.


      Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002.

      My company's ready. I wonder how many other POS vendors aren't? :-)

      At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too.

      Outside the US is not something I'm familiar with.
      --
      /* .sigs are irrelevant */
    2. Re:Barnes and Noble. by JordanH · · Score: 5, Insightful

      Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?

      I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?

      A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully. It's a real convenience to have this reference information on a receipt, and I imagine there's a good business case for having the gift card number on the receipt as well. Makes it easier to bring the card back and get it worked out if the magstrip goes bad, for example.

      What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.

      Oh, never mind, most people with a public school education have been trained not to think for so long now that any arguments are useless. OK, I give up... What we NEED is for these gift cards to be implanted in a chip in your wrist so you don't accidentally throw them away. That's the law we REALLY need.

  2. HA! by BiggestPOS · · Score: 5, Funny
    According to the Tyler Morning Telegraph, teen-agers used a similar method for using gift cards to steal money from an electronics retailer in Tyler, Texas last December.

    I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.

    --
    What, me worry?
  3. Re:Wonder which LARGE retailer it could be? by Angry White Guy · · Score: 5, Funny

    They sit right out in the open at the Wal-mart in Windsor, Ontario. Just hanging there in the checkout aisle begging to be taken.

    Tells you something about:
    A) Honesty of Canadians.
    B) Trusting nature of Canadians.
    or C) Intelligence of Canadians.

    I'll let you pick

    AWG

    --
    You think that I'm crazy, you should see this guy!
  4. Why they don't care by Col. Klink (retired) · · Score: 5, Insightful

    I can see why the retailers don't really care. If someone forges a paper gift certificate and redeems it, the store is out the money. The thieves are just printing money.

    But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.

    --

    -- Don't Tase me, bro!

  5. Not hard at all... by UserChrisCanter4 · · Score: 5, Interesting

    I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.

    I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:

    We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").

    My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
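
The loss-prevention tagging described in the comment above, sketched as an added example that is not part of the original post or of any retailer's system: it totals gift-card tender per customer record and groups a flagged customer's cards by issuing store. The record layout, the thresholds, the sample data and the "first four digits are the store code" rule are all assumptions made for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: (customer_phone, card_number, amount_tendered).
# Assumption: the first 4 digits of the 12-digit card number are the store code.
TENDERS = [("555-0101", f"0042{n:08d}", "50.00") for n in range(1, 21)]
TENDERS += [
    ("555-0199", "001700000003", "25.00"),
    ("555-0199", "004200000099", "50.00"),
]

TOTAL_LIMIT = Decimal("500.00")  # assumed review threshold per customer
CARD_LIMIT = 5                   # assumed limit on distinct cards per customer


def flag_customers(tenders, total_limit=TOTAL_LIMIT, card_limit=CARD_LIMIT):
    """Return {phone: [reasons]} for customers with unusual gift-card tender."""
    totals = defaultdict(Decimal)
    cards = defaultdict(set)
    for phone, card, amount in tenders:
        totals[phone] += Decimal(amount)
        cards[phone].add(card)
    flagged = {}
    for phone, total in totals.items():
        reasons = []
        if total > total_limit:
            reasons.append(f"gift-card tender {total} exceeds {total_limit}")
        if len(cards[phone]) > card_limit:
            reasons.append(f"{len(cards[phone])} distinct cards redeemed")
        if reasons:
            flagged[phone] = reasons
    return flagged


def cards_by_issuing_store(tenders, phone):
    """Count one customer's distinct cards per issuing-store prefix."""
    counts = defaultdict(int)
    for card in {c for p, c, _ in tenders if p == phone}:
        counts[card[:4]] += 1
    return dict(counts)


if __name__ == "__main__":
    for phone, reasons in flag_customers(TENDERS).items():
        print(phone, reasons, cards_by_issuing_store(TENDERS, phone))
```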

  6. Re:What are the odds by SCHecklerX · · Score: 5, Funny
    What are the odds of something like this actually happening? How many thieves are there out there with the technical know how to pull this off, compared to the public at large?

    A lot more now :)