Walmart Stored Value Cards Compromised
morcheeba writes "It appears that Walmart's pre-paid gift cards have been hacked. Customers are buying cards and finding that criminals have already emptied them of value. It seems someone has access to Walmart's database and/or registration data, and can create clones of recently activated cards. (via engadget)"
More and more stores are selling cards with no value displayed on them. When you buy one it is blank and the person at the register adds both activation information and the value at the time the card is purchased.
A key example of this is how the Starbucks cards work. You can choose to put $10 on it, or $100, or $8.13 or whatever. It runs down, you just add more funds to it much like a debit card.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Actually, in Washington State it is now illegal for companies to skim ANYTHING off of a gift card for any reason, and the balance can NEVER expire.
I know a little bit about Wal-Mart's Networking layout.
Your typical store has at least 6 sets of switches: UPC office (where the servers are kept), GM (General Merchandise), GRC (Grocery), Garden Center, PICS (in the Electronics Department), and Receiving. These switches are laid out into at least 3 VLANs: POS, Non-POS, and Wireless. By default, the POS VLANs are set to ports 1-12 on the switch. The switches are connected by a fiber backbone that usually involves two separate physical routes...so if one is cut, the other will be able to pick up the load. They're concentrated to some Cisco routers, and it'll go out either a 56K modem line or a T1 line, using a Hughes Satellite link as a backup.
You've got your usual mixture of IBM Cash register controllers (CC and DD), what they call their "SMART" system (I think it's running a flavor of AIX), BOSS (Best Optical Selling System), MMS (Multi-Media Server, runs the Wal-mart TV Network), and a few others.
It's trivial to get into a UPC office to gain access to these things. Most stores don't check IDs, let alone work orders. Default passwords are commonplace ("ma5t3r", "9052/9052" and the like), and it's very easy to get an employee to log in for you if needed. WalMart keeps printed logs of just about every transaction that is created, as well as in electronic form.
If it were an inside job (which I doubt, knowing the intellect of most Wal-Mart workers. Do you want to be the squiggly?), all someone would have to do is gain access to the UPC office, bring yer good ole' hub, a WAP, and voila....no one would ever notice (usually because there are boxes stacked in the UPC offices, and well, no one really has a clue to what really needs to be in there, anyway).
(Posted AC to protect my job)
I'm pretty sure the case wasn't publicised by Walm*rt. I can't think of a single benefit they'd get by announcing to the world "our gift card customers are getting screwed." This was made public by an annoyed customer who went to her local TV station, and the reporter did a bit more digging (just like they're supposed to!).
John
There are two Walmarts "near" me. One is 20 miles to the north, the other is 15 miles to the south. They are the two closest "department" store operations near me, although I can drive 30 miles or so east to a Sears. I can't see how either of the Walmarts has put anyone out of business. There were no department stores here before Walmart; now, there are still none, but the Walmarts are at least within a day's drive. Walmart does not have a very large selection in some areas, particularly computers. What they do have represents good "value", with no-names at the low end and HPs and Compaqs at the "high" end. For online 3D game-play you probably need something a bit better than you are going to find at Walmart (in the stores at least; their mail-order selection is better). For what I do with a computer most of the time (web, email, photo and music collection, etc.), these mid-range computers (some of which are available without the Microsoft tax) are more than adequate. For me and other people in my situation you are not going to get us to feel guilty for going to Walmart, so you might as well stop trying. You shop wherever you want to, and I'll do the same.
Um.... such gift cards appear to be a form of debit card (and in some cases are exactly that), and would to my casual glance be prosecutable as fraud, and investigated by the Secret Service.
//Information does not want to be free; it wants to breed.
Not only that, but if you've ever looked up at a Walmart, you'll notice they have about a 1:1 ratio of black bubbles to checkout lanes. I'd dare to say every square inch of the store is under surveillance. The database should give them a time the card was used and at which register. They'd just need to find a camera that was pointing in that vicinity.
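Carrying the register-and-time correlation in the comment above one step further, here is an added example (not from the post, and not Walmart's code) of the check a loss-prevention analyst could run over a card transaction journal: it flags cards whose full balance is redeemed at a different store within hours of activation, which is how a cloned card shows up in the data, and maps both registers to the cameras covering them. The journal, store numbers and camera map are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transaction journal (not real Walmart data).
# Columns: card, event, ISO timestamp, store, register, amount.
JOURNAL = """\
card,event,time,store,register,amount
C1001,activate,2005-12-20T10:05:00,0412,7,50.00
C1001,redeem,2005-12-21T09:40:00,0987,3,50.00
C1001,redeem,2005-12-24T15:12:00,0412,12,20.00
C1002,activate,2005-12-20T10:07:00,0412,7,25.00
C1002,redeem,2005-12-27T11:00:00,0412,4,25.00
C1003,activate,2005-12-20T10:09:00,0412,7,100.00
C1003,redeem,2005-12-20T18:30:00,0650,9,100.00
"""

# Assumed (store, register) -> overhead camera ids; a real deployment would
# take this from the store's loss-prevention camera map.
CAMERAS = {
    ("0412", 7): ["cam-0412-fe03"],
    ("0987", 3): ["cam-0987-fe01", "cam-0987-fe02"],
    ("0650", 9): ["cam-0650-fe05"],
}

def parse_journal(text):
    """Turn the CSV journal into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        card, event, ts, store, reg, amt = line.split(",")
        rows.append({"card": card, "event": event, "store": store,
                     "register": int(reg), "amount": float(amt),
                     "time": datetime.fromisoformat(ts)})
    return rows

def flag_cloned_cards(rows, window=timedelta(hours=48)):
    """A cloned card shows up as the full balance being redeemed at a
    different store shortly after activation. For each such card, return
    the activation and draining events plus the cameras to pull."""
    by_card = defaultdict(list)
    for r in rows:
        by_card[r["card"]].append(r)
    hits = []
    for card, events in sorted(by_card.items()):
        events.sort(key=lambda r: r["time"])
        act = next((e for e in events if e["event"] == "activate"), None)
        if act is None:
            continue
        for e in events:
            if (e["event"] == "redeem" and e["store"] != act["store"]
                    and e["time"] - act["time"] <= window
                    and e["amount"] >= act["amount"]):
                cams = {"activation": CAMERAS.get((act["store"], act["register"]), []),
                        "drain": CAMERAS.get((e["store"], e["register"]), [])}
                hits.append({"card": card, "activated": act, "drained": e,
                             "cameras": cams})
                break  # one finding per card is enough to open a case
    return hits
```

Run on the sample, C1001 and C1003 are flagged (drained at another store within a day of activation) while C1002, spent a week later at the activating store, is not.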
That is untrue. They only start to deduct a buck a month after 24 months of non-activity. So you still have 15 months yet until you start to lose your Christmas gift.
There's no point in being grown up if you can't be childish sometimes. -- Dr. Who
I'd dare to say every square inch of the store is under surveillance.
I'd say about 100 square feet of the store is under surveillance...
You see 20 registers and 20 black bubbles...
2 of those have cameras...
1 might be recorded...
there's probably someone watching them only on a very high volume weekend.
I worked in a wal-mart for a number of years, the bubbles are to scare people, like the "security tag detectors" on the doors...
Uh, yeah... that wasn't in the original article. Tami bought it for her church group, not for her transsexual group.
"Never attribute to malice that which can be adequately explained by stupidity." -- Hanlon's Razor
People have the right to form a union if they want to. If you don't like unions then don't join them. It's not anyone else's problem. Despite complaints from people about unions (including my own personal experience), their presence is better than their absence. We've already seen what happens when we don't have the right to form unions.
How can you be "anti-competitive"? I don't know what you mean, mind explaining?
Do you know anything about predatory pricing, discriminatory pricing, and display fees? I didn't think so or you wouldn't be posting.
I have no experiences with the discriminatory behavior, so I can't really comment much on your final statement. In my area, there are more women working in Wal*Mart than there are men, so I don't know how true your statement is in terms of the entire company. Your area may have problems, but I would link that more to the poor managerial staff, and not Wal*Mart in general. But as I said, I don't have experience with that, so I can't comment much.
First of all, the CEO must ultimately take responsibility for the company. In fact CEOs have been arrested for offenses committed by their managers or even salespeople, usually as a result of health-code violations. Walmart also has a responsibility as a company to provide for a fair and non-discriminatory work environment, and they haven't done that. Maybe you missed the news when Walmart had a class action lawsuit against them for discriminatory behaviour, concerning the lack of women who received promotions. Next time you are in a Walmart take a look at what positions the women usually hold as compared to the men.
Time makes more converts than reason
Unfortunately for WalMart, this is NOT true. Uncashed gift certificates are typically subject to escheat laws -- meaning that if they haven't been used in some period of time (two years in some states), the money must be given _to the state_.
The only thing they have going for them is the interest they can raise on the uncashed cards. (Except in states not subject to escheat law.)
If you're not living on the edge, you're just taking up space!
Wal-Mart's gift cards work like debit cards, with magnetic stripes you swipe at the credit card machine. It then subtracts the balance from the amount stored in the "account"; you can re-add money to this card at any point and use it over and over again. Several Walmarts have associated gas stations where you can use this card at the pump and get a discount also.
Then you buy one coffee with it, and it's empty again :)
The greatest thing (for the company) about those Starbucks "debit-style" cards is that people who are putting their money in them by charging them up are effectively combining their money and giving Starbucks a big cash loan that Starbucks can keep in the bank and make interest from until you eventually use them. So they get your money AND all of the interest made from your money. Keep the cash in your own account and keep your interest as well.
Great business technique.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
I can say that most of these folks have their heads well stuffed up their asses around security.
Most of the technical requirements are made up on the spot by demanding retailers that do pre-load value on as yet unactivated cards. Activation is often as simple as the first swipe(!), and they rely on standard loss prevention and inventory control in the store to prevent theft, as any other models for dealing with these types of inventories are completely beyond them.
Of course, we've been all too happy to go along with that, as long as their money is green.
Then of course there are the implementation details on the backend, and we've been losing data continually on the system we have here, due to plenty of design flaws and a serious rush-to-market. It's truly frightening what an afterthought security and data integrity is with these people.
All I can say is don't buy your stored value solution from any company that ends in "stone" or "rock"!
AC so I don't lose my job, bla bla
Since I do work there, it is interesting how much information they divulge at meetings. I am also allowed into their server rooms, which I don't think I (or anyone without proper security clearance) should be allowed in, since there should be some physical security to the boxes. It humors me to see the servers. In a hot room with box fans on the servers to keep them from overheating. VERY INEFFICIENT. There is no A/C in the room where the servers are at my location and sometimes the store pretty much shuts down due to them overheating. Back to the subject, it does sound like an inside job. I don't know what the security is like at the home office (Bentonville, AR) but if it is anything like the store I work at, it is pathetic.
Check it out, it works http://www.
It's because they're confused -- "Walm*rt" is actually Wal*Mart. Don't blame them for not actually looking it up themselves, they're just sheep.
The Ezine Directory
"Careful legal planning can potentially reduce the risk of gift certificates becoming abandoned property. Incorporating the issuer of the gift certificate in a state that exempts gift certificates from its escheat can reduce liability since the state of incorporation is often the relevant state for determining escheat liability...Under Idaho law, gift certificates with an expiration date prominently displayed on their face will not be deemed abandoned."
Amazon.com states here that "Amazon.com gift certificates are issued and sold by A2Z Gift Certificates, Inc., an Idaho corporation. The risk of loss and title for gift certificates pass to the purchaser upon our electronic transmission to the recipient or delivery to the carrier, whichever is applicable."
Best Buy and Home Depot didn't even bother encrypting theirs some time ago. I imagine nowadays store managers aren't so technically inept to allow that to happen now, but then, we are talking about Walmart...
Remember that 100BASE-TX over Cat 5 Ethernet is rated only for a max of 150 meters per segment. If you've got to run further than that (and going up into ceilings, around ducts, etc., makes for a long run quickly) you need some kind of hardware to act as a repeater, be it a router, switch, hub, or booster. Those cost big money, since not only do you have to buy them, you have to install them, and you have to power them from their own electrical outlet, which also costs lots of money to install. You also have to pay to maintain them with service contracts, monitoring software, payroll costs, etc., which means that even a simple repeater ends up costing roughly the same as a full blown 24-port switch, while giving you only 1/24th the value.
The cheapest solution is to put a router and fiber switch at your building's service entrance. Run the fiber to a closet in each corner of the building, and in each closet put a switch. Then you can run the final wires from the closets to your devices over cat 5.
This eliminates "random repeaters" hanging unmaintainably in the ceilings. Fiber is high capacity, and unaffected by EM interference generated by other devices in the building, such as HVAC systems or lighting ballasts, and is well suited to the long portions of the runs.
10 years ago, if you were in a Walm*rt or other big retailer, chances are the wiring was completely different. IBM POS systems at the time used a "store loop" system, running over shielded two-twisted-pairs. Those runs were rated for 2000 feet, but I know of some installations that pushed them as high as 4000 feet. While it was a loop topology designed to run from register to register, for maintenance reasons many retailers found it simpler to run individual lines from a central switch panel (typically an Autoshunt device.) With 2000 foot cable lengths, this is possible, where the 300-375 foot cat 5 is not. NCR used a "Starlan" network topology, again all wires were brought back to a central closet. And Siemens Nixdorf ran yet another proprietary serial network in a hub-and-spoke topology through boxes called "star boxes".
It wasn't until the adoption of ordinary PCs as cash registers that ethernet caught on in the retail world. And since ethernet cards were way cheaper than token ring cards (no IBM tax) and far, far cheaper than store loop cards (for the proprietary register networking), ethernet was adopted on price alone even though other networking alternatives had their attractions.
While it may seem more complicated today, you should have tried to troubleshoot problems with any of those other "networking" technologies. The IBMs, in particular, acted a lot like a really slow token ring loop, and could talk only in one direction. Confuse just one computer, and the whole loop failed. Break two computers, and now none of the computers can even tell you where the break occurred anymore. Also, you have to train technicians on all the magic diagnostic commands, the electricians on the funny wiring requirements, and you have to have special software running on special hardware with a special OS; whereas Ethernet is just Ethernet. And everybody knows Ethernet, which means service contracts and support staff just got way cheaper, too.
John
The SMART systems come in two varieties; the NCR version runs AIX and the HP version runs HP-UX.
The SmartSystem root passwords are always some lame number-substituted common word like G3or6e or Fr3e6ird, they're always the same at every store in the country (though they change every couple weeks) and they give everyone at the ISD the root password.
Regarding switches:
Garden Center is GDC. Receiving is RCV. You forgot Tire & Lube Express, which is TLE.
Regarding VLANs:
The new wireless network that's been rolled out to some stores (the one that uses Symbol access points and the new Symbol CSM handhelds) has two VLANs to itself, 140 and 40. The access points are on VLAN 140, and nothing else is on that VLAN except for the AirBeamSafe units. The AirBeamSafe units have two ports, one to VLAN 140 and one to VLAN 40. There's also a port configured on UPC-1 and UPC-2 to VLAN 40 that's connected to the store's routers; and then the router connects VLAN 40 (and, indirectly, VLAN 140 through the ABS) to the rest of the network.
If anybody wants to try to accomplish anything by going through their wireless network, go ahead, but based on my knowledge of how the wireless network is connected to the rest, it's not going to be simple.
(Posting anonymously even though I don't have that job anymore)
You'd think that their needs would be simple enough to just run cable drops all throughout the store to one central location.
As I mentioned in another reply, Wal-Mart's maximum distance for twisted-pair cable runs is 325 feet. There really is no "central location" to put switches that everything would be within 325 feet of. The center of the store is reserved for merchandise and wouldn't really be a good place to put a huge bank of critical switches. All the switches are around the periphery.
Network devices:
1. Front-line registers.
2. Wireless access points, mounted throughout the store and run to the closest switch.
3. WYSE terminals at customer service & elsewhere.
4. Outlying registers, i.e. electronics, sporting goods, housewares, etc.
5. Back-of-store stuff, including layaway systems, managers' computers, more dumb terminals, a training lab, etc.
6. Time clocks.
7. Produce scales.
8. All the servers & stuff in the UPC office.
9. Other things I'm not remembering.
All connections between the switches are fiber (except for a couple of crossover cables between switches in the same set) and are redundant; all sets of switches connect back to the UPC office but also to one other set of switches for redundancy.
It's not Wal-Mart's maximum... it's copper Ethernet's maximum. http://www.duxcw.com/faq/network/cablng.htm