Walmart Stored Value Cards Compromised
morcheeba writes "It appears that Walmart's pre-paid gift cards have been hacked. Customers are buying cards and finding that criminals have already emptied them of value. It seems someone has access to Walmart's database and/or registration data, and can create clones of recently activated cards. (via engadget)"
More and more stores are selling cards with no value displayed on them. When you buy one it is blank and the person at the register adds both activation information and the value at the time the card is purchased.
A key example of this is how the Starbucks cards work. You can choose to put $10 on it, or $100, or $8.13 or whatever. It runs down, you just add more funds to it much like a debit card.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
I know a little bit about Wal-Mart's Networking layout.
Your typical store has at least 6 sets of switches: UPC office (where the servers are kept), GM (general Merchandise), GRC (Grocery), Garden Center, PICS (In the electronics Department), and Receiving. These switches are laid out into at least 3 vlans: POS, Non POS, and Wireless. By Default, the POS vlans are set to ports 1-12 on the switch. The switches are connected by a fiber backbone that usually involves two separate physical routes...so if one is cut, the other will be able to pick up the load. They're concentrated to some Cisco routers, and it'll go out either a 56K modem line or a T1 line, using a Hughes Satellite link as a backup.
You've got your usual mixture of IBM Cash register controllers (CC and DD), what they call their "SMART" system (I think it's running a flavor of AIX), BOSS (Best Optical Selling System), MMS (Multi-Media Server, runs the Wal-mart TV Network), and a few others.
It's trivial to get into a UPC office to gain access to these things. Most stores don't check ID's, let alone work orders. Default passwords are commonplace ("ma5t3r", "9052/9052" and the like), and it's very easy to get an employee to Log in for you if needed. WalMart keeps printed logs of just about every transaction that is created, as well as in electronic form.
If it were an inside job (which I doubt knowing the intellect of most Wal-Mart Workers. Do you want to be the squiggly?), all someone would have to do is gain access to the UPC office, bring yer good ole' hub, a WAP, and voilà....no one would ever notice (usually because there are boxes stacked in the UPC offices, and well, no one really has a clue to what really needs to be in there, anyway).
(Posted AC to protect my job)
I'm pretty sure the case wasn't publicised by Walm*rt. I can't think of a single benefit they'd get by announcing to the world "our gift card customers are getting screwed." This was made public by an annoyed customer who went to her local TV station, and the reporter did a bit more digging (just like they're supposed to!)
John
Um.... such Gift Cards appear to be a form of Debit card (and in some cases are exactly that), and would to my casual glance be prosecutable as fraud, and investigated by the Secret Service.
//Information does not want to be free; it wants to breed.
I'd dare to say every square inch of the store is under surveillance.
I'd say about 100 square feet of the store is under surveillance...
You see 20 registers and 20 black bubbles...
2 of those have cameras...
1 might be recorded...
there's probably someone watching them only on a very high volume weekend.
I worked in a wal-mart for a number of years, the bubbles are to scare people, like the "security tag detectors" on the doors...
Unfortunately for WalMart, this is NOT true. Uncashed gift certificates are typically subject to escheat laws -- meaning that if they haven't been used in some period of time (two years in some states), the money must be given _to the state_.
The only thing they have going for them is the interest they can raise on the uncashed cards. (Except in states not subject to escheat law.)
If you're not living on the edge, you're just taking up space!
Then you buy one coffee with it, and it's empty again :)
The greatest thing (for the company) about those Starbucks "debit-style" cards is that people who are putting their money in them by charging them up, are effectively combining their money and giving Starbucks a big cash loan that Starbucks can keep in the bank and make interest from until you eventually use them. So they get your money AND all of the interest made from your money. Keep the cash in your own account and keep your interest as well.
Great business technique.
N.
"Nothing strengthens authority so much as silence." - Charles de Gaulle