Slashdot Mirror


Walmart Stored Value Cards Compromised

morcheeba writes "It appears that Walmart's pre-paid gift cards have been hacked. Customers are buying cards and finding that criminals have already emptied them of value. It seems someone has access to Walmart's database and/or registration data, and can create clones of recently activated cards. (via engadget)"

12 of 450 comments

  1. I think it's an inside job by plover · · Score: 4, Interesting
    This has to be someone hacking from the inside of Walm*rt. Maybe not an employee, but it sure looks like someone is inside their network.

    First, look at how gift cards work. Many retailers use the model where their gift card records in their database are created upon activation. This means they don't even ask the manufacturers for a list of "cards printed"; they simply direct the manufacturer to produce "a million cards in this number sequence, label them $20," that sort of thing. The value is added when the record is created at issuance. I'm assuming Walm*rt is operating in a similar fashion.

    It's theoretically safe, because a shoplifted card isn't redeemable. The cards never actually "store" their value, all the value is located only in the database (more correctly, the value is in the ability to redeem from the database.)

    So, if someone is redeeming the cards in a distant state just hours after issuance, they're doing it by sniffing the data real-time, somewhere on the inside of Walm*rt's systems. The article implies that the thief knows when the card is issued, and cashes it in within hours. Cashing the cards in distant states implies network access to at least run the scam (although that may be an email to a conspirator.) The fact that the victims were located in different states implies the perpetrators either have central access to the database involved, or have access to the POS systems that are selling and activating the cards.

    The points of access are numerous. This could be happening in the POS registers, the store POS servers, the networking gear, the central authorizing servers, the central sales logging servers, or the database. It could be someone in their security group looking at electronic journals on-line. It could be a hacker in the parking lot with 802.11 gear telnetting to any of the above equipment, emailing card info to his buddies. The redemption is probably being done via "forged" cards, which might be as simple as printing a barcode on a sticker, covering the existing barcode, and then keeping the cards after redeeming them to hide the evidence. A smart thief would redeem $149 on a $150 card to keep the card with the $1 balance on it in his pocket.

    That's a lot of ground to cover for their investigators. Given their M.O. I can think of a few traps they can set to catch these guys, but they're probably going to take time to implement. And with the high probability of an inside job, who do you trust in their systems end to help you catch the bad guys?

    --
    John
    1. Re:I think it's an inside job by jkeyes · · Score: 4, Interesting

      That wouldn't work because the card serial numbers have the golden stuff you have to scratch off with your fingernail.

    2. Re:I think it's an inside job by CodeMaster · · Score: 4, Interesting

      Don't overrule smart "consumers". As you pointed out, they simply direct the manufacturer to produce "a million cards in this number sequence". The numbers ARE sequential (to some degree - they do need to pass some mod10 check or alike - not too different than credit cards), which means - you only need one card number, and then a way to check the status of other numbers (available online). To redeem at store - get hold of a mag stripe writer and just use the same card (nicely branded) with your new numbers.

      Also - many retailers have the cards just lying around the store - flip them over and if you are lucky (B&N, Borders, CVS, etc...) the card number is just there. Write it down, and wait for someone to activate it (buy it). The rest is up to you.

      Again - all you have to do is be an observant shopper - what do the cards look like, are they sequential, is the card number covered with a scratch-off (better security), etc... Because most of these gift cards ride on the Visa/MC/AMEX networks, they have to conform to these rules, thus have easily guessable numbers, stupid PIN numbers etc...

      Just my $0.02

      get a free ipod! This really works... Only one GMAil invite left!...

    3. Re:I think it's an inside job by AsnFkr · · Score: 5, Interesting

      I know how this is being done; our local Walmart had a big problem with this over the last holiday, and after some investigation they figured out how it was being done. Here's the know-how:

      Quick background:
      -None of the "amount data" is stored on the gift card. It's all server side, interfaced by the cash registers when swiped. All the card has is a unique ID number to identify itself to the register when swiped.

      -The cards used have credit card type stripes on the back, easily readable by *many* cheap swipe readers. http://www.barcodediscount.com/cats/credit-card-readers/ You can also buy rather cheap swipe formatters/programmers with a quick google.

      -The cards are also sold on shelves that anyone can get to, and they are on cardboard backing packaging where it is *very* easy to just bend the package and have full access to swiping the card.

      The procedure:
      -First the criminal buys a bunch of cards for the lowest possible amount. I think this is $5. They now have valid cards.

      -Next the criminal takes a small credit card swiper into the store, grabs a handful of the cards and swipes a ton of them, storing the card info into memory on the device or a small laptop/PDA in their pocket or purse. Then they place the cards back on the shelf and go home.

      -They go home and use the numbers they have taken from cards at the store and program them over the valid $5 card they had bought.

      -A few days later, under the assumption that the cards they had copied have been legitimately sold and not yet used, they go into the store with their copies and use them. All it takes to verify the card is working is to find a stupid wal-mart drone and ask them to scan it and tell you the worth of the card. As far as the cash register system is concerned the card is valid because it has a valid ID number. If it comes back with more than $5 on the card available for spending, the criminal wins. Spend the card and go on their way.

      -Now when the actual owner of the card comes in it will appear to have been spent, as its ID number is the same as the one the criminal used, even though the card itself technically has not been used.

      It's rather ingenious actually, and works best at Xmas. You scan cards on the 15th to 23rd, assuming they will be activated and you will have a few days until they are spent (at least until the 25th) as they are popular Xmas gifts. It's also hard but not impossible to track the criminal, as you have to find the time of the transaction and dig up video of the transaction taking place...and most walmarts have rather shoddy video quality at the registers, but the chances of getting caught in the act are slim and none. But if you do it, don't be surprised if cops show up at your door a week later. Snoogins.

  2. I think this has been going on for a while... by Anonymous Coward · · Score: 5, Interesting

    I remember reading a while back that one of the major retailers, possibly walmart had gift cards with sequential serial numbers, stored on the magstripe in plaintext, so anyone with a card reader/writer can easily change the id stored on the gift card.

    There's an 800 number you can call to find out the card's balance, so it just takes a little time and guesswork to find a card number with a balance on it.

  3. Re:What't the penalty for this? by gl4ss · · Score: 4, Interesting

    * It's probably not illegal. If walmart wants to sell snapple bottlecaps for $20 and accept them in their store to buy $20, it's not anyone's problem if their scheme doesn't work as intended.*

    Where do you live, in a fairytale world where comic book legal logic prevails? Of course it's illegal, probably goes under fraud too and depending on how it was done maybe some misuse of power or illegal telecommunications interception.

    Or perhaps you say that stolen calling cards are legal to use as well and that it's legal to use credit card numbers you found from google? And that shoplifting is legal if you just manage to get out of the store? And that hacking into a bank is legal since they put their computer on the internet and you only used public protocols? Sorry, but that kind of logic only gets you in jail, where you'd belong if you did those things.

    --
    world was created 5 seconds before this post as it is.
  4. Or system error... by plover · · Score: 4, Interesting
    Yeah, I know replying to yourself is bad karma, but I just thought of another possibility: system error.

    Walm*rt may have an error in their central authorizing servers that's "confusing" redemption replies. Imagine a server that accepts requests from tens of thousands of different registers (probably a mainframe.) All those responses have to go back to the place they came from. What if a response was corrupted and an approval went back to a wrong register?

    Or what if a request was corrupted? What if some stack corruption in their register changed a 12345 into a 22345, and they just happened to match a card issued elsewhere?

    Or, what if the manufacturers screwed up and printed duplicate serial numbers on the backs of a batch of cards? Jane Doe goes to buy a card, but that serial number was already purchased by John Smith in a different state. If Jane's purchase request was made "offline", the card would be given to her immediately, but the card activation would have to be made after she left. Now, if Jane redeems her card, she uses John's value. Walm*rt would have no way to go back to Jane to say "Sorry, we gave you a bad card."

    For these scenarios to work with a card being cashed within hours of being issued seems highly unlikely until you remember one thing: Walm*rt operates over 8000 stores, with probably over 200,000 POS registers, each of which is cranking through perhaps two or three hundred transactions a day. When you start factoring in just how many transactions might be corrupted, having a couple of "unlikely" coincidences seems more like a statistical certainty than a random chance.

    --
    John
  5. Not to interrupt your OT Walmart rant... by Chordonblue · · Score: 4, Interesting

    But, what's wrong with China changing its laws to better support their own people? If you are seriously suggesting that we stop using Chinese products then you'd better look around. In electronics, there's hardly any other choice. Why do you single out Walmart for this? Open your eyes and look in ANY other retail store.

    The US simply can't compete with cheap labor like this so... We use it if they want to supply it.

    Perhaps it would be better for these people to slave and die in the fields instead of becoming industrialized, but I'm not sure. Every nation that has gone through this process started this way - out of necessity.

    Don't weep too uncontrollably for China. At the rate they're going their economy will soon dwarf the US. Pray that their governmental system changes before then or perhaps YOU will be working for 50 cents an hour.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
  6. Wal-Mart expires these cards when? by grolaw · · Score: 4, Interesting

    Where one of the cards was empty in three hours the problem is within the control of Wal Mart. If the matter is considered as a glitch in the system and the cards just expire too fast, well that is one thing...an error that Wal Mart should have caught.

    If there is an insider trading information (that could NEVER happen, right?) then security is way off and Wal Mart still loses.

    If the system is open to outsiders to hack and they have the ability to grab the latest cards purchased and burn data and make purchases within three hours then the system is way too open.

    People who pull off these scams aren't interested in most goods - they want cash. I suppose that the easiest method is to buy a case or 10 of cigarettes or to try to return a high-dollar item. The former can be sold almost anywhere and the latter will give the thief cash, but only after a second pass at the Wal Mart chain. The latter is a high-risk approach and it isn't consistent with an ongoing breach...

    If only a few stories are out about these cards, but the breach of the cash control system is so complete that the funds can be diverted within three hours, then the problem is far more common and serious than Wal Mart wants to disclose. The system must have been compromised so thoroughly that only a complete replacement would eliminate the problem. Wal Mart data mines (last I read, they had the largest database of consumer purchases on the planet) and these cards are clearly an integral part of their data capture system. The cost of "fixing" the system must be far greater than the losses thus far. Of course, that could be hundreds of millions of dollars....

    1. Re:Wal-Mart expires these cards when? by reverse+flow+reactor · · Score: 4, Interesting

      If you don't spend the full value of the card, the balance should still remain on the card.

      If you return an item to the store, they don't typically return cash. I returned a ~ large item, and they would only give it back in terms of store credit - i.e. value stored with the card. They refused to return it as cash or a credit to the credit card used to purchase the item.

      Just be careful that they do give it back to you. I had a cashier try and keep my card even though it had $45 value left on it. She tossed it in the garbage after the transaction. I made sure she fished it out and returned it to me.

      I've seen more 'fishy' cash-register things at Wal-Mart than any other store. Things like the cost of a good mysteriously increasing in price up to 50% between the shelf and the cash register. And, according to those this has happened to, it is a regular occurrence.

      Maybe it is just the Wal-Mart near here, but I really can't trust them.

      --

      The significant problems we face cannot be solved by the same level of thinking that created them. -Einstein

  7. Didn't we see this story before? by dougmc · · Score: 5, Interesting
    I could have sworn that I read a similar story somewhere a month or two ago ...

    In that case, people were writing down the number of a card still on the shelf, or taking pictures of the bar code or something, and then noting what the sequence is (they are in order, after all) and then going home, and using the 1-800 number to see how much money was on the card to see when it was sold.

    Once they found a number with money on it, they'd modify a card that they had (printing bar codes and reprogramming magnetic strips is easy) to have that number, and go and spend somebody else's money. Easy.

    Seems easy enough to track, as 1-800 numbers include caller ID type info, so just see what number was called to check the balance of the card before it was depleted of funds, and if the same number shows up a few times, call the police ...

    To make matters worse, the fine print basically said that this sort of loss was the customer's problem, not the retailer's. So the retailer was refusing to pay people for the lost money ...

    In any event, giving a gift card sucks, even without this scam. It has *all* the tackiness of giving cash, but with the additional tackiness of telling you where you can spend this money. If you're going to buy me a present, buy me a present. If you want to give me cash, I certainly like cash. But don't spend cash on a gift card ... either use it to buy me something, or just give me the cash.

    And if this does happen to you, scream bloody murder. Do not accept anything less than all the lost money, even if the fine print says that it's not their responsibility. Call the local media if you have to. Make a scene in the store. Call the corporate office if you have to ... you'll probably eventually get your money.
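    Two detection ideas come up in this thread: plover's observation that the cloned cards are being cashed in a distant state within hours of issuance, and dougmc's suggestion that the balance-check 800 number's caller ID would show the same caller probing many cards before they were drained. The script below is an added example, not code from the thread or from Wal-Mart, showing how a retailer's fraud team could turn both observations into batch checks over its own transaction logs. The log formats, card IDs, phone numbers and timestamps are constructed for the example; a real deployment would read these from the activation, redemption and IVR logs, whose layout is not described on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data). Tuples are:
#   activation:  (card_id, store_state, activated_at)
#   redemption:  (card_id, store_state, redeemed_at, amount)
#   inquiry:     (caller_number, card_id, queried_at)   # from the 800-number IVR
ACTIVATIONS = [
    ("C1001", "MN", "2005-12-20T10:00:00"),
    ("C1002", "MN", "2005-12-20T10:05:00"),
    ("C1003", "TX", "2005-12-21T09:00:00"),
    ("C1004", "MN", "2005-12-22T12:00:00"),
]
REDEMPTIONS = [
    ("C1001", "FL", "2005-12-20T12:30:00", 49.00),  # other state, 2.5 h after activation
    ("C1002", "MN", "2005-12-24T15:00:00", 20.00),  # same state, days later: ordinary use
    ("C1003", "TX", "2005-12-21T09:40:00", 25.00),  # same state: ordinary use
    ("C1004", "CA", "2005-12-27T08:00:00", 10.00),  # other state but five days later
]
BALANCE_INQUIRIES = [
    ("555-0100", "C1001", "2005-12-20T11:00:00"),
    ("555-0100", "C1002", "2005-12-20T11:01:00"),
    ("555-0100", "C1004", "2005-12-22T13:00:00"),
    ("555-0199", "C1003", "2005-12-21T09:30:00"),  # a cardholder checking their own card
]


def _ts(s):
    return datetime.fromisoformat(s)


def flag_fast_remote_redemptions(activations, redemptions, window_hours=24):
    """Cards redeemed in a different state than they were activated in,
    within `window_hours` of activation. Returns a list of
    (card_id, activation_state, redemption_state, hours_elapsed, amount)."""
    activated = {card: (state, _ts(t)) for card, state, t in activations}
    flagged = []
    for card, state, t, amount in redemptions:
        if card not in activated:
            # A redemption for a card that was never activated is its own alert;
            # it is left out here to keep the example focused on the time/place check.
            continue
        act_state, act_time = activated[card]
        elapsed = _ts(t) - act_time
        if state != act_state and timedelta(0) <= elapsed <= timedelta(hours=window_hours):
            flagged.append((card, act_state, state, round(elapsed.total_seconds() / 3600, 2), amount))
    return flagged


def flag_balance_probers(inquiries, redemptions, min_cards=2):
    """Caller numbers that checked the balance of at least `min_cards` distinct
    cards before each of those cards was drained. Returns {caller: [card_ids]}."""
    drained_at = {card: _ts(t) for card, _state, t, _amount in redemptions}
    cards_by_caller = defaultdict(set)
    for caller, card, t in inquiries:
        if card in drained_at and _ts(t) < drained_at[card]:
            cards_by_caller[caller].add(card)
    return {caller: sorted(cards) for caller, cards in cards_by_caller.items()
            if len(cards) >= min_cards}


if __name__ == "__main__":
    for hit in flag_fast_remote_redemptions(ACTIVATIONS, REDEMPTIONS):
        print("fast remote redemption:", hit)
    for caller, cards in flag_balance_probers(BALANCE_INQUIRIES, REDEMPTIONS).items():
        print("balance prober:", caller, cards)
```

    On the sample logs the first check flags only C1001 (activated in MN, spent in FL 2.5 hours later) and the second flags only 555-0100, which queried three cards that were all subsequently drained. Both heuristics are coarse: a traveller can legitimately spend a gift card out of state the same day, and a parent checking several children's cards will look like a prober, so the output is a queue for an investigator to correlate with register video and activation receipts rather than an automatic block.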

  8. Re:What't the penalty for this? by wcdw · · Score: 4, Interesting

    Stored value cards are _NOT_ the same as debit cards, in many important respects. For one, the customer CANNOT get cash from the card.

    Stored value cards are classed exactly the same as paper gift certificates, as that is what they are. (They are also subject to escheat laws in most states.)

    I was part of a small team which created the first such card - Blockbuster's - and am still amazed at how fast they've proliferated.

    http://www.theboyz.biz/ - Your source for computers, parts and more!

    --
    If you're not living on the edge, you're just taking up space!