Walmart Stored Value Cards Compromised
morcheeba writes "It appears that Walmart's pre-paid gift cards have been hacked. Customers are buying cards and finding that criminals have already emptied them of value. It seems someone has access to Walmart's database and/or registration data, and can create clones of recently activated cards. (via engadget)"
First, look at how gift cards work. Many retailers use the model where their gift card records in their database are created upon activation. This means they don't even ask the manufacturers for a list of "cards printed"; they simply direct the manufacturer to produce "a million cards in this number sequence, label them $20," that sort of thing. The value is added when the record is created at issuance. I'm assuming Walm*rt is operating in a similar fashion.
It's theoretically safe, because a shoplifted card isn't redeemable. The cards never actually "store" their value, all the value is located only in the database (more correctly, the value is in the ability to redeem from the database.)
So, if someone is redeeming the cards in a distant state just hours after issuance, they're doing it by sniffing the data real-time, somewhere on the inside of Walm*rt's systems. The article implies that the thief knows when the card is issued, and cashes it in within hours. Cashing the cards in distant states implies network access to at least run the scam (although that may be an email to a conspirator.) The fact that the victims were located in different states implies the perpetrators either have central access to the database involved, or have access to the POS systems that are selling and activating the cards.
The points of access are numerous. This could be happening in the POS registers, the store POS servers, the networking gear, the central authorizing servers, the central sales logging servers, or the database. It could be someone in their security group looking at electronic journals on-line. It could be a hacker in the parking lot with 802.11 gear telnetting to any of the above equipment, emailing card info to his buddies. The redemption is probably being done via "forged" cards, which might be as simple as printing a barcode on a sticker, covering the existing barcode, and then keeping the cards after redeeming them to hide the evidence. A smart thief would redeem $149 on a $150 card to keep the card with the $1 balance on it in his pocket.
That's a lot of ground to cover for their investigators. Given their M.O. I can think of a few traps they can set to catch these guys, but they're probably going to take time to implement. And with the high probability of an inside job, who do you trust in their systems end to help you catch the bad guys?
John
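The pattern the comment above describes (a card redeemed in a different state within hours of activation, often for nearly its full value) can be expressed as a log check. This is an added example, not part of the original thread; the record layout, the six-hour window and all sample data are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real retailer data):
# (card number, store state, timestamp, amount)
ACTIVATIONS = [
    ("600001", "TX", "2004-06-08 10:05", 150.00),
    ("600002", "OH", "2004-06-08 11:30", 50.00),
    ("600003", "FL", "2004-06-08 12:00", 100.00),
]
REDEMPTIONS = [
    ("600001", "NY", "2004-06-08 12:40", 149.00),  # other state, 2h35m later
    ("600002", "OH", "2004-06-20 09:00", 20.00),   # same state, days later
    ("600003", "GA", "2004-06-30 15:00", 100.00),  # other state, weeks later
    ("600999", "CA", "2004-06-08 13:00", 25.00),   # no activation on record
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def suspicious_redemptions(activations, redemptions, window=timedelta(hours=6)):
    """Flag redemptions that do not fit the activate-then-gift-then-spend pattern."""
    issued = {card: (state, parse(ts), value)
              for card, state, ts, value in activations}
    alerts = []
    for card, state, ts, amount in redemptions:
        if card not in issued:
            # The value lives only in the database, so this should never succeed.
            alerts.append({"card": card, "reason": "no activation record"})
            continue
        act_state, act_time, value = issued[card]
        elapsed = parse(ts) - act_time
        if state != act_state and timedelta(0) <= elapsed <= window:
            alerts.append({
                "card": card,
                "reason": "out-of-state redemption soon after activation",
                "route": f"{act_state}->{state}",
                "minutes": int(elapsed.total_seconds() // 60),
                "drained": round(amount / value, 2),  # share of the value spent
            })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_redemptions(ACTIVATIONS, REDEMPTIONS):
        print(alert)
```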
The date of the article was June 10, 2004. Maybe this was in another time zone or something so it was more recent than I thought?
A NYC lawyer blogs. http://www.chuangblog.com/
Wal-Mart does not need any more bad publicity, this should be a non-issue, if people got cheated, they need to provide recompense. It's not like they can't afford it.
What kind of geek buys their computer gear at Wal-Mart? I mean come on, even Best Buy would have been a step up. I bet he'd even opt for the Extended Service Plan. Either way, the culprit will be set for life when it comes to toilet paper and snacks.
I remember reading a while back that one of the major retailers, possibly Walmart, had gift cards with sequential serial numbers, stored on the magstripe in plaintext, so anyone with a card reader/writer can easily change the id stored on the gift card.
There's an 800 number you can call to find out the card's balance, so it just takes a little time and guesswork to find a card number with a balance on it.
*It's probably not illegal. If Walmart wants to sell snapple bottlecaps for $20 and accept them in their store to buy $20, it's not anyone's problem if their scheme doesn't work as intended.*
where do you live, in a fairytale world where comic book legal logic prevails? of course it's illegal, probably goes under fraud too and depending on how it was done maybe some misuse of power or illegal telecommunications interception.
or perhaps you say that stolen calling cards are legal to use as well and that it's legal to use credit card numbers you found from google? and that shoplifting is legal if you just manage to get out of the store? and that hacking into a bank is legal since they put their computer on the internet and you only used public protocols? sorry but that kind of logic only gets you in jail where you'd belong if you did those things.
world was created 5 seconds before this post as it is.
Man, I thought I was doing well without having to RTFA, but you made me read it anyway.
The injustice is that you now get *good* karma!
Cogito, ergo sig.
Walm*rt may have an error in their central authorizing servers that's "confusing" redemption replies. Imagine a server that accepts requests from tens of thousands of different registers (probably a mainframe.) All those responses have to go back to the place they came from. What if a response was corrupted and an approval went back to a wrong register?
Or what if a request was corrupted? What if some stack corruption in their register changed a 12345 into a 22345, and they just happened to match a card issued elsewhere?
Or, what if the manufacturers screwed up and printed duplicate serial numbers on the backs of a batch of cards? Jane Doe goes to buy a card, but that serial number was already purchased by John Smith in a different state. If Jane's purchase request was made "offline", the card would be given to her immediately, but the card activation would have to be made after she left. Now, if Jane redeems her card, she uses John's value. Walm*rt would have no way to go back to Jane to say "Sorry, we gave you a bad card."
For these scenarios to work with a card being cashed within hours of being issued seems highly unlikely until you remember one thing: Walm*rt operates over 8000 stores, with probably over 200,000 POS registers, each of which is cranking through perhaps two or three hundred transactions a day. When you start factoring in just how many transactions might be corrupted, having a couple of "unlikely" coincidences seems more like a statistical certainty than a random chance.
John
The cracker must be low on paper towels and socks.
law enforcement at the highest levels possible, to rectumfy the problem
Looks like the culprit is going to really get it in the ass...
From the parent: A corporate spokesman says the company, "is working with law enforcement at the highest levels possible, to RECTUMFY the problem and catch the people responsible." (all caps mine)
I wonder just what rectumfying is. Maybe it's like "radidzomai" in Greek (to be buggered by a radish), or the Tossed Salad Man. I'll bet rectumfying would deter anyone else from hacking gift cards!
-Colin
There are two Walmarts "near" me. One is 20 miles to the north, the other is 15 miles to the south. They are the two closest "department" store operations near me, although I can drive 30 miles or so east to a Sears. I can't see how either of the Walmarts has put anyone out of business. There were no department stores here before Walmart, now, there are still none, but the Walmarts are at least within a day's drive. Walmart does not have a very large selection in some areas, particularly computers. What they do have represents good "value", with no-names at the low end and HP and Compaqs at the "high" end. For online 3D game-play you probably need something a bit better than you are going to find at Walmart (in the stores at least, their mail-order selection is better). For what I do with a computer most of the time (web, email, photo and music collection, etc.) these mid-range computers (some of which are available without the Microsoft tax) are more than adequate. For me and other people in my situation you are not going to get us to feel guilty for going to Walmart, so you might as well stop trying. You shop wherever you want to, and I'll do the same.
Given how Walmart mistreats its employees (forced unpaid overtime, automatic firing for even *thinking* of getting unionized, illegal immigrant janitors making well below minimum wage and locked in the stores at night, etc.) and how Walmart systematically ruins local economies, and who knows what else, would it surprise anyone at all if some Walmart executive would have the system set up to wipe out gift cards X% of the time? In Walmart's case assuming a system compromised by petty theft is just unwarranted--systematic and corporate-sanctioned theft may be more appropriate.
But, what's wrong with China changing its laws to better support their own people? If you are seriously suggesting that we stop using Chinese products then you'd better look around. In electronics, there's hardly any other choice. Why do you single out Walmart for this? Open your eyes and look in ANY other retail store.
.50 cents an hour.
The US simply can't compete with cheap labor like this so... We use it if they want to supply it.
Perhaps it would be better for these people to slave and die in the fields instead of becoming industrialized, but I'm not sure. Every nation that has gone through this process started this way - out of necessity.
Don't weep too uncontrollably for China. At the rate they're going their economy will soon dwarf the US. Pray that their governmental system changes before them or perhaps YOU will be working for
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
they probably had their code written by a poor teenage girl in honduras who was getting whipped by a mean guard while she was trying to compile. I can just imagine it:
"more linking errors??? You are going to get it now BITCH!!!!" *whip* *whip*
Here's the simple solution. Ditch the high tech whizbang gift cards, and go back to good old-fashioned paper gift certificates. That would be simple and effective, so it will probably never happen.
How ya like dat?
Where one of the cards was empty in three hours the problem is within the control of Wal Mart. If the matter is considered as a glitch in the system and the cards just expire too fast, well that is one thing...an error that Wal Mart should have caught.
If there is an insider trading information (that could NEVER happen, right?) then security is way off and Wal Mart still loses.
If the system is open to outsiders to hack and they have the ability to grab the latest cards purchased and burn data and make purchases within three hours then the system is way too open.
People who pull off these scams aren't interested in most goods - they want cash. I suppose that the easiest method is to buy a case or 10 of cigarettes or to try to return a high-dollar item. The former can be sold almost anywhere and the latter will give the thief cash, but only after a second pass at the Wal Mart chain. The latter is a high-risk approach and it isn't consistent with an ongoing breach...
If only a few stories are out about these cards, but the breach of the cash control system is so complete that the funds can be diverted within three hours, then the problem is far more common and serious than Wal Mart wants to disclose. The system must have been compromised so thoroughly that only a complete replacement would eliminate the problem. Wal Mart data mines (last I read, they had the largest database of consumer purchases on the planet) and these cards are clearly an integral part of their data capture system. The cost of "fixing" the system must be far greater than the losses thus far. Of course, that could be hundreds of millions of dollars....
Um.... such Gift Cards appear to be a form of Debit card (and in some cases are exactly that), and would to my casual glance be prosecutable as fraud, and investigated by the Secret Service.
//Information does not want to be free; it wants to breed.
Cheers,
Erick
http://www.busyweather.com/
People have the right to form a union if they want to. If you don't like unions then don't join them. It's not anyone else's problem. Despite complaints from people about unions (including my own personal experience) their presence is better than their absence. We've already seen what happens when we don't have the right to form unions.
How can you be "anti-competitive"? I don't know what you mean, mind explaining?
Do you know anything about predatory pricing, discriminatory pricing, and display fees? I didn't think so or you wouldn't be posting.
I have no experiences with the discriminatory behavior, so I can't really comment much on your final statement. In my area, there are more women working in Wal*Mart than there are men, so I don't know how true your statement is in terms of the entire company. Your area may have problems, but I would link that more to the poor managerial staff, and not Wal*Mart in general. But as I said, I don't have experience with that, so I can't comment much.
First of all, the CEO must ultimately take responsibility for the company. In fact CEOs have been arrested for offenses committed by their managers or even salespeople usually as a result of healthcode violations. Walmart also has a responsibility as a company to provide for a fair and non-discriminatory work environment and they haven't done that. Maybe you missed the news when Walmart had a class action lawsuit against them for discriminatory behaviour, concerning the lack of women who received promotions. Next time you are in a Walmart take a look at what positions the women usually hold as compared to the men.
Time makes more converts than reason
In that case, people were writing down the number of a card still on the shelf, or taking pictures of the bar code or something, and then noting what the sequence is (they are in order, after all) and then going home, and using the 1-800 number to see how much money was on the card to see when it was sold.
Once they found a number with money on it, they'd modify a card that they had (printing bar codes and reprogramming magnetic strips is easy) to have that number, and go and spend somebody else's money. Easy.
Seems easy enough to track, as 1-800 numbers include caller ID type info, so just see what number was called to check the balance of the card before it was depleted of funds, and if the same number shows up a few times, call the police ...
To make matters worse, the fine print basically said that this sort of loss was the customer's problem, not the retailer's. So the retailer was refusing to pay people for the lost money ...
In any event, giving a gift card sucks, even without this scam. It has *all* the tackiness of giving cash, but with the additional tackiness of telling you where you can spend this money. If you're going to buy me a present, buy me a present. If you want to give me cash, I certainly like cash. But don't spend cash on a gift card ... either use it to buy me something, or just give me the cash.
And if this does happen to you, scream bloody murder. Do not accept anything less than all the lost money, even if the fine print says that it's not their responsibility. Call the local media if you have to. Make a scene in the store. Call the corporate office if you have to ... you'll probably eventually get your money.
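The tracking idea in the comment above (look at which phone number checked a card's balance before it was emptied, and see whether the same number shows up repeatedly) can be sketched as a correlation over two logs. This is an added example, not part of the original thread; the log layout, phone numbers, card numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed balance-line log: (caller number, card number, timestamp)
INQUIRIES = [
    ("555-0101", 7000101, "2004-06-08 09:00"),
    ("555-0101", 7000102, "2004-06-08 09:01"),
    ("555-0101", 7000103, "2004-06-08 09:02"),
    ("555-0101", 7000104, "2004-06-08 09:03"),
    ("555-0177", 7000102, "2004-06-08 13:30"),  # buyer checking after the drain
    ("555-0142", 7000250, "2004-06-08 10:00"),  # ordinary single lookup
]
# Constructed dispute records: card number -> time the balance was emptied
DRAINED = {7000102: "2004-06-08 12:40", 7000104: "2004-06-08 12:55"}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def longest_run(numbers):
    """Length of the longest run of consecutive card numbers queried."""
    nums = sorted(set(numbers))
    if not nums:
        return 0
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def suspect_callers(inquiries, drained, min_hits=2):
    """Callers who checked several cards shortly before those cards were emptied."""
    checked = defaultdict(list)  # caller -> every card number queried
    hits = defaultdict(set)      # caller -> drained cards queried before the drain
    for caller, card, ts in inquiries:
        checked[caller].append(card)
        if card in drained and parse(ts) < parse(drained[card]):
            hits[caller].add(card)
    return [
        {"caller": caller,
         "drained_cards": sorted(cards),
         "sequential_run": longest_run(checked[caller])}
        for caller, cards in hits.items()
        if len(cards) >= min_hits
    ]


if __name__ == "__main__":
    for row in suspect_callers(INQUIRIES, DRAINED):
        print(row)
```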
Not that this will change where you shop, but the argument against Walmart isn't just that they destroy other businesses that sell things, but that its overall effect on the businesses that it buys from and the government.
Walmart is notorious for squeezing every last penny out of the companies they buy goods from. While in the strictest economic sense, this is a great idea for Walmart, it is decimating other companies that pay a living wage to their employees, fueling outsourcing and bankruptcy in this country. I live within a two hour drive of towns with 20+% unemployment because the textile industry has been destroyed by foreign imports. No matter how libertarian/randian you may be, that kind of situation is very dangerous, because large numbers of unemployed (and unemployable) people lead to high crime and even civil rebellion.
Walmart also shifts expenses to the taxpayers. See a biased source and a collection of less biased sources.
If I lived out in the middle of nowhere, I'd prolly shop at Walmart, just because it would be the only option. I'm lucky to have a decent amount of money and to be surrounded by choices, and deal with small retailers and restaurants as much as possible rather than feeding the large corporate machines. It's not just feeling smarmy and alternative, it's good economic sense to make sure that money is circulated into your local economy. Absolutely pure capitalism is great only for big businesses - it's horrible for the individuals.
Stored value cards are _NOT_ the same as debit cards, in many important respects. For one, the customer CANNOT get cash from the card.
Stored value cards are classed exactly the same as paper gift certificates, as that is what they are. (They are also subject to escheat laws in most states.)
I was part of a small team which created the first such card - Blockbusters - and am still amazed at how fast they've proliferated.
http://www.theboyz.biz/ - Your source for computers, parts and more!
If you're not living on the edge, you're just taking up space!
The guy who thought up gift cards/certificates was an evil genius. At what point does someone as a business person say "maybe people are willing to exchange their real money for store credit so that they have a non-cash gift to give?" I can't imagine thinking "I want my money to be acceptable at less places for the sake of forcing a friend or family member to buy something they don't want or need".
I'm a fan of capitalism, so I don't want them to ban gift cards, but I really hate them. Damn you, you evil genius!
http://brandonbloom.name
It seems to me that anyone who would pay a certain amount of money for a gift card or gift certificate worth the same amount, and give a gift that can only be used at a certain place and might expire, in this way shows even less thought than giving money, and deserves this.
I'm an American. I love this country and the freedoms that we used to have.
Why do people refer to Walm*rt with a star in the name?
Well, they might be using the star as a sphincter symbol. Yessir. Heck, we used to put 'em by people's names on memos to denote sphincterhood.
Wansu, th' chinese sailor