Slashdot Mirror


Hacking Retail Gift Cards Remains Scarily Easy (wired.com)

William Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains Caput's method in his report for WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the brute-forcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can brute-force the website," he says.

Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone."
Caput said he plans to present his findings at the Toorcon hacker conference this weekend.

108 comments

  1. I hacked my Nintendogs game by thesjaakspoiler · · Score: 0

    with a hex editor last week giving my kid $100,000,000 so he could buy a cat directly. Should I apply for doing an in-depth presentation on Toorcon as well?

    1. Re:I hacked my Nintendogs game by Anonymous Coward · · Score: 0

      Sounds like you put in actual effort.
      Make it a keynote.

    2. Re: I hacked my Nintendogs game by Anonymous Coward · · Score: 0

      Cheating in a game doesn't count, sorry.

    3. Re: I hacked my Nintendogs game by Anonymous Coward · · Score: 0

      They've done hacking games for fun and profit at DEF CON. Pretty sure other cons did too.

  2. Just bruteforce 10,000 requests in 10 minutes by Fly+Swatter · · Score: 5, Insightful

    I guess if the gift card website even allows part of that to happen, someone should be fired?

    1. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Sorry Pajeet, we have to let you go. We will be finding another Indian willing to work for 10K a year.

    2. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 2, Interesting

      That's the obvious conclusion. Then a smarter hacker will just use a botnet to brute force it.

      This is password length 101. The longer the password the longer it takes to brute force. The fact that the numbers aren't even random is part of the problem.

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by IP address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card".

    3. Re:Just bruteforce 10,000 requests in 10 minutes by lucm · · Score: 5, Informative

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones.

      --
      lucm, indeed.
    4. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 5, Interesting

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Neither of those works. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies, and an illegal botnet can easily have 10k+ bots, so your 3.47 days becomes seconds. The only real solution is a good quality captcha, which is what most sites use, but even that's pretty trivial to defeat with things like Amazon Turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, warez sites, etc.).

    5. Re:Just bruteforce 10,000 requests in 10 minutes by Applehu+Akbar · · Score: 1

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Hey, you just invented teergrube! Better swim to East Texas and find a patent lawyer who can file your case on Tyvek forms that will not deteriorate underwater.

    6. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 1

      Captcha is a good tool for this problem due to their cost. If it takes on average 5,000 attempts to guess the 1:10,000 card number and each Turk request costs a penny, you are out $50 for a card that may have already been spent - or has not been purchased yet.

    7. Re:Just bruteforce 10,000 requests in 10 minutes by ShanghaiBill · · Score: 1

      that's pretty trivial to defeat with things like amazon turk

      If you pay one cent each for 10,000 solutions, then you just spent $100 for a $50 gift card.

      a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

      I have heard about this in theory, but no one has ever been able to point to an actual site doing this. I don't think it would be so easy to get 10,000 people to solve a captcha, and you would need to do that for each gift card. To make it worthwhile, you would need to attract millions of users. Why should they put up with that hassle when there are plenty of porn sites with no captchas?

    8. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 3, Interesting

      I guess if the gift card website even allows part of that to happen, someone should be fired ?

      Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...

    9. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 1

      FYI: Your solution cannot handle distributed attacks, unless it does a lot more than just annoy legitimate users.

    10. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Since he is actually trying 10000 combinations for a single card, you can easily make a note in the database how many attempts there were.

      If the hacker would try a different card each time, to brute force by chance:
      You should also add canaries, create users/cards in the database that will never be used; if anyone touches such a card, you can use the details of the connection to penalise them.
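Added example, not code from the thread or from any retailer: a balance-check guard that combines lucm's exponential backoff, the per-card attempt counting and canary cards suggested above, and, because Wycliffe notes that a botnet defeats per-IP limits, a fan-out lock keyed on the card-number family (everything except the last four digits) rather than on the source address. Card numbers, IPs, balances and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict

BASE_DELAY = 1.0           # seconds, first penalty after a failed lookup from an IP
MAX_DELAY = 3600.0         # cap so a clumsy but legitimate user is never locked out for good
FAMILY_FANOUT_LIMIT = 25   # distinct last-4 suffixes tolerated under one card family


def split_card(card):
    """Split a card number into (family, suffix).

    The thread describes numbers whose last four digits are the only
    unpredictable part, so everything before them identifies a batch. An
    enumeration then shows up as many distinct suffixes under one family,
    however many source IPs the requests are spread across."""
    digits = "".join(ch for ch in card if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("card number too short")
    return digits[:-4], digits[-4:]


def backoff_delay(failures):
    """Exponential backoff: 0, 1, 2, 4, 8 ... seconds, capped at MAX_DELAY."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class BalanceCheckGuard:
    """Wraps a balance lookup with three controls: exponential backoff per IP,
    fan-out locking per card family, and canary card numbers that are never sold."""

    def __init__(self, active_cards, canary_cards):
        self.active = dict(active_cards)         # card number -> balance
        self.canaries = set(canary_cards)        # numbers no customer holds
        self.ip_failures = defaultdict(int)      # ip -> failed lookups so far
        self.family_suffixes = defaultdict(set)  # family -> suffixes queried
        self.blocked_ips = set()
        self.locked_families = set()
        self.alerts = []

    def check(self, ip, card):
        """Return a decision dict: 'status' is one of balance, unknown, blocked
        or locked; 'delay' is the number of seconds the caller must wait before
        replying; 'balance' is present only when status is balance."""
        if ip in self.blocked_ips:
            return {"status": "blocked", "delay": MAX_DELAY}
        family, suffix = split_card(card)
        number = family + suffix
        if number in self.canaries:
            # Canary touched: no legitimate holder exists, so block the source.
            self.blocked_ips.add(ip)
            self.alerts.append(f"canary touched: ip={ip} card={number}")
            return {"status": "blocked", "delay": MAX_DELAY}
        if family in self.locked_families:
            return {"status": "locked", "delay": 0.0}
        seen = self.family_suffixes[family]
        seen.add(suffix)
        if len(seen) > FAMILY_FANOUT_LIMIT:
            # Too many different suffixes under one family: lock online lookups
            # for that batch regardless of source IP. A botnet spreads requests
            # across addresses but cannot hide the fan-out; holders of the
            # locked batch fall back to an in-store balance check.
            self.locked_families.add(family)
            self.alerts.append(f"enumeration: family={family} last_ip={ip}")
            return {"status": "locked", "delay": 0.0}
        delay = backoff_delay(self.ip_failures[ip])
        if number in self.active:
            return {"status": "balance", "balance": self.active[number], "delay": delay}
        self.ip_failures[ip] += 1
        return {"status": "unknown", "delay": delay}


def simulate_enumeration(guard, ip, family, count):
    """Constructed traffic: one source querying `count` consecutive suffixes
    under one family. Returns the status of the last response."""
    status = None
    for n in range(count):
        status = guard.check(ip, f"{family}{n:04d}")["status"]
    return status


def demo():
    """Constructed sample data (not real card numbers) exercising the guard."""
    family = "601234567890"
    guard = BalanceCheckGuard(
        active_cards={family + "4821": 50.0, family + "9073": 25.0},
        canary_cards={family + "0007"},
    )
    legit = [guard.check("198.51.100.7", family + "4821"),  # right card
             guard.check("198.51.100.7", family + "4812"),  # typo: unknown
             guard.check("198.51.100.7", family + "4821")]  # retry, 1 s delay
    enum_status = simulate_enumeration(guard, "203.0.113.9", "601234567891", 40)
    canary = guard.check("203.0.113.10", family + "0007")
    return legit, enum_status, canary, list(guard.alerts)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The family lock is the control that survives address spreading; its cost is that a batch under attack loses online balance checks until staff review the alert.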

    11. Re:Just bruteforce 10,000 requests in 10 minutes by thegarbz · · Score: 1

      Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds.

      In theory you're right. In practice you're wrong. The vast majority of attacks are not well targeted and will come from single IPs and take ages to switch. You can see that anywhere someone logs fail2ban hits on a Linux machine. There's so much low hanging fruit out there that even a simple scheme is likely to make people back off.

    12. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      You're an idiot. Mindless post after post after post. Just post to reddit, that's more your speed. Just because you can't imagine it doesn't mean it doesn't happen.

      Hint: the captchas are on sites where people are trying to stream/download pirated content.

    13. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Imagine how much more difficult this attack would be if queries were limited to, say, 10 per hour per IP.

    14. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      I've worked with these things. It's just common in the dev industry. It takes an expert to know one. When I had these problems, first I tried random ids, then tried pregenerating those into pools and finally discovered and implemented FPE. A good engineer will at least recognise the problem up front and not use auto increment as well as ensure the search space is sufficiently sparse.

    15. Re:Just bruteforce 10,000 requests in 10 minutes by Rockoon · · Score: 4, Informative

      In what universe do you get a pin with a purchase of a gift card?

      You take the card off the rack. You go to the cash register. They ask how much you want on it. They activate it with that amount. You walk away with it, presumably to give it to someone that you don't care much about, because otherwise you would have put thought into their gift. There is no PIN.

      --
      "His name was James Damore."
    16. Re:Just bruteforce 10,000 requests in 10 minutes by feargal · · Score: 1

      Not that it matters but with Luhn checks there's only a thousand to check.

      --
      "A goldfish was his muse, eternally amused"
    17. Re:Just bruteforce 10,000 requests in 10 minutes by stinerman · · Score: 4, Informative

      Some have another number (PIN) that is hidden under a scratch-off area.

    18. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Seems like the best solution would be to track the number of balance checks each card number receives and base a wait time off of that.

      Something as simple as making the wait time X^1.5, where X is the number of attempts, would quickly make repeatedly checking numbers infeasible.

    19. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      $0.01 per captcha-solve may sound like a lot to you and me, but I bet you'd get laughed out of the evil genius headquarters if you suggested something with such a low payout. They're probably looking for dollars per captcha-solve.

    20. Re:Just bruteforce 10,000 requests in 10 minutes by Desler · · Score: 1

      All the ones I've ever received have never required a PIN to use.

    21. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      A third thing might be to have a separate PIN that is required to actually use the card. Fat lot of good it'll do anyone to find a card that has $100 on it if they need to visit the restaurant 10,000 times to learn the PIN required to actually spend any of it.

      Obviously this would not work for online purchases. But it's not like we need a single solution to solve all situations.

    22. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Uh, the hacker is trying a new card each time. I don't know where you got the idea that he is trying the same card 10,000 times. I don't even know why you think that makes sense. If it wasn't right the first time, why the hell would it be right the next nine-thousand nine-hundred and ninety-nine times?

    23. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      1. Require PIN (most gift cards have PINs on them) to check the balance. Now you've got to spin through numbers and PINs.
      2. Too many bad pin attempts will lock the card.
      3. Use Captcha to slow down/defeat bots
      4. Block abusive IP addresses
      5. Block Tor exit nodes
      6. Require PIN on redeem

      There's more that can be done, but these are the basics.

      If the cards don't have PINs and/or WBI/redemption doesn't require PIN, the retailer/consumer IS BEING DEFRAUDED.

    24. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      A PIN is just a longer card number at a logical level. Same with username and password.

    25. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 1

      Seems like the best solution would be to track the number of balance checks each card number receives and base a wait time off of that.

      Something as simple as make the wait time be X^1.5 where X is the number of attempts would quickly make repeatedly checking numbers infeasible

      That doesn't work at all either. You only need to check a specific number once.

    26. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Target has never been good at security. They used to store credit card information in plain text in a literal .txt file which an employee could access from any pc in the building.

      I know because I worked there and reported it to corporate IT Security. It took over a year to fix.

    27. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 1

      I don't think getting thousands of users would be that difficult, but once you have several thousand visitors there are probably more profitable ways of using those eyeballs than trying 10k combinations to get a $50 gift card. That would be less than a penny per captcha, so if it is a 1/10k payout for $50 then a captcha is probably pretty effective. On the other hand, if the numbers are sequential and/or some of the dollar amounts are larger then that changes. I regularly get $500 Home Depot gift cards. This would change the calculation significantly, especially if you can figure out the pattern and not have to search the whole domain.

    28. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      This is slashdot, not 4chan. Act like a god damn adult.

    29. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      I can't remember the last time I saw a gift card that DIDN'T have a scratch off PIN.

    30. Re:Just bruteforce 10,000 requests in 10 minutes by networkBoy · · Score: 1

      Not most restaurant cards, which is what this is about.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    31. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      He's trying to guess the CSV of the credit card, so he needs to use the full credit card number, which he suspects is a valid number, but to actually spend it he needs the CSV. So his cracker program inputs the credit card number and then runs all the possible CVS for that number until he gets a hit for a valid card. So he is effectively inputting the same gift card 10,000 times.

    32. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      The long numbers that show when you scratch off are not the PIN. You scratch the card to reveal the number.

    33. Re: Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      And you got nothing for your effort. They saw your exploit and said it's not important, we will fix it when we do. You made the guys upstairs look stupid. They don't like that. Basically you did their job for free.

    34. Re:Just bruteforce 10,000 requests in 10 minutes by unrtst · · Score: 1

      Disclaimer: I didn't RTFA, but I did RTFS(ummary).

      The summary says they "cycle through all 10,000 possible values for the four random digits at the end of the card's number". AFAICT, that's the last 4 of the card number - like the part that gets printed on receipts. He's cycling through those numbers, not the CSC (Card Security Code) nor CVV (Card Verification Value).

      FWIW, while I did find pages labeled CSV in relation to that value (ex. https://www.teamline.cc/static...), I didn't find what that stood for. Even the Wikipedia page for that feature does not include CSV (https://en.wikipedia.org/wiki/Card_security_code). So, just to confirm... you were referring to the CSC/CVD/CVV/CV2/CVC/V-code/SPC thing, right? (My gut/guess is that CSV is the abbreviation in some non-English language, which would make perfect sense.)

    35. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 0

      Sure some of that is script kiddies, but that is also done by big players too. Spraying TCP packets and praying for a reply is easy to do from a single IP address. Stage two trying to measure relative ease of assault, one of which is doing reconnoiter, such as testing how they respond to a single IP address brute forcing them, which if you happen to get low-hanging fruit, even better; but if you start getting drops or rejects, then that gives you more information as to what sort of protective steps they've taken. Plus, filling logs with garbage also gives your real assaults cover to work with by lowering the SNR.

    36. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 1

      In what universe do you get a pin with a purchase of a gift card?

      In my universe. I used to work in retail, and all the gift cards had a scratch off PIN on the back for accessing online balances and stuff...

    37. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 1

      Not to use, but to access the online account you do. Or maybe you just live in a country with third world banking standards (cough*USA*cough)...

  3. Pretty Anonymous by Anonymous Coward · · Score: 0

    Walk into restaurant, in person, on camera, and obtain an unusual number of gift cards.
    Send 10k suspicious requests to the gift card website from your home IP.
    Go to restaurant again, in person, on camera, greet host, interact with waitstaff and/or customers, eat meal, use gift card.
    Risk balance disappearing or true owner eating at same time/ day.
    All this for a modest sum, unless you want to load up a suspicious amount.
    Also do this with a blank card that would never be accepted for actual payment.

    Yup, pretty anonymous.

    1. Re:Pretty Anonymous by Bert64 · · Score: 4, Interesting

      Well that's the difference between a white hat researcher who's trying to demonstrate a point, and a nefarious actor who's trying to commit fraud...

      Someone out to commit fraud will not take the cards to the restaurant themselves, instead they'll do other things with gift cards like:

      Spend them online to have goods sent to a suitably anonymous location.
      Recruit mules to do the risky work of actually using the cards in person.
      Sell the cards to unsuspecting third parties.

      And probably do all of these things while operating in a country outside of the reach of the law enforcement agencies that their victims are likely to contact.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re: Pretty Anonymous by Anonymous Coward · · Score: 1

      I'm guessing you don't own a business or have ever worked front of house at a nice restaurant. Walking in and buying a 1000 dollars worth of gift cards happens more often than you think and is not out of the ordinary. Shit just a couple months ago I bought 500 bucks in Tim Hortons gift cards.

    3. Re: Pretty Anonymous by Anonymous Coward · · Score: 0

      ... just a couple months ago I bought 500 bucks in Tim Hortons gift cards.

      You don't think much of your family and/or friends, do you?

    4. Re: Pretty Anonymous by Rockoon · · Score: 1

      I'm guessing you don't own a business or have ever worked front of house at a nice restaurant.

      I was thinking the same thing. My employer easily gives out a thousand dollars worth of Dunkin' Donuts gift cards each month to employees as part of various incentive programs (the Dunkin' cards are the runner-up prizes).

      --
      "His name was James Damore."
  4. Low losses = Low security. by Anonymous Coward · · Score: 2, Insightful

    Bluntly, the reason that these do not have better security is that, while the security is crap, the amount of fraud done against gift cards is relatively small (and a lot of the people who perpetrate the small amount of fraud they do find have not taken care and get caught).

    As long as it costs companies less to fix and write off the fraud than it would cost to implement a more secure system, then they are likely to stick with the cheap, easy to hack system.

    1. Re: Low losses = Low security. by Anonymous Coward · · Score: 3, Informative

      No loss at all. None whatsoever. For the business, that is. If the card has a balance, that means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers' balances unless they get enough complaints.

      Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show up to their door. Done. Or if at a restaurant post the pictures of thief on the local news.

    2. Re: Low losses = Low security. by Anonymous Coward · · Score: 0

      How exactly are gift cards tracked?

    3. Re: Low losses = Low security. by Anonymous Coward · · Score: 0

      Unique ID, and the exact time and place when redeemed; find the video at the moment...

    4. Re: Low losses = Low security. by Anonymous Coward · · Score: 0

      Or look up the address you shipped the product to for an online purchase. It might be easy to steal someone's gift card balance. But it would be child's play to catch the thief.

    5. Re: Low losses = Low security. by Anonymous Coward · · Score: 0

      I'm guessing you've never actually carded anything. Fucking noob.

    6. Re: Low losses = Low security. by Anonymous Coward · · Score: 0

      I ran a retail shop with a POS system, not unlike any other retailer or restaurant. Lining up the gift card transaction (these are tracked at any and all major retailers and restaurants) with a camera snap shot would take about 20 minutes, lining it up with an online transaction would take about 5 minutes. Yes, total child's play you fucking noob.

  5. Should be a simple problem to solve by Krishnoid · · Score: 2

    Since these gift cards have to be printed out individually anyway, couldn't they be produced using uuidgen (or the like)? Seems like a single algorithm would solve the problem for all retailers at once.

    1. Re:Should be a simple problem to solve by Rockoon · · Score: 1

      You are proposing no security prior to card activation. They use a sequential or systematic series so that they don't need to maintain a database of unactivated cards.

      --
      "His name was James Damore."
    2. Re:Should be a simple problem to solve by flink · · Score: 2

      What "security" does having a predictable set of account numbers bring? These aren't bank routing numbers, they are just keys to a stored value. The only requirement is that they be unique and hard to guess. When the card is being activated, just check to see that the UUID has never been used before and record the value of the now active card.

      Alternatively, cards should have a PIN on a scratch off window on the back of the card which is not magnetically encoded but is associated with the card number when activating. Make the user enter the PIN when checking the value online. This would prevent the attack on the website described in the article since the attacker won't have access to the PINs.

    3. Re:Should be a simple problem to solve by Rockoon · · Score: 1

      What "security" does having a predictable set of account numbers bring?

      Detecting and limiting insider fraud requires knowing what cards are still awaiting activation and only allowing those cards to be activated.

      People often forget about the most common fraud of them all....

      --
      "His name was James Damore."
    4. Re:Should be a simple problem to solve by Sloppy · · Score: 1

      They use a sequential or systematic series so that they dont need to maintain a database of unactivated cards.

      God forbid a business spring for a pair of $80 hard disks.

      Yeah, I think I would relax the "we don't want to maintain a database of unactivated cards" requirement. How hard can that be? And it solves the fraud problem too? Pays for itself on the first day.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    5. Re:Should be a simple problem to solve by Anonymous Coward · · Score: 0

      There is absolutely a database of unactivated cards.

  6. Something Blockchain by Anonymous Coward · · Score: 0

    There's my suggestion.

  7. OMGDUDES I JUST HACKE by Anonymous Coward · · Score: 0

    figured out how to count

  8. Thanks for the heads up... by ddtmm · · Score: 4, Funny

    The restaurant chain will probably reward him for bringing it to their attention by giving him a gift card to the restaurant.

    1. Re:Thanks for the heads up... by ddtmm · · Score: 2

      No, I have to say I did not.

    2. Re:Thanks for the heads up... by Anonymous Coward · · Score: 0

      Or, almost as probable, charge him with hacking and try to get him thrown in jail.

    3. Re:Thanks for the heads up... by Anonymous Coward · · Score: 0

      What's more likely to happen is the guy gets arrested and tossed in jail for 15 years for 'hacking'. Welcome to the U.S.A.

    4. Re:Thanks for the heads up... by Anonymous Coward · · Score: 0

      Deja vu in the Matrix!

    5. Re:Thanks for the heads up... by Anonymous Coward · · Score: 0

      Or have him arrested...

  9. The last 4 digits are a checksum by FeelGood314 · · Score: 2

    I've helped some smarter vendors with this in the past, but I would guess that the vast majority are still using a checksum. It makes the verification easy, and most companies are not organized enough to keep track of the cards that don't have money on them.
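Added example, not from the thread or any vendor, showing the arithmetic behind feargal's remark that a Luhn check leaves only a thousand suffixes to try and FeelGood314's point that a checksum only makes verification easy: the check digit is a public function of the other digits, so it removes 90% of candidates for anyone who knows the algorithm and contributes no guessing resistance. The prefix used is constructed.

```python
import math


def luhn_valid(number):
    """Luhn check (public algorithm): from the right, double every second
    digit, subtract 9 from doubled values above 9, and require the sum to be
    0 modulo 10. Non-digit characters (spaces, dashes) are ignored."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return len(digits) > 1 and total % 10 == 0


def luhn_check_digit(payload):
    """Return the one check digit that makes payload + digit Luhn-valid.
    The rightmost digit is never doubled, so each candidate shifts the sum by
    a different amount modulo 10 and exactly one candidate fits."""
    matches = [str(d) for d in range(10) if luhn_valid(payload + str(d))]
    assert len(matches) == 1, "a check digit is a function of the payload"
    return matches[0]


def count_luhn_valid_suffixes(prefix, width=4):
    """Count how many of the 10**width numeric suffixes give a Luhn-valid
    number under a fixed prefix. Whatever the prefix, the answer is
    10**(width-1): one of the `width` digits is determined by the others."""
    return sum(luhn_valid(f"{prefix}{n:0{width}d}") for n in range(10 ** width))


def effective_random_digits(width, has_check_digit):
    """Digits that actually contribute unpredictability once the checksum is
    discounted: what a designer should count when sizing the random part."""
    return width - 1 if has_check_digit else width


def guessing_entropy_bits(width, has_check_digit):
    """Bits of guessing resistance in `width` random decimal digits, after
    discounting a check digit when the number carries one."""
    return effective_random_digits(width, has_check_digit) * math.log2(10)


if __name__ == "__main__":
    # Constructed prefix; only its length matters to the count.
    prefix = "601234567890"
    print(count_luhn_valid_suffixes(prefix))          # 1000 of 10000
    print(round(guessing_entropy_bits(4, True), 2))   # about 9.97 bits
    print(round(guessing_entropy_bits(4, False), 2))  # about 13.29 bits
```

The design lesson is to size the unpredictable part of the number after discounting the check digit, and never to treat the checksum itself as a secret.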

  10. It's happened to me by Coldeagle · · Score: 1

    Something very like this happened to me during the holidays last year. My manager gave me a $100 gift card, and when I went to use it the card had been drained. A colleague (who reported to the same manager) experienced the same thing. When we contacted the gift card company we were given the run around and didn't get our balances back. Nice of them isn't it? Pro tip: Make sure that they use the card immediately, order it online or give them cash instead :)

    1. Re:It's happened to me by Gussington · · Score: 3, Insightful

      Pro tip: never ever buy a gift card.
      It offers worse flexibility than cash, costs more and is less secure. Gift cards are for schmucks...

    2. Re:It's happened to me by wierd_w · · Score: 2

      Gift cards suck. Get a reloadable Visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (E.g., rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable Visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

      If you are gonna give something, give something with some actual utility yo.

    3. Re:It's happened to me by Zontar+The+Mindless · · Score: 1

      They also work nearly anywhere in the world, and can be posted to your near and dear ones overseas at the usual letter rate.

      --
      Il n'y a pas de Planet B.
    4. Re:It's happened to me by mark-t · · Score: 1

      If your reloadable credit card gets drained because it was compromised somehow, you are usually SOL for the money that was on it that you did not use. Maybe that might not amount to a lot of money, but it's still something... and it's beside the point. If your regular credit card is compromised because of some company's poor security practices that you had no previous reason to suspect, a respectable credit card company will not charge you even a penny for the fraudulent activity.

    5. Re:It's happened to me by tlhIngan · · Score: 2

      Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You dont end up with thousands of dollars of debt that you have to dispute.)

      If you are gonna give something, give something with some actual utility yo.

      Visa/MasterCard gift cards are terrible gifts.

      First, the fees are terrible - you usually get a year, then after that they cost anywhere from $2.50-5/month "account maintenance charge", regardless of whether you actually use it or not. (That's a $30-60 annual fee).

      You're also stuck with fractions you can't spend - most places that accept gift cards will accept multiple gift cards as payment so you can drain them all to 0 (and pay with a credit card or cash for the remaining balance). Though some places (Google was one of them a while ago - I couldn't use my $2 credit to buy $3 worth of stuff because it had to be single-funded) are still brain dead in that way.

      It is a lot rarer to find places that will accept multiple charge cards at once - at best, you can do credit-and-cash payment but rarely can you do two or more cards at once. This is because obviously the fee is doubled since they have multiple cards.

      I have lots of drained gift cards - I use them all up and pay the difference in cash or credit. The remaining balance on my Visa gift cards usually drains away because of the fees so it is really hard to drain them to zero.

    6. Re:It's happened to me by wierd_w · · Score: 2

      Firstly, to use a "buffer card" effectively, you plan your purchases. (Yes, that dreaded budgeting thing!) You then load the card, then make the purchase. You don't carry a large balance on the card, just enough to keep it active. It requires that you have some discipline with your online purchasing, but you get some extra protection that way.

      If a retailer gets compromised, you lose just that min holding balance, and don't have to miss a day of work to file dispute forms to the sometimes hundreds of merchants claiming you owe them shitloads of money. (Since you have to dispute each and every fraudulent charge, you can be there for a very long time doing the dispute process. Been there, done that. The Sony hack got me a few years back.)

    7. Re:It's happened to me by Anonymous Coward · · Score: 0

      Huh. With American Express I just click on a button next to the transaction in dispute and the amount is credited back to my account. If they finish their investigation and determine I really did make the purchase they will reinstate the charge, but otherwise I never hear from anybody after clicking that button.

    8. Re:It's happened to me by torkus · · Score: 1

      I don't know what credit cards you're using, but missing a day of work to file dispute forms doesn't match any of my experiences ever. Maybe 15 years ago?

      I've had a few cards compromised over the years (business travel overseas, etc.) and never once had to fill out any actual paperwork. In fact, in the last ~5 years the CC companies have caught the fraudulent purchases even before I did, called me to confirm, and immediately logged them for dispute if they hadn't been denied when processed. All over the phone, and it never took more than 10 minutes. On a rare occasion I had a single charge to dispute for other reasons, it was a 15-ish minute phone call or (more recently) an online web form which took a few minutes at most.

      Using a buffer card removes any chargeback protection, fraud protection, and card rewards you could get. Other than being able to purchase semi-anonymously I see very little point in getting one.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    9. Re:It's happened to me by torkus · · Score: 1

      Some states don't allow those card-draining fees thankfully.

      And as for draining small balances off Visa/MC gift cards? Go to almost any major retailer. Their systems can and do immediately determine the balance and apply the maximum towards your bill. I've cleared off 3 or 4 cards I had sitting around in one shot quickly and easily a couple times this way.

      I'm sure there's ways to do that online (all the green dot card scams mean there's a very simple and quick way to move money off a visa/MC gift card) but it's easier to just use them for a purchase at w-mart or whatever the next time you're there.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    10. Re:It's happened to me by flink · · Score: 1

      > Gift cards suck. Get a reloadable Visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (E.g., rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable Visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

      You don't need a reloadable card for this. Many CC companies let you generate temporary numbers linked to your main account. These can be set to be valid for a limited amount of time, have access to a limited credit line, or both. If the site does something shady or you get a report of a breach, you can just delete the temporary number from your account.

    11. Re:It's happened to me by mark-t · · Score: 1

      > [With a prepaid card], if a retailer gets compromised, you lose just that min holding balance,

      That wasn't my point... that it isn't a lot of money is irrelevant, you still lose it.

      I've never had to miss a day of work to file dispute forms because of fraudulent activity on my card, which thankfully has not happened often... only twice in my entire life. The first time was in the early '90s when I reported my card lost to the credit card company after noticing that I didn't have it one night when I got home. There were apparently already charges on it that I had not authorized, all within just the past day. The credit card company reimbursed me right then and there, I never saw any of those charges on my monthly statement, and they issued me a replacement card. The second time my card was compromised, I hadn't lost my card or known anything about my card's number being used without my consent, but apparently there was a transaction that I didn't authorize which somehow triggered the bank's own fraud detection system and they contacted *ME*. I don't know how that works, exactly... but it was kinda cool to know they are watching my back.

      Total time spent on the phone dealing with the situation: ~ 10 minutes.

    12. Re:It's happened to me by apoc.famine · · Score: 1

      I concur with the other two posters here. Have you not used a credit card in the last few years, or are you just tied to an incompetent bank?

      The last time there was fraud on my card, my credit union called and emailed me because it looked dodgy. I called back, confirmed that I didn't buy $35 of McDonald's in another country that morning, they canceled that charge and refunded the money. They requested I get a new card, so I walked over at lunchtime to the nearest branch where they shredded the current card and handed me a replacement one. The only real hassle was typing the new number into the few places that have my card saved on the internet.

      With the new chip cards, fraud is vastly reduced, and now if a merchant accepts a payment from a card without the chip, they are required to eat the fraud cost.

      --
      Velociraptor = Distiraptor / Timeraptor
  11. Re:Im a Security Resercher by Anonymous Coward · · Score: 0

    Donald... is that you?

  12. Wow... breaking the law is easy... by mark-t · · Score: 1

    News at 11. Who would have thought it, huh?

    Seriously... what the fuck difference does it make that it's easy to do? It's still fucking illegal. Speeding is easy to do too, easier, I would dare say, by no less than at least an order of magnitude than this hack, but that doesn't mean that you shouldn't be responsible for it if you do it.

    What's really sad about this is that the guy went out of his way to *deliberately* find a way to do something that anyone with half a brain should know is illegal.

    I have no words....

    1. Re: Wow... breaking the law is easy... by Anonymous Coward · · Score: 0

      Because he was trying to show these companies how easy it is for someone to steal so that they can take measures to improve security and prevent fraud.

      How are you not getting this?

    2. Re: Wow... breaking the law is easy... by mark-t · · Score: 1

      Or you could just show them the old-fashioned way, and show them the pattern that you found that exists on their own cards, and then elaborate on that by adding that if a person with nefarious intent were to notice this pattern, that in only a relatively small number of attempts, and with perhaps only a handful of actual gift cards and the aid of a computer, that person may be able to guess the numbers of many cards they do not possess which may have a balance on them, and you wouldn't have to write any software at all (not to mention that the mere act of writing such software could make you liable for damages that you are not equipped to disprove that your software had nothing to do with, as your admission that you developed the software at all may be sufficient to incriminate you). Add that you were not even particularly deliberately trying to discover this pattern when you first noticed it, and suggest that it is quite far from unlikely that somebody with any intent to commit fraud will not be able to do this, if they have not done so already.

    3. Re: Wow... breaking the law is easy... by Anonymous Coward · · Score: 0

      You are very close minded. I bet you are a riot at parties.

      FUCK YOU DOLPHIN

  13. Increasing the randomness doesn't help. by Anonymous Coward · · Score: 1

    Most just hang on racks. "Borrow" them and copy the numbers. Or just take a picture. It's harder to do a bulk 10000 card search but the issue is still there. Some cards are now sold in cardboard envelopes. That's a partial solution.

  14. cycle 10,000 possible values by houghi · · Score: 1

    > cycle through all 10,000 possible values for the four random digits at the end

    All nice what he did, but I would be impressed if he would not cycle through them, but were able to determine these last 4. My bet is that there is some sort of verification used. No idea how the numbers are built, but I can imagine that they use any of the known verifications.

    The fact that they increase by one is also normal. Having a random number (with verification) would need to be verified if it was not already handed out and if it were not already used.

    So what verification was used? Standard credit card would already reduce the 10,000 to 100. And that would be with the most ones if they use the last two as control.

    I can also imagine that these are handled by an external company and then you would get perhaps something like CompanyVoucherAmountVerification. Some extra like branch could be in it as well, so as to do some analysis on the vouchers coming in.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:cycle 10,000 possible values by TechyImmigrant · · Score: 1

      >Having a random number (with verification) would need to be verified if it was not already handed out and if it where not already used.

      There are easy ways around this:

      1) Use a big enough random number. 256 bit uniform random numbers will not collide.

      2) Have a secret key and a counter and encrypt the counter through a decent block cipher (say AES, or Simon which you can easily extend to a 256 bit block size). Since the counter values never collide and the block cipher is a bijective mapping, you get numbers out the other side that are indistinguishable from random to anyone without the key, and they will never collide.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
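An added example (not from TechyImmigrant or anyone else in the thread) of the counter-encryption scheme in point 2, in Go using only the standard library's AES: a hypothetical issuer mints codes by encrypting a 64-bit counter inside one AES block, and verifies a presented code by decrypting it, so a balance-check endpoint can reject guessed numbers before touching a database. The 16-byte key is a constructed demo value; the hex output and the counter-in-the-low-half block layout are my assumptions.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Issuer mints card codes by encrypting a counter under a secret AES-128 key
// (hypothetical design for illustration). The counter never repeats and AES
// is a bijection on 128-bit blocks, so codes never collide and, without the
// key, are indistinguishable from random.
type Issuer struct {
	Key    []byte // 16-byte key; in production it would stay in an HSM/KMS
	Issued uint64 // codes handed out so far
}

// NextCode encrypts the current counter and returns the block as 32 hex digits.
func (is *Issuer) NextCode() (string, error) {
	block, err := aes.NewCipher(is.Key)
	if err != nil {
		return "", err
	}
	var pt, ct [aes.BlockSize]byte
	binary.BigEndian.PutUint64(pt[8:], is.Issued) // top 8 bytes stay zero
	block.Encrypt(ct[:], pt[:])                   // one raw block, no mode needed
	is.Issued++
	return hex.EncodeToString(ct[:]), nil
}

// Verify decrypts a presented code and recovers the counter it was minted from.
// A guessed or tampered code decrypts to garbage (non-zero top bytes or a counter
// beyond what was issued) and is rejected before any database lookup.
func (is *Issuer) Verify(code string) (uint64, error) {
	ct, err := hex.DecodeString(code)
	if err != nil || len(ct) != aes.BlockSize {
		return 0, errors.New("malformed code")
	}
	block, err := aes.NewCipher(is.Key)
	if err != nil {
		return 0, err
	}
	var pt [aes.BlockSize]byte
	block.Decrypt(pt[:], ct)
	for _, b := range pt[:8] {
		if b != 0 {
			return 0, errors.New("not an issued code")
		}
	}
	n := binary.BigEndian.Uint64(pt[8:])
	if n >= is.Issued {
		return 0, errors.New("not an issued code")
	}
	return n, nil
}

func main() {
	is := &Issuer{Key: []byte("demo-key-16bytes")} // constructed demo key
	code, _ := is.NextCode()
	n, err := is.Verify(code)
	fmt.Println(code, n, err) // counter 0 comes back; a guessed code would not
}
```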
    2. Re:cycle 10,000 possible values by TechyImmigrant · · Score: 1

      Argh, crap. Copied the wrong text and answered a different question. My defense is jetlag.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  15. counterfeit gift card by gsslay · · Score: 1

    "Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions."

    This is the scary part. An obviously counterfeit gift card, but accepted without question because it could be swiped?

    Would the retailer accept obviously counterfeit cash just because it said "Cash" on it?

    1. Re:counterfeit gift card by torkus · · Score: 1

      I don't know if you've used a CC in the US in the last several years but they virtually never look at them. Unless the computer randomly requires the last 4 digits to be verified literally no one bothers checking the signature. I've been asked to show ID occasionally (which is against the merchant agreement but some places insist anyhow) but that's about it.

      Going a step further, any place with a self-checkout makes this trivial.

      Not to mention there are several products on the market that consolidate multiple credit cards to one 'morphable' card and afaik the CC companies have not objected.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    2. Re:counterfeit gift card by Anonymous Coward · · Score: 0

      > This is the scary part. An obviously counterfeit gift card, but accepted without question because it could be swiped?

      So? Just steal a genuine, but empty gift card and overwrite the mag stripe.

  16. Manager training or warehouse solution by Anonymous Coward · · Score: 0

    The managers SHOULD take the case of cards and shuffle them.
    Better yet, the warehouse SHOULD shuffle the year's supply.
    Thus, finding the pattern would not be so easy.

  17. Won't work with a good processor by Enderxeno · · Score: 1

    Having worked with credit, debit and gift card processors, they have security in place to make any gift card number void if it has ever had the balance checked before the card is activated. Also the online balance check would require the four digit security code which is random and only known to the processor. This might only work if a retail company was using an in-house card program and didn't implement their own security protections.

  18. Our former bank used serial numbers by Trailer+Trash · · Score: 1

    My wife and I both had debit cards, and hers was exactly mine + 1. In reality that means the last two digits were changed since the last digit is the checksum. I always wondered, though, if all their cards were numbered serially, since it would then be trivial to come up with a list of card numbers. With a three digit CVV it would be as easy to guess card numbers based on a single CVV value as vice versa.

  19. The SIMPLE fix by rickb928 · · Score: 1

    Require the CSC or CVV2 for balance requests. THAT is not predictable, so far as I can see.

    There are a multitude of reasons why cards have predictable numbering, and none of these are going away. Just use the existing security (CVV2/CSC) and let the fraud checking and auth systems do their work.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:The SIMPLE fix by Anonymous Coward · · Score: 0

      Yeah, I don't get why the balance requests are going through with just the card number. What's the point of the scratch off number on the back if they're not going to use it for anything?

    2. Re:The SIMPLE fix by Anonymous Coward · · Score: 0

      Or just double/triple the length of the check digits (from 4 digits to 8 or 12); if those digits are RNGed, that would make this attack much more costly. 100,000 minutes for 8 digits, 1,000,000,000 minutes for 12.

      If they then RNGed the ID digits, that would make the chance of success after those 1M minutes unlikely as well.

    3. Re: The SIMPLE fix by rickb928 · · Score: 1

      The trick is to guess card numbers, get balances, then write a card with the track 1 data and spend the 'money'. The actual card gets debited, the actual owner is confused, and nobody asks for the CSC/CVV2 on a swipe.

      Requiring the CSC or CVV2 stops this. Simple.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  20. Stealing is stealing by nuckfuts · · Score: 1

    News flash: Being a thief is not difficult. That any particular thievery is based on technology does not make it cool, intrinsically interesting, or OK.

    I can think of dozens of ways to steal things that are "scarily easy". Like knocking down an old lady and grabbing her purse.

  21. A /64 is still a lot of IP addresses by tepples · · Score: 1

    > The second thing would be to put a time-activation lock on numbers tried by ip address

    So the criminal just switches to one of the other 18 quintillion IP addresses that his IPv6-aware ISP hands out.

  22. NFB v. Target by tepples · · Score: 1

    > The only real solution is a good quality captcha

    If handled poorly, that's a good way to get sued by blind advocacy groups. See National Federation of the Blind v. Target Corp.