Slashdot Mirror


Hacking Retail Gift Cards Remains Scarily Easy (wired.com)

William Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains how Caput plans to defraud the system in his report via WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.

Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone."
Caput said he plans to present his findings at the Toorcon hacker conference this weekend.

60 of 108 comments

  1. Just bruteforce 10,000 requests in 10 minutes by Fly Swatter · · Score: 5, Insightful

    I guess if the gift card website even allows part of that to happen, someone should be fired?

    1. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 2, Interesting

      That's the obvious conclusion. Then a smarter hacker will just use a botnet to brute force it.

      This is password length 101. The longer the password the longer it takes to brute force. The fact that the numbers aren't even random is part of the problem.

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

    2. Re:Just bruteforce 10,000 requests in 10 minutes by lucm · · Score: 5, Informative

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones

      --
      lucm, indeed.
    3. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 5, Interesting

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds. The only real solution is a good quality captcha which is what most sites use but even that's pretty trivial to defeat with things like amazon turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

    4. Re:Just bruteforce 10,000 requests in 10 minutes by Applehu Akbar · · Score: 1

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Hey, you just invented teergrube! Better swim to East Texas and find a patent lawyer who can file your case on Tyvek forms that will not deteriorate underwater.

    5. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 1

      Captcha is a good tool for this problem due to their cost. If it takes on-average 5,000 attempts to guess the 1:10,000 card number and each Turk request costs a penny, you are out $50 dollars for a card that may have already been spent - or has not been purchased yet.

    6. Re:Just bruteforce 10,000 requests in 10 minutes by ShanghaiBill · · Score: 1

      that's pretty trivial to defeat with things like amazon turk

      If you pay one cent each for 10,000 solutions, then you just spent $100 for a $50 gift card.

      a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

      I have heard about this in theory, but no one has ever been able to point to an actual site doing this. I don't think it would be so easy to get 10,000 people to solve a captcha, and you would need to do that for each gift card. To make it worthwhile, you would need to attract millions of users. Why should they put up with that hassle when there are plenty of porn sites with no captchas?

    7. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 3, Interesting

      I guess if the gift card website even allows part of that to happen, someone should be fired ?

      Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...
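Putting together the thread's suggestions (lucm's exponential backoff, Wycliffe's objection that per-IP limits fall to a botnet, and the PIN plus attempt limit above), here is an added Go example of a balance-check policy. It is not code from the article or from any poster; the ledger, PINs, card numbers and policy constants are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// Constructed sample ledger: card number -> scratch-off PIN and balance in
// cents. Made-up values for the example, not real cards.
type card struct {
	pin     string
	balance int
}

var ledger = map[string]card{
	"6011000000001234": {pin: "4821", balance: 5000},
	"6011000000001235": {pin: "0917", balance: 2500},
}

// Per-card failure state. Keying on the card number rather than the client
// address means spreading guesses over many IPs (the botnet objection in the
// thread) buys the attacker no extra tries per card. A production service
// would expire idle entries so unknown numbers cannot bloat the map.
type lockState struct {
	failures    int
	lockedUntil time.Time
}

// Result is the endpoint's answer: RetryAfter is non-zero while the card is
// in backoff; OK and Balance are only set for a correct PIN.
type Result struct {
	OK         bool
	Balance    int
	RetryAfter time.Duration
}

// Checker holds the backoff policy; now is injectable so it can be exercised
// without sleeping.
type Checker struct {
	locks     map[string]*lockState
	now       func() time.Time
	maxFree   int           // wrong PINs tolerated before backoff starts
	baseDelay time.Duration // first lock-out, doubled on each further miss
	maxDelay  time.Duration // ceiling on the lock-out
}

func NewChecker(now func() time.Time) *Checker {
	return &Checker{
		locks:     map[string]*lockState{},
		now:       now,
		maxFree:   3,
		baseDelay: 30 * time.Second,
		maxDelay:  24 * time.Hour,
	}
}

// Check answers a balance query for (number, pin). Without a PIN the page is
// an oracle for enumerating numbers and a per-card counter cannot help, since
// each number is queried once; with a PIN, each card absorbs only a few misses.
func (c *Checker) Check(number, pin string) Result {
	st := c.locks[number]
	if st == nil {
		st = &lockState{}
		c.locks[number] = st
	}
	if c.now().Before(st.lockedUntil) {
		return Result{RetryAfter: st.lockedUntil.Sub(c.now())}
	}
	rec, found := ledger[number]
	// Compare against a dummy PIN when the card does not exist so an unknown
	// number costs the same, and answers the same, as a wrong PIN: the
	// endpoint must not confirm which numbers exist.
	want := "0000"
	if found {
		want = rec.pin
	}
	pinOK := subtle.ConstantTimeCompare([]byte(pin), []byte(want)) == 1
	if !found || !pinOK {
		st.failures++
		if st.failures > c.maxFree {
			exp := st.failures - c.maxFree - 1
			if exp > 20 { // cap the shift; maxDelay bounds the result anyway
				exp = 20
			}
			d := c.baseDelay << uint(exp)
			if d > c.maxDelay {
				d = c.maxDelay
			}
			st.lockedUntil = c.now().Add(d)
			return Result{RetryAfter: d}
		}
		return Result{}
	}
	st.failures = 0
	return Result{OK: true, Balance: rec.balance}
}

func main() {
	c := NewChecker(time.Now)
	fmt.Printf("%+v\n", c.Check("6011000000001234", "4821")) // correct PIN
	for i := 0; i < 4; i++ {
		fmt.Printf("%+v\n", c.Check("6011000000001234", "1111")) // 4th miss locks
	}
}
```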

    8. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 1

      FYI: Your solution cannot handle distributed attacks, unless it does a lot more than just annoy legitimate users.

    9. Re:Just bruteforce 10,000 requests in 10 minutes by thegarbz · · Score: 1

      Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds.

      In theory you're right. In practice you're wrong. The vast majority of attacks are not well targeted and will come from single IPs and take ages to switch. You can see that anywhere someone logs fail2ban hits on a Linux machine. There's so much low hanging fruit out there that even a simple scheme is likely to make people back off.

    10. Re:Just bruteforce 10,000 requests in 10 minutes by Rockoon · · Score: 4, Informative

      In what universe do you get a pin with a purchase of a gift card?

      You take the card off the rack. You go to the cash register. They ask how much you want on it. They activate it with that amount. You walk away with it presumably to give it to someone that you don't care much about because otherwise you would have put thought into their gift. There is no PIN.

      --
      "His name was James Damore."
    11. Re:Just bruteforce 10,000 requests in 10 minutes by feargal · · Score: 1

      Not that it matters but with Luhn checks there's only a thousand to check.

      --
      "A goldfish was his muse, eternally amused"
    12. Re:Just bruteforce 10,000 requests in 10 minutes by stinerman · · Score: 4, Informative

      Some have another number (PIN) that is hidden under a scratch-off area.

    13. Re:Just bruteforce 10,000 requests in 10 minutes by Desler · · Score: 1

      All the ones I've ever received have never required a PIN to use.

    14. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 1

      Seems like the best solution would be to track the number of balance checks each card number receives and base a wait time off of that.

      Something as simple as making the wait time be X^1.5 where X is the number of attempts would quickly make repeatedly checking numbers infeasible

      That doesn't work at all either. You only need to check a specific number once.

    15. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 1

      I don't think getting thousands of users would be that difficult but once you have several thousand visitors then there are probably more profitable ways of using those eyeballs than trying 10k combinations to get a $50 gift card. That would be less than a penny per captcha so if it is a 1/10k payout for $50 then a captcha is probably pretty effective. On the other hand, if the numbers are sequential and/or some of the dollar amounts are larger then that changes. I regularly get $500 Home Depot gift cards. This would change the calculation significantly especially if you can figure out the pattern and not have to search the whole domain.

    16. Re:Just bruteforce 10,000 requests in 10 minutes by networkBoy · · Score: 1

      Not most restaurant cards, which is what this is about.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    17. Re:Just bruteforce 10,000 requests in 10 minutes by unrtst · · Score: 1

      Disclaimer: I didn't RTFA, but I did RTFS(ummary).

      The summary says they "cycle through all 10,000 possible values for the four random digits at the end of the card's number". AFAICT, that's the last 4 of the card number - like the part that gets printed on receipts. He's cycling through those numbers, not the CSC (Card Security Code) nor CVV (Card Verification Value).

      FWIW, while I did find pages labeled CSV in relation to that value (ex. https://www.teamline.cc/static...), I didn't find what that stood for. Even the Wikipedia page for that feature does not include CSV (https://en.wikipedia.org/wiki/Card_security_code). So, just to confirm... you were referring to the CSC/CVD/CVV/CV2/CVC/V-code/SPC thing, right? (my gut/guess is that CSV is the abbreviation in some non-English language, which would make perfect sense).

    18. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 1

      In what universe do you get a pin with a purchase of a gift card?

      In my universe. I used to work in retail, and all the gift cards had a scratch off PIN on the back for accessing online balances and stuff...

    19. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 1

      Not to use, but to access the online account you do. Or maybe you just live in a country with third world banking standards (cough*USA*cough)...

  2. Low losses = Low security. by Anonymous Coward · · Score: 2, Insightful

    Bluntly, the reason that these do not have better security is that, while the security is crap, the amount of fraud done against gift cards is relatively small (and a lot of the people who perpetrate the small amount of fraud they do find have not taken care and get caught).

    As long as it costs companies less to fix and write off the fraud than it would cost to implement a more secure system, then they are likely to stick with the cheap, easy to hack system.

    1. Re: Low losses = Low security. by Anonymous Coward · · Score: 3, Informative

      No loss at all. None whatsoever. For the business that is. If the card has a balance. That means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers' balances unless they get enough complaints.

      Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show up to their door. Done. Or if at a restaurant post the pictures of the thief on the local news.

  3. Should be a simple problem to solve by Krishnoid · · Score: 2

    Since these gift cards have to be printed out individually anyway, couldn't they be produced using uuidgen (or the like)? Seems like a single algorithm would solve the problem for all retailers at once.

    1. Re:Should be a simple problem to solve by Rockoon · · Score: 1

      You are proposing no security prior to card activation. They use a sequential or systematic series so that they don't need to maintain a database of unactivated cards.

      --
      "His name was James Damore."
    2. Re:Should be a simple problem to solve by flink · · Score: 2

      What "security" does having a predictable set of account numbers bring? These aren't bank routing numbers, they are just keys to a stored value. The only requirement is that they be unique and hard to guess. When the card is being activated, just check to see the uuid has never been used before and record the value of the now active card.

      Alternatively, cards should have a PIN on a scratch off window on the back of the card which is not magnetically encoded but is associated with the card number when activating. Make the user enter the PIN when checking the value online. This would prevent the attack on the website described in the article since the attacker won't have access to the PINs.

    3. Re:Should be a simple problem to solve by Rockoon · · Score: 1

      What "security" does having a predictable set of account numbers bring?

      Detecting and limiting insider fraud requires knowing what cards are still awaiting activation and only allowing those cards to be activated.

      People often forget about the most common fraud of them all....

      --
      "His name was James Damore."
    4. Re:Should be a simple problem to solve by Sloppy · · Score: 1

      They use a sequential or systematic series so that they don't need to maintain a database of unactivated cards.

      God forbid a business spring for a pair of $80 hard disks.

      Yeah, I think I would relax the "we don't want to maintain a database of unactivated cards" requirement. How hard can that be? And it solves the fraud problem too? Pays for itself on the first day.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  4. Thanks for the heads up... by ddtmm · · Score: 4, Funny

    The restaurant chain will probably reward him for bringing it to their attention by giving him a gift card to the restaurant.

    1. Re:Thanks for the heads up... by ddtmm · · Score: 2

      No, I have to say I did not.

  5. The last 4 digits are a checksum by FeelGood314 · · Score: 2

    I've helped some smarter vendors with this in the past but I would guess that the vast majority are still using a checksum. It makes the verification easy and most companies are not organized enough to keep track of the cards that don't have money on them.

  6. It's happened to me by Coldeagle · · Score: 1

    Something very like this happened to me during the holidays last year. My manager gave me a $100 gift card, and when I went to use it the card had been drained. A colleague (who reported to the same manager) experienced the same thing. When we contacted the gift card company we were given the run around and didn't get our balances back. Nice of them isn't it? Pro tip: Make sure that they use the card immediately, order it online or give them cash instead :)

    1. Re:It's happened to me by Gussington · · Score: 3, Insightful

      Pro tip, never ever buy a gift card.
      It offers worse flexibility than cash, costs more and is less secure. Gift cards are for schmucks...

    2. Re:It's happened to me by wierd_w · · Score: 2

      Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

      If you are gonna give something, give something with some actual utility yo.

    3. Re:It's happened to me by Zontar The Mindless · · Score: 1

      They also work nearly anywhere in the world, and can be posted to your near and dear ones overseas at the usual letter rate.

      --
      Il n'y a pas de Planet B.
    4. Re:It's happened to me by mark-t · · Score: 1

      If your reloadable credit card gets drained because it was compromised somehow, you are usually SOL for the money that was on it that you did not use. Maybe that might not amount to a lot of money, but it's still something... and it's beside the point. If your regular credit card is compromised because of some company's poor security practices that you had no previous reason to suspect, a respectable credit card company will not charge you even a penny for the fraudulent activity.

    5. Re:It's happened to me by tlhIngan · · Score: 2

      Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

      If you are gonna give something, give something with some actual utility yo.

      Visa/MasterCard gift cards are terrible gifts.

      First, the fees are terrible - you usually get a year, then after that they cost anywhere from $2.50-5/month "account maintenance charge", regardless of whether you actually use it or not. (That's a $30-60 annual fee).

      You're also stuck with fractions you can't spend - most places that accept gift cards will accept multiple gift cards as payment so you can drain them all to 0 (and pay with a credit card or cash for the remaining balance). Though some places (Google was one of them a while ago - I couldn't use my $2 credit to buy $3 worth of stuff because it had to be single-funded) are still brain dead in that way.

      It is a lot rarer to find places that will accept multiple charge cards at once - at best, you can do credit-and-cash payment but rarely can you do two or more cards at once. This is because obviously the fee is doubled since they have multiple cards.

      I have lots of drained gift cards - I use them all up and pay the difference in cash or credit. The remaining balance on my Visa gift cards usually drains away because of the fees so it is really hard to drain them to zero.

    6. Re:It's happened to me by wierd_w · · Score: 2

      Firstly, to use a "buffer card" effectively, you plan your purchases. (Yes, that dreaded budgeting thing!) You then load the card, then make the purchase. You don't carry a large balance on the card, just enough to keep it active. It requires that you have some discipline with your online purchasing, but you get some extra protection that way.

      If a retailer gets compromised, you lose just that min holding balance, and don't have to miss a day of work to file dispute forms to the sometimes hundreds of merchants claiming you owe them shitloads of money. (since you have to dispute each and every fraudulent charge, you can be there for a very long time doing the dispute process. Been there, done that. Sony Hack got me a few years back.)

    7. Re:It's happened to me by torkus · · Score: 1

      I don't know what credit cards you're using, but missing a day of work to file dispute forms doesn't match any of my experiences ever. Maybe 15 years ago?

      I've had a few cards compromised over the years (business travel overseas, etc.) and never once had to fill out any actual paperwork. In fact, in the last ~5 years the CC companies have caught the fraudulent purchases even before I did, called me to confirm, and immediately logged them for dispute if they hadn't been denied when processed. All over the phone, and it never took more than 10 minutes. On a rare occasion I had a single charge to dispute for other reasons, it was a 15-ish minute phone call or (more recently) an online web form which took a few minutes at most.

      Using a buffer card removes any chargeback protection, fraud protection, and card rewards you could get. Other than being able to purchase semi-anonymously I see very little point in getting one.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    8. Re:It's happened to me by torkus · · Score: 1

      Some states don't allow those card-draining fees thankfully.

      And as for draining small balances off Visa/MC gift cards? Go to almost any major retailer. Their systems can and do immediately determine the balance and apply the maximum towards your bill. I've cleared off 3 or 4 cards I had sitting around in one shot quickly and easily a couple times this way.

      I'm sure there's ways to do that online (all the green dot card scams mean there's a very simple and quick way to move money off a visa/MC gift card) but it's easier to just use them for a purchase at w-mart or whatever the next time you're there.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    9. Re:It's happened to me by flink · · Score: 1

      Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

      You don't need a reloadable card for this. Many CC companies let you generate temporary numbers linked to your main account. These can be set to be valid for a limited amount of time, have access to a limited credit line, or both. If the site does something shady or you get a report of a breach, you can just delete the temporary number from your account.

    10. Re:It's happened to me by mark-t · · Score: 1

      [With a prepaid card], If a retailer gets compromised, you lose just that min holding balance,

      That wasn't my point... that it isn't a lot of money is irrelevant, you still lose it.

      I've never had to miss a day of work to file dispute forms because of fraudulent activity on my card, which thankfully has not happened often... only twice in my entire life. The first time was in the early 90's when I reported my card lost to the credit card company after noticing that I didn't have it one night when I had got home. There were apparently already charges on it that I had not authorized, all within just the past day. The credit card company reimbursed me right then and there, I never saw any of those charges on my monthly statement, and they issued me a replacement card. The second time my card was compromised, I hadn't lost my card or known anything about my card's number being used without my consent, but apparently there was a transaction that I didn't authorize which somehow triggered the bank's own fraud detection system and they contacted *ME*. I don't know how that works, exactly... but it was kinda cool to know they are watching my back.

      Total time spent on the phone dealing with the situation: ~ 10 minutes.

    11. Re:It's happened to me by apoc.famine · · Score: 1

      I concur with the other two posters here. Have you not used a credit card in the last few years, or are you just tied to an incompetent bank?
       
      The last time there was fraud on my card, my credit union called and emailed me because it looked dodgy. I called back, confirmed that I didn't buy $35 of McDonalds in another country that morning, they canceled that charge and refunded the money. They requested I get a new card, so I walked over at lunchtime to the nearest branch where they shredded the current card and handed me a replacement one. The only real hassle was typing the new number into the few places that have my card saved on the internet.
       
      With the new chip cards, fraud is vastly reduced, and now if a merchant accepts a payment from a card without the chip, they are required to eat the fraud cost.

      --
      Velociraptor = Distiraptor / Timeraptor
  7. Re:Pretty Anonymous by Bert64 · · Score: 4, Interesting

    Well that's the difference between a white hat researcher who's trying to demonstrate a point, and a nefarious actor who's trying to commit fraud...

    Someone out to commit fraud will not take the cards to the restaurant themselves, instead they'll do other things with gift cards like:

    Spend them online to have goods sent to a suitably anonymous location.
    Recruit mules to do the risky work of actually using the cards in person.
    Sell the cards to unsuspecting third parties.

    And probably do all of these things while operating in a country outside of the reach of the law enforcement agencies that their victims are likely to contact.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  8. Re: Pretty Anonymous by Anonymous Coward · · Score: 1

    I'm guessing you don't own a business or have ever worked front of house at a nice restaurant. Walking in and buying 1000 dollars' worth of gift cards happens more often than you think and is not out of the ordinary. Shit just a couple months ago I bought 500 bucks in Tim Hortons gift cards.

  9. Wow... breaking the law is easy... by mark-t · · Score: 1

    News at 11. Who would have thought it, huh?

    Seriously... what the fuck difference does it make that it's easy to do? It's still fucking illegal. Speeding is easy to do too, easier, I would dare say, by no less than at least an order of magnitude than this hack, but that doesn't mean that you shouldn't be responsible for it if you do it.

    What's really sad about this is that the guy went out of his way to *deliberately* find a way to do something that anyone with half a brain should know is illegal.

    I have no words....

    1. Re: Wow... breaking the law is easy... by mark-t · · Score: 1

      Or you could just show them the old-fashioned way, and show them the pattern that you found that exists on their own cards, and then elaborate on that by adding that if a person with nefarious intent were to notice this pattern, that in only a relatively small number of attempts, and with perhaps only a handful of actual gift cards and the aid of a computer, that person may be able to guess the numbers of many cards they do not possess which may have a balance on them, and you wouldn't have to write any software at all (not to mention that the mere act of writing such software could make you liable for damages that you are not equipped to disprove that your software had nothing to do with, as your admission that you developed the software at all may be sufficient to incriminate you). Add that you were not even particularly deliberately trying to discover this pattern when you first noticed it, and suggest that it is quite far from unlikely that somebody with any intent to commit fraud will not be able to do this, if they have not done so already.

  10. Increasing the randomness doesn't help. by Anonymous Coward · · Score: 1

    Most just hang on racks. "Borrow" them and copy the numbers. Or just take a picture. It's harder to do a bulk 10000 card search but the issue is still there. Some cards are now sold in cardboard envelopes. That's a partial solution.

  11. cycle 10,000 possible values by houghi · · Score: 1

    cycle through all 10,000 possible values for the four random digits at the end

    All nice what he did, but I would be impressed if he would not cycle through them, but were able to determine these last 4. My bet is that there is some sort of verification used. No idea how the numbers are built, but I can imagine that they use any of the known verifications.

    The fact that they increase by one is also normal. Having a random number (with verification) would need to be verified if it was not already handed out and if it were not already used.

    So what verification was used? Standard Credit Card would already reduce the 10,000 to 100. And that would be with the most ones if they use the last two as control.

    I can also imagine that these are handled by an external company and then you would get perhaps something like CompanyVoucherAmountVerification. Something extra like branch could be in it as well, so as to do some analysis on the vouchers coming in.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:cycle 10,000 possible values by TechyImmigrant · · Score: 1

      >Having a random number (with verification) would need to be verified if it was not already handed out and if it were not already used.

      There are easy ways around this:

      1) Use a big enough random number. 256 bit uniform random numbers will not collide.

      2) Have a secret key and a counter and encrypt the counter through a decent block cipher (say AES, or Simon which you can easily extend to a 256 bit block size). Since the counter values never collide and the block cipher is a bijective mapping, you get numbers out the other side that are indistinguishable from random to anyone without the key, and they will never collide.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
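The encrypted-counter scheme from the comment above, as an added Go example that is not from the thread. It also shows the inverse check that lets the issuer reject a number it never printed without keeping a database of unactivated cards, which is the property Rockoon says sequential numbering is bought for. The Issuer type, the counter layout (counter in the low 64 bits, zero redundancy bits above it) and the placeholder key are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Issuer prints card numbers by encrypting a print counter with AES. A block
// cipher is a permutation on 128-bit blocks, so distinct counters never
// collide, and without the key the outputs are indistinguishable from
// random: holding one card's number says nothing about the next one printed.
type Issuer struct {
	block cipher.Block
	next  uint64 // counter of the most recently printed card
}

// NewIssuer takes a 16/24/32-byte AES key. The key used in main is a
// constructed placeholder; a real issuer keeps it in an HSM or key service.
func NewIssuer(key []byte) (*Issuer, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Issuer{block: b}, nil
}

const digits = 39 // 2^128 - 1 has 39 decimal digits

// Number maps a counter to its card number. The counter sits in the low 64
// bits of the plaintext block; the high 64 bits are zero and serve as a
// redundancy check when decrypting.
func (is *Issuer) Number(counter uint64) string {
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], counter)
	is.block.Encrypt(out[:], in[:])
	s := new(big.Int).SetBytes(out[:]).String()
	return strings.Repeat("0", digits-len(s)) + s
}

// Issue prints the next card.
func (is *Issuer) Issue() string {
	is.next++
	return is.Number(is.next)
}

// Counter inverts Number and decides whether a number was ever printed:
// decrypt, require the 64 redundancy bits to be zero, and require the
// counter to be in the printed range. Only activated cards then need a
// stored record (keyed by counter); a random 39-digit forgery passes the
// redundancy check with probability 2^-64.
func (is *Issuer) Counter(number string) (uint64, error) {
	n, ok := new(big.Int).SetString(number, 10)
	if !ok || n.Sign() < 0 || n.BitLen() > 128 {
		return 0, errors.New("malformed card number")
	}
	var in, out [aes.BlockSize]byte
	n.FillBytes(in[:])
	is.block.Decrypt(out[:], in[:])
	if binary.BigEndian.Uint64(out[:8]) != 0 {
		return 0, errors.New("not an issued card number")
	}
	c := binary.BigEndian.Uint64(out[8:])
	if c == 0 || c > is.next {
		return 0, errors.New("card number not yet printed")
	}
	return c, nil
}

func main() {
	is, err := NewIssuer([]byte("example-key-0123")) // constructed placeholder
	if err != nil {
		panic(err)
	}
	for i := 0; i < 3; i++ {
		num := is.Issue()
		c, err := is.Counter(num)
		fmt.Println(num, c, err) // consecutive counters, unrelated numbers
	}
}
```

A raw AES block gives 39-digit numbers, longer than the 16 to 19 digits on a typical card; fitting a shorter printed format while keeping the same properties calls for a format-preserving cipher such as FF1 (NIST SP 800-38G) in place of the plain block encryption here.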
    2. Re:cycle 10,000 possible values by TechyImmigrant · · Score: 1

      Argh, crap. Copied the wrong text and answered a different question. My defense is jetlag.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  12. counterfeit gift card by gsslay · · Score: 1

    "Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions."

    This is the scary part. And obviously counterfeit gift card, but accepted without question because it could be swiped?

    Would the retailer accept obviously counterfeit cash just because it said "Cash" on it?

    1. Re:counterfeit gift card by torkus · · Score: 1

      I don't know if you've used a CC in the US in the last several years but they virtually never look at them. Unless the computer randomly requires the last 4 digits to be verified literally no one bothers checking the signature. I've been asked to show ID occasionally (which is against the merchant agreement but some places insist anyhow) but that's about it.

      Going a step further, any place with a self-checkout makes this trivial.

      Not to mention there are several products on the market that consolidate multiple credit cards to one 'morphable' card and afaik the CC companies have not objected.

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  13. Re: Pretty Anonymous by Rockoon · · Score: 1

    I'm guessing you don't own a business or have ever worked front of house at a nice restaurant.

    I was thinking the same thing. My employer easily gives out a thousand dollars worth of Dunkin' Donuts gift cards each month to employees as part of various incentive programs (the Dunkin' cards are the runner-up prizes).

    --
    "His name was James Damore."
  14. Won't work with a good processor by Enderxeno · · Score: 1

    Having worked with Credit, Debit and Gift Card processors, they have security in place to make any gift card number void if it ever had the balance checked before the card is activated. Also the online balance check would require the four digit security code which is random and only known to the processor. This might only work if a retail company was using an in-house card program and didn't implement their own security protections.

  15. Our former bank used serial numbers by Trailer+Trash · · Score: 1

    My wife and I both had debit cards, and hers was exactly mine + 1. In reality that means the last two digits were changed since the last digit is the checksum. I always wondered, though, if all their cards were numbered serially, since it would then be trivial to come up with a list of card numbers. With a three digit CVV it would be as easy to guess card numbers based on a single CVV value as vice versa.
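    An added illustration of the checksum point above, not from the thread: with a Luhn check digit (the scheme used on payment cards), a serially numbered body incremented by one gets a fresh check digit, so "mine + 1" shows up as the last two digits both differing. Function names and sample numbers are constructed for the example.

    ```go
    package main

    import "strconv"

    // luhnCheckDigit returns the digit that makes body+digit pass the Luhn check.
    func luhnCheckDigit(body string) (byte, bool) {
    	sum, double := 0, true // the digit just left of the check digit is doubled
    	for i := len(body) - 1; i >= 0; i-- {
    		d := int(body[i] - '0')
    		if d < 0 || d > 9 {
    			return 0, false
    		}
    		if double {
    			d *= 2
    			if d > 9 {
    				d -= 9
    			}
    		}
    		sum += d
    		double = !double
    	}
    	return byte('0' + (10-sum%10)%10), true
    }

    // luhnValid reports whether a full card number passes the Luhn check.
    func luhnValid(number string) bool {
    	if len(number) < 2 {
    		return false
    	}
    	d, ok := luhnCheckDigit(number[:len(number)-1])
    	return ok && d == number[len(number)-1]
    }

    // nextSerialCard returns the number an issuer with serial bodies hands out next.
    func nextSerialCard(number string) (string, bool) {
    	if !luhnValid(number) {
    		return "", false
    	}
    	body := number[:len(number)-1]
    	n, err := strconv.ParseUint(body, 10, 64)
    	if err != nil {
    		return "", false
    	}
    	next := strconv.FormatUint(n+1, 10)
    	for len(next) < len(body) { // keep leading zeros
    		next = "0" + next
    	}
    	d, _ := luhnCheckDigit(next)
    	return next + string(d), true
    }
    ```

    A check digit only removes nine of every ten candidates from a guessing space; it is integrity, not secrecy, which is why the thread keeps coming back to the separate security code.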

  16. The SIMPLE fix by rickb928 · · Score: 1

    Require the CSC or CVV2 for balance requests. THAT is not predictable, so far as I can see.

    There are a multitude of reasons why cards have predictable numbering, and none of these are going away. Just use the existing security (CVV2CSC) and let the fraud checking and auth systems do their work.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re: The SIMPLE fix by rickb928 · · Score: 1

      The trick is to guess card numbers, get balances, then write a card with the track 1 data and spend the 'money'. The actual card gets debited, the actual owner is confused, and nobody asks for the CSC CVV2 on a swipe.

      Requiring the CSC or CVV2 stops this. Simple.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  17. Stealing is stealing by nuckfuts · · Score: 1

    News flash: Being a thief is not difficult. That any particular thievery is based on technology does not make it cool, intrinsically interesting, or OK.

    I can think of dozens of ways to steal things that are "scarily easy". Like knocking down an old lady and grabbing her purse.

  18. A /64 is still a lot of IP addresses by tepples · · Score: 1

    >The second thing would be to put a time-activation lock on numbers tried by ip address

    So the criminal just switches to one of the other 18 quintillion IP addresses that his IPv6-aware ISP hands out.

  19. NFB v. Target by tepples · · Score: 1

    >The only real solution is a good quality captcha

    If handled poorly, that's a good way to get sued by blind advocacy groups. See National Federation of the Blind v. Target Corp.