Slashdot Mirror


Hacking Retail Gift Cards Remains Scarily Easy (wired.com)

William Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains how Caput plans to defraud the system in his report via WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.

Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone."
Caput said he plans to present his findings at the Toorcon hacker conference this weekend.

19 of 108 comments

  1. Just bruteforce 10,000 requests in 10 minutes by Fly+Swatter · · Score: 5, Insightful

    I guess if the gift card website even allows part of that to happen, someone should be fired?

    1. Re:Just bruteforce 10,000 requests in 10 minutes by Anonymous Coward · · Score: 2, Interesting

      That's the obvious conclusion. Then a smarter hacker will just use a botnet to brute force it.

      This is password length 101. The longer the password the longer it takes to brute force. The fact that the numbers aren't even random is part of the problem.

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

    2. Re:Just bruteforce 10,000 requests in 10 minutes by lucm · · Score: 5, Informative

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones.

      --
      lucm, indeed.
    3. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 5, Interesting

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds. The only real solution is a good quality captcha which is what most sites use but even that's pretty trivial to defeat with things like amazon turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, warez sites, etc.)

    4. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 3, Interesting

      I guess if the gift card website even allows part of that to happen, someone should be fired ?

      Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...

    5. Re:Just bruteforce 10,000 requests in 10 minutes by Rockoon · · Score: 4, Informative

      In what universe do you get a PIN with a purchase of a gift card?

      You take the card off the rack. You go to the cash register. They ask how much you want on it. They activate it with that amount. You walk away with it presumably to give it to someone that you don't care much about because otherwise you would have put thought into their gift. There is no PIN.

      --
      "His name was James Damore."
    6. Re:Just bruteforce 10,000 requests in 10 minutes by stinerman · · Score: 4, Informative

      Some have another number (PIN) that is hidden under a scratch-off area.

  2. Low losses = Low security. by Anonymous Coward · · Score: 2, Insightful

    Bluntly, the reason that these do not have better security is that, while the security is crap, the amount of fraud done against gift cards is relatively small (and a lot of the people who perpetrate the small amount of fraud they do find have not taken care and get caught)

    As long as it costs companies less to fix and write off the fraud than it would cost to implement a more secure system, then they are likely to stick with the cheap, easy to hack system.

    1. Re: Low losses = Low security. by Anonymous Coward · · Score: 3, Informative

      No loss at all. None whatsoever. For the business that is. If the card has a balance. That means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers' balances unless they get enough complaints.

      Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show up to their door. Done. Or if at a restaurant post the pictures of the thief on the local news.

  3. Should be a simple problem to solve by Krishnoid · · Score: 2

    Since these gift cards have to be printed out individually anyway, couldn't they be produced using uuidgen (or the like)? Seems like a single algorithm would solve the problem for all retailers at once.

    1. Re:Should be a simple problem to solve by flink · · Score: 2

      What "security" does having a predictable set of account numbers bring? These aren't bank routing numbers, they are just keys to a stored value. The only requirement is that they be unique and hard to guess. When the card is being activated, just check to see the uuid has never been used before and record the value of the now active card.

      Alternatively, cards should have a PIN on a scratch off window on the back of the card which is not magnetically encoded but is associated with the card number when activating. Make the user enter the PIN when checking the value online. This would prevent the attack on the website described in the article since the attacker won't have access to the PINs.
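What Krishnoid and flink describe, as an added example that is not part of the thread or of any real card program: card numbers drawn from a CSPRNG rather than a counter, a one-time activation step that rejects a number that was never minted or was already activated, and a balance check that requires the scratch-off PIN and answers identically for an unknown number, an unactivated card and a wrong PIN. The `secrets` and `hashlib` calls are the standard library; the record layout, the 16-digit number length and the 6-digit PIN are choices made for the example.

```python
import hashlib
import hmac
import secrets

CARD_DIGITS = 16     # length chosen for the example, not any real card scheme
PIN_DIGITS = 6
PBKDF2_ROUNDS = 50_000


def _hash_pin(pin, salt):
    """Salted PBKDF2 so a copy of the card table does not hand out PINs in clear.
    A 6-digit PIN is still low entropy, so this complements rate limiting rather
    than replacing it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class GiftCardIssuer:
    """In-memory model of issuing, activating and checking cards (example only)."""

    def __init__(self):
        self._cards = {}   # card_number -> record

    def mint(self):
        """Print-time step: random number and random PIN. The PIN goes under the
        scratch-off panel and is never stored in clear; the number is the only
        thing encoded on the magnetic stripe."""
        while True:
            number = f"{secrets.randbelow(10 ** CARD_DIGITS):0{CARD_DIGITS}d}"
            if number not in self._cards:       # uniqueness check, as flink suggests
                break
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._cards[number] = {
            "pin_salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "active": False,
            "balance_cents": 0,
        }
        return number, pin

    def activate(self, number, amount_cents):
        """Register-time step: succeeds exactly once per minted number."""
        rec = self._cards.get(number)
        if rec is None or rec["active"] or amount_cents <= 0:
            return False
        rec["active"] = True
        rec["balance_cents"] = amount_cents
        return True

    def balance(self, number, pin):
        """Website balance check. Returns the balance in cents, or None for an
        unknown number, an unactivated card or a wrong PIN, without saying which."""
        rec = self._cards.get(number)
        if rec is None or not rec["active"]:
            return None
        if not hmac.compare_digest(_hash_pin(pin, rec["pin_salt"]), rec["pin_hash"]):
            return None
        return rec["balance_cents"]


def neighbours_are_unrelated(issuer, count=5):
    """Sanity check on the generator: consecutively minted numbers should share
    no common prefix, unlike the counter-based numbering the article describes."""
    numbers = [issuer.mint()[0] for _ in range(count)]
    return all(a[:-4] != b[:-4] for a, b in zip(numbers, numbers[1:]))


if __name__ == "__main__":
    issuer = GiftCardIssuer()
    number, pin = issuer.mint()
    print("minted", number, "PIN under scratch-off:", pin)
    print("activate $25:", issuer.activate(number, 2500))
    print("balance with PIN:", issuer.balance(number, pin))
    print("balance with wrong PIN:", issuer.balance(number, "000000" if pin != "000000" else "111111"))
    print("consecutive numbers unrelated:", neighbours_are_unrelated(issuer))
```

The three `None` paths in `balance` are deliberately indistinguishable: the enumeration in the article works precisely because the balance page confirms which numbers are live, so the lookup should reveal nothing until both the number and the PIN are right.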

  4. Thanks for the heads up... by ddtmm · · Score: 4, Funny

    The restaurant chain will probably reward him for bringing it to their attention by giving him a gift card to the restaurant.

    1. Re:Thanks for the heads up... by ddtmm · · Score: 2

      No, I have to say I did not.

  5. The last 4 digits are a checksum by FeelGood314 · · Score: 2

    I've helped some smarter vendors with this in the past but I would guess that the vast majority are still using a checksum. It makes the verification easy and most companies are not organized enough to keep track of the cards that don't have money on them.

  6. Re:Pretty Anonymous by Bert64 · · Score: 4, Interesting

    Well that's the difference between a white hat researcher who's trying to demonstrate a point, and a nefarious actor who's trying to commit fraud...

    Someone out to commit fraud will not take the cards to the restaurant themselves, instead they'll do other things with gift cards like:

    Spend them online to have goods sent to a suitably anonymous location.
    Recruit mules to do the risky work of actually using the cards in person.
    Sell the cards to unsuspecting third parties.

    And probably do all of these things while operating in a country outside of the reach of the law enforcement agencies that their victims are likely to contact.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  7. Re:It's happened to me by Gussington · · Score: 3, Insightful

    Pro tip, never ever buy a gift card.
    It offers worse flexibility than cash, costs more and is less secure. Gift cards are for schmucks...

  8. Re:It's happened to me by wierd_w · · Score: 2

    Gift cards suck. Get a reloadable Visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (E.g., rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable Visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

    If you are gonna give something, give something with some actual utility yo.

  9. Re:It's happened to me by tlhIngan · · Score: 2

      Gift cards suck. Get a reloadable Visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (E.g., rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable Visa, and when it gets drained, it just gets denied. You don't end up with thousands of dollars of debt that you have to dispute.)

    If you are gonna give something, give something with some actual utility yo.

    Visa/MasterCard gift cards are terrible gifts.

    First, the fees are terrible - you usually get a year, then after that they cost anywhere from $2.50-5/month "account maintenance charge", regardless of whether you actually use it or not. (That's a $30-60 annual fee).

    You're also stuck with fractions you can't spend - most places that accept gift cards will accept multiple gift cards as payment so you can drain them all to 0 (and pay with a credit card or cash for the remaining balance). Though some places (Google was one of them a while ago - I couldn't use my $2 credit to buy $3 worth of stuff because it had to be single-funded) are still brain dead in that way.

    It is a lot rarer to find places that will accept multiple charge cards at once - at best, you can do credit-and-cash payment but rarely can you do two or more cards at once. This is because obviously the fee is doubled since they have multiple cards.

    I have lots of drained gift cards - I use them all up and pay the difference in cash or credit. The remaining balance on my Visa gift cards usually drains away because of the fees so it is really hard to drain them to zero.

  10. Re:It's happened to me by wierd_w · · Score: 2

    Firstly, to use a "buffer card" effectively, you plan your purchases. (Yes, that dreaded budgeting thing!) You then load the card, then make the purchase. You don't carry a large balance on the card, just enough to keep it active. It requires that you have some discipline with your online purchasing, but you get some extra protection that way.

    If a retailer gets compromised, you lose just that minimum holding balance, and don't have to miss a day of work to file dispute forms to the sometimes hundreds of merchants claiming you owe them shitloads of money. (Since you have to dispute each and every fraudulent charge, you can be there for a very long time doing the dispute process. Been there, done that. The Sony hack got me a few years back.)