Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking Retail Gift Cards Remains Scarily Easy (wired.com)

Posted by BeauHD on from the so-easy-a-caveman-can-do-it dept.

Willium Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains how Caput plans to defraud the system in his report via WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.

Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone." Caput said he plans to present his findings at the Toorcon hacker conference this weekend.

10 of 108 comments (clear)

  1. Just bruteforce 10,000 requests in 10 minutes by Fly+Swatter · · Score: 5, Insightful

    I guess if the gift card website even allows part of that to happen, someone should be fired ?

    1. Re:Just bruteforce 10,000 requests in 10 minutes by lucm · · Score: 5, Informative

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones

      --
      lucm, indeed.
    2. Re:Just bruteforce 10,000 requests in 10 minutes by Wycliffe · · Score: 5, Interesting

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

      Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds. The only real solution is a good quality captcha which is what most sites use but even that's pretty trivial to defeat with things like amazon turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

    3. Re:Just bruteforce 10,000 requests in 10 minutes by Gussington · · Score: 3, Interesting

      I guess if the gift card website even allows part of that to happen, someone should be fired ?

      Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...

    4. Re:Just bruteforce 10,000 requests in 10 minutes by Rockoon · · Score: 4, Informative

      In what universe do you get a pin with a purchase of a gift card?

      You take the card off the rack. You go to the cash register. They ask how much you want on it. They activate it with that amount. You walk away with it presumably to give it to someone that you dont care much about because otherwise you would have put thought into their gift. There is no PIN.

      --
      "His name was James Damore."
    5. Re:Just bruteforce 10,000 requests in 10 minutes by stinerman · · Score: 4, Informative

      Some have another number (PIN) that is hidden under a scratch-off area.

  2. Thanks for the heads up... by ddtmm · · Score: 4, Funny

    The restaurant chain will probably reward him for bringing it to their attention by giving him a gift card to the restaurant.

  3. Re: Low losses = Low security. by Anonymous Coward · · Score: 3, Informative

    No loss at all. None what so ever. For the business that is. If the card has a balance. That means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers balances unless they get enough complaints.

    Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show up to their door. Done. Or if at a restaurant post the pictures of thief on the local news.

  4. Re:Pretty Anonymous by Bert64 · · Score: 4, Interesting

    Well that's the difference between a white hat researcher who's trying to demonstrate a point, and a nefarious actor who's trying to commit fraud...

    Someone out to commit fraud will not take the cards to the restaurant themselves, instead they'll do other things with gift cards like:

    Spend them online to have goods sent to a suitably anonymous location.
    Recruit mules to do the risky work of actually using the cards in person.
    Sell the cards to unsuspecting third parties.

    And probably do all of these things while operating in a country outside of the reach of the law enforcement agencies that their victims are likely to contact.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Re:It's happened to me by Gussington · · Score: 3, Insightful

    Pro tip, never ever buy a gift card.
    If offers worse flexibility than cash, costs more and less secure. Gift cards are for schmucks...