Gift Card Hacking

Posted by CmdrTaco
from the where-do-I-swipe-it dept.
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores. One retailer notes that the odds of this occurring are about at the level of being pickpocketed."

  • Theft happens all the time. Why is this news?

    If security was doing their job, it wouldn't be such a problem.
    • Read the article buddy. It's about stealing the numbers off of cards in the stores and reprogramming legit cards to use them as they are activated by consumers.
      • Why didn't I think of that?

        Now I can get everything on my Christmas list and screw over a horde of people during the holiday season! Isn't technology great, even when it's old technology...
      • Oh, I read the article.
        When I said security, I meant the people programming the cards in the first place. Not the rent-a-cop types you see at the mall store.
        Sorry for the misconception.
    • Because now little billy can get much more outta that bestbuy card his Mommy put in his stocking.
      =]
    • If security was doing their job, it wouldn't be such a problem.

      No, if people had some sense of ethics this wouldn't be a problem. Why is every security lapse mentioned on /. blamed on the victims? Yes, they made a mistake. Yes, there are ways to counteract it. But the way blame is constantly shifted away from the actual criminals here is sickening.
      • Why is every security lapse mentioned on /. blamed on the victims?

        The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people whose gifts get stolen.
        No one's blaming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer.

        ... if people had some sense of ethics this wouldn't be a problem.
        And if my mother had wheels she'd be a wagon.

        That being said, that has never been the case and (IMHO) will never be the case, and people who deal in cash and goods need to be aware of this and deal appropriately.
        You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customers' money or interest once they get theirs.
        It's like the store saying "it's our policy to leave your money on the counter while you shop - but if someone takes it before we ring it up it's your problem not ours."

        =tkk

      • Crime and criminals have been with us from the beginning and will be with us until the end. Most people are honest, but there will always be a small minority that aren't. There's not much point in wringing one's hands over this fact and whining about "people not having some sense of ethics".

        In this case the victims aren't the retailers, the potential victims are those who purchase the gift cards. Blaming the retailers for not taking adequate precautions against the theft of the funds in question isn't a case of "blaming the victim" (the person buying the gift card who has every right to assume that the vendor takes reasonable security precautions).

        It makes perfect sense to blame vendors who don't take adequate precautions to protect their customers from theft. Remember that the customer can be ripped off even if they keep the card secured in Fort Knox, in other words the customer can't do a damned thing (short of not buying the product) to protect the card, only the vendor.

        And also keep in mind that simple security measures are available that greatly increase the safety of the card, and the article points out a few retailers who implement such measures. Those who don't are fair game for criticism, IMO.
  • by Anonymous Coward
    gift cards want to be free!
  • Big Deal (Score:1, Funny)

    by mlknowle (175506)
    Big deal - this is theft. Why does it get featured on ./ ? Because it involves something remotely technology related. Guess what - it's still stealing - this is no different than rummaging through an open cash register drawer.
    • Of course it's stealing, but that's not to say it shouldn't be on slashdot. assholes using technology to do stupid things like this is normal and should be reported.


      Would you rather be in the dark to such activities? If so then why the hell are you even coming to this website to begin with?

    • Big deal - this is theft. Why does it get featured on ./ ? Because it involves something remotely technology related. Guess what - it's still stealing - this is no different than rummaging through an open cash register drawer.

      I disagree. Although I'm probably alone in this opinion, I believe that hacking a gift card is not stealing, as nothing is taken out of the store. I am merely exaggerating the value of the gift card, which isn't that bad considering how often corporations exaggerate the value of their merchandise, thereby inflating the prices to unreasonable numbers. Besides, the store will still receive the money that is used with the gift card. Nobody is hurt.

      • Re:Big Deal (Score:3, Informative)

        by Brian Kendig (1959)
        Let's hear you say that next time your girlfriend gives you a $50 gift card for your favorite electronics store, and when you go to use it, the store clerk tells you there's no balance left on the card. He also points to the small print on the card which says (as quoted from the article) "We cannot be responsible for funds used without your knowledge."

        The hackers aren't just inflating the value of the card -- they're re-encoding the card so that it represents a card that someone else bought. Sure, they're "exaggerating the value of the gift card," but by lowering the value of someone else's card.
  • by Maiko (534130)
    Being in the UK, and in a countryside area at that, I haven't heard of Gift Cards before. Here we stick to paper-based vouchers, or indeed, just to send cheques to people in Christmas cards. At least if they are posted and stolen before they are delivered, then it becomes "interfering with her majesty's post" (Seeing as it belongs to the crown etc etc etc) and can carry up to 10 years in prison. Mmm...handy that...
    • Personally I see gift cards as a very selfish gift. "I couldn't think of a real present to get you, so I'm giving you this gift of pseudo cash. btw you can only use it at XXX"


      Damn, if you're gonna be so impersonal as to give a gift of money then give something that can be used anywhere.

    • We have those vouchers here on the continent too. Of course they are generally protected through security measures and they are made by the same companies which print money, bank cards etc.

      It seems the merchants tried to reinvent the wheel with these gift cards. They could have used scratchcards such as for prepaid GSM phones, for instance. These contain a unique random number.
    • gift cards are basically a replacement for gift certificates. whoever came up with them was probably trying to solve a problem with paper certs fraud. the idea is you go to the store, ask for a card with N amount on it, pay, and you're given a card that can be used later. you give that card to the person you wish to. when making a purchase with the card, the amount is deducted from the balance on the card.

      the gift cards double for the store as store credit. return an item w/o a receipt? get the amount of your refund on a gift card.
  • Nondisclosure (Score:3, Insightful)

    by FauxPasIII (75900) on Saturday December 29, 2001 @11:35AM (#2762208)
    Interesting... after describing a company who is particularly lax in their security practices wrt the gift cards:


    The company's name isn't being published to avoid giving criminals a too-easy target.


    Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
    At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
    • Re:Nondisclosure (Score:4, Insightful)

      by swb (14022) on Saturday December 29, 2001 @11:46AM (#2762231)
      Swell. So there's no significant economic reason for that company to change their policies yet.

      Sure there is, it's the internal economic justification of the manager in charge of the gift card program. The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned.

      No one wants an easy-to-rip-off gift card system. It invites attack from other fraud artists (if this system is lax, then others likely are too), pisses off customers and ruins loyalty.

      The larger problem is that there's little financial incentive for stores to fix the problem generally (other than being seen as generally lax), since the losses aren't their own, they're someone else's, and even hijacked cards are money made for the store.
      • Re:Nondisclosure (Score:2, Interesting)

        by FauxPasIII (75900)
        >> pisses off customers and ruins loyalty.

        In a nondisclosure situation, nobody's going to get pissed or be at risk of losing their job until a significant amount of money is already ripped off.
        If, on the other hand, MSNBC ran a list of 'top ten shittiest gift card security offenders', this would impel an immediate change be made by those ten offenders, lest they incur huge losses in reputation.
        • Most smart managers want to fix a problem before it bites them. The fact that the name of the company ain't in the news has little to do with the amount of internal heat people are facing. You can bet your ass that the MSNBC called a lot of the company's management asking "Did you know how easy your gift cards are to rip off????" and the person in charge of the gift card program, who had probably touted its security previously, will be sitting in the boss' office on Jan 2 answering some hard questions.

          At least that's how it'd work where I work.
          • Re:Nondisclosure (Score:2, Interesting)

            by FauxPasIII (75900)
            >> Most smart managers want to fix a problem before it bites them.
            >> At least that's how it'd work where I work.

            In my experience, most companies operate on some variation of the Fight Club 'formula'. In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.
            • In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.

              Isn't this the way it should work? Why spend money to fix a problem that virtually no one cares about?

              In the case of fight club it's completely different, because we're talking about the loss of lives, not the loss of money. In this case we're talking about whether or not to spend money to stop losing money. A simple greater than or less than approach seems perfectly reasonable.

              • >> In this case we're talking about whether or not to spend money to stop losing money.

                No, we're talking about spending money to prevent your customers from being robbed due to deficiencies in your product. For an obvious (to slashdotters) analog, compare the total number of damages in billions of dollars caused by security deficiencies in Microsoft products, to the amount of actual financial liability incurred by Microsoft itself.
                Suppose the company in question is Circuit City. How many hundreds of thousands of customer dollars have to be stolen before the amount of dollars that the thefts cost Circuit City corporate warrants them doing something about it ?
          • Well, at the retail joints where I worked, nobody would have the guts to bring this up formally. The managers I've worked with are just putting in their time like the rest of us, and are more interested in problems that stay under the bed where they belong than in seeking out more work.
      • "Sure there is, it's the internal economic justification of the manager in charge of the gift card program. The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned."

        Or not. There's a quote in the MSNBC article from one of the anonymous company's executives that dismisses the risks addressed in the article. It appears that they don't care enough to fix the problem, even now that it's been highlighted. If they'd been explicitly named in the article, it wouldn't have been nearly as easy for them to shrug it off, and prudent consumers could avoid the company if it continued to engage in such risky behavior.

    • And then there are plenty of dishonest people around who aren't inventive enough to think this up and would jump on the bandwagon if the retailer's name was mentioned. Banks keep stuff like this quiet all the time and just improve internal security.
      • >> And then there are plenty of dishonest people around who aren't inventive enough to think this up and would
        >> jump on the bandwagon if the retailer's name was mentioned.

        No doubt. And what do you think would give these companies a reason to change their policies and fix the problem faster than a thundering bandwagon of thieves armed with this groovy new idea to make easy money ?
    • Even worse, they act like they are doing consumers a favor by not spreading the information. The bad guys already know who the target is - they certainly don't get their info from MSNBC. Meanwhile, consumers who have cards from this retailer are oblivious to the fact that they are potentially vulnerable.
  • Whee (Score:3, Funny)

    by ErikZ (55491) on Saturday December 29, 2001 @11:37AM (#2762212)

    So, after spending hundreds of dollars in equipment, casing the store and memorizing the numbers, your reward is:

    Books!
    Cans of Paint!
    Socks!

    The risk/reward here is pathetic. They would be better off stuffing things into their oversized coats during the holiday rush.
    • >> Books!
      >> Cans of Paint!
      >> Socks!

      Easily pawnable goods !
      Books, DVDs, CDs, video games can practically be spent like cash money if you have a pawn shop close by.
      • Easily pawnable goods ! Books, DVDs, CDs, video games can practically be spent like cash money if you have a pawn shop close by.

        It's always amazed me the lack of ethics that one apparently needs to run a pawn shop: trafficking in stolen goods, and encouraging theft from others.

        • by sjames (1099)

          It's always amazed me the lack of ethics that one apparently needs to run a pawn shop: trafficking in stolen goods, and encouraging theft from others.

          Some pawn shops do no doubt traffic in stolen goods (knowingly). Others are just trying to make a living and are victims of the thieves as well.

          I'll bet that if police kept a net accessible database of serial numbers for stolen goods, many pawn shop owners would check that list for their own protection.

    • Well, if I were an evil™ person doing this, I'd target someplace with good stuff like HomeDepot. Snag the numbers and walk out with a laser-guided compound power miter box. (Course H.D's IT group consistently has a clue so it's unlikely that they're vulnerable.). I'm also not evil :)
    • Re:Whee (Score:3, Informative)

      I guess you missed the part where they returned the goods for cash...
      • At the K-mart where I work, gift carded goods cannot be redeemed for cash--just for the same sum on another gift card. (It's the same way with goods brought in without a receipt--the customer gets the value of the lowest sale price, which usually isn't much, on a gift card--or else an even exchange.)

        On the bright side, one does have to have the actual card, not just the number--at least so far as I know.
  • Barnes and Noble. (Score:5, Insightful)

    by saintlupus (227599) on Saturday December 29, 2001 @11:42AM (#2762222) Homepage
    I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked:

    When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.

    Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.

    Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.

    --saint
    • Re:Barnes and Noble. (Score:5, Informative)

      by Grimmtooth (187628) <grimmtooth@gmail. c o m> on Saturday December 29, 2001 @12:14PM (#2762282) Homepage
      The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.


      Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002.

      My company's ready. I wonder how many other POS vendors aren't? :-)

      At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too.

      Outside the US is not something I'm familiar with.
      • by JordanH (75307) on Saturday December 29, 2001 @12:34PM (#2762307) Homepage Journal

        Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?

        I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?

        A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully. It's a real convenience to have this reference information on a receipt, and I imagine there's a good business case for having the gift card number on the receipt as well. Makes it easier to bring the card back and get it worked out if the magstrip goes bad, for example.

        What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.

        Oh, never mind, most people with a public school education have been trained not to think for so long now that any arguments are useless. OK, I give up... What we NEED is for these gift cards to be implanted in a chip in your wrist so you don't accidentally throw them away. That's the law we REALLY need.

        • by Jeremi (14640)
          Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?


          You could argue the same point for any product-safety law. Why do we need a law that forbids companies from selling cars with defective brakes? (and yes, the account-number-on-the-receipt is a defect: specifically, it's a security hole)


          I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?


          Seems like common sense to me.

          • Common sense? Sorry, but this "law" is already becoming a pain in my arse as retailers begin to implement it. I have six credit cards which I am constantly using. When I go to enter my transactions into my account register (MS Money), the number on my receipt is often the ONLY way I can recall which card I charged something to. Some retailers, luckily, are still printing the last four or five digits on the receipt, but with the others I now find myself having to write account info on my receipts just to keep my accounts straight.
            • >When I go to enter my transactions into my account register (MS Money), the number on my receipt is often the ONLY way I can recall which card I charged something to.


              the solution, of course, is for the receipt to only display the last four digits, as many do.


              I got a "rebate" check for $10 towards my credit card bill--identified by only the last 4 digits of the account . .


              hawk

          • Come again? The defective brakes don't require the consumer to be stupid to cause injury or death. The account number on receipt requires the consumer to be stupid, and certainly wouldn't cause injury or death.

            Quit insulting some of our intelligence, eh?

            • It doesn't just require the user to be stupid (although it does); it also makes it easy for the user to be stupid. In other words, it requires the user to be very careful in disposing of his receipts, or risk getting screwed. And the only reason for making things so error prone is for the business's convenience (it saves them the hassle of developing a more secure system); there is no advantage for the consumer.
        • A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully.

          They shouldn't. Putting the card number on the receipt changes it from a simple record of a transaction (which may be used for budget management, expense reimbursement, or proof of an expense in an audit) to a security risk that should be carefully destroyed as soon as possible. Suddenly, a simple slip of paper that should have no value to anyone but the purchaser becomes the target of theft.

          The laws against putting the card number on a receipt are protecting you against the merchant's stupidity much in the way that DUI laws protect you from another motorist's stupidity.

          While we're at it, there are a few other numbers that should be protected. Credit card account numbers should be distinct from the credit card number. That way, my bill isn't worth stealing and I can write the account number on a payment check so that in the likely event that check and payment slip become separated in handling, the payment may still be credited.

          All bank accounts should have two distinct numbers. One that only allows deposits. That way I could write my account number on the back of a check (same reasons as above) without wondering who will see it when the check clears and is returned.

          For that matter, account number shouldn't be enough to remove money from an account in the first place.

        • "Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?"

          Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime. In addition, remember that your "normal" street criminal doesn't have access to gift card blanks or mag strip writers. Usually, these low-level types are merely information collectors and end-product purchasers for a more organized high-level operation. It's "penny ante" stuff like this that supports most organized crime in America.

          In the end, it's not only the "people who do stupid things" or the stores that enable them that get protected (though they receive a large amount of the benefit), it's you and me. Now you can debate whether people need protection from criminals, but it is a debate you're likely to lose...

          P.S. This sort of law also helps increase the use of this kind of financial instrument by increasing its security. This may actually improve the economy. And besides, I doubt that you're the one person in existence who has never done anything stupid. Maybe we all need protection from you :-).

          • Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime.

            That's one way of looking at it. Another is that it creates a lot of "crime" by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police has to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.

            [Yeah,I get carried away. So what?]
        • Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?

          What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.
          Isn't this the same government that runs this funny country where you can sue the hell out of the maker of your microwave oven if they didn't include a strip of paper saying it's unsuitable for drying pets, or where people sue the hell out of McDonalds for not adding a notice on the cups for their steaming hot coffee saying that the coffee is hot?
          • The award was ratcheted way down in the coffee incident, but it was still excessive. And yes, McDonalds *should* put a warning label on the coffee:


            WARNING: Only a low grade moron would place this between her upper thighs and remove the lid in a moving vehicle!


            But then again, I favor a "darwinian" defense in product liability cases . . .


            hawk, esq., who doesn't see eye to eye with the tort lawyers

      • most places already do this. looking through a bunch of receipts from Christmas, Texaco, ShopRite (a PA-area food store), Kmart, Walmart, and Bed Bath & Beyond print the last 4 digits, Levi's Outlet at Franklin Mills Mall prints the whole number.

        That's ok for me though, as I know how to protect myself. Don't trash the receipt at the store. At home, carefully cut up each digit individually using a pair of scissors, separate the piles into several separate trash bins somewhere downtown, the more blocks apart the better.
    • a lot of stores are like that. I used to work for KMart back when their cards were intro'd, and it worked the exact same way. The plus for KMart (according to the article) is that there is a conf number in the stripe not found on the card and not given to the customer. The only loophole would be a card that had its stripe damaged, as the clerk would have to punch in the card number printed on the front, nothing else. But this article talks about re-programming the stripe on the card, which is made difficult by the conf code.
      • by delysid-x (18948)
        Unless you have access to blank cards, in which case you just punch the number into the plastic, put some bogus data on the stripe and have the clerk type the number in thinking it's a "bad card".
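
Added example, not part of the original discussion and not any retailer's actual system: an issuer-side redemption check in Python combining the measures mentioned in the comments above (a confirmation code that exists only on the stripe, a scratch-off number required for keyed entry when the stripe is damaged, and receipts showing only the last four digits). The key, the HMAC construction, the six-digit PIN, the lockout threshold and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption): a real issuer would hold this server-side.
ISSUER_KEY = b"constructed-demo-key"
MAX_PIN_FAILURES = 3  # hypothetical lockout threshold for keyed entry


def _mac(label: str, *parts: str) -> str:
    msg = "|".join((label,) + parts).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def stripe_code(account: str) -> str:
    """Confirmation value encoded on the magstripe only, never printed."""
    return _mac("stripe", account)[:8]


def mask(account: str) -> str:
    """Receipt form of the account number: last four digits only."""
    return "*" * (len(account) - 4) + account[-4:]


class GiftCardLedger:
    """Issuer-side record; the card itself carries no balance."""

    def __init__(self):
        self._cards = {}

    def issue(self, account: str) -> dict:
        """Register an inactive card and return what is physically on it."""
        pin = f"{secrets.randbelow(10**6):06d}"  # hidden under a scratch-off panel
        self._cards[account] = {"balance": 0, "active": False,
                                "pin_mac": _mac("pin", account, pin),
                                "pin_failures": 0}
        return {"printed": account, "stripe_code": stripe_code(account),
                "scratch_pin": pin}

    def activate(self, account: str, cents: int) -> str:
        """Load value at the register and return the gift receipt text."""
        card = self._cards[account]
        card["active"], card["balance"] = True, cents
        return f"GIFT CARD {mask(account)}  VALUE ${cents / 100:.2f}"

    def _debit(self, card: dict, cents: int) -> bool:
        if not card["active"] or cents <= 0 or cents > card["balance"]:
            return False
        card["balance"] -= cents
        return True

    def redeem_swipe(self, account: str, code: str, cents: int) -> bool:
        """Normal path: the stripe must carry the unprinted confirmation code."""
        card = self._cards.get(account)
        expected = stripe_code(account).encode()
        if card is None or not hmac.compare_digest(code.encode(), expected):
            return False
        return self._debit(card, cents)

    def redeem_keyed(self, account: str, pin: str, cents: int) -> bool:
        """Damaged-stripe fallback: the printed number alone is not enough."""
        card = self._cards.get(account)
        if card is None or card["pin_failures"] >= MAX_PIN_FAILURES:
            return False  # unknown card, or locked after repeated bad PINs
        if not hmac.compare_digest(_mac("pin", account, pin), card["pin_mac"]):
            card["pin_failures"] += 1
            return False
        card["pin_failures"] = 0
        return self._debit(card, cents)

    def balance(self, account: str) -> int:
        return self._cards[account]["balance"]


def demo() -> dict:
    ledger = GiftCardLedger()
    account = "6000000000001234"  # constructed sample number
    card = ledger.issue(account)
    receipt = ledger.activate(account, 5000)
    wrong_pin = "000000" if card["scratch_pin"] != "000000" else "111111"
    return {
        "receipt": receipt,
        # Someone who only knows the number printed on the card:
        "swipe_with_bogus_stripe": ledger.redeem_swipe(account, "bogus", 1000),
        "keyed_with_number_only": ledger.redeem_keyed(account, wrong_pin, 1000),
        # The legitimate holder:
        "swipe_with_real_stripe": ledger.redeem_swipe(
            account, card["stripe_code"], 1000),
        "keyed_with_scratch_pin": ledger.redeem_keyed(
            account, card["scratch_pin"], 1000),
        "balance": ledger.balance(account),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
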
  • I have worked in retail for many years and stores do not pay as much attention to gift cards as they should because they have no real value. They are like coins at amusement parks, they are only good at the respective stores. To put more money into safeguarding them, would destroy the supposed cost efficiency of these cards. Another point to consider is the switch from paper gift certificates. I believe that this was a much safer way to do business, but stores needed to "get with the times" and have a more electronic certificate. I guess this is one of those instances where advanced technology does not benefit us more than we think...
    • From Dictionary.com:
      escheat (s-cht)
      n.
      1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
      2. Law.
      a. Reversion of property to the state in the absence of legal heirs or claimants.
      b. Property that has reverted to the state when no legal heirs or claimants exist.

      Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search [google.com] on "gift certificates escheating")
      which means that to a retailer, gift cards are cheaper cuz they are not regulated.

      Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of havin them be stored value / rechargeable cards. the lack of escheating laws is also very good - less to report/ track to the government, less money lost to the government when the cards fail to be used.
  • fear mongering? (Score:3, Insightful)

    by filtersweep (415712) on Saturday December 29, 2001 @11:46AM (#2762227) Homepage Journal
    OK, OK... it holds the *potential* to be a problem- big deal. They cited NO actual examples of theft other than the money laundering example, and there are many easier ways of laundering money if you use your imagination.

    There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!

    There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.

    I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
    • What bothered me most about the article was the mention that gift cards are selling on eBay for 75 cents on the dollar. They said they hadn't verified any of the current auctions as being fraudulent (how would they have gone about doing this, anyway?) but the article implied that every gift card on eBay is probably illegit.

      Gimme a break! I can't count the number of times I've been sent gift certificates to stores that don't exist here, or to stores I have no interest in visiting. Not every retailer will let you shop on their website, and some of the ones who do won't let you redeem gift certificates online. In cases like this, you wind up with a nice (and maybe expensive) gift that you can't use. The obvious solution is to sell it - cheaper than it would cost to buy at the store, of course, or else what's the point - to someone who does have a store in their area.

      Who'd have thought that there might actually be unwanted/unusable gifts for sale on eBay a few days after Christmas? Apparently not MSNBC...

      Shaun
      • An easy way for these eBay sellers to sell seemingly "legit" gift cards is to simply program them back. Buy the card, store the original info, reprogram the card and steal lots and lots of money, program the card back to the original, sell it on eBay so it's no longer in your possession. Repeat.
  • HA! (Score:5, Funny)

    by BiggestPOS (139071) on Saturday December 29, 2001 @11:50AM (#2762235) Homepage
    According to the Tyler Morning Telegraph, teen-agers used a similar method for using gift cards to steal money from an electronics retailer in Tyler, Texas last December.

    I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.

  • What are the odds of something like this actually happening? How many thieves are there out there with the technical know how to pull this off, compared to the public at large? one hundred? one million?

    Most places I know of keep the gift cards at least out of sight, but if they were to keep them out in the open, well that would be sort of stupid, given the scenario.

    heck, I even wonder about the telephone cards, which I never use. I would have to go to a store to look at one to see if they have visible numbers on them.

    • Re:What are the odds (Score:3, Informative)

      by Chanc_Gorkon (94133)
      Around here, the gift cards are just sitting by the register back by the candy (Meijer's and Walmart both did this). They were easy to get, even easier to swipe because they were just glued to the back of a bigger card. To swipe one, one would just have to drop a bunch of cards, and then while bent over, peel the card off the bigger card. Also, I don't know about Walmart, but Meijer's were all precharged. The UPCs on the bigger card were even all the same (probably something like 41250 *****, I used to work at Meijer and all Meijer Branded stuff including the gift cards start with the same 5 numbers.). Thing is most stores don't have the storage or available UPCs to give each card a separate UPC code (only way they could keep the cards as they have them and keep them deactivated until they are scanned). The only way I think they could make these things more safe is if you had to do what you used to do and go to Guest Services and buy the card and have the guest services folks charge a denomination on them by swiping the card. Most of the cards I have seen as of late all had how much money each card held printed right on the card! This was at every place I have been this season including even some of the nicer stores! Meijer did not even have cashiers type in a code or anything to activate them. They just swiped it and the appropriate figure was added to the total along with your groceries. This may have changed, but I agree with the article that it is easy. I doubt many would even have to have the card programmers to steal lots of cash.
      • I don't know about Meijer's, but at my K-Mart (and, as far as I know, at Wal-Mart) you have to put money on the card when you buy it. Until then, it's simply empty. I scan the card, enter the amount, slide it through my credit card reader, then blammo, that card has money on it (or at least it does after the customer pays)--but not before. Someone could come along and take all the cards we had on the shelf--but none of them would be worth anything. It's the same for the long distance phone cards that hang along the impulse buying lanes--they have to be swiped through the register to activate them.

        But even so, when I was checking out at a Wal-Mart a few months back, buying a $10 gift card because of their gas pump system that gave you a cheaper rate if you bought with a gift card, the checker said they'd had to move all their gift cards to one single island, because people kept stealing them. Yes, she said, they were valueless until they were activated, but people seemed to keep stealing them anyway. Go figure, eh?
        • Your walmart sells gas?
        • Actually I checked out the cards today. It appears that Meijer changed their cards and they have to be rung and a code typed into the register to be activated. Must have had the problem I described above. So, you would have to have a card reprogrammer in order to steal off of the card. I think the article did describe how it could happen. It could still happen. It's just not very likely. I think the article raises some concerns, but nothing the average customer should worry about.
    • by SCHecklerX (229973) <thecaptain@captaincodo.net> on Saturday December 29, 2001 @02:33PM (#2762733) Homepage
      What are the odds of something like this actually happening? How many thieves are there out there with the technical know how to pull this off, compared to the public at large?

      A lot more now :)

  • Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?

    Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash.

    Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs. It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop.
    • PINs won't go over with gift givers. The benefit of a gift card is you can buy it, mail it to the nephew you never see and forget about it. Having to call your snot-nosed nephew to tell him the PIN would defeat the purpose.
    • Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?


      Because a secure PIN requires encryption devices on one end and decryption devices on another.

      But, good point on the PIN, if you HAVE a debit card, take the Gift Card and 'cash it out' immediately, then deposit the cash into your bank account. Voila, your money is as secure as your paycheck :-)
    • Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged?

      That's a flawed suggestion. Gift cards are, typically, gifts. When I buy one at Borders it's not for me, it's for a cousin. And when my Uncle sends me 40 bucks in Best Buy Legal Tender, there's no frickin way I'm going to remember the arbitrary 4-digit number _he_ chose 4 months ago as I'm trying to purchase an extra nintendo controller. See? Gift cards aren't like debit cards. Nobody wants to put that much effort into them, especially the retailer and least of all the customer.
  • by anthony_dipierro (543308) on Saturday December 29, 2001 @12:03PM (#2762265) Journal
    "In theory, I think there might be potential for what you're concerned about here, but there's concerns for peoples' pockets getting picked, too," said the spokesperson.
    does not mean anything remotely close to
    One retailer notes that the odds of this occuring are about at the level of being pickpocketed.
  • An easy way out would be to put two account numbers with every card. One is printed on the card and is used for the 1-800 number to check the balance. The other number could be on the magnetic strip and be used to redeem the card. All that's left is to watch for shoplifters.
    • An easy way out would be to put two account numbers with every card

      Do you realize how difficult this would be to implement? We're not talking about a cottage industry here, we're talking about dozens of companies for processing, dozens for the POS systems used, hundreds of actual merchants ... sure, if we were redesigning our financial infrastructure from scratch I would be all in favor of cards with NO real account on the face, smart chips, and encrypted PINs for ALL transactions. but it ain't gonna happen this decade.
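The two proposals in the comments above (a PIN kept in the store computer rather than on the card, and a redemption number on the stripe that differs from the printed balance-check number) can be combined in one store-side ledger. The following Python is an added example, not part of the original thread or any retailer's system; the class name, status strings, lockout threshold and card number are assumptions.

```python
import hashlib
import hmac
import secrets


class GiftCardLedger:
    """Store-side ledger: value and PIN live here, never on the card."""

    MAX_FAILURES = 3  # assumed lockout threshold, not from the thread

    def __init__(self):
        self._cards = {}     # printed number -> record
        self._by_token = {}  # SHA-256(stripe token) -> printed number

    @staticmethod
    def _pin_hash(pin, salt):
        # A 4-digit PIN is guessable offline; the lockout below is the real control.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, printed_no):
        """Create an empty, inactive card; return the stripe-only token."""
        token = secrets.token_hex(16)
        self._cards[printed_no] = {"balance": 0, "active": False,
                                   "salt": secrets.token_bytes(16),
                                   "pin": None, "failures": 0}
        self._by_token[hashlib.sha256(token.encode()).hexdigest()] = printed_no
        return token

    def activate(self, printed_no, cents, pin):
        """Register step: load value and record the PIN chosen at purchase."""
        card = self._cards[printed_no]
        card.update(active=True, balance=cents,
                    pin=self._pin_hash(pin, card["salt"]))

    def balance(self, printed_no):
        """Balance inquiry needs only the printed number."""
        return self._cards[printed_no]["balance"]

    def redeem(self, stripe_token, pin, cents):
        """Spend from a card; returns a status string."""
        key = hashlib.sha256(stripe_token.encode()).hexdigest()
        printed_no = self._by_token.get(key)
        if printed_no is None:
            return "unknown-card"  # the printed number alone is not a credential
        card = self._cards[printed_no]
        if not card["active"]:
            return "inactive"
        if card["failures"] >= self.MAX_FAILURES:
            return "locked"
        if not hmac.compare_digest(card["pin"],
                                   self._pin_hash(pin, card["salt"])):
            card["failures"] += 1
            return "bad-pin"
        if cents > card["balance"]:
            return "insufficient"
        card["failures"] = 0
        card["balance"] -= cents
        return "ok"


if __name__ == "__main__":
    ledger = GiftCardLedger()
    token = ledger.issue("600100000001")  # constructed card number
    print(ledger.redeem(token, "4821", 500))
    ledger.activate("600100000001", 5000, "4821")
    print(ledger.redeem("600100000001", "4821", 500))
    print(ledger.redeem(token, "4821", 500), ledger.balance("600100000001"))
```

A number copied from the face of a card on the shelf fails at the token lookup, and repeated PIN guesses lock the card instead of eventually succeeding.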
  • by Col. Klink (retired) (11632) on Saturday December 29, 2001 @12:21PM (#2762291)
    I can see why the retailers don't really care. If someone forges a paper gift certificate and redeems it, the store is out the money. The thieves are just printing money.

    But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
  • the perfect crime? (Score:3, Insightful)

    by bo0push3r (456800) <boopusher@gmxCOLA.co.uk minus caffeine> on Saturday December 29, 2001 @12:25PM (#2762294) Homepage
    this had occurred to me some time ago when i saw the ramping-up of these things. i think it kinda started with best buy and spread from there. now every major retailer has them.

    one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."

    if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.

    also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.

    the shrink numbers on these things must be fantastic!
    • by tswinzig (210999)
      one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."

      No, that's a terrible analogy, since you're stealing from the customer that paid for the card, not the store, as you would be if they left money hanging around.
  • Remember what we did before all these plastic cards and shit came out? That's right...we went to the bank and took out pieces of paper with numbers printed on them and the words: this note is legal tender printed across the bottom...and we got along just fine. Wanna give someone an impersonal gift because you can't think of what to give them or can't be bothered shopping...put a couple of these pieces of paper in an envelope and give it to them! Need to send it through the mail? Write cheque or get a money order! I don't even like using my ATM card for purchases...I prefer withdrawing the cash and paying with that and nothing pisses me off more than having some dingbat in line in front of me trying card after card and none of them seem to work (especially the express lane at the grocery store, which is supposed to be cash only!). I especially love it when once in a while I encounter a merchant that's flirting with the idea of no longer accepting cash payments..."Uh, what part of this note is legal tender don't you understand?"
    No...those pre-loaded "gift cards" are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your "policy" not to give out the balance left over on the card in cash...)
  • by Grimmtooth (187628) <grimmtooth@gmail. c o m> on Saturday December 29, 2001 @12:58PM (#2762361) Homepage
    By way of bona fides, I work for a POS (point of sale) vendor that just happens to support the processing of said gift / stored value cards. As a result I have had to become very familiar with the mechanics of the whole thing.

    So, a few comments:

    • Despite what MSNBC would tell you, Debit cards are not protected from theft by a lack of visible account number. Rather they are protected by encrypted PIN.
    • Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one :-)
    • The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me.
    • Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards.
    • Be aware that most gift card processors allow for the process of 'cashing out' the card. Provided the store allows, there's no reason that there would be unclaimed cash left on the card. Of course, those merchants that do NOT allow cash-out are the ones to be concerned with.


    Slow news day, plain and simple.
    • Some corrections:

      Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one :-)

      They're not that expensive. You can get one on e-Bay for around $300. And if you think that's a lot of money, consider how widespread magstripes are and how convenient it would be to be able to copy them. I have some buddies who routinely "back up" the contents of their credit card magstripes. Over time the data on the stripes degrades, so they periodically rewrite it to keep it fresh. I work for a company that uses magstripe-based ID badges to get into the doors, and I have a bad habit of losing my badge... Gift cards are just the tip of the iceberg, and many of the potential uses of this equipment are very legitimate.

      The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me.

      There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.

      Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards.

      Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50. That isn't as much protection as it might seem, though, because gift cards don't often have more than $50 in them anyway.

      Be aware that most gift card processors allow for the process of 'cashing out' the card.

      Some do, most don't. The reason is that many stores that sell gift cards use exactly the same technology for provided card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.

      Plus, merchants and other issuers of cash cards *do* make a nice profit off of unused value, which is called "breakage". This is actually important to the feasibility of card-based solutions. Remember that the retailer has to buy equipment, software, cards, train their employees, audit the systems, track the liability pool, etc., all of which costs money. They can probably make this money back in increased sales, but that's hard to verify, while it's easy to show that the breakage value for the last year has exceeded the system cost.

      • Corrections to corrections: :-)

        [Card writers are] not that expensive. You can get one on e-Bay for around $300.

        Well, that's handy to know if the one we use in the lab conks out :-)

        There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.

        Track 1 of the card contains the cardholder name, and the CVV2 information is not on the card but part of the back-end processing at the network side of things. There is obscured information within the card account number that provides anti-counterfeiting information, but aside from that the rest of the track info is largely ignored at the POS device and is problematic on the credit network side of things. There is one value that specifies the processor, for example, but most that I've seen have the same value. Furthermore, Track I information is often ignored and USUALLY not required to process a credit card. Most networks favor Track II over Track I and some just can't process Track I at all. In other words, they're not too secure and there is CERTAINLY very little in the way of protection outside of CVV2 -- which isn't even globally supported by all networks. Before you mention AVS, it is only valid for manually keyed accounts, or internet purchases.

        Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50.

        The back-end processing protection is usually after the fact, and a clever thief would probably not be establishing a pattern, anyway. Of course, 'smart thief' is often an oxymoron :-)

        Some [allow cash out], most don't. The reason is that many stores that sell gift cards use exactly the same technology for provided card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.

        Careful review will indicate that I was talking about the card processing networks themselves, not the individual merchant policies. Providing a gift card for a refund is a merchant policy (and a foolish one, whatever happened to 'no receipt, no return' anyway?). The capability is there, and it's perfectly reasonable to expect to get your money's worth out of it. We'll see how that court case goes, hopefully on the side of the consumer.
  • Coffee! (Score:3, Funny)

    by AndroidCat (229562) on Saturday December 29, 2001 @01:28PM (#2762490) Homepage
    I got a Starbucks gift-card for Christmas. I'm tempted to run the card through a reader to see what's on it. Hell, my apartment laundry card has better security (it's a "smart" card).

    Starbucks never has Raktajino, so they'd deserve it! :^)

  • Not hard at all... (Score:5, Interesting)

    by UserChrisCanter4 (464072) on Saturday December 29, 2001 @02:17PM (#2762682)
    I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.

    I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:

    We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").

    My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
  • Some banks issue ATM and credit cards with sequential or nearly sequential numbers, and they may not require activation for some of the cards. Someone getting a card can make a guess at the next numbers in the sequence and start charging. This is apparently what happened to a card I got when I opened a new account: before I had even opened the envelope, several thousand dollars were gone. Sometimes, the stupidity of some of those supposedly security-conscious money institutions is just amazing.
