Gift Card Hacking
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Re:Barnes and Noble. (Score:5, Informative)
Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002.
My company's ready. I wonder how many other POS vendors aren't?
At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too.
Outside the US is not something I'm familiar with.
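The receipt rule discussed in the comment above, sketched as an added example (not part of the original comment and not any POS vendor's code). The function names, the receipt line formats and the choice to keep the last four digits are assumptions made for illustration; the two flags stand in for the per-state differences the comment mentions.

```python
import re

# Candidate account numbers: 13-19 digits, optionally split by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Expiry printed as "EXP 12/04", "Expires: 12/2004" and similar (assumed formats).
EXP_RE = re.compile(r"\bexp(?:iry|ires)?\.?:?\s*\d{2}/\d{2,4}", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check, so order numbers and barcodes are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match, keep):
    """Replace all but the last `keep` digits of a Luhn-valid number."""
    digits = re.sub(r"\D", "", match.group())
    if not luhn_ok(digits):
        return match.group()    # not a card number, leave untouched
    return "*" * (len(digits) - keep) + digits[-keep:]


def sanitize_receipt(lines, hide_account=True, hide_expiry=True, keep=4):
    """Apply the masking policy to every line before it reaches the printer."""
    out = []
    for line in lines:
        if hide_account:
            line = PAN_RE.sub(lambda m: mask_pan(m, keep), line)
        if hide_expiry:
            line = EXP_RE.sub("EXP **/**", line)
        out.append(line)
    return out


# Constructed sample receipt; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = [
    "ORDER 1234567890123",
    "CARD 4111 1111 1111 1111  EXP 12/04",
    "TOTAL 25.00",
]

if __name__ == "__main__":
    print("\n".join(sanitize_receipt(SAMPLE)))
```

Running the same check over archived receipt images or journal files is a quick way to find terminals that still print the full number.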
Re:the perfect crime? (Score:2, Informative)
No, that's a terrible analogy, since you're stealing from the customer that paid for the card, not the store, as you would be if they left money hanging around.
Re:What are the odds (Score:3, Informative)
I hate nationally syndicated stupidity (Score:4, Informative)
So, a few comments:
Slow news day, plain and simple.
Re:Whee (Score:3, Informative)
Re:Big Deal (Score:3, Informative)
The hackers aren't just inflating the value of the card -- they're re-encoding the card so that it represents a card that someone else bought. Sure, they're "exaggerating the value of the gift card," but by lowering the value of someone else's card.
Re:I hate nationally syndicated stupidity (Score:2, Informative)
[Card writers are] not that expensive. You can get one on eBay for around $300.
Well, that's handy to know if the one we use in the lab conks out.
There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.
Track 1 of the card contains the cardholder name, and the CVV2 information is not on the card but part of the back-end processing at the network side of things. There is obscured information within the card account number that provides anti-counterfeiting information, but aside from that the rest of the track info is largely ignored at the POS device and is problematic on the credit network side of things. There is one value that specifies the processor, for example, but most that I've seen have the same value. Furthermore, Track I information is often ignored and USUALLY not required to process a credit card. Most networks favor Track II over Track I and some just can't process Track I at all. In other words, they're not too secure and there is CERTAINLY very little in the way of protection outside of CVV2 -- which isn't even globally supported by all networks. Before you mention AVS, it is only valid for manually keyed accounts, or internet purchases.
Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50.
The back-end processing protection is usually after the fact, and a clever thief would probably not be establishing a pattern, anyway. Of course, 'smart thief' is often an oxymoron.
Some [allow cash out], most don't. The reason is that many stores that sell gift cards use exactly the same technology for providing card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Careful review will indicate that I was talking about the card processing networks themselves, not the individual merchant policies. Providing a gift card for a refund is a merchant policy (and a foolish one, whatever happened to 'no receipt, no return' anyway?). The capability is there, and it's perfectly reasonable to expect to get your money's worth out of it. We'll see how that court case goes, hopefully on the side of the consumer.
Re:A thing I learned about using plastic (Score:2, Informative)