Gift Card Hacking 264
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Theft isn't new. (Score:1, Insightful)
If security was doing their job, it wouldn't be such a problem.
Nondisclosure (Score:3, Insightful)
The company's name isn't being published to avoid giving criminals a too-easy target.
Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
Barnes and Noble. (Score:5, Insightful)
When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.
Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.
Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.
--saint
fear mongering? (Score:3, Insightful)
There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!
There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
Re:Nondisclosure (Score:4, Insightful)
Sure there is, it's the internal economic justification of the manager in charge of the gift card program. The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned.
No one wants an easy-to-rip-off gift card system. It invites attack from other fraud artists (if this system is lax, then others likely are too), pisses off customers and ruins loyalty.
The larger problem is that there's little financial incentive for stores to fix the problem generally (other than being seen as generally lax), since the losses aren't their own, they're someone else's, and even hijacked cards are money made for the store.
Reading comprehension (Score:3, Insightful)
Why they don't care (Score:5, Insightful)
But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
the perfect crime? (Score:3, Insightful)
one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."
if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.
also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
the shrink numbers on these things must be fantastic!
Re:Barnes and Noble. (Score:5, Insightful)
Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?
I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?
A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully. It's a real convenience to have this reference information on a receipt, and I imagine there's a good business case for having the gift card number on the receipt as well. Makes it easier to bring the card back and get it worked out if the magstrip goes bad, for example.
What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.
Oh, never mind, most people with a public school education have been trained not to think for so long now that any arguments are useless. OK, I give up... What we NEED is for these gift cards to be implanted in a chip in your wrist so you don't accidentally throw them away. That's the law we REALLY need.
old news (Score:1, Insightful)
user's card has a secret. the user also has a secret. then the merchant gives the user a transaction time (or number, or something that changes periodically), the balance, and the merchant identifier. then these are hashed together to give an "authorization number" which the user then uses as a signature. you've got the same physical theft problem (if the user writes down their secret), but you always have that.
why don't the companies implement this? too much of a pain in the ass to change all of their infrastructure. if my card is used fraudulently, i will never pay the first $50 or whatever because of these reasons. it is their negligence.
this would be harder to do with gift cards, but would still be feasible using asymmetric cryptography, and some sort of electronic 'gift card wallet'. or you just don't allow consumers to play with the cards until they actually buy one, instead of the stores thinking it's "cool" to just have them sitting there, because they're not activated until you buy them!
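An added sketch of the authorization-number scheme described in the comment above (not part of the original post, and not any retailer's system). HMAC-SHA256 stands in for "hashed together", a random one-time challenge stands in for the transaction time, and the `Issuer` class, account number and secrets are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets

def _pack(*parts: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def authorization_number(card_secret: bytes, user_secret: str, merchant_id: str,
                         amount_cents: int, challenge: bytes) -> str:
    """8-digit code binding both secrets to one merchant, amount and challenge."""
    key = hashlib.sha256(_pack(card_secret, user_secret.encode())).digest()
    msg = _pack(merchant_id.encode(), str(amount_cents).encode(), challenge)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Issuer:
    """Hypothetical back end that knows both secrets for each account."""
    def __init__(self):
        self.accounts = {}  # account number -> [card_secret, user_secret, balance]
        self.pending = {}   # account number -> outstanding one-time challenge

    def enroll(self, account: str, user_secret: str, balance_cents: int) -> bytes:
        card_secret = secrets.token_bytes(16)  # lives on the card, never printed
        self.accounts[account] = [card_secret, user_secret, balance_cents]
        return card_secret

    def challenge(self, account: str) -> bytes:
        self.pending[account] = secrets.token_bytes(8)
        return self.pending[account]

    def redeem(self, account: str, merchant_id: str, amount_cents: int, code: str) -> bool:
        chal = self.pending.pop(account, None)  # consumed on first use: no replay
        if chal is None or account not in self.accounts:
            return False
        card_secret, user_secret, balance = self.accounts[account]
        expected = authorization_number(card_secret, user_secret, merchant_id,
                                        amount_cents, chal)
        if amount_cents > balance or not hmac.compare_digest(expected, code):
            return False
        self.accounts[account][2] = balance - amount_cents
        return True

if __name__ == "__main__":
    issuer = Issuer()
    secret = issuer.enroll("ACCT-0001", "4821", 5000)  # constructed sample values
    chal = issuer.challenge("ACCT-0001")
    code = authorization_number(secret, "4821", "store-17", 1999, chal)
    print(issuer.redeem("ACCT-0001", "store-17", 1999, code))  # genuine holder
    print(issuer.redeem("ACCT-0001", "store-17", 1999, code))  # replayed code
```

With this design the account number printed on a card or receipt is only an identifier: redeeming requires a code derived from both secrets for that specific challenge, merchant and amount.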
Re:Barnes and Noble. (Score:2, Insightful)
Gift Cards are not escheatable (Score:2, Insightful)
escheat (ĭs-chēt′)
n.
1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
2. Law.
a. Reversion of property to the state in the absence of legal heirs or claimants.
b. Property that has reverted to the state when no legal heirs or claimants exist.
Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search [google.com] on "gift certificates escheating")
which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of having them be stored value / rechargeable cards. the lack of escheating laws is also very good - less to report/ track to the government, less money lost to the government when the cards fail to be used.
Re:Barnes and Noble. (Score:3, Insightful)
You could argue the same point for any product-safety law. Why do we need a law that forbids companies from selling cars with defective brakes? (and yes, the account-number-on-the-receipt is a defect: specifically, it's a security hole)
I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?
Seems like common sense to me.
wouldn't happen here... (Score:1, Insightful)
Here in Belgium (Europe) banksys [banksys.be] creates very secure payment-cards (in cooperation with the guys who invented rijndael). But with the upcoming Euro, Proton is becoming more and more popular. On that card, one can store up to 4000BEF (+- 100 Euros) pre-paid, and it is very secure.
Why doesn't the US adopt those systems?
Re:Why not just assign PINs at purchase? (Score:2, Insightful)
That's a flawed suggestion. Gift cards are, typically, gifts. When I buy one at Borders it's not for me, it's for a cousin. And when my Uncle sends me 40 bucks in Best Buy Legal Tender, there's no frickin way I'm going to remember the arbitrary 4-digit number _he_ chose 4 months ago as I'm trying to purchase an extra nintendo controller. See? Gift cards aren't like debit cards. Nobody wants to put that much effort into them, especially the retailer and least of all the customer.
Re:I hate nationally syndicated stupidity (Score:3, Insightful)
Some corrections:
Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one :-)
They're not that expensive. You can get one on e-Bay for around $300. And if you think that's a lot of money, consider how widespread magstripes are and how convenient it would be to be able to copy them. I have some buddies who routinely "back up" the contents of their credit card magstripes. Over time the data on the stripes degrades, so they periodically rewrite it to keep it fresh. I work for a company that uses magstripe-based ID badges to get into the doors, and I have a bad habit of losing my badge... Gift cards are just the tip of the iceberg, and many of the potential uses of this equipment are very legitimate.
The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me.
There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.
Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards.
Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50. That isn't as much protection as it might seem, though, because gift cards don't often have more than $50 in them anyway.
Be aware that most gift card processors allow for the process of 'cashing out' the card.
Some do, most don't. The reason is that many stores that sell gift cards use exactly the same technology for providing card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Plus, merchants and other issuers of cash cards *do* make a nice profit off of unused value, which is called "breakage". This is actually important to the feasibility of card-based solutions. Remember that the retailer has to buy equipment, software, cards, train their employees, audit the systems, track the liability pool, etc., all of which costs money. They can probably make this money back in increased sales, but that's hard to verify, while it's easy to show that the breakage value for the last year has exceeded the system cost.
Re:Barnes and Noble. (Score:3, Insightful)
Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime. In addition, remember that your "normal" street criminal doesn't have access to gift card blanks or mag strip writers. Usually, these low-level types are merely information collectors and end-product purchasers for a more organized high-level operation. It's "penny ante" stuff like this that supports most organized crime in America.
In the end, it's not only the "people who do stupid things" or the stores that enable them that get protected (though they receive a large amount of the benefit), it's you and me. Now you can debate whether people need protection from criminals, but it is a debate you're likely to lose...
P.S. This sort of law also helps increase the use of this kind of financial instrument by increasing its security. This may actually improve the economy. And besides, I doubt that you're the one person in existence who has never done anything stupid. Maybe we all need protection from you :-).
Re:Skimming by employees (Score:3, Insightful)
Seriously, how can you believe that the $7 an hour clerk at best buy has the authority to do "guilty until proven innocent" searches on everyone in the store, routinely?