Gift Card Hacking 264
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occuring are about at the level of being pickpocketed."
Strange..."Gift Cards"... (Score:2, Interesting)
Re:Strange..."Gift Cards"... (Score:3, Interesting)
It seems the merchants tried to reinvent the wheel with these gift cards. They could have used scratchcards such as for prepaid GSM phones, for instance. These contain a unique random number.
Re:Nondisclosure (Score:2, Interesting)
In a nondisclosure situation, nobody's going to get pissed or be at risk of losing their job until a significant amount of money is already ripped off.
If, on the other hand, MSNBC ran a list of 'top ten shittiest gift card security offenders', this would impel an immediate change be made by those ten offenders, lest they incur huge losses in reputation .
Re:Nondisclosure (Score:2, Interesting)
>> At least that's how it'd work where I work.
In my experience, most companies operate on some variation of the Fight Club 'formula'. In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.
Re:Whee (Score:3, Interesting)
If law enforcement is able to crack down on pawn shops dealing in stolen goods, then in one fell swoop they've cut most of the profitability out from under bike theft, car breakins, home invasions, baggage theft (at airports, etc)...
Many police department have a pawn shop squad [dallaspolice.net] that regularly checks for stolen goods, primarily those with serial numbers.
There are many ways besides pawnshops to convert stolen goods: family, friends, neighbors, flee markets, black markets. There is a vast underground economy in stolen goods. It indicates that a high crime rate means there has to be a large number of otherwise honest people willing to break the law to get a good price on something.
My neighborhood computer store sells RAM at half the advertised discount retail price. It's probably stolen but I don't know for sure. The owner is a nice guy who works long hours, makes a modest living and makes minor repairs on my computer for free so why would I want to report him to the cops? He probably doesn't consider himself any more a criminal than the people he sells to.
Re:What the hell is wrong with legal tender? (Score:1, Interesting)
1) The customer was able to swipe BEFORE clerk was finished.
2) It was faster for most customers (esp. younger ones) to enter their PIN then it was to wait for a receipt to print, and then sign it.
3) Checks take forever (and are quite rude), and cash is pretty fast but many times there's an issue with change (either the person was digging around for exact change or they insisted on counting the change they got back - which is smart, but timely).
4) Debit cards became about the same speed as cash when the customer had to sign for it because there was no provision for entering their PIN.
5) Debit/Credit cards CAN be slower if the card they try doesn't work (duh!). Note: Quite frankly it seems that you don't have much of a clue over your personal finances if you don't know how close you are to your CC limit.
Cash is easier to steal, but I still welcome it over a check. Checks should be used for mailing payment to the phone company, not for your $35 groceries.
Not hard at all... (Score:5, Interesting)
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exhanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
Re:Skimming by employees (Score:2, Interesting)
This is designed to prevent "sweethearting" by employees. This is where and item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display. If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short.
Re:Skimming by employees (Score:2, Interesting)
That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves.
I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. tradition, IANAL.
Re:A thing I learned about using plastic (Score:1, Interesting)
schmoko.
Re:I hate nationally syndicated stupidity (Score:1, Interesting)
1. Said gift cards are not always insecure. However, if you go to the largest retailers you can think of, get a few of each of their cards, and read them, you will discover that (a) one large retailer uses a 'secret code' which is added to the 15-digit PAN (BTW - another tip - digit 16 is a check digit) that gives you the number on the front of the card. (Remove the BIN first - ask your boss what that word means.) This means that you can reverse the process: observe the numbers in full view next time you go to said retailer, then you can whip up a new card yourself by simply subracting the secret code from the number printed on the face of the card. This entire technique is called 'eye skimming', and if it isn't a problem, then why the hell did banks stop printing the PAN on ATM receipts?
2. Phone cards have a scratch off PIN - bet you didn't notice, did you? Any idea why they are there? Right! To prevent eye skimming! In fact, the PIN is not even on the stripe - so you would need to, like, X-ray the card to get the PIN. Combine the difficulty of doing this with the fact that you'd have to sneak the cards out of the store and back in, plus the fact that they have limited value, and you see an emerging risk management model. Now, compare this with the other model: I can lift the value off a limitless amount of gift cards (and use some of that value to buy phone cards - if I want to), simply by eyeballing the cards on the shelf.
3. Reader / writer availability
I have an MSR206 (hi-co / lo-co [ask your boss]}, and AMC312 plus stacks of readers (including portable hand-helds - bet you didn't know those existed!). The most I've ever paid for an encoder is $400. There's a company in Dallas that sells MSR206 encoders for, I think, $700. The AMC312 requires Rencode (licensed - they want your real name etc.), but you can get it 'black market' from Canadian Bar Code with a fake name.
4. Some credit cards are as insecure as gift cards - some banks don't check CVC. It's easy to find out which ones (you probably know this if you're in the industry) by nudging a digit out of the stripe to see what happens at the point of sale: if the merchant calls the auth centre and hands the phone to you, the bank checks CVC. If the auth goes through in 2 seconds - successfully - they probably don't check CVC. If the auth goes through in a hundredth of a second, the merchant is standing in for the merchant. But who am I to tell you this - YOU'RE the expert!