Gift Card Hacking 264
TheSauce writes "MSNBC has this discussion of how easy it is to hack and jack the contents of those lovely Plastic Gift Cards one sees at most Mass Merchants and Consumer Electronics stores.
One retailer notes that the odds of this occurring are about at the level of being pickpocketed."
Theft isn't new. (Score:1, Insightful)
If security was doing their job, it wouldn't be such a problem.
Re:Theft isn't new. (Score:1)
Re:Theft isn't new. (Score:2, Funny)
Now I can get everything on my Christmas list and screw over a horde of people during the holiday season! Isn't technology great, even when it's old technology...
Re:Theft isn't new. (Score:1)
When I said security, I meant the people programming the cards in the first place. Not the rent-a-cop types you see at the mall store.
Sorry for the misconception.
Re:Theft isn't new. (Score:1)
=]
Re:Theft isn't new. (Score:2)
No, if people had some sense of ethics this wouldn't be a problem. Why does every security lapse mentioned on
They're not victims Re:Theft isn't new. (Score:2)
The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people whose gifts get stolen.
No one's blaming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer.
And if my mother had wheels she'd be a wagon.
That being said, that has never been the case and (IMHO) will never be the case, and people who deal in cash and goods need to be aware of this and deal appropriately.
You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customers' money or interest once they get theirs.
It's like the store saying "it's our policy to leave your money on the counter while you shop - but if someone takes it before we ring it up it's your problem not ours."
=tkk
Re:Theft isn't new. (Score:2)
In this case the victims aren't the retailers, the potential victims are those who purchase the gift cards. Blaming the retailers for not taking adequate precautions against the theft of the funds in question isn't a case of "blaming the victim" (the person buying the gift card who has every right to assume that the vendor takes reasonable security precautions).
It makes perfect sense to blame vendors who don't take adequate precautions to protect their customers from theft. Remember that the customer can be ripped off even if they keep the card secured in Fort Knox, in other words the customer can't do a damned thing (short of not buying the product) to protect the card, only the vendor.
And also keep in mind that simple security measures are available that greatly increase the safety of the card, and the article points out a few retailers who implement such measures. Those who don't are fair game for criticism, IMO.
Re:Theft isn't new. (Score:2)
but its true that (Score:1, Funny)
Big Deal (Score:1, Funny)
Re:Big Deal (Score:1)
Would you rather be in the dark to such activities? If so, then why the hell are you even coming to this website to begin with?
Re:Big Deal (Score:1)
I disagree. Although I'm probably alone in this opinion, I believe that hacking a gift card is not stealing, as nothing is taken out of the store. I am merely exaggerating the value of the gift card, which isn't that bad considering how often corporations exaggerate the value of their merchandise, thereby inflating the prices to unreasonable numbers. Besides, the store will still receive the money that is used with the gift card. Nobody is hurt.
Re:Big Deal (Score:3, Informative)
The hackers aren't just inflating the value of the card -- they're re-encoding the card so that it represents a card that someone else bought. Sure, they're "exaggerating the value of the gift card," but by lowering the value of someone else's card.
Strange..."Gift Cards"... (Score:2, Interesting)
Re:Strange..."Gift Cards"... (Score:1)
Damn, if you're gonna be so impersonal as to give a gift of money then give something that can be used anywhere.
Re:Strange..."Gift Cards"... (Score:3, Interesting)
It seems the merchants tried to reinvent the wheel with these gift cards. They could have used scratchcards such as for prepaid GSM phones, for instance. These contain a unique random number.
Re:Strange..."Gift Cards"... (Score:1)
the gift cards double for the store as store credit. return an item w/o a receipt? get the amount of your refund on a gift card.
Nondisclosure (Score:3, Insightful)
The company's name isn't being published to avoid giving criminals a too-easy target.
Swell. So there's no significant economic reason for that company to change their policies yet. -sigh-
At least Microsoft is internally consistent in their views on disclosure of security concerns... albeit consistently wrong.
Re:Nondisclosure (Score:4, Insightful)
Sure there is, it's the internal economic justification of the manager in charge of the gift card program. The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned.
No one wants an easy-to-rip-off gift card system. It invites attack from other fraud artists (if this system is lax, then others likely are too), pisses off customers and ruins loyalty.
The larger problem is that there's little financial incentive for stores to fix the problem generally (other than being seen as generally lax), since the losses aren't their own, they're someone else's, and even hijacked cards are money made for the store.
Re:Nondisclosure (Score:2, Interesting)
In a nondisclosure situation, nobody's going to get pissed or be at risk of losing their job until a significant amount of money is already ripped off.
If, on the other hand, MSNBC ran a list of 'top ten shittiest gift card security offenders', this would impel an immediate change be made by those ten offenders, lest they incur huge losses in reputation.
Re:Nondisclosure (Score:2)
At least that's how it'd work where I work.
Re:Nondisclosure (Score:2, Interesting)
>> At least that's how it'd work where I work.
In my experience, most companies operate on some variation of the Fight Club 'formula'. In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.
Re:Nondisclosure (Score:1)
In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed.
Isn't this the way it should work? Why spend money to fix a problem that virtually no one cares about?
In the case of fight club it's completely different, because we're talking about the loss of lives, not the loss of money. In this case we're talking about whether or not to spend money to stop losing money. A simple greater than or less than approach seems perfectly reasonable.
Re:Nondisclosure (Score:1)
No, we're talking about spending money to prevent your customers from being robbed due to deficiencies in your product. For an obvious (to slashdotters) analog, compare the total number of damages in billions of dollars caused by security deficiencies in Microsoft products, to the amount of actual financial liability incurred by Microsoft itself.
Suppose the company in question is Circuit City. How many hundreds of thousands of customer dollars have to be stolen before the amount of dollars that the thefts cost Circuit City corporate warrants them doing something about it?
Re:Nondisclosure (Score:2)
Well that's just the thing, isn't it? When are these risks ever present up front? With the lottery, they publish the odds of winning (in fine print, of course), but up until I saw this article I had no idea that buying a gift card represented any kind of a financial risk (other than the risk of physically losing the card, of course). I suspect that most other people have no idea either, mainly due to companies having no incentive to publicize the risks involved with their products.
Re:Nondisclosure (Score:1)
Re:Nondisclosure (Score:2)
Or not. There's a quote in the MSNBC article from one of the anonymous company's executives that dismisses the risks addressed in the article. It appears that they don't care enough to fix the problem, even now that it's been highlighted. If they'd been explicitly named in the article, it wouldn't have been nearly as easy for them to shrug it off, and prudent consumers could avoid the company if it continued to engage in such risky behavior.
Re:Nondisclosure (Score:2)
Re:Nondisclosure (Score:1)
>> jump on the bandwagon if the retailer's name was mentioned.
No doubt. And what do you think would give these companies a reason to change their policies and fix the problem faster than a thundering bandwagon of thieves armed with this groovy new idea to make easy money?
Re:Nondisclosure (Score:2)
Whee (Score:3, Funny)
So, after spending hundreds of dollars in equipment, casing the store and memorizing the numbers, your reward is:
Books!
Cans of Paint!
Socks!
The risk/reward here is pathetic. They would be better off stuffing things into their oversized coats during the holiday rush.
Re:Whee (Score:1)
>> Cans of Paint!
>> Socks!
Easily pawnable goods!
Books, DVDs, CDs, video games can practically be spent like cash money if you have a pawn shop close by.
Re:Whee (Score:2)
It's always amazed me the lack of ethics that one apparently needs to run a pawn shop: trafficking in stolen goods, and encouraging theft from others.
Re:Whee (Score:2)
It's always amazed me the lack of ethics that one apparently needs to run a pawn shop: trafficking in stolen goods, and encouraging theft from others.
Some pawn shops do no doubt traffic in stolen goods (knowingly). Others are just trying to make a living and are victims of the thieves as well.
I'll bet that if police kept a net accessible database of serial numbers for stolen goods, many pawn shop owners would check that list for their own protection.
Re:Whee (Score:3, Interesting)
If law enforcement is able to crack down on pawn shops dealing in stolen goods, then in one fell swoop they've cut most of the profitability out from under bike theft, car breakins, home invasions, baggage theft (at airports, etc)...
Many police departments have a pawn shop squad [dallaspolice.net] that regularly checks for stolen goods, primarily those with serial numbers.
There are many ways besides pawnshops to convert stolen goods: family, friends, neighbors, flea markets, black markets. There is a vast underground economy in stolen goods. It indicates that a high crime rate means there has to be a large number of otherwise honest people willing to break the law to get a good price on something.
My neighborhood computer store sells RAM at half the advertised discount retail price. It's probably stolen but I don't know for sure. The owner is a nice guy who works long hours, makes a modest living and makes minor repairs on my computer for free so why would I want to report him to the cops? He probably doesn't consider himself any more a criminal than the people he sells to.
Re:Whee (Score:2)
Because he's breaking the law? (Assuming that he is for the sake of argument)
Your thesis seems to be that if he
This whole issue came into perfect focus for me once as I was poking through the used CDs at a pawn shop one day. A woman walked to the counter with a stack of 80s metal. She plunked 'em on the counter, got her cash from the owner who clearly knew her, and said "Next time, I'll prob'ly get some country for you."
I left my stack of planned purchases and walked out.
That stack of CDs was someone's collection, or part of it. Think about that next time you buy something stolen: I wonder what the person who had this feels right now? Outraged that someone broke into their car or house? Sad that something they enjoyed is now gone? Violated that another person thinks so little of them that the thief would just take something that isn't his?
Aside from the ethical issues, there's also the pragmatic one: The machine you save may be your own. Your computer store owner gets his cheap memory from stolen machines. Who's to say that the next one won't be yours?
Re:Whee (Score:2)
Of course if you don't believe that you can always vote with your wallet and just walk out (as the original poster did), but it'd be pretty pointless to bring the police in. Also, Pawn shops serve a legitimate purpose as well, they give immediate cash for goods, which is necessary if your rent is due and you can't pay it (but have a nice stereo sitting in the corner), and your credit is so bad that you can't even get a credit card.
Still, it would be nice if there were some sort of stolen goods reporting system that the pawn shop owners could check to avoid buying too much stolen merchandise (or at least it would allow the cops to set up half way between the scene of the crime and the pawn shop and catch the crook trying to get cash before the goods are entered into the system).
Re:Whee (Score:1)
Re:Whee (Score:3, Informative)
Re:Whee (Score:2)
On the bright side, one does have to have the actual card, not just the number--at least so far as I know.
Barnes and Noble. (Score:5, Insightful)
When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was _also_ printed on the gift receipt that came with the card.
Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt. Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed.
Nice, eh? Even when we told people expressly not to do it, they still did. Wonder how many got burned.
--saint
Re:Barnes and Noble. (Score:5, Informative)
Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002.
My company's ready. I wonder how many other POS vendors aren't?
At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too.
Outside the US is not something I'm familiar with.
Re:Barnes and Noble. (Score:5, Insightful)
Sheesh... Why, oh why, do we need a law to protect people from doing stupid things?
I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?
A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully. It's a real convenience to have this reference information on a receipt, and I imagine there's a good business case for having the gift card number on the receipt as well. Makes it easier to bring the card back and get it worked out if the magstrip goes bad, for example.
What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.
Oh, never mind, most people with a public school education have been trained not to think for so long now that any arguments are useless. OK, I give up... What we NEED is for these gift cards to be implanted in a chip in your wrist so you don't accidentally throw them away. That's the law we REALLY need.
Re:Barnes and Noble. (Score:3, Insightful)
You could argue the same point for any product-safety law. Why do we need a law that forbids companies from selling cars with defective brakes? (and yes, the account-number-on-the-receipt is a defect: specifically, it's a security hole)
I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think?
Seems like common sense to me.
Re:Barnes and Noble. (Score:2)
Re:Barnes and Noble. (Score:2)
> account register (MS Money), the number on my receipt is often the ONLY way I can recall which card I charged something to.
The solution, of course, is for the receipt to only display the last four digits, as many do.
I got a "rebate" check for $10 towards my credit card bill--identified by only the last 4 digits of the account . . .
hawk
Re:Barnes and Noble. (Score:2)
Come again? The defective brakes don't require the consumer to be stupid to cause injury or death. The account number on receipt requires the consumer to be stupid, and certainly wouldn't cause injury or death.
Quit insulting some of our intelligence, eh?
Re:Barnes and Noble. (Score:2)
Re:Barnes and Noble. (Score:2)
A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully.
They shouldn't. Putting the card number on the receipt changes it from a simple record of a transaction (which may be used for budget management, expense reimbursement, or proof of an expense in an audit) to a security risk that should be carefully destroyed as soon as possible. Suddenly, a simple slip of paper that should have no value to anyone but the purchaser becomes the target of theft.
The laws against putting the card number on a receipt are protecting you against the merchant's stupidity much in the way that DUI laws protect you from another motorist's stupidity.
While we're at it, there are a few other numbers that should be protected. Credit card account numbers should be distinct from the credit card number. That way, my bill isn't worth stealing and I can write the account number on a payment check so that in the likely event that check and payment slip become separated in handling, the payment may still be credited.
All bank accounts should have two distinct numbers. One that only allows deposits. That way I could write my account number on the back of a check (same reasons as above) without wondering who will see it when the check clears and is returned.
For that matter, account number shouldn't be enough to remove money from an account in the first place.
Re:Barnes and Noble. (Score:2)
Better authorization schemes DO need to happen, and perhaps won't until forced by law. However, until that time, it IS stupid for a merchant to print cc# on a receipt and the practice should be banned to protect the consumer.
Re:Barnes and Noble. (Score:2)
Ahh, but even when the full account number isn't sufficient to provide authorization, printing the full number on a receipt is still a security risk. A few years ago, ATM machines routinely printed full ATM card numbers on receipts. Many people toss these receipts at the nearest trash receptacle. Crooks would set up in, say, a shopping mall, where there was lots of traffic and a good vantage point. One person would watch people punch in their PINs, and another would swoop in and recover the discarded receipt. After harvesting this info, a bunch of blank cards and a magstripe machine were all that was needed to suck accounts dry.
Re:Barnes and Noble. (Score:3, Insightful)
Because you're not only trying to "protect people from doing stupid things", you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime. In addition, remember that your "normal" street criminal doesn't have access to gift card blanks or mag strip writers. Usually, these low-level types are merely information collectors and end-product purchasers for a more organized high-level operation. It's "penny ante" stuff like this that supports most organized crime in America.
In the end, it's not only the "people who do stupid things" or the stores that enable them that get protected (though they receive a large amount of the benefit), it's you and me. Now you can debate whether people need protection from criminals, but it is a debate you're likely to lose...
P.S. This sort of law also helps increase the use of this kind of financial instrument by increasing its security. This may actually improve the economy. And besides, I doubt that you're the one person in existence who has never done anything stupid. Maybe we all need protection from you :-).
It *makes* criminals (Score:2)
That's one way of looking at it. Another is that it creates a lot of "crime" by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police have to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.
[Yeah, I get carried away. So what?]
There was this hot coffee incident, you know (Score:2)
Re:There was this hot coffee incident, you know (Score:2)
WARNING: Only a low grade moron would place this between her upper thighs and remove the lid in a moving vehicle!
But then again, I favor a "darwinian" defense in product liability cases . . .
hawk, esq., who doesn't see eye to eye with the tort lawyers
Re:Barnes and Noble. (Score:3, Funny)
That's ok for me though, as I know how to protect myself. Don't trash the receipt at the store. At home, carefully cut up each digit individually using a pair of scissors, separate the piles into several separate trash bins somewhere downtown, the more blocks apart the better.
Re:Barnes and Noble. (Score:2)
Err, the last four digits are the part that is most likely to identify your account. The first six digits, IIRC, identify the card company and are pretty damn near public knowledge.
Please get your facts straight.
Re:Barnes and Noble. (Score:1)
Re:Barnes and Noble. (Score:2, Insightful)
Value and cost of cards (Score:1)
Gift Cards are not escheatable (Score:2, Insightful)
escheat (s-cht)
n.
1. Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants.
2. Law.
a. Reversion of property to the state in the absence of legal heirs or claimants.
b. Property that has reverted to the state when no legal heirs or claimants exist.
Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google search [google.com] on "gift certificates escheating")
which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of having them be stored value / rechargeable cards. The lack of escheating laws is also very good - less to report/track to the government, less money lost to the government when the cards fail to be used.
fear mongering? (Score:3, Insightful)
There have been several local stories about people stealing money order machines, or printing MOs on their PCs... this stuff actually happens all the time, but a nice "holiday piece" about gift cards without even anecdotal "evidence" that this is a widespread problem? Gimme a break!
There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a "scenario"- the news story itself is a scenario. Boring journalism... might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc... at least your gift card leaves no personal identification about you.
Re:fear mongering? (Score:2)
Gimme a break! I can't count the number of times I've been sent gift certificates to stores that don't exist here, or to stores I have no interest in visiting. Not every retailer will let you shop on their website, and some of the ones who do won't let you redeem gift certificates online. In cases like this, you wind up with a nice (and maybe expensive) gift that you can't use. The obvious solution is to sell it - cheaper than it would cost to buy at the store, of course, or else what's the point - to someone who does have a store in their area.
Who'd have thought that there might actually be unwanted/unusable gifts for sale on eBay a few days after Christmas? Apparently not MSNBC...
Shaun
Re:fear mongering? (Score:2)
HA! (Score:5, Funny)
I fucking live in this town. I had no idea a vast conspiracy to defraud Best Buy was happening all around me this whole time. I figured this town had the collective IQ of a walnut. The whole time I lived here I could have been hanging out with sk1pt k1dd13z.
What are the odds (Score:1, Troll)
Most places I know of keep the gift cards at least out of sight, but if they were to keep them out in the open, well that would be sort of stupid, given the scenario.
Heck, I even wonder about the telephone cards, which I never use. I would have to go to a store to look at one to see if they have visible numbers on them.
Re:What are the odds (Score:3, Informative)
Re:What are the odds (Score:2)
But even so, when I was checking out at a Wal-Mart a few months back, buying a $10 gift card because of their gas pump system that gave you a cheaper rate if you bought with a gift card, the checker said they'd had to move all their gift cards to one single island, because people kept stealing them. Yes, she said, they were valueless until they were activated, but people seemed to keep stealing them anyway. Go figure, eh?
Re:What are the odds (Score:2)
Re:What are the odds (Score:2)
Re:What are the odds (Score:5, Funny)
A lot more now :)
Why not just assign PINs at purchase? (Score:2)
Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash.
Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs. It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop.
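A sketch of the PIN-at-purchase idea from the comment above, added here as an illustration; it is not code from the thread, the article, or any retailer's system. The class name, status strings, PIN length, lockout threshold and sample card numbers are all assumptions.

```python
import hashlib
import hmac
import secrets

PIN_DIGITS = 4           # assumption: short PIN, as the comment suggests
MAX_FAILED_ATTEMPTS = 3  # assumption: wrong guesses allowed before lockout


def format_pin(value):
    """Zero-pad an integer to a PIN string of PIN_DIGITS digits."""
    return str(value % 10 ** PIN_DIGITS).zfill(PIN_DIGITS)


class GiftCardLedger:
    """Back-end balance store. The PIN is never on the stripe or the card face."""

    def __init__(self):
        self._server_key = secrets.token_bytes(32)  # stays on the back end
        self._cards = {}

    def _pin_tag(self, card_number, pin):
        # Keyed hash: a leaked table alone cannot be searched over 10^4 PINs.
        msg = f"{card_number}:{pin}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def activate(self, card_number, amount_cents):
        """Run by the POS at purchase. Returns the PIN once, for the buyer's slip."""
        if card_number in self._cards:
            raise ValueError("card already activated")
        pin = format_pin(secrets.randbelow(10 ** PIN_DIGITS))
        self._cards[card_number] = {
            "balance": amount_cents,
            "pin_tag": self._pin_tag(card_number, pin),
            "failures": 0,
        }
        return pin

    # Deliberately no reset_pin(): the comment's condition is that there is
    # no simple way of resetting PINs.

    def redeem(self, card_number, pin, amount_cents):
        card = self._cards.get(card_number)
        if card is None:
            return "unknown_card"          # never activated at a register
        if card["failures"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        expected = card["pin_tag"]
        if not hmac.compare_digest(expected, self._pin_tag(card_number, pin)):
            card["failures"] += 1          # counts toward lockout
            return "bad_pin"
        card["failures"] = 0
        if amount_cents <= 0 or amount_cents > card["balance"]:
            return "insufficient_funds"
        card["balance"] -= amount_cents
        return "approved"

    def balance(self, card_number):
        return self._cards[card_number]["balance"]


def demo():
    """Constructed scenario: number-only redemption versus number plus PIN."""
    ledger = GiftCardLedger()

    # Card A: the number is known to a third party, the PIN is not.
    card_a = "6000000000001234"            # constructed sample number
    pin_a = ledger.activate(card_a, 5000)
    wrong = [format_pin(int(pin_a) + k) for k in (1, 2, 3)]  # guaranteed misses
    number_only = [ledger.redeem(card_a, guess, 5000) for guess in wrong]
    number_only.append(ledger.redeem(card_a, wrong[0], 5000))

    # Card B: the recipient presents the PIN from the purchase slip.
    card_b = "6000000000005678"            # constructed sample number
    pin_b = ledger.activate(card_b, 5000)
    with_pin = ledger.redeem(card_b, pin_b, 2500)

    return {
        "number_only": number_only,
        "balance_after_guessing": ledger.balance(card_a),
        "with_pin": with_pin,
        "balance_after_redeem": ledger.balance(card_b),
    }


if __name__ == "__main__":
    print(demo())
```

The lockout is what keeps a four-digit PIN from being guessed, but it also means anyone who knows the card number can lock the card, so a locked card has to be resolved some other way, such as in person with the purchase receipt.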
Re:Why not just assign PINs at purchase? (Score:1)
Re:Why not just assign PINs at purchase? (Score:1)
Because a secure PIN requires encryption devices on one end and decryption devices on another.
But, good point on the PIN, if you HAVE a debit card, take the Gift Card and 'cash it out' immediately, then deposit the cash into your bank account. Voila, your money is as secure as your paycheck.
Re:Why not just assign PINs at purchase? (Score:2, Insightful)
That's a flawed suggestion. Gift cards are, typically, gifts. When I buy one at Borders it's not for me, it's for a cousin. And when my Uncle sends me 40 bucks in Best Buy Legal Tender, there's no frickin way I'm going to remember the arbitrary 4-digit number _he_ chose 4 months ago as I'm trying to purchase an extra nintendo controller. See? Gift cards aren't like debit cards. Nobody wants to put that much effort into them, especially the retailer and least of all the customer.
Reading comprehension (Score:3, Insightful)
Why not two numbers? (Score:1)
Re:Why not two numbers? (Score:1)
Do you realize how difficult this would be to implement? We're not talking about a cottage industry here, we're talking about dozens of companies for processing, dozens for the POS systems used, hundreds of actual merchants
Why they don't care (Score:5, Insightful)
But when someone forges a stored-value card, they're stealing from other customers. The "value" has already been paid for, so the store doesn't lose anything.
the perfect crime? (Score:3, Insightful)
one previous respondent had said something to the effect of, "..this is just like digging in a cash drawer.." this isn't just any kind of theft.. it's the ultimate kind! a better imperfect analogy would be: "..the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.."
if you walk into a store with the intention of stealing, what's the best thing to steal? small, high-cost items. and these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article.
also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
the shrink numbers on these things must be fantastic!
Re:the perfect crime? (Score:2, Informative)
No, that's a terrible analogy, since you're stealing from the customer that paid for the card, not the store, as you would be if they left money hanging around.
What the hell is wrong with legal tender? (Score:2, Flamebait)
No...those pre-loaded "gift cards" are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your "policy" not to give out the balance left over on the card in cash...)
I hate nationally syndicated stupidity (Score:4, Informative)
So, a few comments:
Slow news day, plain and simple.
Re:I hate nationally syndicated stupidity (Score:3, Insightful)
Some corrections:
Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one :-)
They're not that expensive. You can get one on e-Bay for around $300. And if you think that's a lot of money, consider how widespread magstripes are and how convenient it would be to be able to copy them. I have some buddies who routinely "back up" the contents of their credit card magstripes. Over time the data on the stripes degrades, so they periodically rewrite it to keep it fresh. I work for a company that uses magstripe-based ID badges to get into the doors, and I have a bad habit of losing my badge... Gift cards are just the tip of the iceberg, and many of the potential uses of this equipment are very legitimate.
The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me.
There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.
Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards.
Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50. That isn't as much protection as it might seem, though, because gift cards don't often have more than $50 in them anyway.
Be aware that most gift card processors allow for the process of 'cashing out' the card.
Some do, most don't. The reason is that many stores that sell gift cards use exactly the same technology for providing card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Plus, merchants and other issuers of cash cards *do* make a nice profit off of unused value, which is called "breakage". This is actually important to the feasibility of card-based solutions. Remember that the retailer has to buy equipment, software, cards, train their employees, audit the systems, track the liability pool, etc., all of which costs money. They can probably make this money back in increased sales, but that's hard to verify, while it's easy to show that the breakage value for the last year has exceeded the system cost.
Re:I hate nationally syndicated stupidity (Score:2, Informative)
[Card writers are] not that expensive. You can get one on e-Bay for around $300.
Well, that's handy to know if the one we use in the lab conks out
There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards.
Track 1 of the card contains the cardholder name, and the CVV2 information is not on the card but part of the back-end processing at the network side of things. There is obscured information within the card account number that provides anti-counterfeiting information, but aside from that the rest of the track info is largely ignored at the POS device and is problematic on the credit network side of things. There is one value that specifies the processor, for example, but most that I've seen have the same value. Furthermore, Track I information is often ignored and USUALLY not required to process a credit card. Most networks favor Track II over Track I and some just can't process Track I at all. In other words, they're not too secure and there is CERTAINLY very little in the way of protection outside of CVV2 -- which isn't even globally supported by all networks. Before you mention AVS, it is only valid for manually keyed accounts, or internet purchases.
Yes but no. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50.
The back-end processing protection is usually after the fact, and a clever thief would probably not be establishing a pattern, anyway. Of course, 'smart thief' is often an oxymoron
Some [allow cash out], most don't. The reason is that many stores that sell gift cards use exactly the same technology for providing card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and "returning" to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Careful review will indicate that I was talking about the card processing networks themselves, not the individual merchant policies. Providing a gift card for a refund is a merchant policy (and a foolish one, whatever happened to 'no receipt, no return' anyway?). The capability is there, and it's perfectly reasonable to expect to get your money's worth out of it. We'll see how that court case goes, hopefully on the side of the consumer.
Coffee! (Score:3, Funny)
Starbucks never has Raktajino, so they'd deserve it! :^)
Re:Coffee! (Score:2)
Pat
Not hard at all... (Score:5, Interesting)
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking:
We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called "Merchandise" cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals). All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The "make your own quantity" cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the "given quantity" cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the "create your own").
My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual. All returns and exchanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (~13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is "hooking" people up.
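The Loss Prevention tagging described in the comment above, sketched as an added example (not the poster's or any retailer's code): it totals gift-card tender per customer record and groups the cards used by issuing store. The thresholds, the record layout and the idea that the first four digits of the 12-digit number identify the store are assumptions made for illustration; the sample data is constructed.

```python
from collections import defaultdict

# Assumed review thresholds (not from the post).
GIFT_TOTAL_LIMIT_CENTS = 50_000   # flag at $500 or more paid by gift card
GIFT_CARD_COUNT_LIMIT = 5         # or at 5 or more distinct cards

# Constructed tenders: (customer phone, tender type, card number, cents).
TENDERS = (
    # Twenty $50 cards in one customer's history, all from store 0417.
    [("555-0101", "gift", f"0417{n:08d}", 5000) for n in range(1, 21)]
    + [("555-0102", "gift", "041700000099", 2500),
       ("555-0102", "credit", "", 30000)]
    # Six $50 cards drawn from two different stores.
    + [("555-0103", "gift", f"0417{n:08d}", 5000) for n in range(101, 105)]
    + [("555-0103", "gift", f"0922{n:08d}", 5000) for n in range(1, 3)]
)

def store_of(card_number):
    """Return the assumed 4-digit store prefix of a 12-digit card number."""
    if len(card_number) != 12 or not card_number.isdigit():
        raise ValueError(f"not a 12-digit gift card number: {card_number!r}")
    return card_number[:4]

def flag_customers(tenders,
                   total_limit=GIFT_TOTAL_LIMIT_CENTS,
                   card_limit=GIFT_CARD_COUNT_LIMIT):
    """Map each flagged customer to total, card count and cards per store."""
    per_customer = defaultdict(lambda: {"total": 0, "cards": set()})
    for phone, kind, card, cents in tenders:
        if kind != "gift":
            continue                      # only gift-card tender counts
        per_customer[phone]["total"] += cents
        per_customer[phone]["cards"].add(card)

    alerts = {}
    for phone, rec in per_customer.items():
        if rec["total"] < total_limit and len(rec["cards"]) < card_limit:
            continue
        stores = defaultdict(int)
        for card in rec["cards"]:
            stores[store_of(card)] += 1   # where the cards were shipped
        alerts[phone] = {"total_cents": rec["total"],
                         "cards": len(rec["cards"]),
                         "stores": dict(stores)}
    return alerts

if __name__ == "__main__":
    for phone, info in sorted(flag_customers(TENDERS).items()):
        print(phone, info)
```
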
Re:Not hard at all... (Score:2)
this is also a problem with bank cards (Score:2)
Re:Wonder which LARGE retailer it could be? (Score:1)
Minnesota Walmarts have them at the checkout (Score:1)
Re:Wonder which LARGE retailer it could be? (Score:5, Funny)
Tells you something about:
A) Honesty of Canadians.
B) Trusting nature of Canadians.
or C) Intelligence of Canadians.
I'll let you pick
AWG
Re:Wonder which LARGE retailer it could be? (Score:1)
sounds about right, making them the microshaft of the retail world in security circles as well as business practices.
> they aren't mentioned in the article.
umm, not totally true. They are mentioned but only because of the $1/mo. charge on unused cards after a year
Re:Wonder which LARGE retailer it could be? (Score:1)
Re:Skimming by employees (Score:2, Interesting)
This is designed to prevent "sweethearting" by employees. This is where an item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display. If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short.
Re:Skimming by employees (Score:3, Insightful)
Seriously, how can you believe that the $7 an hour clerk at Best Buy has the authority to do "guilty until proven innocent" searches on everyone in the store, routinely?
Re:Skimming by employees (Score:2, Interesting)
That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves.
I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. tradition, IANAL.
Re:A thing I learned about using plastic (Score:2, Informative)