Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Security The Almighty Buck Businesses Privacy

Hacking Retail Gift Cards Remains Scarily Easy (wired.com) 108

Willium Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains how Caput plans to defraud the system in his report via WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.

Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone."
Caput said he plans to present his findings at the Toorcon hacker conference this weekend.
This discussion has been archived. No new comments can be posted.

Hacking Retail Gift Cards Remains Scarily Easy

Comments Filter:
  • by Fly Swatter ( 30498 ) on Thursday August 31, 2017 @09:21PM (#55120355) Homepage
    I guess if the gift card website even allows part of that to happen, someone should be fired ?
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      That's the obvious conclusion. Then a smarter hacker will just use a botnet to brute force it.

      This is password length 101. The longer the password the longer it takes to brute force. The fact that the numbers aren't even random is part of the problem.

      The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers

      • by lucm ( 889690 ) on Thursday August 31, 2017 @09:58PM (#55120459)

        The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

        Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones

        • by Anonymous Coward

          FYI: Your solution cannot handle distributed attacks, unless it does a lot more than just annoy legitimate users.

      • by Wycliffe ( 116160 ) on Thursday August 31, 2017 @10:03PM (#55120469) Homepage

        The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

        Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds. The only real solution is a good quality captcha which is what most sites use but even that's pretty trivial to defeat with things like amazon turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

        • by Anonymous Coward

          Captcha is a good tool for this problem due to their cost. If it takes on-average 5,000 attempts to guess the 1:10,000 card number and each Turk request costs a penny, you are out $50 dollars for a card that may have already been spent - or has not been purchased yet.

        • that's pretty trivial to defeat with things like amazon turk

          If you pay one cent each for 10,000 solutions, then you just spent $100 for a $50 gift card.

          a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)

          I have heard about this in theory, but no one has every been able to point to an actual site doing this. I don't think it would be so easy to get 10,000 people to solve a captcha, and you would need to do that for each gift card. To make it worthwhile, you would need to attract millions of users. Why should they put up with that hassle when there are plenty of porn sites with no captchas?

          • I don't think getting thousands of users would be that difficult but once you have several thousand visitors then there is probably more profitable ways of using those eyeballs than trying 10k combinations to get a $50 gift card. That would be less than a penny per captcha so if it is a 1/10k payout for $50 then a captcha is probably pretty effective. On the other hand, if the numbers are sequential and/or some of the dollar amounts are larger then that changes. I regularly get $500 home depot gift cards.

        • Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds.

          In theory you're right. In practice you're wrong. The vast majority of attacks are not well targeted and will come from single IPs and take ages to switch. You can see that anywhere someone logs fail2ban hits on a Linux machine. There's so much low hanging fruit out there that even a simple scheme is likely to make people back off.

        • The only real solution is a good quality captcha

          If handled poorly, that's a good way to get sued by blind advocacy groups. See National Federation of the Blind v. Target Corp. [wikipedia.org]

      • The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"

        Hey, you just invented teergrube! Better swim to East Texas and find a patent lawyer who can file your case on Tyvek forms that will not deteriorate underwater.

      • The second thing would be to put a time-activation lock on numbers tried by ip address

        So the criminal just switches to one of the other 18 quintillion IP addresses [pivotal.io] that his IPv6-aware ISP hands out.

    • by Gussington ( 4512999 ) on Thursday August 31, 2017 @11:35PM (#55120673)

      I guess if the gift card website even allows part of that to happen, someone should be fired ?

      Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...

    • by feargal ( 99776 )

      Not that it matters but with Luhn checks there's only a thousand to check.

  • by Anonymous Coward

    Bluntly, the reason that these do not have better security is that, while the security is crap, the amount of fraud done against gift cards is relatively small (and a lot of the people who perpetrate the small amount of fraud they do find have not taken care and get caught)

    As long as it costs companies less to fix and write off the fraud than it would cost to implement a more secure system, then they are likely to stick with the cheap, easy to hack system.

    • by Anonymous Coward

      No loss at all. None what so ever. For the business that is. If the card has a balance. That means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers balances unless they get enough complaints.

      Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show

  • by Krishnoid ( 984597 ) on Thursday August 31, 2017 @09:46PM (#55120429) Journal

    Since these gift cards have to be printed out individually anyway, couldn't they be produced using uuidgen (or the like)? Seems like a single algorithm would solve the problem for all retailers at once.

    • You are proposing no security prior to card activation. They use a sequential or systematic series so that they dont need to maintain a database of unactivated cards.
      • by flink ( 18449 )

        What "security" does having a predictable set of account numbers bring? These aren't bank routing numbers, they are just keys to a stored value. The only requirement is that they be unique and hard to guess. When the card is being activated, just check to see the uuid has never been used before and record the value of the now active card.

        Alternatively, cards should have a PIN on a scratch off window on the back of the card which is not magnetically encoded but is associated with the card number when acti

        • What "security" does having a predictable set of account numbers bring?

          Detecting and limiting insider fraud requires knowing what cards are still awaiting activation and only allowing those cards to be activated.

          People often forget about the most common fraud of them all....

      • by Sloppy ( 14984 )

        They use a sequential or systematic series so that they dont need to maintain a database of unactivated cards.

        God forbid a business spring for a pair of $80 hard disks.

        Yeah, I think I would relax the "we don't want to maintain a database of unactivated cards" requirement. How hard can that be? And it solves the fraud problem too? Pays for itself on the first day.

  • by ddtmm ( 549094 ) on Thursday August 31, 2017 @10:01PM (#55120465)
    The restaurant chain will probably reward him for bringing it to their attention by giving him a gift card to the restaurant.
  • by FeelGood314 ( 2516288 ) on Thursday August 31, 2017 @10:26PM (#55120521)
    I've help some smarter vendors with this in the past but I would guess that the vast majority are still using a checksum. It makes the verification easy and most companies are not organized enough to keep track of the cards that don't have money on them.
  • Something very like this happened to me during the holidays last year. My manager gave me a $100 gift card, and when I went to use it the card had been drained. A colleague (who reported to the same manager) experienced the same thing. When we contacted the gift card company we were given the run around and didn't get our balances back. Nice of them isn't it? Pro tip: Make sure that they use the card immediately, order it online or give them cash instead :)
    • by Gussington ( 4512999 ) on Thursday August 31, 2017 @11:41PM (#55120689)
      Pro tip, never ever buy a gift card.
      If offers worse flexibility than cash, costs more and less secure. Gift cards are for schmucks...
      • Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just

        • They also work nearly anywhere in the world, and can be posted to your near and dear ones overseas at the usual letter rate.

        • by mark-t ( 151149 )
          If your reloadable credit card gets drained because it was compromised somehow, you are usually SOL for the money that was on it that you did not use. Maybe that might not amount to a lot of money, but it's still something... and it's beside the point. If your regular credit card is compromised because of some company's poor security practices that you had no previous reason to suspect, a respectable credit card company will not charge you even a penny for the fraudulent activity.
          • Firstly, to use a "buffer card" effectively, you plan your purchases. (Yes, that dreaded budgeting thing!) You then load the card, then make the purchase. You dont carry a large balance on the card, just enough to keep it active. It requires that you have some discipline with your online purchasing, but you get some extra protection that way.

            If a retailer gets compromised, you lose just that min holding balance, and dont have to miss a day of work to file dispute forms to the sometimes hundreds of merchant

            • by torkus ( 1133985 )

              I don't know what credit cards you're using, but missing a day of work to file dispute forms doesn't match any of my experiences ever. Maybe 15 years ago?

              I've had a few cards compromised over the years (business travel overseas, etc.) and never once had to fill out any actual paperwork. In fact, in the last ~5 years the CC companies have caught the fraudulent purchases even before I did, called me to confirm, and immediately logged them for dispute if they hadn't been denied when processed. All over the

            • by mark-t ( 151149 )

              [With a prepaid card], If a retailer gets compromised, you lose just that min holding balance,

              That wasn't my point... that it isn't a lot of money is irrelevant, you still lose it.

              I've never had to miss a day of work to file dispute forms because of fraudulent activity on my card, which thankfully has not happened often... only twice in my entire life. The first time was in the early 90's when I reported my card lost to the credit card company after noticing that I didn't have it one night when I had got

            • I concur with the other two posters here. Have you not used a credit card in the last few years, or are you just tied to an incompetent bank?

              The last time there was fraud on my card, my credit union called and emailed me because it looked dodgy. I called back, confirmed that I didn't buy $35 of McDonalds in another country that morning, they canceled that charge and refunded the money. They requested I get a new card, so I walked over at lunchtime to the nearest branch where they shredded the curre

        • by tlhIngan ( 30335 )

          Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just

          • by torkus ( 1133985 )

            Some states don't allow those card-draining fees thankfully.

            And as for draining small balances off Visa/MC gift cards? Go to almost any major retailer. Their systems can and do immediately determine the balance and apply the maximum towards your bill. I've cleared off 3 or 4 cards I had sitting around in one shot quickly and easily a couple times this way.

            I'm sure there's ways to do that online (all the green dot card scams mean there's a very simple and quick way to move money off a visa/MC gift card) b

        • by flink ( 18449 )

          Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You dont end up with thousands of dollars of debt that you have to dispute.)

          You don't need a reloadable card for this. May CC companies let you generate temporary numbers linked to your main account. These can be set to be valid for a limited amount of time, have access to a limited credit line, or both. If the site does something shady or you get a report of a breach, you can just delete the temporary number from your account.

  • News at 11. Who would have thought it, huh?

    Seriously... what the fuck difference does it make that it's easy to do? It's still fucking illegal. Speeding is easy to do too, easier, I would dare say, by no less than at least an order of magnitude than this hack, but that doesn't mean that you shouldn't be responsible for it if you do it.

    What's really sad about this is that the guy went out of his way to *deliberately* find a way to do something that anyone with half a brain should know is illegal.

  • by Anonymous Coward

    Most just hang on racks. "Borrow" them and copy the numbers. Or just take a picture. It's harder to do a bulk 10000 card search but the issue is still there. Some cards are now sold in cardboard envelopes. That's a partial solution.

  • cycle through all 10,000 possible values for the four random digits at the end

    All nice what he did, but I would be impressed if he would not cycle through them, but where able to determine these last 4. My bet is that there is some sort of verification used. No idea how the numbers are build, but I can imagine that they use any of the known verifications.

    The fact that they increase by one is also normal. Having a random number (with verification) would need to be verified if it was not already handed out an

    • >Having a random number (with verification) would need to be verified if it was not already handed out and if it where not already used.

      There are easy ways around this:

      1) Use a big enough random number. 256 bit uniform random numbers will not collide.

      2) Have a secret key and a counter and encrypt the counter through a decent block cipher (say AES, or Simon which you can easily extend to a 256 bit block size). Since the counter values never collide and the block cipher is a bijective mapping, you get numb

  • "Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions."

    This is the scary part. And obviously counterfeit gift card, but accepted without question because it could be swipped?

    Would the retailer accept obviously counterfeit cash just because it said "Cash" on it?

    • by torkus ( 1133985 )

      I don't know if you've used a CC in the US in the last several years but they virtually never look at them. Unless the computer randomly requires the last 4 digits to be verified literally no one bothers checking the signature. I've been asked to show ID occasionally (which is against the merchant agreement but some places insist anyhow) but that's about it.

      Going a step further, any place with a self-checkout makes this trivial.

      Not to mention there are several products on the market that consolidate multi

  • Having worked with Credit, Debit and Gift Card processors they have security in place to make any gift card number void if it is ever had the balance checked before the card is activated. Also the online balance check would require the four digit security code which is random and only known to the processor. This might only work if a retail company was using an in-house card program and didn't implement their own security protections.
  • My wife and I both had debit cards, and hers was exactly mine + 1. In reality that means the last two digits were changed since the last digit is the checksum. I always wondered, though, if all their cards were numbered serially, since it would then be trivial to come up with a list of card numbers. With a three digit CVV it would be as easy to guess card numbers based on a single CVV value as vice versa.

  • Require the CSC or CVV2 for balance requests. THAT is not predictable, so far as I can see.

    There are a multitude of reasons why cards have predictable numbering, and none of these are going away. Just use the existing security (CVV2CSC) and let the fraud checking and auth systems do their work.

  • News flash: Being a thief is not difficult. That any particular thievery is based on technology does not make it cool, intrinsically interesting, or OK.

    I can think of dozens ways to steal things that are "scarily easy". Like knocking down an old lady and grabbing her purse.

You've been Berkeley'ed!

Working...