Hacking Retail Gift Cards Remains Scarily Easy (wired.com)
William Caput, a researcher for the firm Evolve Security, examined a stack of gift cards he obtained from a major Mexican restaurant chain and noticed a pattern: aside from the final four digits of the cards that appeared to be random, the rest remained constant except one digit that appeared to increase by one with every card he examined. Andy Greenberg explains how Caput plans to defraud the system in his report via WIRED (Warning: source may be paywalled; alternative source): "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them," says Caput. To pull off the trick, Caput says he has to obtain at least one of the target company's gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card's value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card's number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.
Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer's ecommerce page, or even in person; Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card's balance, rather than spend any money from the cards belonging to actual victims.) "It's a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person's card says it has $50 on it, and then it's gone." Caput said he plans to present his findings at the Toorcon hacker conference this weekend.
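The summary above describes the search: a fixed prefix, one slowly incrementing digit, and four trailing digits enumerated through the retailer's balance page. The following is an added example (not code from the WIRED article, from Caput's talk, or from Burp Intruder) that simulates that enumeration against a mock balance-check service, so the cost of the attack can be measured from the defender's side. The issuer prefix, the card balances and the mock service are all constructed for the example. The Luhn filter is included because many card numbering schemes end in a mod-10 check digit, and a check digit shrinks the 10,000-value tail to exactly 1,000 valid candidates per prefix: the point is that a check digit is an integrity feature, not a secret, and it helps the attacker, not the defender.

```python
"""Simulated gift-card enumeration: constructed example, not the researcher's tooling."""
import random

PREFIX = "60064912345"  # constructed 11-digit prefix; not a real issuer range


def luhn_checksum_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass the Luhn check."""
    for d in "0123456789":
        if luhn_checksum_ok(partial + d):
            return d
    raise AssertionError("unreachable: exactly one digit always satisfies Luhn")


def candidate_numbers(prefix: str, serial: int, luhn: bool = False):
    """Yield every card number with the given prefix and serial digit, varying the last
    four digits. With luhn=True only Luhn-valid numbers are yielded (1,000 of the 10,000)."""
    base = f"{prefix}{serial:d}"
    for tail in range(10_000):
        number = f"{base}{tail:04d}"
        if luhn and not luhn_checksum_ok(number):
            continue
        yield number


class MockBalanceService:
    """Stand-in for a retailer's balance-check web page: it answers any query, with no
    throttling, and counts lookups so the attack cost is visible."""

    def __init__(self, balances):
        self._balances = dict(balances)
        self.lookups = 0

    def check(self, number: str):
        self.lookups += 1
        return self._balances.get(number)  # None means "not an active card"


def enumerate_balances(service, prefix, serials, luhn=False):
    """Query every candidate for each serial digit; return {number: balance} for live cards."""
    found = {}
    for serial in serials:
        for number in candidate_numbers(prefix, serial, luhn=luhn):
            balance = service.check(number)
            if balance:
                found[number] = balance
    return found


def build_sample_service(seed=7):
    """Construct a few activated cards across four consecutive print runs (the digit that
    goes up by one per run). Balances and tails are random but seeded for repeatability."""
    rng = random.Random(seed)
    cards = {}
    for serial in range(4):
        for _ in range(3):
            partial = f"{PREFIX}{serial}{rng.randrange(1000):03d}"
            cards[partial + luhn_check_digit(partial)] = rng.choice([25, 50, 100])
    return MockBalanceService(cards), cards


if __name__ == "__main__":
    svc, cards = build_sample_service()
    found = enumerate_balances(svc, PREFIX, range(4), luhn=True)
    print(f"{len(found)} of {len(cards)} live cards recovered in {svc.lookups} lookups")
```

With a check digit the attacker needs 1,000 requests per print run; without one, 10,000. Either way every live card in the range is recovered, because the service answers each question independently and nothing ties the 40,000 questions together. The mitigations discussed further down the thread (per-source backoff, a PIN that is not on the magnetic stripe, unpredictable numbering) each attack one of those two properties.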
Just bruteforce 10,000 requests in 10 minutes (Score:5, Insightful)
Re: (Score:2, Interesting)
That's the obvious conclusion. Then a smarter hacker will just use a botnet to brute force it.
This is password length 101. The longer the password the longer it takes to brute force. The fact that the numbers aren't even random is part of the problem.
The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers
Re:Just bruteforce 10,000 requests in 10 minutes (Score:5, Informative)
The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"
Exponential backoff works like a charm for this. It doesn't annoy legitimate users who make mistakes, and it becomes increasingly costly for the nefarious ones
Re: (Score:1)
FYI: Your solution cannot handle distributed attacks, unless it does a lot more than just annoy legitimate users.
Re: (Score:2)
Disclaimer: I didn't RTFA, but I did RTFS(ummary).
The summary says they "cycle through all 10,000 possible values for the four random digits at the end of the card's number". AFAICT, that's the last 4 of the card number - like the part that gets printed on receipts. He's cycling through those numbers, not the CSC (Card Security Code) nor CVV (Card Verification Value).
FWIW, while I did find pages labeled CSV in relation to that value (ex. https://www.teamline.cc/static... [teamline.cc]), I didn't find what that stood for.
Re:Just bruteforce 10,000 requests in 10 minutes (Score:5, Interesting)
The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"
Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds. The only real solution is a good quality captcha which is what most sites use but even that's pretty trivial to defeat with things like amazon turk or access to a third party website with real users willing to solve them for you (i.e. porn sites, warez sites, etc..)
Re: (Score:1)
Captcha is a good tool for this problem due to their cost. If it takes on-average 5,000 attempts to guess the 1:10,000 card number and each Turk request costs a penny, you are out $50 dollars for a card that may have already been spent - or has not been purchased yet.
Re: (Score:2)
that's pretty trivial to defeat with things like amazon turk
If you pay one cent each for 10,000 solutions, then you just spent $100 for a $50 gift card.
a third party website with real users willing to solve them for you (i.e. porn sites, wares sites, etc..)
I have heard about this in theory, but no one has ever been able to point to an actual site doing this. I don't think it would be so easy to get 10,000 people to solve a captcha, and you would need to do that for each gift card. To make it worthwhile, you would need to attract millions of users. Why should they put up with that hassle when there are plenty of porn sites with no captchas?
Re: (Score:2)
I don't think getting thousands of users would be that difficult but once you have several thousand visitors then there is probably more profitable ways of using those eyeballs than trying 10k combinations to get a $50 gift card. That would be less than a penny per captcha so if it is a 1/10k payout for $50 then a captcha is probably pretty effective. On the other hand, if the numbers are sequential and/or some of the dollar amounts are larger then that changes. I regularly get $500 home depot gift cards.
Re: (Score:2)
Neither of those work. It's really easy to get hundreds of IPs and/or virtual computers legally for pennies and an illegal botnet can easily have 10k+ bots so your 3.47 days becomes seconds.
In theory you're right. In practice you're wrong. The vast majority of attacks are not well targeted and will come from single IPs and take ages to switch. You can see that anywhere someone logs fail2ban hits on a Linux machine. There's so much low hanging fruit out there that even a simple scheme is likely to make people back off.
Re: (Score:2)
Seems like the best solution would be to track the number of balance checks each card number receives and base a wait time off of that.
Something as simple as make the wait time be X^1.5 where X is the number of attempts would quickly make repeatedly checking numbers infeasible
That doesn't work at all either. You only need to check a specific number once.
NFB v. Target (Score:2)
The only real solution is a good quality captcha
If handled poorly, that's a good way to get sued by blind advocacy groups. See National Federation of the Blind v. Target Corp. [wikipedia.org]
Re: (Score:2)
The easiest solution (short of recalling all the cards) is to create a "slow-countermeasure" so that it takes exactly 30.5 seconds per try, so that 0.5 x 10000 tries = 5000 minutes or 3.47 days. The second thing would be to put a time-activation lock on numbers tried by ip address, so the first 5 numbers take 30 seconds and every subsequent number adds a 30 second "please wait to try a new card"
Hey, you just invented teergrube! Better swim to East Texas and find a patent lawyer who can file your case on Tyvek forms that will not deteriorate underwater.
A /64 is still a lot of IP addresses (Score:2)
The second thing would be to put a time-activation lock on numbers tried by ip address
So the criminal just switches to one of the other 18 quintillion IP addresses [pivotal.io] that his IPv6-aware ISP hands out.
Re:Just bruteforce 10,000 requests in 10 minutes (Score:4, Interesting)
I guess if the gift card website even allows part of that to happen, someone should be fired ?
Exactly. All the gift cards I've had require a PIN as well as the Card number, and a simple limit of 5 login attempts every hour ends this as a vulnerability. It's as if this article and/or technology was written in 1993...
Re:Just bruteforce 10,000 requests in 10 minutes (Score:5, Informative)
You take the card off the rack. You go to the cash register. They ask how much you want on it. They activate it with that amount. You walk away with it presumably to give it to someone that you don't care much about because otherwise you would have put thought into their gift. There is no PIN.
Re:Just bruteforce 10,000 requests in 10 minutes (Score:5, Informative)
Some have another number (PIN) that is hidden under a scratch-off area.
Re: (Score:2)
Not most restaurant cards, which is what this is about.
Re: (Score:2)
In what universe do you get a pin with a purchase of a gift card?
In my universe. I used to work in retail, and all the gift cards had a scratch off PIN on the back for accessing online balances and stuff...
Re: (Score:1)
All the ones I've ever received have never required a PIN to use.
Re: (Score:2)
Not that it matters but with Luhn checks there's only a thousand to check.
Re:Pretty Anonymous (Score:5, Interesting)
Well that's the difference between a white hat researcher who's trying to demonstrate a point, and a nefarious actor who's trying to commit fraud...
Someone out to commit fraud will not take the cards to the restaurant themselves, instead they'll do other things with gift cards like:
Spend them online to have goods sent to a suitably anonymous location.
Recruit mules to do the risky work of actually using the cards in person.
Sell the cards to unsuspecting third parties.
And probably do all of these things while operating in a country outside of the reach of the law enforcement agencies that their victims are likely to contact.
Re: Pretty Anonymous (Score:1)
I'm guessing you don't own a business or have ever worked front of house at a nice restaurant. Walking in and buying a 1000 dollars worth of gift cards happens more often than you think and is not out of the ordinary. Shit just a couple months ago I bought 500 bucks in Tim Hortons gift cards.
Re: (Score:2)
I'm guessing you don't own a business or have ever worked front of house at a nice restaurant.
I was thinking the same thing. My employer easily gives out a thousand dollars worth of Dunkin' Donuts gifts cards each month to employees as part of various incentive programs (the Dunkin' cards are the runner-up prizes)
Low losses = Low security. (Score:2, Insightful)
Bluntly, the reason that these do not have better security is that, while the security is crap, the amount of fraud done against gift cards is relatively small (and a lot of the people who perpetrate the small amount of fraud they do find have not taken care and get caught)
As long as it costs companies less to fix and write off the fraud than it would cost to implement a more secure system, then they are likely to stick with the cheap, easy to hack system.
Re: Low losses = Low security. (Score:3, Informative)
No loss at all. None whatsoever. For the business that is. If the card has a balance. That means someone has already given them the money for it. The business would be more than happy for that card to never get used. Money for nothing for them. They will not care at all about a thief stealing customers' balances unless they get enough complaints.
Then it wouldn't be hard to track down the thief. Get the card details from the legit customer. See who used that card as that is tracked. And have the cops show
Should be a simple problem to solve (Score:3)
Since these gift cards have to be printed out individually anyway, couldn't they be produced using uuidgen (or the like)? Seems like a single algorithm would solve the problem for all retailers at once.
Re: (Score:3)
What "security" does having a predictable set of account numbers bring? These aren't bank routing numbers, they are just keys to a stored value. The only requirement is that they be unique and hard to guess. When the card is being activated, just check to see the uuid has never been used before and record the value of the now active card.
Alternatively, cards should have a PIN on a scratch off window on the back of the card which is not magnetically encoded but is associated with the card number when acti
Re: (Score:2)
What "security" does having a predictable set of account numbers bring?
Detecting and limiting insider fraud requires knowing what cards are still awaiting activation and only allowing those cards to be activated.
People often forget about the most common fraud of them all....
Re: (Score:2)
God forbid a business spring for a pair of $80 hard disks.
Yeah, I think I would relax the "we don't want to maintain a database of unactivated cards" requirement. How hard can that be? And it solves the fraud problem too? Pays for itself on the first day.
Thanks for the heads up... (Score:5, Funny)
The last 4 digits are a checksum (Score:3)
It's happened to me (Score:2)
Re:It's happened to me (Score:4, Insightful)
If offers worse flexibility than cash, costs more and less secure. Gift cards are for schmucks...
Re: (Score:3)
Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just
Re: (Score:2)
They also work nearly anywhere in the world, and can be posted to your near and dear ones overseas at the usual letter rate.
Re: (Score:3)
Firstly, to use a "buffer card" effectively, you plan your purchases. (Yes, that dreaded budgeting thing!) You then load the card, then make the purchase. You don't carry a large balance on the card, just enough to keep it active. It requires that you have some discipline with your online purchasing, but you get some extra protection that way.
If a retailer gets compromised, you lose just that min holding balance, and don't have to miss a day of work to file dispute forms to the sometimes hundreds of merchant
Re: (Score:2)
I don't know what credit cards you're using, but missing a day of work to file dispute forms doesn't match any of my experiences ever. Maybe 15 years ago?
I've had a few cards compromised over the years (business travel overseas, etc.) and never once had to fill out any actual paperwork. In fact, in the last ~5 years the CC companies have caught the fraudulent purchases even before I did, called me to confirm, and immediately logged them for dispute if they hadn't been denied when processed. All over the
Re: (Score:2)
That wasn't my point... that it isn't a lot of money is irrelevant, you still lose it.
I've never had to miss a day of work to file dispute forms because of fraudulent activity on my card, which thankfully has not happened often... only twice in my entire life. The first time was in the early 90's when I reported my card lost to the credit card company after noticing that I didn't have it one night when I had got
Re: (Score:2)
I concur with the other two posters here. Have you not used a credit card in the last few years, or are you just tied to an incompetent bank?
The last time there was fraud on my card, my credit union called and emailed me because it looked dodgy. I called back, confirmed that I didn't buy $35 of McDonalds in another country that morning, they canceled that charge and refunded the money. They requested I get a new card, so I walked over at lunchtime to the nearest branch where they shredded the curre
Re: (Score:2)
Some states don't allow those card-draining fees thankfully.
And as for draining small balances off Visa/MC gift cards? Go to almost any major retailer. Their systems can and do immediately determine the balance and apply the maximum towards your bill. I've cleared off 3 or 4 cards I had sitting around in one shot quickly and easily a couple times this way.
I'm sure there's ways to do that online (all the green dot card scams mean there's a very simple and quick way to move money off a visa/MC gift card) b
Re: (Score:2)
Gift cards suck. Get a reloadable visa debit card for them instead. Unlike a gift card that ends up with some fractional amount of a dollar left on it that the company just pockets because you never ever spend it, the card can be reloaded with more cash, and used as a buffer for online purchases. (EG, rather than risk exposure from your retailer's delicious store of credit cards getting hacked and leaked, your real card number is safe. The retailer has the reloadable visa, and when it gets drained, it just gets denied. You dont end up with thousands of dollars of debt that you have to dispute.)
You don't need a reloadable card for this. Many CC companies let you generate temporary numbers linked to your main account. These can be set to be valid for a limited amount of time, have access to a limited credit line, or both. If the site does something shady or you get a report of a breach, you can just delete the temporary number from your account.
Wow... breaking the law is easy... (Score:2)
News at 11. Who would have thought it, huh?
Seriously... what the fuck difference does it make that it's easy to do? It's still fucking illegal. Speeding is easy to do too, easier, I would dare say, by no less than at least an order of magnitude than this hack, but that doesn't mean that you shouldn't be responsible for it if you do it.
What's really sad about this is that the guy went out of his way to *deliberately* find a way to do something that anyone with half a brain should know is illegal.
Increasing the randomness doesn't help. (Score:1)
Most just hang on racks. "Borrow" them and copy the numbers. Or just take a picture. It's harder to do a bulk 10000 card search but the issue is still there. Some cards are now sold in cardboard envelopes. That's a partial solution.
Re: (Score:2)
> Having a random number (with verification) would need to be verified if it was not already handed out and if it were not already used.
There are easy ways around this:
1) Use a big enough random number. 256 bit uniform random numbers will not collide.
2) Have a secret key and a counter and encrypt the counter through a decent block cipher (say AES, or Simon which you can easily extend to a 256 bit block size). Since the counter values never collide and the block cipher is a bijective mapping, you get numb
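Option 2 above (encrypt a counter with a keyed bijection so that numbers never collide yet look random) also answers the insider-fraud objection raised earlier in the thread: the issuer keeps a plain sequential counter for inventory and activation, and only the printed number is unpredictable, because the issuer can decrypt it back to the counter. The following is an added example, not code from the poster; rather than AES or Simon it uses a Feistel network over two 8-digit halves with HMAC-SHA256 as the round function, which keeps the output inside the 16-digit space a card number needs (a format-preserving permutation) and needs nothing outside the Python standard library. The key, the round count and the 16-digit width are assumptions for the example; a real deployment would keep the key in an HSM and would add a check digit after the permutation, not inside it.

```python
"""Keyed bijection counter -> 16-digit card number. Constructed example."""
import hashlib
import hmac

HALF = 10 ** 8       # each Feistel half holds 8 decimal digits; 10^8 < 2^32
ROUNDS = 8           # assumption: enough rounds that no half is ever output unmixed
DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption, for the example only


def _round_fn(key: bytes, rnd: int, value: int) -> int:
    """Keyed pseudo-random function from one 8-digit half to an 8-digit value."""
    msg = rnd.to_bytes(1, "big") + value.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % HALF


def encrypt_counter(key: bytes, counter: int) -> str:
    """Map a counter in [0, 10^16) to a 16-digit number. Bijective, so distinct counters
    always give distinct numbers; consecutive counters give unrelated numbers."""
    if not 0 <= counter < HALF * HALF:
        raise ValueError("counter out of range")
    left, right = divmod(counter, HALF)
    for rnd in range(ROUNDS):
        left, right = right, (left + _round_fn(key, rnd, right)) % HALF
    return f"{left * HALF + right:016d}"


def decrypt_number(key: bytes, number: str) -> int:
    """Inverse of encrypt_counter: the issuer recovers the print-run counter from a card
    number, so activation can still be restricted to numbers that were actually printed."""
    left, right = divmod(int(number), HALF)
    for rnd in reversed(range(ROUNDS)):
        left, right = (right - _round_fn(key, rnd, left)) % HALF, left
    return left * HALF + right


def issue_batch(key: bytes, first_counter: int, count: int) -> list:
    """Numbers for one print run: counters first_counter .. first_counter+count-1."""
    return [encrypt_counter(key, c) for c in range(first_counter, first_counter + count)]


def activation_allowed(key: bytes, number: str, printed_ranges) -> bool:
    """Activation check: the number must decrypt to a counter inside a printed range.
    A number the cashier invents, or one from an unissued range, is refused."""
    if len(number) != 16 or not number.isdigit():
        return False
    counter = decrypt_number(key, number)
    return any(lo <= counter < hi for lo, hi in printed_ranges)


if __name__ == "__main__":
    for n in issue_batch(DEMO_KEY, 1000, 5):
        print(n, "->", decrypt_number(DEMO_KEY, n))
```

Because the mapping is a permutation, uniqueness needs no database lookup at print time, and an attacker holding one card learns nothing about its neighbours without the key. The weak point moves from the numbering scheme to key custody, which is where it belongs.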
Re: (Score:2)
Argh, crap. Copied the wrong text and answered a different question. My defense is jetlag.
counterfeit gift card (Score:2)
"Caput's written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions."
This is the scary part. An obviously counterfeit gift card, but accepted without question because it could be swiped?
Would the retailer accept obviously counterfeit cash just because it said "Cash" on it?
Re: (Score:2)
I don't know if you've used a CC in the US in the last several years but they virtually never look at them. Unless the computer randomly requires the last 4 digits to be verified literally no one bothers checking the signature. I've been asked to show ID occasionally (which is against the merchant agreement but some places insist anyhow) but that's about it.
Going a step further, any place with a self-checkout makes this trivial.
Not to mention there are several products on the market that consolidate multi
Won't work with a good processor (Score:1)
Our former bank used serial numbers (Score:2)
My wife and I both had debit cards, and hers was exactly mine + 1. In reality that means the last two digits were changed since the last digit is the checksum. I always wondered, though, if all their cards were numbered serially, since it would then be trivial to come up with a list of card numbers. With a three digit CVV it would be as easy to guess card numbers based on a single CVV value as vice versa.
The SIMPLE fix (Score:2)
Require the CSC or CVV2 for balance requests. THAT is not predictable, so far as I can see.
There are a multitude of reasons why cards have predictable numbering, and none of these are going away. Just use the existing security (CVV2/CSC) and let the fraud checking and auth systems do their work.
Re: The SIMPLE fix (Score:2)
The trick is to guess card numbers, get balances, then write a card with the track 1 data and spend the 'money'. The actual card gets debited, the actual owner is confused, and nobody asks for the CSC/CVV2 on a swipe.
Requiring the CSC or CVV2 stops this. Simple.
Stealing is stealing (Score:2)
News flash: Being a thief is not difficult. That any particular thievery is based on technology does not make it cool, intrinsically interesting, or OK.
I can think of dozens ways to steal things that are "scarily easy". Like knocking down an old lady and grabbing her purse.