Gift cards are convenient, which is why they are so popular. If you can’t think of what to get for someone, they are an easy way to cover your bases without having to spend all night trying to think up the perfect thing. Unfortunately, they are also convenient for hackers.
Demonstrating just how easy became a project for Will Caput, a professional pen-tester, starting about two years ago. And that led to a presentation at Toorcon: San Diego this past weekend titled “Cash in the Aisles: How gift cards are easily exploited“.
In his summary, Caput noted that most people think gift cards “must be activated to have any monetary value”.
Not for anybody with some hacking skills, though, as he went on to say:
Weaker security features than the average credit card makes these gift cards nearly as valuable as cash. Mass produced, their numbers follow a predictable pattern and have limited built-in security, such as a chip or PIN, to prevent fraud.
Not that this is a new problem. Gift cards have been a target of an endless variety of scams pretty much since they came into being. In the past, thieves would “sniff” the magnetic strip on the back with a scanner and then clone it.
In 2013, a Subway franchise owner and a partner hacked into at least 13 Subway point-of-sale (PoS) systems and fraudulently added at least $40,000 to Subway gift cards. They also sold other fraudulent cards on eBay and Craigslist. Fortunately, they got caught.
There are ongoing social media scams that trick people into thinking they can get a free gift card from major retailers ranging from Amazon to Walmart, Ikea, Starbucks, CostCo, Argos and more.
But Caput’s project showed that hackers with even basic skills can turn gift cards into cash before anybody activates them, and without needing to trick anybody. He told Wired, prior to his talk at Toorcon, that since it is easy to grab a stack of unactivated cards – vendors don’t mind since they let customers load them with value online – he discovered that most of the string of numbers on gift cards from multiple vendors are the same except for one that changes with every card, plus the last four digits, which appeared to be random.
By visiting the website that the vendor uses to check a card’s value, and then running the brute-force software Burp Intruder on the last four digits, it took him about 10 minutes to discover which cards had how much value.
With that information, a hacker can use the card on the vendor’s e-commerce page. Caput said he even wrote them to a blank, plastic card with a $120 magnetic-strip writing device available on Amazon, and said most retailers would accept the card – although he said he only asked for the balance and didn’t make purchases.
Caput said he notified retailers of the flaw, and some responded by improving their security in a variety of ways – by taking down the web pages that let users check their value online, requiring users to verify their cards’ values by phone or by adding CAPTCHAs to their web pages.
But he said other vendors, who he didn’t name, didn’t do much of anything or made changes that were easy for him to defeat. Even if a vendor demands a PIN, besides the number on the card, he said Burp Intruder could defeat that as easily as it did the last four numbers on the card.
Evidence supporting the credibility of his findings came in a report earlier this year, which found that the number of discussions about stolen gift cards had spiked on the dark web marketplace AlphaBay between November 2016 and this past July, when the FBI shut down AlphaBay. The report said hackers were able to steal the value of the cards using the same technique Caput had reported.
The recommended fixes aren’t complicated: use strong CAPTCHAs and use scratch-away coverings on the numbers. Most important, don’t leave the cards sitting on a counter for a hacker to grab and then return.
And for those looking for an easy gift that you don’t have to think about – it would be wise to think about the fact that somebody else might have drained the value of that card before your recipient even gets it.
Which would mean your gift would be worthless. Not a good way to cover your bases.