Crap gift card security helps crims spend your birthday pressie cash Gift cards' lousy security makes it easy for crooks to spend marks' money, researchers said Tuesday night. During their presentation at the BSides conference in Las Vegas, William Caput and Sam Reinthaler used an $80 card reader and writer, and some tech savvy, to demonstrate just how easy it is for miscreants to get access to …
This makes no mention of the security feature that is on every gift card I have ever seen, the PIN on the back which you have to scratch to reveal.
You shouldn't be able to check the balance or purchase anything online without that PIN. Which means their attack would only work in physical stores, which with the amount of CCTV and loss prevention teams would be a bad idea, especially if you have to guess the last 3-4 digits(1 check digit).
You should never accept a card with that PIN already scratched off as it means someone could go online and use the credit. Someone could grab a load of blank cards from the counter, take them home, read the cards and scratch the PIN off, then go back and put them in the store and just wait for them to be loaded up.
Staff are supposed to be trained to check the cards haven't had the PIN scratched off before loading them up.
The smart ones "spray paint" the scratch off stuff back on if they haven't done the work to read through the scratch off.
Really, if you must use a pin, the pin should be a combination of scratch off and an authorization pin fragment. That way, the clerk doesn't know the entire PIN unless they are in on the theft.
Not sure it makes any odds as to the mechanism of discovering valid accounts, but you would hope the staff are trained not to accept cards with stickers with new bar codes printed on...
Mind you monochrome card printers are probably just as cheap as mag stripe reader / writers...
Police have devices to drain your gift cards and re-loadable debit cards as part of their civil asset forfeiture policies.
No more smuggling your drug money in those Safeway gift cards you claim you need to buy food to feed your family, you filthy drug smuggler (although, in no way in their official capacity as a law enforcement officer are they actually accusing you of committing a crime, that would mean they'd have to fill out a bunch of paperwork).
I guess my point is, expect your gift card to be drained by the police using this method if the number is close enough to the number of a seized gift card. I'm sure they'll argue it is somehow necessary to keep the peace.
There was an article many years ago in 2600 magazine about gift cards (I think of just one retailer) and how easy it was to purloin the contents. The basic idea was that you noted down the number printed on the cards which from memory were stocked sequentially. The cards only had the number encoded on the magstrip not the value so that people couldn't add value to the card themselves. The value was held on the server at head office for security. All you did was acquire a blank card and then hang around the till waiting for a card to be bought. Once someone did you knew what the number was, you just encoded that onto the magstrip. Then go to the store and hand over the card, because they didn't check if the printed number matched the encoded one. Then just spend away! Frighteningly simple.
I remember a lovely scam from my days at argos, 2 guys come in the store, with duplicates of an as yet not activated gift card. One walks to the till and asks to load it up with £500, the other walks over to Jewellery and purchases a gold chain with the newly activated gift card. First guy is fumbling around looking for his wallet for some time, then declares he left it in the car... Both guys walk out, clerk cancels transaction and the till tries to deactivate the gift card but its too late.
Only worked on Argos gift cards at the time however, since the rest only activated after (sometimes long after) the transaction was completed. Suspect they got around to fixing it by now though
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
