Gift Card Hack

This is a clever hack against gift cards:

Seems they take the cards off the racks in stores and copy down the serial numbers. Later on, they check to see if the card is activated, and if the answer is yes, they go on a shopping spree from the store's website.

What's the security problem? A serial number on the cards that's visible even though the card is not activated. This could be mitigated by hiding the serial number behind a scratch-off coating, or opaque packaging.

Posted on December 8, 2006 at 12:06 PM • 45 Comments

Comments

AnonymousDecember 8, 2006 12:40 PM

Scratch-off coatings and opaque packages aren't new solutions, either. When I bought a telephone long-distance calling card 18 months ago, it had both opaque packaging and scratch-off coating.

Israel TorresDecember 8, 2006 12:42 PM

"You may want to purchase your card from a customer service person in stores that keep their gift cards behind the counter, away from tampering."

D'oh! The best part is that in retail loss prevention 75% of loss is from employee theft... so getting a card from someone that has better access and the time to write this data down isn't the best of ideas.

Israel Torres

jananthaDecember 8, 2006 12:44 PM

Wow..What an ideal scam! Scratch off coatings are much safer i guess and to be more secure opaque covering should be there too..

BigHank53December 8, 2006 12:45 PM

The problem is that the card's serial number must be accessible to the retailer, so that it can be activated once purchased. (Stealing an unactivated one just gets you a piece of plastic.) Most stores use the optical-scan bar code. Eliminating the human-readable text will just make the thieves use a scanner instead. This raises the threshold, but how much?

MattDecember 8, 2006 12:49 PM

I've had several cards where there is a pin number that is behind scratch off. So the visible number that's used to activate it isn't useful by itself.

JustinDecember 8, 2006 1:15 PM

@BigHank53,

The activation code doesn't have to be the same as the redemption code. Each card could have a pair of numbers, one encoded as a bar code for activation, and one as text hidden behind scratch-off material for usage.

The mapping would be stored on the company's servers. Now the employees can activate cards but can't hijack the redemption code.

sysadmnDecember 8, 2006 1:30 PM

"Write down" may not be correct - how long would it take to snap a quick cell phone pic of two or three cards?

I seem to recall that when this was reported last Christmas, companies took the hard line, and blamed the card owner, rather than acknowledge the vulnerability. Still, several changed their design.b

AnonymousDecember 8, 2006 2:09 PM

"Most stores use the optical-scan bar code. Eliminating the human-readable text will just make the thieves use a scanner instead. This raises the threshold, but how much?"

Actually the scan can be a separate activation key, with the only link between it and the human readable number stored in the company's (supposedly) secure database.

Stephan SamuelDecember 8, 2006 2:17 PM

An opaque wrapper is only good if it's tight enough that you can't slide it around to get the serial number under the seemingly-ubiquitous clear part. That or a scratch-off area are only good if the user: 1) knows that they're there as a security mechanism, and 2) looks to see that they're intact.

I have doubts as to the gross effect of either measure on a population for whom requiring shoe removal at the airport feels safer.

ELBDecember 8, 2006 2:18 PM

"Most stores use the optical-scan bar code. Eliminating the human-readable text"

People can read barcodes rather easily.

Scott CarpenterDecember 8, 2006 2:28 PM

@Stephan: I wonder how many people actually feel safer because of shoe removal, and how many bitterly resent it?

I submit to it, but I don't feel safer because of it. If anything, it has the opposite effect of making me think we're all doomed because we're so clueless and easily manipulated. :-)

TonyDecember 8, 2006 2:33 PM

Even with a scratch-off coating, stores that use gift cards with sequential or easily guessable serial numbers are still at risk. The attacker starts by buying one card, and working their way down the list of possible numbers in sequence.

A PIN could protect against this, but only if it is not guessable given the serial number.

GroovinDecember 8, 2006 2:55 PM

This is a new version of an old scam. The old version used a magstripe reader/writer to clone the cards. I thought that most stores went to the scratch-off style card to fix this, but I guess I was wrong.

Naughty MouseDecember 8, 2006 4:21 PM

Since we seem to have so much knowledge in the area. Does anyone have a list of gift card manufacturing companies on the two sides of this matter? And how they accomplish the goal?

By manufacturer I don't mean Home Depot, etc, I mean whoever it is that supplies their gift cards. I looked briefly at the gift cards available nearby and didn't see a manufacturer easily visible on any of them.

Bryan FeirDecember 8, 2006 4:52 PM

@Naughty Mouse:

I know that GiveX (http://web.givex.com/) is one of the major gift card suppliers for North America, though their website is rather short on technical details. (My only relationship with them is a job interview two and a half years ago for a job I didn't get.)

Pat CahalanDecember 8, 2006 5:17 PM

Didn't we have a similar hack published a bit ago where insiders lifted large quantities of the gift cards and made duplicates, then waited for someone to activate the card and cashed in on the duplicate?

Hiding the serial number doesn't help if the card is trivially duplicated.

philDecember 8, 2006 5:58 PM

How about keeping the cards next to the register? I'm sure the cashier would notice if you picked up a card, wrote down the number, then returned the card to the rack.

Matthew SkalaDecember 8, 2006 6:35 PM

Yes, put the serial number under a scratch-off coating... because as the Ontario lottery folks have established, scratch-off coatings are invulnerable to employee compromise.

As for bar codes, some cell phones can read them. There's CueCat-like marketing software based on that already; you scan the code with your phone and the server gives you information about the product. And as others have pointed out above, humans can be trained to read bar codes too.

Mark J.December 8, 2006 8:31 PM

Do all these thieves have fake addresses? If you buy something online, you have to have it delivered somewhere. Seems like the perfect time to arrest someone for fraud.

amalafridaDecember 8, 2006 11:30 PM

Speaking of which, I know a fellow who decided to coat a postage stamp with clear white glue, and then mail it to a friend. Friend soaked the stamp free of the postcard. Along with the stamp freeing itself of the postcard, ditto for the cancellation ink. The stamp was re-used 20 times before boredom set in.

another_bruceDecember 9, 2006 1:09 AM

gift cards are tacky. you gonna give something like that, give cash, which gives your recipient maximum options and doesn't immediately concede value to a corporation. with gift cards, prepare to be ripped off, from the float they get to the service charges for inactivity they impose.

antibozoDecember 9, 2006 1:34 AM

phil> I'm sure the cashier would notice if you picked up a card, wrote down the number, then returned the card to the rack.

Would the cashier notice if I pick up the card, memorize the number, then return it to the rack? And if so, why will he or she care? It's a classic externality.

But gift cards are evil anyway. It's like giving cash but less useful since the recipient can only spend it in one place. So unless the person you're giving it to is likely to spend cash on heroin, what's the point? People say giving cash is crass; I find gift cards even more so. Giving cash says, "I want to give you something but I don't know what you need, so here, get whatever you want with this." A gift card says, "I want to give you something, but I don't know what you need, so here, get yourself something from this particular store within six months when the card will expire." It's a cop-out as far as putting thought into a gift, and it's inconvenient both to purchase and to use. And with attacks like this one, it's also a vector for pure embarrassment and misery.

Stuart YoungDecember 9, 2006 7:24 AM

Actually, why not just block the method used to verify the cards are valid? How do they tell? I'm guessing they just enter the details into the website (see below), and if it works they go order. You don't even need the actual card in many cases like this - just knowledge of the range of numbers on the cards could be enough to get you in the door in a few weeks (brute force). Avoiding using sequential numbers on the cards can reduce the brute force aspect.

If this was me, I'd also not allow the use of gift cards purchased from a store on websites. If you want to use the card, you have to go into a physical store. This puts a person in the checking line, and "hopefully" they will stop such problems, whether it's by physically checking the card for anomolies, or just because they tried redeeming a bad card.

If you want gift cards on websites, then you would be better off using customer account management (ie: a login for each user) and you allow one user to "buy" credit for another. Heck, you could even allow this to happen in store as long as you provide the gift card receivers account name/number to the clerk. You could even pay for this transaction with a store-based gift card! The customer account management backend for the site can even inform them (say, by email) that they have a gift certificate waiting for them.

And if you do accept gift cards entered into a website, then why not collect all the details BEFORE you collect the gift card details, like delivery address and so on? If you get failures on the card, then perhaps flag the transaction for someone (ie: a human) to actually look at it. Someone should easily be able to spot suspicious activity on card details.

BTW: With a camera phone, apart from the fact that many of them can read barcodes now, even a pic of most barcodes taken with many camera phones can be printed out and then scanned. Removing the digits under the code isn't going to solve that problem.

antibozoDecember 10, 2006 3:04 PM

Mark J.> Do all these thieves have fake addresses? If you buy something online, you have to have it delivered somewhere. Seems like the perfect time to arrest someone for fraud.

If having to provide for an address, there would be no fraud based on stolen credit card numbers. Usually the individual purchases are too small to make it worthwhile for police in the thief's locality even to investigate. And some fraudsters use mailboxes, etc.-type outfits, or simply have stuff delivered to a neighbor's house and pick it up before they get home.

Stuart Young> Actually, why not just block the method used to verify the cards are valid?

What difference would that make? It's easy enough simply to place an order using the gift card number and see if it works.

Stuart Young> I'd also not allow the use of gift cards purchased from a store on websites.

Well, that would make them even more useless than they already are. At least if I get a Barnes and Noble gift care, I might be able to make use of it without having to drive to a brick-and-mortar Barnes and Noble and hope what I'm looking for is in stock.

Stuart Young> If you want gift cards on websites, then you would be better off using customer account management (ie: a login for each user) and you allow one user to "buy" credit for another.

Again, that makes them more useless. Now in order to buy someone a gift card, that person needs an account, and you need to know the account id.

Really, a scratch-off coating on the number is an adequate countermeasure, IMHO.

AnonymousDecember 11, 2006 7:09 AM

@antibozo

I love getting gift cards. I love, for example, books. Most people who give me gifts don't know what books I have or need, but they know I like books. A gift card says, "I know you love books, but I don't know what book you would like". It says, "I know your interests, but I don't know enough about them". Even more so with computer equipment -- even if I *told* people what I would like, they'd probably get it wrong.

wombat94December 11, 2006 9:23 AM

I used to work for a national specialty retail chain, and we had to combat Gift Card fraud from time to time.

We did the standard measures - we required physical proof of the card (in the form of a magnetic stripe read). When we added the cards to our website, we started issuing cards with PINs under scratch-off coating in the stores, and only PIN-based cards could be used on the website for redemption.

We added a last-4 digits manual entry check at the point of sale in the stores to prove that magnetic stripe read matched the imprinted card number on redemption (this was done to reduce someone redeeming someone else's money by re-programming the MS on their own card to a different account number).

I think, during the last holiday season I was with the company, we found the last significant hole that a scammer could exploit.

Someone (or a group of someones) realized that for speed of the initial sale transaction, we were not doing a validation between the last-4 digits imprinted on the card and the MS, so they took a bunch of cards and re-wrote the MS on those cards to match the account number of a good card they had in their posession.

They could do this with any number of cards, even card in other stores, since our style of cards were re-loadable (not all gift cards are).

Then they would monitor the balance on the card, and when someone purchased one of those other cards, their balance would be put on the scammer's card.

Since we had the redemption check, the purchaser of the original card would not even be able to redeem the balance (the point of sale would reject it since the MSR and the imprinted number didn't match), and the scammer could then go in at their leisure and redeem the money.

It took us a couple of days (and several customer complaints of mismatched cards coming from the same group of stores) to realize what the exact steps of this attack were... and it was a very easy hole to close as all we had to do was add the MSR/last 4 digits validation to the sale process... but it was a pretty ingenious method of gaming the system.

I'm not sure if our Loss Prevention people ever caught the scammers. I know I would likely have heard if it was an inside job, so I don't think it was that.

It was an interesting battle, and I think my former company has gotten to the point of having about as secure of a giftcard system as any... and they were always very good about customer service if there was fraud (or simple system error) that caused funds to be lost.

That incident is really what got me going on information security as a software developer and led me to this blog.

J.D. AbolinsDecember 11, 2006 9:46 AM

I was looking at a convenience store's rack of gift cards this morning. Most had an openly visible number, but a couple card types, including ones from American Express, were sealed in an envelope. I starting thinking about the economics & security aspects of the cards and fraud. For example, who bears the costs of the fraud.

For a long time, the security emphasis has been having the cards useless unless activated at the register and communicating that message to the shoppers and would-be shoplifters. The security agenda for the vendors was to deter the racks being depleted of cards and to prevent the theft of active cards. If the cards were being tapped after they were paid for, the retailer would not lose money. The issuer might not either if the affected customer failed to notice or report the fraud.

Until the recent publicity and potential for consumer reaction, the "record the card numbers & wait until any of them are activated" fraud did not have as big of impact on the retailers and issuers as it did for the people whose cards were being tapped.

Now if the consumers started to question the security of the cards and demand better anti-fraud protection, it may encourage measures such as hiding the number to access the account or separating it from the retailer's activation number/code.

(I have yet to hear any usable indication of how prevalent this fraud is. So far, I have heard about the hack itself.)

AnonymousDecember 11, 2006 10:54 AM

Anonymous> I love getting gift cards. I love, for example, books. Most people who give me gifts don't know what books I have or need, but they know I like books. A gift card says, "I know you love books, but I don't know what book you would like". It says, "I know your interests, but I don't know enough about them". Even more so with computer equipment -- even if I *told* people what I would like, they'd probably get it wrong.

All good reasons to give you not gift cards, but cash. The cash can be accompanied with a note saying, "Buy yourself a book," and you'll be able to buy a book at any chain, online or brick-and-mortar, you like, without being limited by the brand of the gift card. And you'll be able to choose the outlet that has the best price on the book you want as well.

Davi OttenheimerDecember 11, 2006 2:55 PM

@ J.D. Abolins

Fair points. The following suggestion in the article seems odd to me:

"You may want to purchase your card from a customer service person in stores that keep their gift cards behind the counter, away from tampering."

Seems to me the opposite is in play, that many people purchase hacked giftcards (unknowingly or otherwise) because they simply get more for their money. You can often tell who has the latest problem with giftcard security by searching on eBay (165 available right now).

Some systems allow attackers (including internal employees who might have written the giftcard software) to acquire card IDs and alter the dollar amount, or recharge it, without expense to themselves. They then sell the cards online to people who think it's great to get a "deal".

Sadly, in that model, does it really makes sense to buy a "safe" card from someone behind a counter if you don't think a grey/black market card is likely to be invalidated?

And in that case the fraud does have a big impact on retailers. On a related note, what's to compell a retailer or issuers to admit that they have this type of flaw (other than SOX)?

bmzDecember 11, 2006 10:30 PM

One retailer in Australia takes the name of the gift card recipient when the card is activated. It is as simple as asking for the persons name when it is being redeemed to ensure it is being used by the right person.

My local video store does the same thing, the membership card is not personalised but has a barcode and I am asked for my password when I present my card.

For cards that need activating any word or phrase would do. Something you have, something you know, etc.

AnonymousDecember 11, 2006 10:31 PM

One retailer in Australia takes the name of the gift card recipient when the card is activated. It is as simple as asking for the persons name when it is being redeemed to ensure it is being used by the right person.

My local video store does the same thing, the membership card is not personalised but has a barcode and I am asked for my password when I present my card.

For cards that need activating any word or phrase would do. Something you have, something you know, etc.

bmzDecember 11, 2006 10:34 PM

One retailer in Australia takes the name of the gift card recipient when the card is activated. It is as simple as asking for the persons name when it is being redeemed to ensure it is being used by the right person.

My local video store does the same thing, the membership card is not personalised but has a barcode and I am asked for my password when I present my card.

For cards that need activating any word or phrase would do. Something you have, something you know, etc. It seems to work well for transactions involving a cashier but I'm not sure as to how well this would work in an online commerce or calling card scenario.

bmzDecember 11, 2006 10:36 PM

One retailer in Australia takes the name of the gift card recipient when the card is activated. It is as simple as asking for the persons name when it is being redeemed to ensure it is being used by the right person.

My local video store does the same thing, the membership card is not personalised but has a barcode and I am asked for my password when I present my card.

For cards that need activating any word or phrase would do. Something you have, something you know, etc. It seems to work well for transactions involving a cashier but I'm not sure as to how well this would work in an online commerce or calling card scenario.

BenDecember 18, 2006 11:59 PM

I work part-time for a major electronics retailer, and we've been getting communications from our corporate office about this gift card scam. It has been argued here that a scratch off coating should cover the pin number, which we do, as a preventive measure. However, that is only half the story. From the information I am getting the thieves are scratching off these strips while in the store and writing down the pin as well. All it takes is an inattentive customer and an inattentive (or overworked, considering the season) cashier not noticing the missing coating for the card to be sold with the pin pre-exposed. The scratch off coating, like any security strategy, is only as good as the person responsible for implementing it. Thankfully my company recognizes that and has been proactive in trying to raise the awareness level of its employees and increasing their financial incentives to look for this scam. At the same time, as mentioned above, employees are responsible for most of the theft in retail. This is very true, and complicates even a simple security problem like this.

dianaFebruary 1, 2007 4:09 PM

i am not to happy about what they are doing with the gift cards because it is hurting my job ,i got layed off because we are real slow now ,so think you to the ones for hurting my job ,

DJMCSlickJuly 25, 2007 12:27 PM

Gift card security occurs now by utilizing a "wrapper" on the cards. The security code on the back of the wrapper in now way can be tied to a specific card id except by the company's activitating/authorizing servers, and the transmission to request activation of the cards must come through a secure terminal (secure meaning either over TCP/IP & certified) or in the case of dialup technology, via a terminal that has been identified and recogncized by the activating parent company. Tellers or cashiers that have access to the cards can not steal or otherwise take a terminal home and turn it on and activate cards since the telephone lines & terminal used have unique identifiers.

I am managing the launch of gift cards at a large company and we forecast significant revenue with minimal risk.

hankOctober 20, 2007 12:33 PM

say a person walks up to a cashier they know and is in on the scam. cant the cashier put a large amount of money on the card even if the person only hands them a twenty to put on the card??

EnricoDecember 19, 2007 1:24 PM

Couldn't in theory someone steal a cash register or other scanning machine and then a bunch of cards and just activate them at home? =x

73N5H1September 11, 2008 11:22 AM

here's an idea... have the person purchasing the card attach a PIN to the card via the pinpad every store has ... When the person uses the card online or in store, it simply asks for their PIN for authentication.
This removes the risk of anyone stealing an activation code from a card to use later as well as the risk of an employee finding out and exploiting it internally. It also avoids the cost of changing production of the card to add new measures or installing new machines, as it works off of current hardware. In effect, it would work like a debit card. It would also be smart to add measures that limit PIN attempts to circumvent brute forcing the cards.


... or you could just give cash ;)

O.oDecember 22, 2008 6:57 PM

What if you could buy a giftcard online or have a cashire do it right there and print out a business card shaped piece of paper with a scratch-off coating. Under the coading would be a series of numbers and letters that are 100% random. Also of course you would notice if the cashire scratched it off. And maybe there could be a layer of peelable sticker like paper on top of the scratch-off part to maximize the protection. The downside to all this is that companies that supply the giftcards would have to make printers to create these new "giftcards" This could help, but with all the online hackers they could find the url and probably steal millions of dollers.

Shadow HawkJanuary 6, 2009 11:56 PM

what about using a card reader/writer like the ones on www.hackerscatalog.com

mr.xDecember 30, 2011 5:28 AM

Well you all wrong. Snapping pictures and weirding down codes only allows the artist to purchase online. Leaving the police a paper trail to his address
The reader/writer way works but it allows the card owner to spend it as well
So the artist must beat him to the store..
THIS IS THE NEW WAY. The package leaves the store via thief. The artist takes the card out and putts in a dummy, or. Blank spent card. Thief returns package to prime shelf
And as soon as package is scanned
The artist starts shopping.

Is all that stores need to do is when the card is called on for a balance check before its activated. Kill that card forever
And cashier can't ring it up
That's the facts Jacks

jim.naylor.November 13, 2013 1:16 AM

When purchasing a gift card, would it be possible for the cahier to add a pin number of the customers choice added to the computer, this number would have to be quoted to activate the card by the recieving person? I have lost a number of cards in the mail, especialy to grandchildren in the Tamworth NSW area.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..