A 22-year-old Oregon man has been sentenced to 18 months probation for stealing $6,000 worth of merchandise using gift card–cloning gear he found online. Sealtiel Chacon Zepeda was standing in the check-out line at a Fred Meyer store in Washington County when he realized it probably wouldn't be too hard to hack the magnetic …
I wonder if using Tor would've helped mask his true location?
This could be a good little earner...
Mine's the one with the portable swiper in it
Upstanding citizen, obviously
Most criminals get caught because they are dumb. And this guy is a real winner: serving 18 month probation for the scam and "a simultaneous drunk driving conviction."
Anyway, the comment about Tor came up in my mind right away, as well. Then I read TFA and realized there was no way.
Paris, she said there was no way.
He succeeded in attracting the attention of the law.
Not surprised the stores don't want to co-operate. Makes gift cards look bad. And really they were not the ones robbed, it was the people who were given the cards as gifts or bought them for their children that are out the money. Best Buy, et al haven't lost a cent.
Nor am I.
However, what does surprise me is that we apparently cannot do anything about the behaviour of the stores involved. How about a public service ad campaign after such a case and pillory the shops concerned. One could have some fun could one not? Film a Macy gift-card and queue voice-over, "Macy's gift-card, the gift that keeps on giving and giving and giving......."
On a more serious note we know that companies that get ripped off directly are often very unwilling to tell the police or to cooperate when the police contact them. If I as an ordinary citizen conceal knowledge of a criminal offence (even though I myself have neither committed it nor benefited from it) I have (under British law at any rate) broken the law and can be punished. Why cannot we do something similar to companies that hide fraud and the like because they wish to save face?
Well, they are gift cards after all!
Why steal the cards?
Just go and scan the bar codes on the back of the cards. That ought to be enough to do the "clone job" on the card. Besides they are in numerical order on the rack.
And you wonder why I don't use/like gift cards.
Cloning a mag strip is tech as old as, well, mag strips! It's always been difficult though because you need physical access to the original card. The ingenuity here is in recording the blank cards while they are still effectively worthless. I didn't know one could query their balance online, though - that is what made this whole thing possible!
"When they were purchased and activated by customers, the software alerted him to that fact."
Really? He could tell, for example, that an itunes code was valid? That needs a lot more than just a magnetic stripe..
The itunes cards they sell in the UK don't even have magnetic stripes (it's a fixed code that gets typed into itunes).. Presumably the US uses a different system for some reason. Gift tokens are generally not plastic either...
Eh? Who said anything about an iTunes code?
The article is talking about electronic gift cards which have replaced paper gift tokens in many shops like HMV, WH Smith etc. Same size/shape as a normal plastic credit card.
They have cards with zero balance on a rack somewhere - the customer takes one to the till and says "Top this up with £20 please".
These are not iTunes codes or some Pay As You Go cards where the value is already stored against a code and the buyer scratches off the silver paint to reveal the code they need to type in to their phone/iTunes to get the credit transferred to them.
The article says "He ran the scam at numerous stores including Apple's......" so we're probably talking about their bricks and mortar (or should that be glass and shiny plastic?) stores, not iTunes.
Presumably this guy's scam would have worked over the telephone as well. All of these cards have a free phone number on the back to check the balance and most of the time, all you have to enter is the card number (some have a scratch-off PIN but not many). All he would have needed to do would be to poll the card balances periodically and wait until he didn't get a 'sorry, card number not recognised' response...
"That needs a lot more than just a magnetic stripe.."
Actually that's all you need. In the US there is a magnetic strip, code printed on the back, and usually a scratch-reveal authentication code.
When you use a gift card at a store, the cashier doesn't need to enter the gift card code or security code. Both codes are stored in the magnetic strip. Software that can read the strip can extract both pieces of information, which is all that is needed to tell if a gift card is active. To do this, you attempt to check the gift card balance online. If it works, the card is active.
That he's logging the unique ID of each card then trying to read its balance online. The balance wouldn't show up until the card is purchased and a balance is added to it. So it'd then say 'This one's been activated and had £50 put on it'.
Re: Fred Meyer was the only retailer that was willing to work with authorities
Why would the likes of Apple not be willing to work with police over this if they are being ripped off?
See post above
Apple et al aren't being ripped off. It's the people who pay good money for the gift cards, as the balance was transferred to another card. They labelled the genuine customers as liars, cheats and thieves.
Now to admit their system was flawed and that the customers weren't liars, well, that wouldn't be good for business.
re: Why not Apple willing to work with police?
Simple, just get another gift card - not that big of a deal
I don't wonder why you don't like gift cards
>> And you wonder why I don't use/like gift cards.
Actually no I don't.
I don't sit here and wonder why an anonymous person who I don't know and will never meet doesn't like using gift cards. I'm also not particularly interested in what you had for breakfast.
Breakfast? Who said Breakfast?
It's Beer and Donuts for me please.
@"It's Beer and Donuts for me please."
... paid for by gift card.
I've always wondered...
I do, I sit here and wonder for hours why people don't use/like gift cards.
In fact, you wouldn't believe how many hours I've lost sitting here wondering why anonymous people I don't know, and will never meet, don't like using them.
For as long as I can barely remember, it's the one thing that's always been beyond my grasp. My life's greatest perplexity. So much so, that I could see no end in sight, and truly, I believed this mystery was to haunt me for the rest of my natural life. My fate, to die in ignorance.
And all I ever wanted to know was why? Why do these anonymous internet people shun gift cards so?
Re: I've always wondered...
Wow, that's like a whole housing estate of sarcasm.
A question asked merely for effect with no answer expected. The answer may be obvious or immediately provided by the questioner. See also:
* What Is a Rhetorical Question?
I was going to say that!
Except... I *was* wondering what he had for breakfast!
Well actually ...
... a reprogrammed Holiday Inn room key.
It said "Breakfast was included" officer...
Gift cards are lame
Put in the extra effort and write them a cheque. You can always ask what they bought with it afterwards.
In this day and age spoofing gift cards does seem pretty likely to happen.
There are aspects of this scam which should have rung alarm bells.
The same IP address querying many accounts, multiple times a day. Not normal, is it?
Using valid details for cards which haven't been sold yet. Presumably the card number has enough inbuilt verification to ensure that a random number is highly unlikely to be valid? Shouldn't it be flagged up when a valid, non active card number is queried?
Card cloning is hardly new, crims were cannibalising cassette recorders to clone cards 30 years ago.
These stores are looking after people's money - they should have decent security. If they are using insecure mag stripes to reduce costs, they need security on the website and backend to compensate.
But why do they need to use such a cheapskate system anyway? A proportion of the money paid for gift cards never gets spent - the card is lost or forgotten (and, major WTF, they have expiry dates, christ I wish my mortgage had that clause). They could surely afford a smart card solution?
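The two alarm signals raised in the comment above (one source address querying many cards several times a day, and lookups of valid card numbers that have not been sold yet), sketched as backend detection logic. This is an added example, not part of the original comment; the log layout, card-state labels, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

def build_sample():
    """Constructed balance-check log: (ISO time, source IP, card id, card state)."""
    events = []
    for hour in (9, 13, 21):               # one source, several times a day
        for n in range(1, 7):              # many different cards
            state = "active" if (n == 3 and hour == 21) else "inactive"
            events.append((f"2013-01-05T{hour:02d}:00:{n:02d}", "198.51.100.7",
                           f"CARD-{n:04d}", state))
    events += [                            # ordinary customers checking their own card
        ("2013-01-05T10:15:00", "203.0.113.20", "CARD-0101", "active"),
        ("2013-01-05T18:40:00", "203.0.113.20", "CARD-0101", "active"),
        ("2013-01-05T11:05:00", "203.0.113.31", "CARD-0102", "inactive"),  # one-off
        ("2013-01-05T11:20:00", "203.0.113.31", "CARD-0102", "active"),
    ]
    return events

def flag_sources(events, max_cards_per_day=3, max_inactive_hits=2):
    """Return {ip: [reasons]} for sources exceeding either daily threshold."""
    cards = defaultdict(set)      # (ip, day) -> distinct cards queried
    inactive = defaultdict(int)   # (ip, day) -> lookups of valid but unsold cards
    for ts, ip, card, state in events:
        key = (ip, datetime.fromisoformat(ts).date())
        cards[key].add(card)
        if state == "inactive":
            inactive[key] += 1
    findings = defaultdict(set)
    for (ip, _day), seen in cards.items():
        if len(seen) > max_cards_per_day:
            findings[ip].add("many-cards")
    for (ip, _day), hits in inactive.items():
        if hits > max_inactive_hits:
            findings[ip].add("inactive-polling")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

def cards_at_risk(events, flagged):
    """Cards a flagged source polled while unsold and later saw as active."""
    polled_inactive, at_risk = set(), set()
    for _ts, ip, card, state in sorted(events):   # ISO timestamps sort in time order
        if ip not in flagged:
            continue
        if state == "inactive":
            polled_inactive.add((ip, card))
        elif (ip, card) in polled_inactive:
            at_risk.add(card)                     # candidate for freeze and reissue
    return sorted(at_risk)
```

The one-off lookup of a not-yet-active card by 203.0.113.31 stays below both thresholds, which is the benign case a single per-query alert would misfire on.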
I wondered about that too
"and, major WTF, they have expiry dates, christ I wish my mortgage had that clause" -- give that person a cigar.
Buying a gift card = lending the store money
Giving the gift card to a friend or relative = transferring a debt with the debtor's consent
The person spending the gift card = calling in the loan
Since when does the borrower of money get to stipulate conditions under which they can refuse to pay it back?
The stores were not losing money.
Each time this guy used a cloned card, it zeroed the balance on someone's legitimately purchased gift card. The store however got paid for every card.
I imagine that the reason the stores wouldn't co-operate is because they didn't lose any money.
They almost certainly explained to the customers that had had their cards cloned that the balance was clearly zero and they had spent their money, and did they have another method of payment or would they be putting those things back...
If the stores even admit it's possible, they open themselves to every Tom, Dick and Harry that has a used up gift card claiming it was cloned and demanding their money back. It would bankrupt them.
This case can be used as caselaw now. With a civil prosecution it would only need probable and with the ease at which this loony did it that should be probably enough.
Failed to cooperate?
A store failed to cooperate with authorities who were investigating a theft - particularly when the store in question was not actually the victim of the theft?
They shouldn't really have any choice in the matter.
I remember reading of cases of identity theft where a store refused to cooperate with police because they saw nothing to gain, while the person whose credit card numbers were misused would continue to be a victim. This is a gap in the law; it should be, instead, clear that those who have information needed to protect innocent people from crime must supply it.
18 months probation?
What, only 18 months probation for grand theft involving numerous anonymous victims?
If the stores cared at all, they wouldn't be using magstripes; they'd be using Chip & PIN. Yes, I know C&P's not perfect, but magstripes just scare me.
The one with all credit cards on a string so they don't ever go out of sight, ta.
Zepeda is a hero!
Most people are missing the point. Zepeda committed a computer crime, but let's be clear about one thing, this is not any clever computer hack, Zepeda just noticed a flaw in the existing human systems.
The companies concerned could have prevented the scam by the simple expedient of not placing the cards where they can be freely accessed (until a crooked employee becomes part of the scam), but no, the companies want to stick the cards in your face every time you go to the cash register, it's the cheap way to advertise them. You don't see banks doing the same thing with credit/debit cards do you? I wonder why.
Zepeda should not get a criminal record out of this, he should be rewarded and be offered a position as a security consultant to ALL of the companies he ripped off. Zepeda's error is that he only stole $6K, hardly a lunch bill for a senior executive and easily absorbed by any company, much cheaper to pay back the customers and maintain the status quo rather than introduce any real security measures.
I'd love the mods to leave this thread open so we can all report how different companies have changed their procedures to combat this form of fraud, but we all know companies will do nothing to combat this sort of crime.
I hope somebody repeats this scam, I really do, except that they send the card to an executive who uses the gift card and the executive gets arrested. That would help focus their minds.
What HAVE you been smoking?
Must be "Guru's Dreamy Smoking Mixture" if you think anything will change. Why should the store do anything? It's not like THEY lost any money...
Dear, Oh dear - youth these days ... what are they using for brain cells?
Hello Hello? Is there anyone in there?
A few years ago...
...when I received a WH Smiths Gift Card my mind started thinking laterally, and found that you can just tinker with the URL to query the balance on other cards that you don't own. It doesn't take too many guesses at numbers close to yours to find cards with balance soon after Christmas. The systems/check-digit (if any) were laughably simple.
Besides, Gift Card balances expire after 1-2 years with the remaining balance going straight to the store. Old-fashioned Gift Tokens at least retained their face value almost forever.
Gift Cards = fail.