I wonder if using Tor would've helped mask his true location?
This could be a good little earner...
Mine's the one with the portable swiper in it
A 22-year-old Oregon man has been sentenced to 18 months probation for stealing $6,000 worth of merchandise using gift card–cloning gear he found online. Sealtiel Chacon Zepeda was standing in the check-out line at a Fred Meyer store in Washington County when he realized it probably wouldn't be too hard to hack the …
Most criminals get caught because they are dumb. And this guy is a real winner: serving 18 months' probation for the scam and "a simultaneous drunk driving conviction."
Anyway, the comment about Tor came up in my mind right away, as well. Then I read TFA and realized there was no way.
Paris, she said there was no way.
However, what does surprise me is that we apparently cannot do anything about the behaviour of the stores involved. How about a public service ad campaign after such a case and pillory the shops concerned. One could have some fun could one not? Film a Macy gift-card and queue voice-over, "Macy's gift-card, the gift that keeps on giving and giving and giving......."
On a more serious note we know that companies that get ripped off directly are often very unwilling to tell the police or to cooperate when the police contact them. If I as an ordinary citizen conceal knowledge of a criminal offence (even though I myself have neither committed it nor benefited from it) I have (under British law at any rate) broken the law and can be punished. Why cannot we do something similar to companies that hide fraud and the like because they wish to save face?
"When they were purchased and activated by customers, the software alerted him to that fact."
Really? He could tell, for example, that an iTunes code was valid? That needs a lot more than just a magnetic stripe..
The iTunes cards they sell in the UK don't even have magnetic stripes (it's a fixed code that gets typed into iTunes).. Presumably the US uses a different system for some reason. Gift tokens are generally not plastic either...
Cloning a mag strip is tech as old as, well, mag strips! It's always been difficult though because you need physical access to the original card. The ingenuity here is in recording the blank cards while they are still effectively worthless. I didn't know one could query their balance online, though - that is what made this whole thing possible!
Eh? Who said anything about an iTunes code?
The article is talking about electronic gift cards which have replaced paper gift tokens in many shops like HMV, WH Smith etc. Same size/shape as a normal plastic credit card.
They have cards with zero balance on a rack somewhere - the customer takes one to the till and says "Top this up with £20 please".
These are not iTunes codes or some Pay As You Go cards where the value is already stored against a code and the buyer scratches off the silver paint to reveal the code they need to type in to their phone/iTunes to get the credit transferred to them.
The article says "He ran the scam at numerous stores including Apple's......" so we're probably talking about their bricks and mortar (or should that be glass and shiny plastic?) stores, not iTunes.
Presumably this guy's scam would have worked over the telephone as well. All of these cards have a free phone number on the back to check the balance and most of the time, all you have to enter is the card number (some have a scratch-off PIN but not many). All he would have needed to do would be to poll the card balances periodically and wait until he didn't get a 'sorry, card number not recognised' response...
Actually that's all you need. In the US there is a magnetic strip, code printed on the back, and usually a scratch-reveal authentication code.
When you use a gift card at a store, the cashier doesn't need to enter the gift card code or security code. Both codes are stored in the magnetic strip. Software that can read the strip can extract both pieces of information, which is all that is needed to tell if a gift card is active. To do this, you attempt to check the gift card balance online. If it works, the card is active.
>> And you wonder why I don't use/like gift cards.
Actually no I don't.
I don't sit here and wonder why an anonymous person who I don't know and will never meet doesn't like using gift cards. I'm also not particularly interested in what you had for breakfast.
I do, I sit here and wonder for hours why people don't use/like gift cards.
In fact, you wouldn't believe how many hours I've lost sitting here wondering why anonymous people I don't know, and will never meet, don't like using them.
For as long as I can barely remember, it's the one thing that's always been beyond my grasp. My life's greatest perplexity. So much so, that I could see no end in sight, and truly, I believed this mystery was to haunt me for the rest of my natural life. My fate, to die in ignorance.
And all I ever wanted to know was why? Why do these anonymous internet people shun gift cards so?
There are aspects of this scam which should have rung alarm bells.
The same IP address querying many accounts, multiple times a day. Not normal, is it?
Using valid details for cards which haven't been sold yet. Presumably the card number has enough inbuilt verification to ensure that a random number is highly unlikely to be valid? Shouldn't it be flagged up when a valid, non active card number is queried?
Card cloning is hardly new, crims were cannibalising cassette recorders to clone cards 30 years ago.
These stores are looking after people's money - they should have decent security. If they are using insecure mag stripes to reduce costs, they need security on the website and backend to compensate.
But why do they need to use such a cheapskate system anyway? A proportion of the money paid for gift cards never gets spent - the card is lost or forgotten (and, major WTF, they have expiry dates, christ I wish my mortgage had that clause). They could surely afford a smart card solution?
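The checks the comment above asks for (one address querying many cards, repeated polling, and balance queries against cards that have not been sold yet), written as detection logic over balance-inquiry records. This is an added example, not part of the original thread or any retailer's system; the record layout, card identifiers, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, source_ip, card_id, card_state).
# card_state is what the issuer's backend knows when the query arrives.
SAMPLE_LOG = [
    ("2019-01-07T09:00:12", "198.51.100.7", "CARD-0001", "inactive"),
    ("2019-01-07T09:00:14", "198.51.100.7", "CARD-0002", "inactive"),
    ("2019-01-07T09:00:15", "198.51.100.7", "CARD-0003", "inactive"),
    ("2019-01-07T09:00:17", "198.51.100.7", "CARD-0004", "inactive"),
    ("2019-01-07T12:30:00", "203.0.113.20", "CARD-0100", "active"),
    ("2019-01-07T13:00:11", "198.51.100.7", "CARD-0001", "inactive"),
    ("2019-01-07T13:00:13", "198.51.100.7", "CARD-0002", "active"),
    ("2019-01-07T18:00:10", "198.51.100.7", "CARD-0001", "inactive"),
]

# Assumed thresholds; tune them against real customer traffic.
MAX_CARDS_PER_IP_PER_DAY = 3
MAX_REPEATS_PER_CARD_PER_DAY = 2

def analyse(records):
    """Return a list of alert tuples for suspicious balance-check behaviour."""
    cards_by_ip_day = defaultdict(set)    # (ip, day) -> distinct cards queried
    hits_by_ip_card = defaultdict(int)    # (ip, card, day) -> query count
    inactive_by_ip = defaultdict(set)     # ip -> unsold cards it asked about
    for ts, ip, card, state in records:
        day = datetime.fromisoformat(ts).date()
        cards_by_ip_day[(ip, day)].add(card)
        hits_by_ip_card[(ip, card, day)] += 1
        if state == "inactive":
            # A legitimate holder has no reason to query a card before sale.
            inactive_by_ip[ip].add(card)

    alerts = []
    for (ip, day), cards in sorted(cards_by_ip_day.items()):
        if len(cards) > MAX_CARDS_PER_IP_PER_DAY:
            alerts.append(("many_cards", ip, str(day), len(cards)))
    for (ip, card, day), count in sorted(hits_by_ip_card.items()):
        if count > MAX_REPEATS_PER_CARD_PER_DAY:
            alerts.append(("repeat_polling", ip, str(day), card))
    for ip, cards in sorted(inactive_by_ip.items()):
        alerts.append(("inactive_card_queried", ip, sorted(cards)))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The inactive-card rule is the strongest signal of the three because it needs no threshold: a single hit already means someone holds the number of a card that is still on the rack.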
"and, major WTF, they have expiry dates, christ I wish my mortgage had that clause" -- give that person a cigar.
Buying a gift card = lending the store money
Giving the gift card to a friend or relative = transferring a debt with the debtor's consent
The person spending the gift card = calling in the loan
Since when does the borrower of money get to stipulate conditions under which they can refuse to pay it back?
A store failed to cooperate with authorities who were investigating a theft - particularly when the store in question was not actually the victim of the theft?
They shouldn't really have any choice in the matter.
I remember reading of cases of identity theft where a store refused to cooperate with police because they saw nothing to gain, while the person whose credit card numbers were misused would continue to be a victim. This is a gap in the law; it should be, instead, clear that those who have information needed to protect innocent people from crime must supply it.
Most people are missing the point. Zepeda committed a computer crime, but let's be clear about one thing, this is not any clever computer hack, Zepeda just noticed a flaw in the existing human systems.
The companies concerned could have prevented the scam by the simple expedient of not placing the cards where they can be freely accessed (until a crooked employee becomes part of the scam), but no, the companies want to stick the cards in your face every time you go to the cash register, it's the cheap way to advertise them. You don't see banks doing the same thing with credit/debit cards do you? I wonder why.
Zepeda should not get a criminal record out of this, he should be rewarded and be offered a position as a security consultant to ALL of the companies he ripped off. Zepeda's error is that he only stole $6K, hardly a lunch bill for a senior executive and easily absorbed by any company, much cheaper to pay back the customers and maintain the status quo rather than introduce any real security measures.
I'd love the mods to leave this thread open so we can all report how different companies have changed their procedures to combat this form of fraud, but we all know companies will do nothing to combat this sort of crime.
I hope somebody repeats this scam, I really do, except that they send the card to an executive who uses the gift card and the executive gets arrested. That would help focus their minds.
...when I received a WH Smiths Gift Card my mind started thinking laterally, and found that you can just tinker with the URL to query the balance on other cards that you don't own. It doesn't take too many guesses at numbers close to yours to find cards with balance soon after Christmas. The systems/check-digit (if any) were laughably simple.
Besides, Gift Card balances expire after 1-2 years with the remaining balance going straight to the store. Old-fashioned Gift Tokens at least retained their face value almost forever.
Gift Cards = fail.