Crap gift card security helps crims spend your birthday pressie cash

Gift cards' lousy security makes it easy for crooks to spend marks' money, researchers said Tuesday night. During their presentation at the BSides conference in Las Vegas, William Caput and Sam Reinthaler used an $80 card reader and writer, and some tech savvy, to demonstrate just how easy it is for miscreants to get access to …

  1. John Smith 19 Gold badge
    Unhappy

    Got to wonder how much has been stolen in the 2 years it took the company to get its act together.

    OTOH that still leaves the other 50% of the industry that seems to have done jack s**t.

  2. Peter 26

    PIN on the back

    This makes no mention of the security feature that is on every gift card I have ever seen, the PIN on the back which you have to scratch to reveal.

    You shouldn't be able to check the balance or purchase anything online without that PIN. Which means their attack would only work in physical stores, which with the amount of CCTV and loss prevention teams would be a bad idea, especially if you have to guess the last 3-4 digits(1 check digit).

    You should never accept a card with that PIN already scratched off as it means someone could go online and use the credit. Someone could grab a load of blank cards from the counter, take them home, read the cards and scratch the PIN off, then go back and put them in the store and just wait for them to be loaded up.

    Staff are supposed to be trained to check the cards haven't had the PIN scratched off before loading them up.

    1. The Mole

      Re: PIN on the back

      Can't say I've ever seen gift cards with PINs on them - then again I've not used them for years.

      But as the article says that is one of the fixes that have been put in place to prevent this type of cloning.

    2. Speltier

      Re: PIN on the back

      The smart ones "spray paint" the scratch off stuff back on if they haven't done the work to read through the scratch off.

      Really, if you must use a pin, the pin should be a combination of scratch off and an authorization pin fragment. That way, the clerk doesn't know the entire PIN unless they are in on the theft.

  3. Gavin Chester

    John Lewis use printed barcodes

    Not sure it makes any odds as to the mechanism of discovering valid accounts, but you would hope the staff are trained not to accept cards with stickers with new bar codes printed on...

    Mind you monochrome card printers are probably just as cheap as mag stripe reader / writers...

    1. Anonymous Coward

      Re: John Lewis use printed barcodes

      ... but for online purchases you just type numbers in from the card - and with "click'n'collect" it would be possible to use a fake address for the id needed to collect it.

  4. Velv Silver badge
    Facepalm

    Isn't the point of the article that despite the security measures you've outlined it is possible for nefarious entities to spend the money on cards?

  5. hellwig Silver badge

    In the U.S...

    Police have devices to drain your gift cards and re-loadable debit cards as part of their civil asset forfeiture policies.

    No more smuggling your drug money in those Safeway gift cards you claim you need to buy food to feed your family, you filthy drug smuggler (although, in no way in their official capacity as a law enforcement officer are they actually accusing you of committing a crime, that would mean they'd have to fill out a bunch of paperwork).

    I guess my point is, expect your gift card to be drained by the police using this method if the number is close enough to the number of a seized gift card. I'm sure they'll argue it is somehow necessary to keep the peace.

  6. DNTP

    That $80 magcard reader

    from Amazon.com. I keep thinking it would be extra funny if they bought it for their research with a cloned Amazon gift card.

    1. Anonymous Coward

      Re: That 80$ magcard reader

      There are some things a "white hat" won't do, and generally this is one. Look what happened to the guy in Hungary when he generated a ticket even though he didn't use it.

  7. JimboSmith Silver badge

    There was an article many years ago in 2600 magazine about gift cards (I think of just one retailer) and how easy it was to purloin the contents. The basic idea was that you noted down the number printed on the cards, which from memory were stocked sequentially. The cards only had the number encoded on the magstripe, not the value, so that people couldn't add value to the card themselves. The value was held on the server at head office for security. All you did was acquire a blank card and then hang around the till waiting for a card to be bought. Once someone did, you knew what the number was; you just encoded that onto the magstripe. Then go to the store and hand over the card, because they didn't check if the printed number matched the encoded one. Then just spend away! Frighteningly simple.
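The two mechanics the thread keeps returning to (Peter 26's point that a single check digit only forces you to guess the remaining digits, and the 2600 story above where the till never compared the magstripe number with the printed one) are easy to make concrete. The block below is an added example, not code from the article or from any commenter. It assumes things the page does not state: that the check digit is a Luhn (mod 10) digit, that card numbers are 16 digits, and that Track 2 carries only the card number between its sentinels (real tracks also carry expiry, service code and an LRC, all left out here). Every card number in it is constructed for the example; 4111111111111111 is just the well-known Luhn-valid test value.

```python
"""Added example: check-digit guess space and the till-side PAN check.

Assumptions not taken from the page: Luhn check digit, 16-digit card
numbers, Track 2 = ';' + PAN + '=' + '?'.  All numbers are constructed.
"""
from typing import List, Optional


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn (mod 10) check digit for the digits in `partial`."""
    total = 0
    # Walk right to left; the digit just left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is its correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and \
        luhn_check_digit(number[:-1]) == number[-1]


def candidates(prefix: str, unknown: int) -> List[str]:
    """Every Luhn-valid number sharing `prefix` whose last `unknown` digits
    (the final one being the check digit) are unknown.

    Only 10 ** (unknown - 1) numbers survive, not 10 ** unknown: the check
    digit is a function of the other digits, so it costs a guesser a factor
    of ten and nothing more.  With sequential stock the prefix is known from
    any one card seen at the till.
    """
    body_len = unknown - 1
    out = []
    for n in range(10 ** body_len):
        body = prefix + str(n).zfill(body_len)
        out.append(body + luhn_check_digit(body))
    return out


def encode_track2(pan: str) -> str:
    """Minimal Track 2 string: start sentinel, PAN, field separator, end
    sentinel.  This is the whole of what the cloned card in the story needs."""
    return f";{pan}=?"


def track2_pan(track: str) -> Optional[str]:
    """Pull the PAN out of a minimal Track 2 string, or None if malformed."""
    if not (track.startswith(";") and track.endswith("?")) or "=" not in track:
        return None
    pan = track[1:track.index("=")]
    return pan if pan.isdigit() else None


def till_accepts(track: str, printed_number: str) -> bool:
    """The check the 2600 story says the shop skipped: the encoded PAN must
    be well-formed, Luhn-valid and identical to the number printed on the
    plastic.  A blank card carrying someone else's number fails only when the
    clerk (or the till software) actually compares the two."""
    pan = track2_pan(track)
    return pan is not None and pan == printed_number and luhn_valid(pan)


if __name__ == "__main__":
    seen = "4111111111111111"                     # number observed at the till
    clone = encode_track2(seen)                   # written to a blank card
    print("clone accepted, blank plastic:", till_accepts(clone, "0000000000000000"))
    print("clone accepted, matching print:", till_accepts(clone, seen))
    # Guessing the last four digits of a neighbouring card: 1000 tries, not 10000.
    print("valid guesses for 4 unknown digits:", len(candidates(seen[:12], 4)))
```

The last line is the whole of Peter 26's "guess the last 3-4 digits (1 check digit)" point: the check digit is there to catch typing errors, not to resist enumeration, which is why a PIN that is not derivable from the printed number matters.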

  8. hellsatan

    I remember a lovely scam from my days at Argos: 2 guys come into the store with duplicates of an as yet not activated gift card. One walks to the till and asks to load it up with £500; the other walks over to Jewellery and purchases a gold chain with the newly activated gift card. First guy is fumbling around looking for his wallet for some time, then declares he left it in the car... Both guys walk out, clerk cancels the transaction and the till tries to deactivate the gift card, but it's too late.

    Only worked on Argos gift cards at the time however, since the rest only activated after (sometimes long after) the transaction was completed. Suspect they got around to fixing it by now though

    1. Ian 55

      Erm, why put the value on the card before you've actually been paid for it?


Biting the hand that feeds IT © 1998–2019