Gift cards are extremely popular among Americans. According to InComm, 95% of Americans expect to give at least 2 gift cards this year – and a similar percentage are likely to receive at least one gift card.
There are quite a few reasons that gift cards are so popular among consumers. First, they’re totally flexible, and can be spent on just about anything. They’re also more thoughtful than a cash gift, and feel more special when given as a gift.
Because gift cards are such a popular item, just about every retailer – small and large – sells gift cards. Whether they’re selling gift cards at a Gift Card Mall in their store, online, or in person at checkout counters, gift cards are extremely popular among retailers.
However, the popularity of gift cards is not without its drawbacks. Because gift cards are nearly untraceable after they’ve been purchased, they’ve been a target of fraud for a long time. Fraudsters with stolen credit cards will buy gift cards and spend them – “cleaning” their stolen cash.
Indeed, the ubiquity of gift cards has made them an extremely popular target for fraud and hacking. Compared to bank-issued cards, gift cards are usually much more vulnerable, as they don’t include advanced security and anti-fraud features.
This is a huge issue for businesses. Previous fraudulent hacks have included thieves using magnetic card readers to steal card information, and crooks who steal cards, note the information on the card, and return it – then spend the money once a legitimate customer activates the card.
An even more critical security flaw was uncovered by an IT security expert named Will Caput, who recently presented his findings at the Toorcon: San Diego conference in early September, 2017.
Let’s take a look at this critical security flaw now – and discuss how both consumers and companies who sell gift cards can avoid being defrauded by this gift card “hack”.
A Critical Security Flaw – How A “White Hat” Hacker Broke Gift Card Vendor Security
In November, 2015, Will Caput was working for a security firm that was scouting a major chain of Mexican restaurants for data vulnerabilities, hackable web vulnerabilities, and other potential areas of risk.
This was only a few years after the catastrophic Target hack of 2013, so many retailers and restaurants were taking necessary steps to protect their data security, and ensure their IT systems couldn’t be breached.
During his lunch break, Mr. Caput drove to a local restaurant branch in Chico, CA. Still thinking about how to test the company’s security, he decided to grab a handful of unactivated gift cards that were sitting on the counter.
The cashier didn’t mind – customers can load these cards themselves through the company’s website at home, so his actions didn’t seem abnormal. As he ate his lunch, Will Caput examined the stack of (valueless) gift cards he had grabbed – and noticed a pattern.
Most companies contract with a third-party vendor to issue and sell gift cards – and some of these vendors are more secure than others. As he looked at the gift cards, Caput noticed a pattern in the digits of the cards.
While the final four digits of the card varied randomly, the rest of the digits appeared to remain constant, with the exception of a single digit that increased in value by 1 for every gift card he examined. By the end of his lunch break, he’d come up with a plan to defraud the company – but only to prove a point.
How The Hack Works
Over the last two years, he’s repeated this process with several retailers – including Macy’s, Taco Bell, and Trader Joe’s. Each of these companies took the appropriate steps to protect themselves – which we’ll discuss later.
The hack itself is relatively simple, according to Caput.
- Obtain several of the target company’s gift cards – This is the first step. A potential hacker needs to acquire a number of the target company’s gift cards, in order to determine the pattern of the numbers on the card.
Unactivated gift cards are often simply left out in the open at restaurants and stores – so a hacker could just take as many as they wish, and leave the store without being caught. The hacker can even buy gift cards, if necessary.
- Examine the gift cards for a value pattern – By examining the sequence of numbers on the obtained cards, a hacker can quickly and easily determine the way that each gift card number is created. Once this pattern is identified, there are usually only 4-5 unique digits that must be “cracked” to obtain a valid gift card number.
- Use “brute forcing” software to obtain the full number of the card, and check its value online – Here’s where things get interesting. Using a “brute force” tool known as “Burp Intruder”, Mr. Caput cycled through all 10,000 possible values of the last 4 digits of the gift card. As his program moved through these possible 4-digit combinations, it sent the gift card numbers to the online verification system of the restaurant in question.
When the online verification system sent back a valid response indicating that the gift card in question had a valid balance on it, he could then simply write down that number – and he was free to spend that card as he wanted.
In this way, hackers could drain the balance of a valid gift card – while remaining nearly completely untraceable.
- Sell gift cards/use them online, or use a magnetic stripe writer to create a physical card – After hackers have obtained legitimate, valid gift card numbers, they could easily sell the information online, according to Mr. Caput, or make online purchases with these cards.
Mr. Caput even went a step further – using a $120 magnetic card writing device he bought on Amazon, he wrote a gift card number to a blank card – and by checking its balance at one of the targeted stores, he found out that it was completely valid. Most stores accepted these blank cards without any questions.
The hack is that simple – and that dangerous. If companies fail to take proper action to protect themselves, they can be at serious risk of being defrauded by untraceable hackers. So how can businesses protect themselves against this scam?
How Businesses Can Protect Themselves Against Hacks
Thankfully, this hack is fairly easy to prevent with the right security steps. However, without Mr. Caput discovering this vulnerability, dozens of companies would have remained in the dark about this new “brute force” hacking method.
Here are just a few of the ways that businesses that sell gift cards can protect themselves against these hacks.
- Partner with reputable card vendors – When partnering with a gift card vendor, it’s absolutely critical to ensure that they follow security best practices to issue gift cards with randomized, hard-to-crack digit sequences.
Will Caput only had to brute force 10,000 possible combinations – which took around 10 minutes. A gift card that has 7 randomized digits would require 10,000 minutes to crack – three orders of magnitude higher than the 4-digit sequence.
By simply ensuring that cards are issued with a harder-to-detect pattern and a randomized sequence of digits, retailers and restaurants can dramatically increase the time it takes to brute-force their gift cards.
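As an added illustration (not code from the article, and not any gift card vendor’s own scheme), the Python below puts the issuance pattern Caput found next to a randomized alternative, and turns the article’s figures (10,000 queries in about 10 minutes) into an expected time-to-hit. The `6006` prefix, the six-digit counter width, the hardened scheme’s 12 random digits, and the live-card counts used in the demo are all assumptions made for the example.

```python
import secrets
import string


def random_digits(n):
    """n decimal digits from the OS CSPRNG (`secrets`), never the `random` module."""
    return "".join(secrets.choice(string.digits) for _ in range(n))


def issue_weak(prefix, counter, random_part=4):
    """The pattern the article describes: a fixed prefix, a counter that steps by
    one for each card printed, and only four random digits at the end.
    (Prefix and counter width are assumed for this example.)"""
    return f"{prefix}{counter:06d}{random_digits(random_part)}"


def issue_random(prefix, random_part=12):
    """Hardened scheme (an assumption, not the article's vendor): everything after
    the prefix is random, so there is no counter to anchor an enumeration."""
    return prefix + random_digits(random_part)


def guesses_per_live_card(random_part, live_cards_in_space):
    """Approximate number of balance queries needed to land on one live card when
    `live_cards_in_space` valid cards share a random keyspace of 10**random_part.
    With the weak scheme the counter is known, so each 10**4 block holds one card."""
    return 10 ** random_part / live_cards_in_space


def minutes_to_hit(random_part, live_cards_in_space, queries_per_minute=1000):
    """Wall-clock estimate at the rate the article reports: ~10,000 queries in 10 minutes."""
    return guesses_per_live_card(random_part, live_cards_in_space) / queries_per_minute


if __name__ == "__main__":
    # Two consecutive weak cards differ only in their trailing digits.
    print(issue_weak("6006", 1), issue_weak("6006", 2))
    print(issue_random("6006"))
    # The article's own figures: 4 random digits -> 10 min, 7 -> 10,000 min.
    print(minutes_to_hit(4, 1), minutes_to_hit(7, 1))
    # Assumed population of 10 million live cards behind 12 random digits.
    print(minutes_to_hit(12, 10_000_000))
```

The estimate generalizes the article’s arithmetic: what matters is the size of the random keyspace divided by the number of live cards that share it, so a vendor with millions of cards in circulation needs many more than seven random digits, and randomized numbering complements, rather than replaces, throttling the balance-check service.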
- Control and secure gift cards – Again, this is a very important step. Unactivated gift cards may not have a value, but leaving them in an easily-accessible location is a huge security risk.
If you’re seriously concerned about your security, you can consider using a locked display case. However, it’s usually good enough to keep gift cards near or behind the checkout counter – this way, your employees will be able to notice suspicious activity, and prevent individuals from taking large numbers of unactivated gift cards.
Of course, customers can still purchase multiple valid gift cards – but if your gift cards are suitably complex, they’ll be unable to “crack” the digit sequence without purchasing hundreds of cards – so this is not typically an issue.
- Lock down online verification services – One of the keys to this hack is a hacker’s ability to query online card verification services repeatedly. Mr. Caput issued 10,000 requests in only 10 minutes – and the card verification service didn’t identify this as an odd behavior.
Easy access to an online card verification service is critical for this hack. Making it inconvenient for hackers to verify balances on gift card numbers is a great way to increase your security.
Adding security and anti-bot features like reCAPTCHA is a good way to prevent these brute force attacks on gift cards. Alternatively, you can require a valid email address for each verification – and restrict customers to 1-10 verification queries a day. This is plenty for the average consumer – but will block hackers who are attempting brute force attacks.
Some companies have eliminated online verification altogether, switching to a phone-based system that cannot be brute-forced as easily. Any combination of these steps will help your business guard against brute force hacks.
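To show what the quota and throttling advice looks like in practice, here is an added Python example (not code from the article) that replays constructed balance-check log lines through a guard enforcing a per-source daily quota of 10 queries and a short-window limit on distinct card numbers, and records why a source was denied. The log format, field names, source identifiers, card numbers and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a balance-check endpoint (not from the article);
# the format and field names are assumptions. One shopper checks the same card
# twice; one source walks the last four digits of a fixed prefix, the pattern the
# article describes.
SAMPLE_LOG = [
    "2017-09-01T12:00:01Z src=shopper@example.com card=6006000001773 result=ok",
    "2017-09-01T12:05:40Z src=shopper@example.com card=6006000001773 result=ok",
] + [
    f"2017-09-01T12:10:{i:02d}Z src=203.0.113.7 card=600600000{i:04d} "
    f"result={'ok' if i == 17 else 'invalid'}"
    for i in range(30)
]

LINE_RE = re.compile(r"^(\S+) src=(\S+) card=(\d+) result=(\w+)$")


def parse_line(line):
    """Parse one log line into (timestamp, source, card number, result)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def shared_prefix_len(cards):
    """Length of the leading digit string common to every card number given."""
    n = 0
    for chars in zip(*list(cards)):
        if len(set(chars)) != 1:
            break
        n += 1
    return n


class BalanceCheckGuard:
    """Per-source daily quota plus a short-window enumeration detector.

    Re-checking one card is allowed; a source that queries many distinct card
    numbers in a short window, or exceeds its daily quota, is denied and the
    first reason is recorded in `flagged`.
    """

    def __init__(self, daily_quota=10, window=timedelta(minutes=10),
                 distinct_card_limit=5):
        self.daily_quota = daily_quota
        self.window = window
        self.distinct_card_limit = distinct_card_limit
        self.daily = defaultdict(int)      # (source, date) -> queries today
        self.recent = defaultdict(deque)   # source -> deque of (ts, card)
        self.flagged = {}                  # source -> first denial reason

    def check(self, ts, src, card):
        """Return 'allow' or 'deny' for one query and update the counters."""
        day_key = (src, ts.date())
        self.daily[day_key] += 1
        if self.daily[day_key] > self.daily_quota:
            self.flagged.setdefault(src, "daily quota exceeded")
            return "deny"

        q = self.recent[src]
        q.append((ts, card))
        while q and ts - q[0][0] > self.window:   # drop entries outside the window
            q.popleft()
        distinct = {c for _, c in q}
        if len(distinct) > self.distinct_card_limit:
            fixed = shared_prefix_len(distinct)
            self.flagged.setdefault(
                src,
                f"{len(distinct)} distinct cards in {self.window}, "
                f"sharing a {fixed}-digit prefix",
            )
            return "deny"
        return "allow"


def analyze(lines):
    """Replay log lines through the guard; return allowed counts per source and flags."""
    guard = BalanceCheckGuard()
    allowed = defaultdict(int)
    for line in lines:
        ts, src, card, _result = parse_line(line)
        if guard.check(ts, src, card) == "allow":
            allowed[src] += 1
    return dict(allowed), guard.flagged


if __name__ == "__main__":
    allowed, flagged = analyze(SAMPLE_LOG)
    print("allowed queries per source:", allowed)
    for src, reason in flagged.items():
        print(f"flagged {src}: {reason}")
```

The shared-prefix length in the denial reason is the useful signal for an analyst: a burst of distinct card numbers that agree on everything but their last few digits is exactly the enumeration the article describes, and it looks nothing like a shopper checking a balance.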
- Use cards with scratch-away covers – This is an important step for your in-store security. Your gift card numbers should be covered up by scratch-away covers. Without this security feature, hackers don’t even have to buy or steal cards – they can simply grab some, find a corner of your store, and snap pictures of them or write their numbers down.
Scratch-away covers won’t stop determined hackers from stealing your card information – but they offer you better overall security. In addition, if employees discover large volumes of cards that have been scratched off, this may be a sign that you’re about to be targeted by a hack.
By following these simple tips, businesses can protect themselves from this new style of brute force hack. According to security firm Flashpoint, this kind of gift card hack is far from new – security analysts said that activity surrounding stolen gift cards peaked in 2016 and 2017, and that individual hackers who used this technique managed to make hundreds of thousands of dollars.
Mostly, hackers would sell stolen gift cards online, using “dark web” marketplaces like AlphaBay, which was recently shut down by the FBI. And despite the shutdown of large black markets for stolen information, hackers are still using these brute force hacks to steal customer information, and defraud retailers.
So don’t let your business fall victim to this new scam. Thanks to the information gathered by Will Caput, and presented at his recent conference, retailers and restaurants can be empowered with the information they need to avoid this common hack – and mitigate brute force fraud. Check out the above security tips, and take the proper steps to secure your gift cards, and prevent fraudulent gift card usage!
Need To Sell Unwanted Gift Cards? Visit EJ Gift Cards Now!
Because so many gift cards are sold each year, it’s often hard to spend the balance on each card. This is a big problem for retailers, who must account for unspent gift cards as breakage. However, there is a solution that helps consumers get the gift cards they want – and ensures that retailers have more gift cards spent at their stores!
That solution is the third-party gift card marketplace! Easy-to-use online marketplaces like EJ Gift Cards allow consumers to sell gift cards online – and these gift cards are then sold to people who are looking for discounted gift cards!
When you sell gift cards on EJ Gift Cards, everybody wins! Curious to learn more? Check out our list of accepted cards, and our easy, step-by-step selling process. With secured payment through PayPal and a comprehensive customer support team, we make it easy to sell your unwanted gift cards online, and turn them into cold, hard cash. So get started today!