Gift cards' lousy security makes it easy for crooks to spend marks' money, researchers said Tuesday night.
During their presentation at the BSides conference in Las Vegas, William Caput and Sam Reinthaler used an $80 card reader and writer, and some tech savvy, to demonstrate just how easy it is for miscreants to get access to a victim's dosh. To make matters worse, a lot of retailers don't think there’s a problem.
“For about half of the card industry, which uses a single manufacturer, there was an ‘oh shit’ moment,” Caput told The Register. “The response from some was ignore it until you make the research public and then they change it.”
The vulnerabilities stem from just really stinky security. The vast majority of cards use a 16-digit card number, however, the first twelve digits are a strict arithmetical progression. Only the last four are randomized. In other words, you can work out other card numbers by incrementing or decrementing the non-random part, and correctly guessing the random digits to form a stranger's card number. You can use the Burp Intruder tool to generate valid card numbers by brute force, and then find out which of those have money in them.
Anyone can grab a handful of unloaded gift cards from stores, Caput explained, and then back-count the numbers to find valid cards with money on them, because people who have already taken the cards have probably loaded them up with cash. You can go online with a card number to check its balance.
The team used their MSR606 magnetic card reader-writer, bought on Amazon for $80 (£61), to reprogram blank cards with new numbers, effectively cloning valid cards so they can be used to buy stuff.
The dynamic duo spent two years gathering their research and have held off on revealing it until the security holes were fixed. Now many retailers have added security measures, such as four or five-digit PINs or a CAPTCHA system to kill brute force attacks.
The majority of cards are now safe, we're told, because a single manufacturer that makes nearly half of the cards in circulation has added protections, thus securing a huge swathe of them. Still, that leaves plenty of plastic vulnerable. For example, one cinema chain, and a casino player club card, still haven’t taken action, we're told.
The credit card companies are wise to this game of cloning, Caput said. But gift card companies aren’t so smart. He opined that the lack of action was down to companies being willing to write off a certain amount of fraud as the cost of doing business. That’s cold comfort for folks ending up having to jump through hoops to get their money back. ®