Target, Starbucks Suffer Mobile Gift Card Security Hole
Written by Evan Schuman

In a rush to make mobile gift card rollouts as convenient and low-cost as possible, some major chains—including Target and Starbucks—have overlooked security holes that allow any shopper to use the dollars loaded into other shoppers’ gift cards.
The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), is the result of the cards publicly displaying enough information for someone to create a copy that can trick the POS’s barcode scan. In short, Target is putting the account numbers (PAN) into the cards’ barcodes. Indeed, the barcodes contain little else.
“You never use the PAN on the handset. Never, never,” said an official with the security company that discovered the hole.
During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen and interfering with accurate reads.
The rollouts were accelerated with the goal of making the phone applications simple—for consumers to use, for stores to support and for chains to deploy—and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.
But the main issue is not merely that the cards and their numbers are so prominently displayed (although that is definitely an issue). It is that the card number—and only the card number—is represented by the barcode. No PIN or other verification is requested when trying to use the card to make purchases, even though such information is demanded by Target’s mobile app. Indeed, Target’s card uses an adhesive strip to hide the card number and the access code. But again, the lack of that information doesn’t prevent a purchase. The card number represented by the visible image is all that is needed for transaction approval.
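To make the design flaw concrete, here is an added illustration (not Target’s or Starbucks’ code, and not part of the original article) of three redemption flows on a hypothetical issuer back end: the barcode-equals-PAN flow the article describes, a flow that also demands the access code hidden under the adhesive strip, and a flow in which the handset never carries the PAN at all but a short-lived, single-use token. Card numbers, access codes, balances and the salt are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample issuer records (made-up card number and access code).
# Access codes are stored as salted PBKDF2 hashes so a database leak does
# not hand out the second factor along with the card numbers.
_SALT = b"example-salt-not-for-production"


def _hash_code(code: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), _SALT, 50_000).hex()


CARDS = {
    "6006490000000000001": {"balance_cents": 5000, "code_hash": _hash_code("5823")},
}

# Issued mobile tokens: token -> (card number, expiry time in seconds).
TOKENS = {}
TOKEN_TTL_SECONDS = 120


def decode_barcode(barcode: str) -> str:
    """The weak design from the article: the barcode payload is the PAN and nothing else."""
    return barcode.strip()


def _debit(card: dict, amount_cents: int) -> bool:
    if card["balance_cents"] < amount_cents:
        return False
    card["balance_cents"] -= amount_cents
    return True


def authorize_pan_only(barcode: str, amount_cents: int) -> bool:
    """Flow the article describes: whoever presents the digits can spend the balance."""
    card = CARDS.get(decode_barcode(barcode))
    return card is not None and _debit(card, amount_cents)


def _code_matches(card: dict, access_code: str) -> bool:
    # Constant-time comparison of the stored hash against the presented code.
    return hmac.compare_digest(card["code_hash"], _hash_code(access_code))


def authorize_with_code(barcode: str, access_code: str, amount_cents: int) -> bool:
    """Additional layer: the POS must also collect the access code under the strip."""
    card = CARDS.get(decode_barcode(barcode))
    if card is None or not _code_matches(card, access_code):
        return False
    return _debit(card, amount_cents)


def issue_mobile_token(pan: str, access_code: str, now: float):
    """Handset proves the access code once to the issuer and receives a
    short-lived token; the on-screen barcode carries the token, never the PAN."""
    card = CARDS.get(pan)
    if card is None or not _code_matches(card, access_code):
        return None
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (pan, now + TOKEN_TTL_SECONDS)
    return token


def authorize_token(token: str, amount_cents: int, now: float) -> bool:
    """Redeem a token exactly once; a copied or expired barcode is worthless."""
    entry = TOKENS.pop(token, None)  # single use: remove on first presentation
    if entry is None:
        return False
    pan, expiry = entry
    if now > expiry:
        return False
    return _debit(CARDS[pan], amount_cents)


if __name__ == "__main__":
    pan = "6006490000000000001"
    print("PAN only:", authorize_pan_only(pan, 1000))
    print("wrong code:", authorize_with_code(pan, "0000", 1000))
    tok = issue_mobile_token(pan, "5823", now=0.0)
    print("token first use:", authorize_token(tok, 1000, now=1.0))
    print("token replay:", authorize_token(tok, 1000, now=2.0))
```

The token flow is the one the security official’s remark points at: the phone only ever displays a value that is bound to one redemption window, so a photographed or screenshotted barcode stops working after first use or expiry, and the PAN stays off the handset and out of the scanner’s payload.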
Editor’s Note:
The security problems with the mobile apps are not that different from those experienced with the initial gift cards (the physical magstripe version) and then experienced again when those cards were initially offered and supported on the Web. As IT-consultant-wannabe Yogi Berra would have said, as retail turns to mobile, “it’s déjà vu all over again.”
Analysts expressed surprise at the lack of security surrounding the gift cards. But they expect such matters to be resolved quickly as the mobile space matures.
“This notion of the stored value card being able to convert to a barcode is a snag. Retailers need to figure out an additional layer of authentication,” said Forrester Research VP Sucharita Mulpuru. “We don’t even know what we don’t know. This is one of the many lessons that people are going to have to learn the hard way.”