Target, Starbucks Suffer Mobile Gift Card Security Hole
Written by Evan Schuman

In a rush to make mobile gift card rollouts as convenient and low-cost as possible, some major chains—including Target and Starbucks—have overlooked security holes that allow any shopper to use the dollars loaded into other shoppers’ gift cards.
The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), is the result of the cards publicly displaying enough information for someone to create a copy that can trick the POS’s barcode scan. In short, Target is putting the account numbers (PAN) into the cards’ barcodes. Indeed, the barcodes contain little else.
“You never use the PAN on the handset. Never, never,” said an official with the security company that discovered the hole.
During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen and interfering with accurate reads.
The rollouts were accelerated with the goal of making the phone applications simple—for consumers to use, for stores to support and for chains to deploy—and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.
But the main issue is not merely that the cards and their numbers are so prominently displayed (although that is definitely an issue). It is that the card number—and only the card number—is represented by the barcode. No PIN or other verification is requested when trying to use the card to make purchases, even though such information is demanded by Target’s mobile app. Indeed, Target’s card uses an adhesive strip to hide the card number and the access code. But again, the lack of that information doesn’t prevent a purchase. The card number represented by the visible image is all that is needed for transaction approval.
Editor’s Note:
The security problems with the mobile apps are not that different from those experienced with the initial gift cards (the physical magstripe version) and then experienced again when those cards were initially offered and supported on the Web. As IT-consultant-wannabe Yogi Berra would have said, as retail turns to mobile, “it’s déjà vu all over again.”
Analysts expressed surprise at the lack of security surrounding the gift cards. But they expect such matters to be resolved quickly as the mobile space matures.
“This notion of the stored value card being able to convert to a barcode is a snag. Retailers need to figure out an additional layer of authentication,” said Forrester Research VP Sucharita Mulpuru. “We don’t even know what we don’t know. This is one of the many lessons that people are going to have to learn the hard way.”
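The weakness the article describes (a barcode that carries only the PAN, which the POS accepts with no further check) beside the kind of “additional layer of authentication” Mulpuru calls for, as an added example that is not from the article or from any retailer’s system. The PAN, per-card secret, balance and the HMAC time-window token scheme are all constructed for this illustration; a real issuer would design its own token format.

```python
import hashlib
import hmac

WINDOW_SECONDS = 60  # lifetime of one dynamic barcode (constructed value)

def fresh_cards():
    """Constructed sample issuer records: made-up PAN, per-card secret and balance."""
    return {"6011000000000001": {"secret": b"card-secret-set-at-activation", "balance": 25.00}}

# --- Weak design the article describes: the barcode encodes the PAN and nothing else. ---
def static_barcode(pan):
    return pan

def redeem_static(cards, payload, amount):
    """POS-side check: any payload naming an existing PAN spends the balance, every time."""
    card = cards.get(payload)
    if card is None or card["balance"] < amount:
        return False
    card["balance"] -= amount
    return True

# --- Hardened design (an assumption for this example, not any retailer's scheme). ---
def card_alias(pan):
    """Opaque reference shown in the barcode instead of the PAN itself."""
    return hashlib.sha256(pan.encode()).hexdigest()[:12]

def dynamic_barcode(pan, secret, now):
    """Handset side: alias plus an HMAC over PAN and time window, so a copied barcode expires."""
    window = int(now) // WINDOW_SECONDS
    mac = hmac.new(secret, f"{pan}:{window}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{card_alias(pan)}:{mac}"

def redeem_dynamic(cards, payload, amount, now, seen):
    """POS/issuer side: recompute the HMAC for the current window and reject replays."""
    try:
        alias, mac = payload.split(":")
    except ValueError:
        return False  # a bare PAN, or any other shape, is not a valid token
    for pan, card in cards.items():
        if card_alias(pan) != alias:
            continue
        window = int(now) // WINDOW_SECONDS
        expected = hmac.new(card["secret"], f"{pan}:{window}".encode(), hashlib.sha256).hexdigest()[:16]
        if payload in seen or not hmac.compare_digest(mac, expected):
            return False
        if card["balance"] < amount:
            return False
        seen.add(payload)  # one redemption per token
        card["balance"] -= amount
        return True
    return False
```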
May 13th, 2010 at 1:54 pm
How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.
It seems to me that all of the folks in this article are exaggerating the point to gain attention for themselves.
I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back) then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.
Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.
May 13th, 2010 at 2:23 pm
Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.
May 19th, 2010 at 11:19 am
Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.