Target, Starbucks Suffer Mobile Gift Card Security Hole

Written by Evan Schuman
May 13th, 2010

In a rush to make mobile gift card rollouts as convenient and low-cost as possible, some major chains—including Target and Starbucks—have overlooked security holes that allow any shopper to use the dollars loaded into other shoppers’ gift cards.

The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), is the result of the cards publicly displaying enough information for someone to create a copy that can trick the POS’s barcode scan. In short, Target is putting the account numbers (PAN) into the cards’ barcodes. Indeed, the barcodes contain little else.

“You never use the PAN on the handset. Never, never,” said an official with the security company that discovered the hole.

During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen and interfering with accurate reads.

The rollouts were accelerated with the goal of making the phone applications simple—for consumers to use, for stores to support and for chains to deploy—and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.

But the main issue is not merely that the cards and their numbers are so prominently displayed (although that is definitely an issue). It is that the card number—and only the card number—is represented by the barcode. No PIN or other verification is requested when trying to use the card to make purchases, even though such information is demanded by Target’s mobile app. Indeed, Target’s card uses an adhesive strip to hide the card number and the access code. But again, the lack of that information doesn’t prevent a purchase. The card number represented by the visible image is all that is needed for transaction approval.

Editor’s Note:

  • Page 1 of this Special Report covers The Overview And Impact of this security hole
  • Page 2 covers Technical Specs
  • Page 3 covers the Social Engineering Specs
  • Page 4 covers Ways To Fix The Hole

    The security problems with the mobile apps are not that different from those experienced with the initial gift cards (the physical magstripe version) and then experienced again when those cards were initially offered and supported on the Web. As IT-consultant-wannabe Yogi Bera would have said, as retail turns to mobile, “it’s déjà vu all over again.”

    Analysts expressed surprise at the lack of security surrounding the gift cards. But they expect such matters to be resolved quickly as the mobile space matures.

    “This notion of the stored value card being able to convert to a barcode is a snag. Retailers need to figure out an additional layer of authentication,” said Forrester Research VP Sucharita Mulpuru. “We don’t even know what we don’t know. This is one of the many lessons that people are going to have to learn the hard way.”

  • advertisement

    3 Comments | Read Target, Starbucks Suffer Mobile Gift Card Security Hole

    1. Mike Says:

      How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.

      It seems to me that all of the folks in this article are exagerating the point to gain attention for themselves.

      I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back)then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.

      Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.

    2. Evan Schuman Says:

      Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.

    3. Rocky Rosenberg Says:

      Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.