Target, Starbucks Suffer Mobile Gift Card Security Hole
Gartner Security Analyst Avivah Litan expressed similar thoughts. “This can shake up the whole mobile app world. The mobile [gift card] is totally vulnerable and PIN should be added,” Litan said. “Security is always an afterthought. It’s never baked into the new applications.”
Asked why, Litan said that IT security professionals are often seen by senior management and product execs as “naysayers. They stand in the way of everything. [Senior execs] are focused on customer acquisition and revenue, driving new products to market. The security people are basically seen as a pain in the neck.”
Editor’s Note:
Quite a few chains use similar approaches to gift card security, so Target and Starbucks are certainly not alone. In the Starbucks case, the problem is that its cards, which are displayed on racks for customers to browse, carry the card number in plain view. With that number, a thief can use any of several free Web sites to convert it into a barcode, and that barcode is all the scanner looks for.
The thief merely waits for the card to be purchased and funded by another customer and then presents that barcode to the cashier. To make things look right, the image can be placed within a screen capture of the mobile app. But as long as the barcode scans, the transaction will be approved.
At Target, the process is almost as simple but requires an additional step. Instead of grabbing the number, the trick at Target is to take a picture of an online barcode, which needs to be decoded and then encoded into the kind of barcode its system expects. When we tested it Wednesday (May 12), the decoding and encoding process took about two minutes at a pair of free Web sites. (Note: During our successful attempt at recreating the gift card bug, we purchased the card we were trying to recreate to avoid doing anything illegal.)
Ironically, the Target mobile app gives the appearance of being especially secure. Beyond the adhesive strip and the access number (along with Seq and Event numbers), the app requires a PIN and a phone number. It stresses to the user that Target does not keep the PIN in a readable form, so if the PIN is lost the card is toast, at least as far as the mobile app is concerned (getting the cash value from the store is another matter).
But again, none of that data is required to complete a transaction. Target apparently uses only the first four sections of the barcode (along with error correction), and that is all that is necessary to complete a transaction.
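The two designs the Editor's Note contrasts, as an added illustration that is not code from the article or from either chain: in the first, the scanned payload is nothing but the printed card number, so anyone who can read the number can produce an accepted barcode; in the second, the barcode carries a short-lived code derived from a per-card secret that only the authenticated app holds, which is one concrete form of the "PIN should be added" fix Litan calls for. The card numbers, balances, secrets, window length and the HMAC-based scheme are all assumptions made for this example; neither Target's nor Starbucks' actual barcode format is known from the page.

```python
import hashlib
import hmac

# Constructed sample data for this example only (not real card numbers
# or any chain's database). In the hardened design the per-card secret is
# provisioned to the phone after the user authenticates with the PIN and is
# never printed on the card or rendered into the barcode.
CARDS = {
    "6006491234567890": {"balance": 25.00, "secret": b"per-card-secret-0001"},
    "6006499876543210": {"balance": 0.00, "secret": b"per-card-secret-0002"},
}


# --- Vulnerable design: the scanned payload is the printed card number. ---

def static_payload(card_number: str) -> str:
    """What a free 'number to barcode' site produces: the number, nothing else."""
    return card_number


def pos_accepts_static(payload: str) -> bool:
    """Redemption check that keys only on the scanned number."""
    card = CARDS.get(payload)
    return card is not None and card["balance"] > 0


# --- Hardened design: the barcode carries a short-lived HMAC-derived code. ---

WINDOW_SECONDS = 30   # how long one displayed barcode stays valid (assumed)
CODE_DIGITS = 8       # digits appended to the card number (assumed)


def _window_code(card_number: str, secret: bytes, counter: int) -> str:
    """Code for one time window: truncated HMAC-SHA256 over number and window."""
    msg = f"{card_number}:{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS
    return str(value).zfill(CODE_DIGITS)


def dynamic_payload(card_number: str, secret: bytes, now: int) -> str:
    """Payload the app would render: card number plus the current window's code."""
    return card_number + _window_code(card_number, secret, now // WINDOW_SECONDS)


def pos_accepts_dynamic(payload: str, now: int, skew: int = 1) -> bool:
    """Server-side check: recompute the code for the current window, allowing
    `skew` windows either side for clock drift, and compare in constant time."""
    if len(payload) <= CODE_DIGITS or not payload.isdigit():
        return False
    card_number, code = payload[:-CODE_DIGITS], payload[-CODE_DIGITS:]
    card = CARDS.get(card_number)
    if card is None or card["balance"] <= 0:
        return False
    counter = now // WINDOW_SECONDS
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(_window_code(card_number, card["secret"], c), code):
            return True
    return False


if __name__ == "__main__":
    number = "6006491234567890"
    now = 1_000_000  # fixed clock so the demo is reproducible

    # Static scheme: the printed number alone is enough to spend the balance.
    print("static, number only:", pos_accepts_static(static_payload(number)))

    # Dynamic scheme: the same number alone is rejected...
    print("dynamic, number only:", pos_accepts_dynamic(static_payload(number), now))
    # ...while the app, holding the secret, produces an accepted payload.
    token = dynamic_payload(number, CARDS[number]["secret"], now)
    print("dynamic, app token:", pos_accepts_dynamic(token, now))
    # A token photographed from the screen stops working once the window passes.
    print("dynamic, stale token:", pos_accepts_dynamic(token, now + 5 * WINDOW_SECONDS))
```

The card number still appears in the dynamic payload, but only as a lookup key; what authorizes the spend is the code, which cannot be produced from anything visible on the rack. The residual risk is replay of a token captured from a phone screen within its window, which is why the window is kept short and the check is done server-side where the balance can be debited once per token.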
Note: We reached out to both Starbucks and Target, at several levels, seeking comment for this story. As of deadline, representatives of neither chain had commented. Also, a senior executive of the security firm that initially discovered the hole said he had sent letters to senior executives of both chains several weeks ago alerting them to the problem. Neither responded to the security firm.
May 13th, 2010 at 1:54 pm
How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.
It seems to me that all of the folks in this article are exaggerating the point to gain attention for themselves.
I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back), then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.
Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.
May 13th, 2010 at 2:23 pm
Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.
May 19th, 2010 at 11:19 am
Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.