This is page 3 of:
Target, Starbucks Suffer Mobile Gift Card Security Hole
Thus far, all these details are the programming/engineering aspects behind the flaws. The social engineering part of the process is even easier.
At Starbucks, the thief only needs to capture the displayed number of the card. That could be done by taking pictures or by writing the numbers down or memorizing them. But in most Starbucks, that would be difficult to do without being detected. That fact might limit a thief to only doing one or two cards at a time, or it might simply require more creativity.
A thief could pretend to be talking on the phone—a very common occurrence at a Starbucks—but instead have the voice memo feature activated so she is being recorded. The thief then improvises a conversation, working in the numbers as she talks. If no one is eavesdropping too closely, it might not sound that unusual. “So did you see what 4552628 was wearing last night? When I saw 4789092, I thought he’d faint. By the way, I need to catch the 8329900 home tonight, so I have more than an hour to kill.”
Although the idea of discreetly taking pictures of Target gift cards might sound daunting, it’s actually quite easy. The cards are housed throughout the store. If a thief is too shy to do his Candid Camera impression at the end of a checkout lane, there are plenty of quieter places in the aisles where the gift cards are touted, often out of the view of security cameras.
And if a thief is especially nervous, she can quickly pocket 40 or 50 cards and go to the restroom, where a smartphone can be used to carefully photograph the cards before they are replaced. The thief would have to note which cards are in front and therefore likely to be purchased—and filled with stealable money—sooner.
The other social engineering part is determining when the gift cards are filled with money. The Target access codes do make that information difficult to learn from the Web site, but it’s not a concern for thieves. They can either watch the cards from within the store—perhaps even overhearing the amounts stored on a card—or simply roll the dice with statistics. They know that popular cards—in a busy store—will likely move within a couple of days and that that is especially true for the first several in a stack. Thieves also know that such cards often sit unused for weeks after being purchased, so they can make reasonably good guesses as to when to try to cash in.
Conveniently, the iPhone makes such matters easier. The bogus barcodes are saved as images on the phone–images designed to resemble the app’s screen. The iPhone allows for the photo display to instantly move to the next image at the flick of a fingertip. This capability means that if a thief is told there’s no money on a particular card, he can react with surprise and indignation. “What?” he says, and then pulls the phone back to click on the image, when he’s actually moving to the next photo. That photo is identical to the first image, except that it has a different barcode. He then asks to rescan the image and, lo and behold, it now comes up with $250.
Another help for this scam is stores that instruct associates to never touch or hold customers’ smartphones, for fear that they’ll drop or otherwise damage the device and make the store liable. Of course, the biggest help is that associates generally do not examine such screens closely at all, nor would they generally know what to look for. Store associates will likely ignore prices, dates, locations and other elements that do not match, in much the same way as these details are ignored by the barcode scan.
By the way, in theory, the image doesn’t even have to appear on the phone itself. A printout of the barcode taped onto the phone’s screen would also work, although the risk of getting caught would be much higher.
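On the store side, the “What? Rescan it” routine described above leaves a trace in register logs: a zero-balance lookup followed seconds later, at the same terminal, by a successful lookup on a different card number. The following is an added example, not code from the article or from either retailer; the log format, field names and card numbers are constructed assumptions.

```python
"""Flag the 'rescan with a different card' pattern in gift-card lookup logs.

Added example (not from the original article). Log format, terminal ids and
card numbers are constructed; the pattern is the one the article describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, terminal, card number, balance returned
SAMPLE_LOG = """\
2010-05-13T10:02:11 T07 GC0001 25.00
2010-05-13T10:05:40 T07 GC0002 0.00
2010-05-13T10:05:58 T07 GC0003 0.00
2010-05-13T10:06:15 T07 GC0004 250.00
2010-05-13T10:09:02 T03 GC0005 0.00
2010-05-13T10:30:30 T03 GC0006 50.00
"""

WINDOW = timedelta(seconds=60)  # assumed: how long a "rescan" dispute lasts


def parse_log(text):
    """Parse one lookup record per line into (timestamp, terminal, card, balance)."""
    rows = []
    for line in text.splitlines():
        ts, term, card, bal = line.split()
        rows.append((datetime.fromisoformat(ts), term, card, float(bal)))
    return rows


def flag_rescans(rows, window=WINDOW):
    """Return (terminal, time of the successful lookup, cards involved) for every
    successful lookup preceded, within `window` at the same terminal, by at
    least one zero-balance lookup on a *different* card number."""
    by_term = defaultdict(list)
    for ts, term, card, bal in sorted(rows):
        by_term[term].append((ts, card, bal))
    alerts = []
    for term, scans in by_term.items():
        for i, (ts, card, bal) in enumerate(scans):
            if bal <= 0:
                continue  # only a lookup that found money closes the pattern
            recent = [s for s in scans[:i] if ts - s[0] <= window]
            zero_cards = {c for _, c, b in recent if b <= 0 and c != card}
            if zero_cards:
                alerts.append((term, ts, sorted(zero_cards | {card})))
    return alerts


def scan_sample():
    return flag_rescans(parse_log(SAMPLE_LOG))
```

A single customer who genuinely presents two cards will also trip this rule, so it is a review trigger for the store, not a decline decision.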
How can gift cards be made more secure? Several ways.
May 13th, 2010 at 1:54 pm
How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.
It seems to me that all of the folks in this article are exaggerating the point to gain attention for themselves.
I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back), then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.
Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.
May 13th, 2010 at 2:23 pm
Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.
May 19th, 2010 at 11:19 am
Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.