Monday, November 30, 2009

(Gift) Card Security

One of the most common holiday gifts -- especially for that cousin you see twice a year, or whoever you picked for this year's gift exchange -- is the gift card. It's quick, it's easy, and it even looks like you managed to put a little thought into it. However, there are some potential security issues with gift cards.

First, gift cards are pretty insecure, physically speaking. It is very easy to lose (or steal) a gift card. In order to protect themselves from these thefts, retailers require gift cards to be activated at the point of sale -- which means that someone has to pay for a gift card before it can be used. Unfortunately, this means that the damages from gift card loss always fall on the consumers, rather than on the retailers.

Starbucks has an interesting way to solve this problem. If you receive a Starbucks gift card, you have two choices -- you can just use the card as it is, or you can register it by opening an account at starbucks.com and entering the information on the back of the card. You can register several cards to your starbucks.com account -- and most importantly, you can move the balances around between them whenever you want. This means that if you lose a card that still has $15 on it, you can simply go to your starbucks.com account, move the balance to a different card, and go buy your Pumpkin Spice Latte without worrying.

Second, some gift cards can be "hacked" fairly easily. Most gift cards display account numbers on the back, which can be used to track the balance of the card, and sometimes to use the card at a retailer's online store. If these numbers are not randomized, a hacker can get one or two gift cards, and begin testing other account numbers in a similar range -- much like Jon Oberheide did with gift cards from Panera. Even though the site used a CAPTCHA to prevent this behavior, Oberheide maneuvered around the CAPTCHA because the Panera site used an insecure direct object reference. Because the URL contained the account number, Oberheide was able to write a script to check the balances of 50,000 cards.

This specific security breach is not particularly concerning for either Panera or the owners of the cards. Because Panera has no online store, there is no way that a hacker could use the card online to purchase things. For a store like Target or Old Navy, however, this breach would be an issue. A hacker could use this process to find an active card carrying a balance -- and then use that gift card account to go on an online shopping spree.
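From the retailer's side, this kind of range-walking shows up in the web server's access log as one client asking about many neighbouring account numbers. The following is an added example, not code from the original post or from any retailer: the log format, the /balance?card= URL layout, the card numbers and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log format: "<client-ip> GET /balance?card=<16 digits> <status>"
LINE_RE = re.compile(r"^(\S+) GET /balance\?card=(\d{16}) (\d{3})$")


def build_sample_log():
    """Constructed sample: one client walks a number range, two check their own cards."""
    lines = [f"198.51.100.7 GET /balance?card={9999000000001000 + i} 200"
             for i in range(40)]
    lines += ["203.0.113.20 GET /balance?card=9999000000731942 200"] * 3
    lines += ["203.0.113.55 GET /balance?card=9999000000118805 200",
              "203.0.113.55 GET /balance?card=9999000000954410 200"]
    return lines


def find_enumerators(lines, min_distinct=10, max_gap=5, min_adjacent=0.8):
    """Return (client, distinct_cards, near_sequential_ratio) for suspicious clients.

    A client is flagged when it queried at least min_distinct different card
    numbers and most of those numbers sit within max_gap of a neighbour,
    which is the signature of testing account numbers in a similar range.
    """
    cards_by_client = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line)
        if match:  # ignore lines that are not balance lookups
            cards_by_client[match.group(1)].add(int(match.group(2)))

    findings = []
    for client, cards in cards_by_client.items():
        if len(cards) < max(min_distinct, 2):  # need two numbers to measure a gap
            continue
        ordered = sorted(cards)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        adjacent = sum(gap <= max_gap for gap in gaps) / len(gaps)
        if adjacent >= min_adjacent:
            findings.append((client, len(cards), round(adjacent, 2)))
    return findings


if __name__ == "__main__":
    for client, distinct, adjacent in find_enumerators(build_sample_log()):
        print(f"{client}: {distinct} distinct cards, {adjacent:.0%} near-sequential")
```

Counting distinct card numbers per client, rather than raw requests, keeps a customer who refreshes the balance of one card from being flagged.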

Retailers have several ways to get around this. Some package their cards in such a way that it is impossible to see the account number without tampering with the packaging. Other cards include a scratch-off PIN, which must then be entered in order to use the card at an online store. Clerks are advised not to sell cards that have clearly been tampered with, whether that means an open package or a scratched-off PIN.
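The two server-side ideas in this post, randomized account numbers and a PIN that must accompany the number, can be sketched as follows. This is an added example, not any retailer's code: the CardStore class, the 8-digit PIN length and the lockout after five wrong PINs are assumptions (the lockout is not mentioned above, but without it a short PIN can simply be guessed).

```python
import hmac
import secrets

MAX_PIN_FAILURES = 5  # assumption: lock the card after this many wrong PINs


class CardStore:
    """In-memory stand-in for a retailer's card database (hypothetical)."""

    def __init__(self):
        self._cards = {}

    def issue(self, balance_cents):
        """Create a card whose number and PIN both come from a CSPRNG."""
        while True:
            # Random digits: owning one card reveals nothing about its neighbours.
            number = "".join(secrets.choice("0123456789") for _ in range(16))
            if number not in self._cards:
                break
        pin = f"{secrets.randbelow(10**8):08d}"
        # A production system would store a hash of the PIN, not the PIN itself.
        self._cards[number] = {"pin": pin, "balance": balance_cents, "failures": 0}
        return number, pin

    def balance(self, number, pin):
        """Return the balance in cents, or None for any failure.

        Unknown number, locked card and wrong PIN all give the same answer,
        so the lookup cannot be used to learn which numbers exist.
        """
        card = self._cards.get(number)
        if card is None or card["failures"] >= MAX_PIN_FAILURES:
            return None
        if not hmac.compare_digest(card["pin"].encode(), pin.encode()):
            card["failures"] += 1
            return None
        card["failures"] = 0
        return card["balance"]


if __name__ == "__main__":
    store = CardStore()
    number, pin = store.issue(1500)
    print(store.balance(number, pin))         # balance with the right PIN
    print(store.balance(number, pin + "x"))   # None: wrong PIN
```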

Gift cards are an easy gift, but they come with some security concerns. It's a good idea to be careful, and notice the security measures that the gift cards you buy come with.


4 comments:

  1. Interesting post! I have often wondered about the security of these cards and was surprised to see these new innovations to prevent theft and tampering. Because the cards only have a relatively small amount of money assigned to them, and the customer must pay upfront, it is surprising that the companies worry much about the cards' security.

    Though I have not seen any cases of this, what could cause a real security threat would be if a hacker could create his own gift cards by hacking the programs that add funds to cards. Like we have seen time and again, it is not hard to create phony cards. With a place like Walmart or Target, that has self checkouts, criminals could easily make purchases with blank cards with the magnet strips.

  2. I think that it is interesting to think about gift cards as a security threat. I agree with NYIrish74 in that you have to look at the money that goes onto gift cards. People are usually putting in between $20-$100. This is a relatively small amount to these companies, but the security threat is still there.

    I found it was more interesting to think about the online stores like Target and Wal-Mart. The threat to them is definitely more severe. It would be interesting to hear stories of people who would hack into stores using these cards. Since the cards don’t have a significant amount of money on them, hackers would have to use a lot of gift cards to have large gains. I think this might be a reason why we don’t hear about this as much.

  3. Another thing to consider is the growing industry of generic gift cards. American Express produces a gift card that is attached to an individual's name. This opens up the possibility of doing more damage with a gift card than could have been done in the past. Some would consider a generic gift card to be the most useful type of gift because the recipient of such a card could use it on whatever he or she needed to, but with those benefits the risks involved also increase greatly.

  4. If I recall correctly, in a news clip seen from class earlier in the semester, hackers tend to use fake credit card accounts to buy large amounts of gift cards with various values associated. The hacker is then easily able to sell or use the gift cards themselves with a fairly clean or absent trail left behind. I would think that this scheme should be the higher concern for the companies (not to mention the credit card companies having to pay for the gift cards). All in all, the gift card system has several vulnerabilities. Fake gift cards, stolen gift cards, faulty gift card accounts, and the aforementioned illegally purchased gift cards are just some of the obvious vulnerabilities taken advantage of by criminals every day.
