Gift cards, according to researcher Will Caput, remain woefully easy to hack – if someone knows the right method.
And the right method isn’t hard.
Caput realized this when studying a collection of retail gift cards from one store and saw that while the last four digits on each card are apparently random, the rest are not. Usually they are in fact almost identical from card to card – with a single digit incrementing on each successive card.
Hacking a card, Caput noted, is as easy as figuring out whatever the pattern is, visiting the web page that the store or restaurant provides to check card value, and using bruteforce software to capture the remaining four numbers (it takes about 10 minutes to cycle through all 10,000 possible combinations of those last four digits).
By repeating the process while incrementing the other, predictable digits, an attacker can get the site to confirm exactly which cards hold how much value.
“If you can find just one of their gift cards or vouchers, you can bruteforce the website,” he says.
Once forced, the cards can be used online, or even printed onto a physical card (with an inexpensive mag stripe printer from Amazon) and used in a store without issue.
“It’s a pretty anonymous attack,” Caput says. “I can go in, order food and walk out. The person’s card says it has $50 on it, and then it’s gone.”
Caput did note that he only has the store check the card balance to confirm that the method works; he has not actually made a habit of draining other people’s accounts. He does, however, make restaurants and retailers aware of what he has found, and has gotten some response. Trader Joe’s, Macy’s and Taco Bell have all responded by either taking down their gift card value-checking web pages or by adding CAPTCHAs to them, designed to prevent automated programs from bruteforcing gift card numbers.
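CAPTCHAs stop naive scripting, but the pattern Caput describes is also easy to spot on the server side: one client working through card numbers that differ only in their trailing digits and mostly hitting cards that do not exist. The following is an added example of that detection logic, written for this article and not taken from Caput’s research or from any retailer’s code. The log format, the field names (`card=`, `result=`), the thresholds and the sample log lines are all constructed assumptions for the demonstration.

```python
"""Detect gift-card balance enumeration in balance-check access logs.

Added example; not code from the article or from Will Caput's research.
The log format, field names and thresholds are assumptions chosen for
this demonstration, and the sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: client IP, ISO timestamp, card number queried, result.
# 203.0.113.7 walks sequential card numbers; 198.51.100.4 re-checks one card.
SAMPLE_LOG = """\
203.0.113.7 2023-05-01T12:00:00 card=6006491234567800 result=invalid
203.0.113.7 2023-05-01T12:00:01 card=6006491234567801 result=invalid
203.0.113.7 2023-05-01T12:00:01 card=6006491234567802 result=invalid
203.0.113.7 2023-05-01T12:00:02 card=6006491234567803 result=valid
203.0.113.7 2023-05-01T12:00:02 card=6006491234567804 result=invalid
203.0.113.7 2023-05-01T12:00:03 card=6006491234567805 result=invalid
198.51.100.4 2023-05-01T12:05:10 card=6006498877665544 result=valid
198.51.100.4 2023-05-01T12:09:30 card=6006498877665544 result=valid
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) card=(?P<card>\d+) result=(?P<result>valid|invalid)$"
)


def parse_log(text):
    """Parse balance-check log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.fromisoformat(m["ts"]),
            "card": m["card"],
            "result": m["result"],
        })
    return events


def common_prefix_len(cards):
    """Number of leading digits shared by every card number in `cards`.

    For equal-length digit strings the common prefix of the whole set equals
    the common prefix of the lexicographically smallest and largest members.
    """
    if not cards:
        return 0
    first, last = min(cards), max(cards)
    n = 0
    for a, b in zip(first, last):
        if a != b:
            break
        n += 1
    return n


def detect_enumeration(events, window=timedelta(minutes=10), max_checks=20,
                       max_invalid_ratio=0.5, min_shared_prefix=12):
    """Flag clients whose balance checks look like card-number enumeration.

    Three signals are evaluated over a sliding time window per client:
      - "volume":     more than `max_checks` lookups inside `window`
      - "failures":   most lookups (above `max_invalid_ratio`) hit cards that
                      do not exist; real customers rarely mistype repeatedly
      - "sequential": three or more distinct card numbers sharing at least
                      `min_shared_prefix` leading digits, i.e. only the
                      trailing digits are being varied
    Returns {ip: sorted list of reasons} for flagged clients only.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            reasons = []
            if len(win) > max_checks:
                reasons.append("volume")
            invalid = sum(1 for e in win if e["result"] == "invalid")
            if len(win) >= 3 and invalid / len(win) > max_invalid_ratio:
                reasons.append("failures")
            cards = {e["card"] for e in win}
            if len(cards) >= 3 and common_prefix_len(cards) >= min_shared_prefix:
                reasons.append("sequential")
            if reasons:
                flagged.setdefault(ip, set()).update(reasons)
    return {ip: sorted(r) for ip, r in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the constructed sample the sequential client is flagged for both the failure ratio and the shared-prefix shape even though its six requests stay well under the volume threshold; this is the point of combining signals, since a patient attacker can stay below any single rate limit while still producing the tell-tale run of near-identical, mostly invalid card numbers. The thresholds are starting values to tune against real traffic, and a flagged client is a candidate for throttling or a CAPTCHA challenge rather than an automatic block.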