To most people, un-activated gift cards hanging on a rack in a store are worthless. But to hackers, those cards are just cash waiting to be stolen.

Gift cards have weaker security measures than debit or credit cards, cyber researcher William Caput tells Wired. The weak security features create a vulnerability, which makes the gift cards valuable to someone who knows how to exploit the security hole. With a little bit of hacking and craftsmanship, a fraudster can spend the money on someone's card before they do.

Caput tells Wired, in an article about his research, that gift cards are mass-produced with sets of card numbers that follow a simple pattern: the first 10 numbers are identical, the eleventh and twelfth numbers count up from 01 to 99, and the last four digits are random. Caput first discovered this vulnerability, an easy-to-follow pattern, two years ago when he was hired as a white hat hacker to penetration test a large restaurant chain.

With the numerical pattern, Caput says a hacker can check how much money is on specific cards by visiting the restaurant's or store's website. Caput says a hacker will need software that enters each sequential combination to cover all 10,000 possibilities for the last four card numbers, but with it the hacker can cycle through card numbers and see how much money is on the cards that are activated.

Hackers can use the gift cards online or print fraudulent gift cards themselves by taking blank plastic cards and writing magnetized strips onto them with a machine sold on Amazon.com, Caput says.

"You're basically stealing other people's cash through these cards," Caput tells Wired. "You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them."

Caput warned retailers about the security vulnerabilities. Many companies heeded his advice and added security features to their sites to prevent hackers from testing thousands of card numbers. But he says these changes still don't prevent someone from taking photos of un-activated card numbers at the store and waiting until someone activates them so they can steal the money.

According to a report released this year by security firm Flashpoint, the number of criminals targeting gift cards has been trending up for the last two years. A vendor selling stolen gift cards on dark web marketplace AlphaBay made over $400,000 in sales in eight months, Flashpoint analyst Liv Rowley tells Wired. The vendor was selling cards from stores like Whole Foods and OfficeMax.

Although many retailers already fixed the vulnerabilities, Caput told Wired that a "disturbing fraction" of retailers are still open to hacking. The fix, fortunately, is easy. Caput says retailers shouldn't leave un-activated cards out in the aisles and they should add tests to their e-commerce sites to prevent hacking software from checking thousands of card numbers for value. Caput also says retailers could add scratch-away covers to cards and require a PIN to use the card.
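One way a retailer could implement the kind of site-side test Caput recommends, as an added example that is not from the article or from Caput's research: flag any client that checks balances for many distinct cards sharing the same 12-digit prefix within a short window. The 16-digit layout follows the article's description; the log format, window, threshold, and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

PREFIX_LEN = 12       # per the article: 10 fixed digits + 2-digit counter
CARD_LEN = 16         # prefix + 4 random digits
WINDOW_SECONDS = 600  # assumption: 10-minute sliding window
MAX_DISTINCT = 5      # assumption: distinct cards one customer plausibly checks


def find_enumeration(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
    """Return {(client, prefix)} pairs that checked more than `limit`
    distinct cards under one prefix within `window` seconds.

    events: time-ordered iterable of (epoch_seconds, client, card_number).
    """
    recent = defaultdict(list)  # (client, prefix) -> [(ts, card), ...]
    flagged = set()
    for ts, client, card in events:
        digits = "".join(ch for ch in card if ch.isdigit())
        if len(digits) != CARD_LEN:
            continue  # malformed input is not a card lookup
        key = (client, digits[:PREFIX_LEN])
        # Drop lookups that have aged out of the window, then record this one.
        hits = [(t, c) for t, c in recent[key] if ts - t <= window]
        hits.append((ts, digits))
        recent[key] = hits
        if len({c for _, c in hits}) > limit:
            flagged.add(key)
    return flagged


def sample_events():
    """Constructed balance-check log entries (not real card numbers)."""
    base = "6001234567" + "07"  # constructed 12-digit prefix
    # One client walking consecutive suffixes, one lookup per second.
    burst = [(1000 + i, "203.0.113.5", f"{base}{i:04d}") for i in range(8)]
    # A customer re-checking the same card a few times.
    repeat = [(1000 + i, "198.51.100.9", base + "4821") for i in range(3)]
    # Six different cards, but 20 minutes apart: outside the window.
    slow = [(2000 + 1200 * i, "192.0.2.44", f"{base}{9000 + i}") for i in range(6)]
    return sorted(burst + repeat + slow)


if __name__ == "__main__":
    for client, prefix in sorted(find_enumeration(sample_events())):
        print(f"possible enumeration: client={client} prefix={prefix}")
```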

Published on: Sep 1, 2017