Are Your Business's Gift Cards Vulnerable to Hackers?

If businesses weren’t focused on improving their network security prior to last week’s bombshell disclosure from Equifax, they certainly are now. There’s a good chance, though, that many businesses aren’t even aware of a potentially massive vulnerability in their network: the plastic gift cards that they keep on display in their brick-and-mortar stores.

It’s easy to forget that gift cards as we know them are a fairly novel concept. Despite holding dominion over retail kiosks, grocery store check-out lines, and holiday shopping lists for years, gift cards are a newer invention than the world wide web.

It’s not surprising, then, that each passing year sees changes to the ways that gift cards are offered and redeemed. What is rather surprising, however, is that despite having come so far technologically, the infrastructure surrounding gift card sales and redemption, from brick-and-mortar displays to merchant websites, remains so vulnerable to fraud and theft.

It was that surprising realization that first led William Caput, a California-based technical adviser and network security expert, to research gift card hacking. While assessing the vulnerability of a restaurant chain’s website in 2015, Caput discovered that a combination of factors made gift cards an easy target for hackers. It didn’t take long for Caput’s warnings to retailers to be backed by evidence: a recent report from security firm Flashpoint found that gift card fraud is big business on the dark web, with one user racking up $400,000 in sales in under a year.

In recent months, Caput has been interviewed by numerous publications about his research (including in this excellent piece from Wired) and recently presented his findings at the ToorCon hacker conference in San Diego.

We spoke to William about his research and the steps that businesses of all sizes should take to minimize the risk of gift card hacking.

The good news? With just a few adjustments, businesses can make it much more difficult for hackers to steal gift card balances.

The bad news? Many retailers are still susceptible to the methods Caput warned businesses about in 2015.

---

The Problem:

Many businesses leave unactivated gift cards in areas where customers can pick them up and look at them. In theory, this is a perfectly acceptable and even beneficial practice; since the cards don’t hold any monetary value until they’re activated, it makes sense to let customers acquaint themselves with your business’s branded currency while they shop.

In practice, however, displaying unactivated gift cards could give hackers the only information they need to help themselves to an unlimited supply of your merchandise. Many businesses that offer gift cards also allow customers to check the balance of their gift cards on the company website.

​A hacker could pick up a pile of gift cards in-store, record the numbers on the back of the gift cards, and determine which numbers in the sequence are generated randomly and which change predictably from card to card. Caput, for example, found that the restaurant chain he was auditing issued gift cards whose first 8 digits increased by one from card to card and whose last 4 digits appeared to be randomly generated. With only 4 numbers left to chance, Caput found he was able to use a bruteforcing software to determine the card number and load value of any gift card from the chain in around 10 minutes. ​

---

The Solution(s):

When we asked Caput, fresh off of his presentation titled ‘Cash in the aisles: How gift cards are easily exploited’, what steps businesses can take to prevent gift card hacking, his response was pleasantly straightforward: “Don’t leave unactivated gift cards out and implement a CAPTCHA on the page where customers check their gift card balance”.

Yet even a weak CAPTCHA isn’t enough to deter hackers with Caput’s drive and know-how; Caput found that several retailer websites utilize a CAPTCHA that can be removed simply by disabling Javascript, rendering them just as susceptible to an attack. Likewise, companies that have implemented a four-digit pin number neglect to understand that the ease of determining 4 randomly generated numbers was what hackers found appealing about gift cards in the first place.

One of the most alarming pieces of Caput’s saga is also one that presents the easiest fix for retailers; as if it wasn’t bad enough that Caput was able to obtain all the information necessary to steal gift card loads online, with the purchase of a $120 magnetic strip writing tool, Caput was able to load those stolen funds onto a physical card and redeem them at the point of sale.

As a law-abiding security researcher, Caput only checked the balances of these cards in-store, but he was met by no objections from employees. It’s essential that businesses train their employees to recognize the difference between a branded gift card and a homemade one, or else hackers may soon be able to eat for free at the restaurant of their choice.

---

Key Takeaways:

​The weaknesses that Caput’s research identified all have at least two things in common: they can easily be prevented, and they don’t immediately hurt the merchant’s bottom line.

“It’s just laziness,” Caput told us, remarking that the gulf in security between most payment methods and gift cards is dramatic. And that’s referring to the biggest players; Caput says that smaller businesses’ gift card security “is much worse” because smaller brands’ cards often use a completely linear numbering system.

There can be no doubt that the fallout from a stolen gift card pales in comparison to the fallout from the exposure of 143 million Americans’ private data, but the Equifax breach serves as a valuable lesson to the many companies still not heeding Caput’s warnings: when preventable fraud occurs and customers are left hurting, consumers lose confidence in the companies and systems that burned them. If gift card sales are to keep booming for the foreseeable future, companies will have to take the necessary steps to ensure that America’s most requested gift doesn’t also become its most vulnerable product.

​If you have concerns about the security of your gift card program, we recommend you contact your gift card processor. If you would like to hear about the ways that nthCard protects our clients, we would be happy to hear from you.