Truth 22 That gift card might be worthless
In recent years, gift cards have become the ultimate gift. The people you’re buying for get what they want, and you don’t have to work too hard at picking out the right gift. Unfortunately, in 2006 and 2007, people in the U.S. started running into a form of theft in which legitimate gift cards purchased in legitimate stores ended up with a zero balance, even though the purchaser had done nothing wrong.
While the person receiving the card was not a victim of having any personal information stolen, the identification of the gift card was being impersonated. What made this more interesting is that this attack was taking place often days before the card was ever purchased.
The original attack is actually quite simple. A thief goes into the store carrying a notepad and a pen. He walks up to the gift card section and grabs a handful of gift cards. As he walks around the store looking as if he is shopping, he nonchalantly writes the gift card numbers on a notepad. The number is generally located on the back of the card just under the printed bar code. Once the thief has written the number down for all the cards, he returns to the wall and hangs the cards back up. The thief then leaves the store without spending a dime.
Most gift cards also contain an available funds verification phone number. This number is provided to allow the owner of the card to call in and get the current balance of the gift card. Beginning that day, the thief starts calling the toll-free number and, when prompted to enter the card number he wants to verify, he submits the numbers he wrote down on his notepad. As he enters each card, the automated attendant responds back that there are no funds available, as expected.
Now, when you activate a card that you plan to give as a gift, the funds suddenly became available. When the thief calls in and supplies the number for that card, instead of having a balance of $0, it now has a balance equal to your generosity. The thief immediately goes online, makes a purchase, submits that gift card number, and has the merchandise shipped to a drop house. By the time you give that gift card to someone else, there is nothing left.
Since the pin is protected until you reveal the security pin, this guarantees your safety. So you think.
When this scheme first started being reported, corporations realized they needed to do something to protect consumers from these types of attacks. In response, they added an additional security pin to the gift card. The security pin is covered with either a solid sticker or the same silver scratch-off stuff that you might find on a lottery ticket. The idea is that you cannot verify the funds available on the card without submitting both the card number and the security pin. In addition, when attempting to make purchases via the Internet, you are required to submit both the card number and the security pin. Since the pin is protected until you reveal the security pin, this guarantees your safety. So you think.
Unfortunately, that’s not exactly true either. The first problem is that most people don’t know about the security pin. In fact, when I have spoken to people during tests of this attack, the majority had no idea that the pin was even there or that they should never buy a gift card if the security pin has already been exposed. The other problem is that, even if the security pin has never been exposed, that doesn’t mean that the gift card number can’t be stolen.
I started this attack by purchasing a hand-held barcode scanner for about $75. Then I went to the grocery store, which offered dozens of different gift cards. For this particular attack, I decided I would test one specific store, Home Depot, though this attack would work on about 95% of the gift cards offered on the market today. I took every card for my test store off the rack and placed them in the top of my shopping cart. As I walked through the store seemingly shopping, I used the hand-held barcode reader to scan the barcode on each of the gift cards. When I was done, I rehung all the gift cards except for one. I purchased that card and left the store. I then went to the store and used the gift card, leaving a balance of $0 on the card. When the cashier went to take the card, I asked for it back, explaining that my son liked to play with them. The clerk gave me the empty card.
The next day, I went back to the store and scanned all the cards again. This time there were three cards missing, meaning they had been purchased. When I dumped the data at home, I was quickly able to pick out the three gift card numbers that were missing from the day before.
Now, if I were a true criminal, I would have continued my attack by using one of those three numbers. However, I am not a real bad guy, so instead, I went back to the store and purchased a second gift card.
With a razor blade, I carefully scraped the barcode and number from the used gift card I purchased a day or two earlier. I then used a printer designed to print on plastic cards to place the number from my second card onto the first card. Again, if I were a criminal, I would have printed the barcode and number for one of the cards that I knew was purchased by someone else. Now with my old card that had my newly printed barcode and number, I headed back to Home Depot. I grabbed a couple items I needed and paid using my newly printed gift card. Sure enough, the card worked like a charm, and the cashier never questioned it.
Now, some of you might be thinking to yourself, “What about that security pin?” It turns out that the security pin is only needed when you make purchases online or you use the self-checkout lines. If you check out with a live cashier, the security pin is not required, so just like that, a criminal has emptied your newly purchased gift card.
While most of the time I have security tips and suggestions on how you can protect yourself from the types of attacks I outline, in this case the real solution needs to come from the corporations making these gift cards. The real solution will come when the gift cards are properly packaged to hide the bar code as well as the security pin. Then the cashier should be required to peal off whatever has concealed the information during the time of purchase.
In the meantime, my best advice is to only purchase gift cards that have been kept behind the counter and away from places where people can easily record the numbers.