### Hacking Gift Cards

To better understand how it is possible to hack gift cards, we’ll demonstrate weaknesses with gift cards, balance checking, and how hackers can enumerate gift cards even without knowing the card holder. It is important to explain that the technique can be applied to any gift card that’s not using a CAPTCHA or a pin, for any kind of commercial activity they are intended (i.e. Retailer stores, shops, restaurants)

In this example, we analyzed a lot of gift cards used by a prominent restaurant. The cards were not purchased, so they were not loaded or activated, this implies that they come with no balance.

Figure 1 – Gift cards used in the test

We look for the generation sequence of the card numbers by analyzing the number reported on the cards discovering the pattern.

The above card reported the following numbers

6088 5124 5565 1064

6088 5124 5566 2489

6088 5124 5567 1652

6088 5124 5568 7415

6088 5124 5570 6523

6088 5124 5572 1163

Looking at the numbers above, you can determine the possible valid numbers by recognizing the pattern. The cards all have the same numbers for the first 10 digits. The 11th and 12th digits are counting up to 100 (and if they continue this pattern, once they hit 100 the 10th digit will change to the next number and the 11th and 12th digits will start again at 00). The cards have apparently random digits in the 13th – 16th positions.

The number of requests necessary to find a valid card is so equal to 10^4 = 10,000 because 4 are the digit used in the generation process.

We know the gift cards start from a specific number, so they restricted the space of analysis to the numbers related to earlier cards in the stack that were most likely sold to a customer.

Once we discover the pattern, we use the online card balance checker, in the case of the restaurant by visiting the restaurant online and look for “check gift card balance” on it.

In order to analyze every single request, we use Burp Proxy tool.

Below the request to the card balance checker that was intercepted for one of the gift cards:

Host: order.xxxxxxx.com
User-Agent: Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{“giftCardNumber”:”6088 5124 5570 6523“}

Figure 2: HTTP Request

In the following case the gift card has no balance.

{“ErrorMessage”:”Error with Giftcard GetBalance (6088512455706523) FD Status: OK – Txn Status: 09″,”ErrorMessageExtended”:””,”FriendlyErrorMessage”:””,”InfoMessage”: null,”Status”:3,”StatusCode”:0,”Card”:
{“AvailableBalance”:0,”CardNumber”:”XXXXXXXXXXXX6523″,”History”:[]}}

Figure 3: HTTP Response

We attempt to discover the response for invalid or inactive cards by try entering a random card number.

Host: order.xxxxxxxxx.com
User-Agent: Mozilla/5.0(iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{“giftCardNumber”:”6088 5124 5570 2222“}

Figure 4 – HTTP Request

We identify different responses depending on the card status (i.e. invalid or inexistence, and account balance equal to zero).

At this point the last step is trying possible combinations for gift card numbers with the Burp Intruder Tool.

Figure 5 – Burp Tool invalid gift card numbers

In some cases, restaurants allow users to use the gift cards by knowing only the number even without the card they were printed on. But the most common method is to clone the card.

This can be accomplished by using a magnetic strip writer like the one below.

Figure 6 – Magnetic strip writer

The attacker needs to take an empty card and write the data of a legitimate one on it. Swiping a blank store gift card will populate the data fields on the card (see below).  Changing the first field with a valid number is all that is needed to complete the attack.

Figure 7– Magnetic strip writer track info

Gift cards are an easy target for cyber criminals, the enumeration of the card numbers is simplistic and the absence of authentication systems makes theft of balances a prime target for thieves.

A few suggestions to protect gift cards:

• Implement a CAPTCHA on your gift card balance checking site
• Use gift cards that implement authentication mechanisms using an additional PIN, and never store the gift card PINs with the gift card numbers.
• It is important to protect gift cards when they are at the store, avoiding theft, keep them in the safe and do not expose them in area publicly accessible.
• It is a good practice to limit online balance look-ups to several per hour, maximum from a single IP address.

On the customer side, it is important to avoid buying gift cards from untrusted sources.

Gift card fraud is a lucrative business for criminal organizations that cause every year significant loss to the retailers and potential damages to the company reputation.

Let me close with a list of suggestions to avoid gift card scams:

• Don’t buy gift cards from online auction sites, buy gift cards directly from the store issuing the gift card or from a secure retailer’s website.
• Don’t buy gift cards off of publicly displayed racks in retail stores.
• Ask the store cashier to scan the gift card in front of you, in this way you can buy only valid card. Check also that the balance is exactly the one you charged it with.
• Carefully examine both the front and back of a gift card before you buy it. Be aware of gift card that could have been tampered with.
• Register the gift card at the store’s website if the store allows it, this will allow to early discover any misuse.

References