Advertisement Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailers ecommerce page, or even in person; Caputs written them to a blank plastic card with a 120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the cards balance, rather than spend any money from the cards belonging to actual victims.) Its a pretty anonymous attack, Caput says.Close Alert Close Hacking Retail Gift Cards Remains Scarily Easy Backchannel Business Culture Gear Ideas Science Security More Chevron Story Saved To revist this article, visit My Profile, then View saved stories.Close Alert Close Sign In Subscribe Search Search Backchannel Business Culture Gear Ideas Science Security Andy Greenber g Securit y 08.31.2017 07:00 AM Hacking Retail Gift Cards Remains Scarily Easy One security researcher reveals the secrets of simple gift card fraud.Facebook Twitter Email Save Story To revist this article, visit My Profile, then View saved stories.
Daniel AckerBloombergGetty Images Facebook Twitter Email Save Story To revist this article, visit My Profile, then View saved stories. In November of 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind. He decided to drive to the local branch of the restaurant in Chico, California. While there, still in the mindset of testing the restaurants security, he noticed a tray of unactivated gift cards sitting on the counter. ![]() While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. By the time he finished his burrito, he had a plan to defraud the system. The Gift Grift After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semipublic for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too. Youre basically stealing other peoples cash through these cards, says Caput, who now works as a researcher for the firm Evolve Security. ![]() Hack Credit Card Software Program Series Of GiftA series of gift cards Caput took from one retailer show how their numbers increment by one, making them predictable after a hacker bruteforces the four random final numbers. William Caput To pull off the trick, Caput says he has to obtain at least one of the target companys gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that dont.) Then he simply visits the web page that the store or restaurant uses for checking a cards value. Hack Credit Card Software Program Software Burp IntruderFrom there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the cards number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. If you can find just one of their gift cards or vouchers, you can bruteforce the website, he says. Advertisement Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailers ecommerce page, or even in person; Caputs written them to a blank plastic card with a 120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. Caput only asks the store or restaurant to check the cards balance, rather than spend any money from the cards belonging to actual victims.) Its a pretty anonymous attack, Caput says.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |