Researchers reveal hacks for prepaid gift cards| Gift Cards Convenient And Easy To Hack. Researchers reveal hacks for prepaid gift cards. Database Security. Gift Cards Convenient And Easy.
Gift card activation hack – today not all people know what it is. And if you know, then ask yourself the questions: Where can I buy a gift card activation hack?
Or How can I use it? We will clarify and tell you where to buy and how to use the gift card activation hack. What kind of gift cards are there? This is a gift card for the purchase of a particular product in a particular store. For example, in the store Gifts and souvenirs or in the store Childrens goods.
It is a map for getting impressions from a future trip, a romantic evening, an excursion, a visited master class or another event. Universal gift card. This card is a means of exchange for gifts-impressions, gift cards for shopping networks or electronic gift certificates. The proposed gift card activation hack is one of the cards listed above. Where can I buy a gift card activation hack? Know that today you do not need to waste time searching for gifts. Gift can be replaced by a gift card.
And no need to waste time searching for a gift card. Today the gift card activation hack can be ordered through the Internet. And the gift card will come to you as soon as possible and will become a pleasant gift. What does the gift card activation hack look like? In the photo above you can see the gift card activation hack.
Your future gift will look like this.
Why does every security lapse mentioned on /. Blamed on the victims? The victims here are the consumers - not the stores. The stores get money for all goods sold and they're happy - the only people who get screwed are the people who's gifts get stolen. No one's baming the consumers - they're blaming the stores for implementing idiotic policies and practices that benefit themselves at the cost of the consumer. If people had some sense of ethics this wouldn't be a problem.
And if my mother had wheels she'd be a wagon. That being said the has never been the case and (IMHO) will never be the case and people who deal and cash and goods need to be aware of this and deal appropriately. You can bet these stores watch THEIR money carefully once it gets in the cash register - but they don't seem to care at all about protecting their customer's money or interest once they get their's. It's like the store saying 'it's our policy to leave your money on the counter while you shop - but if some one take's it before we ring it up it's your problem not ours.'
Crime and criminals have been with us from the beginning and will be with us until the end. Most people are honest, but there will always be a small minority that aren't. There's not much point in wringing one's hands over this fact and whining about 'people not having some sense of ethics'. In this case the victims aren't the retailers, the potential victims are those who purchase the gift cards. Blaming the retailers for not taking adequate precautions against the theft of the funds in question isn't a case of 'blaming the victim' (the person buying the gift card who has every right to assume that the vendor takes reasonable security precautions).
It makes perfect sense to blame vendors who don't take adequate precautions to protect their customers from theft. Remember that the customer can be ripped off even if they keep the card secured in Fort Knox, in other words the customer can't do a damned thing (short of not buying the product) to protect the card, only the vendor. And also keep in mind that simple security measures are available that greatly increase the safety of the card, and the article points out a few retailers who implement such measures. Those who don't are fair game for criticism, IMO. Big deal - this is theft.
Why does it get featured on./? Because it involves something remotly technology related. Guess what - it's still stealing - this is no different than rummaging through an open cash register drawer. Although I'm probably alone in this opinion, I believe that hacking a gift card is not stealing, as nothing is taken out of the store. I am merely exagerating the value of the gift card, which isn't that bad considering how often corporations exagerate the value of their merchandise, thereby inflating inflating the prices to unreasonable numbers. Besides, the store will still receive the money that is used with the gift card.
Nobody is hurt. Let's hear you say that next time your girlfriend gives you a $50 gift card for your favorite electronics store, and when you go to use it, the store clerk tells you there's no balance left on the card. He also points to the small print on the card which says (as quoted from the article) 'We cannot be responsible for funds used without your knowledge.'
The hackers aren't just inflating the value of the card - they're re-encoding the card so that it represents a card that someone else bought. Sure, they're 'exaggerating the value of the gift card,' but by lowering the value of someone else's card.
Gift cards are basically a replacement for gift certificates. Whomever came up with them was probably trying to solve a problem with paper certs fraud.
The idea is you go to the store, ask for a card with N amount on it, pay, and you're given a card that can be used later. You give that card to the person you wish to.
When making a purchase with the card, the amount is deducted from the balance on the card. The gift cards double for the store as store credit. Return an item w/o a receipt? Get the amount of your refund on a gift card.
So there's no significant economic reason for that company to change their policies yet. Sure there is, its the internal economic justification of the manager in charge of the gift card program.
The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned. No one wants an easy-to-rip-off gift card system. It invites attack from other fraud artists (if this system is lax, then others likely are too), pisses off customers and ruins loyalty. The larger problem is that there's little financial incentive for stores to fix the problem generally (other than being seen as generally lax), since the losses aren't their own, they're someone else's, and even hijacked cards are money made for the store.
Most smart managers want to fix a problem before it bites them. The fact that the name of the company ain't in the news has little to do with the amount of internal heat people are facing. You can bet your ass that the MSNBC called a lot of the company's management asking 'Did you know how easy your gift cards are to rip off????' And the person in charge of the gift card program, who had probably touted its security previously, will be sitting in the boss' office on Jan 2 answering some hard questions.
At least that's how it'd work where I work. In this case, if the cost of closing the security hole is more than the estimated value of the loss of customer loyalty plus the value of any out of court settlements, then it won't get fixed. Isn't this the way it should work? Why spend money to fix a problem that virtually no one cares about? In the case of fight club it's completely different, because we're talking about the loss of lives, not the loss of money. In this case we're talking about whether or not to spend money to stop losing money. A simple greater than or less than approach seems perfectly reasonable.
In this case we're talking about whether or not to spend money to stop losing money. No, we're talking about spending money to prevent your customers from being robbed due to deficiencies in your product. For an obvious (to slashdotters) analog, compare the total number of damages in billions of dollars caused by security deficiencies in Microsoft products, to the amount of actual financial liability incurred by Microsoft itself. Suppose the company in question is Circuit City.
How many hundreds of thousands of customer dollars have to be stolen before the amount of dollars that the thefts cost Circuit City corporate warrants them doing something about it? As long as these risks are presented upfront, there shouldn't be any lawsuits involved in the first place. Well that's just the thing, isn't it? When are these risks ever present up front? With the lottery, they publish the odds of winning (in fine print, of course), but up until I saw this article I had no idea that buying a gift card represented any kind of a financial risk (other than the risk of physically losing the card, of course).
I suspect that most other people have no idea either, mainly due to companies having no incentive to publicize the risks involved with their products. ' Sure there is, its the internal economic justification of the manager in charge of the gift card program. The boss is likely to hear about this, and when (s)he does (s)he will either change the program or get canned.'
There's a quote in the MSNBC article from one of the anonymous company's executives that dismisses the risks addresses in the article. It appears that they don't care enough to fix the problem, even now that it's been highlighted. If they'd been explicitly named in the article, it wouldn't have been nearly as easy for them to shrug it off, and prudent consumers could avoid the company if it continued to engage in such risky behavior. If law enforcement is able to crack down on pawn shops dealing in stolen goods, then in one fell swoop they've cut most of the profitability out from under bike theft, car breakins, home invasions, baggage theft (at airports, etc).
Many police department have a dallaspolice.net that regularly checks for stolen goods, primarily those with serial numbers. There are many ways besides pawnshops to convert stolen goods: family, friends, neighbors, flee markets, black markets. There is a vast underground economy in stolen goods. It indicates that a high crime rate means there has to be a large number of otherwise honest people willing to break the law to get a good price on something. My neighborhood computer store sells RAM at half the advertised discount retail price. It's probably stolen but I don't know for sure. The owner is a nice guy who works long hours, makes a modest living and makes minor repairs on my computer for free so why would I want to report him to the cops?
He probably doesn't consider himself any more a criminal than the people he sells to. The owner is a nice guy who works long hours, makes a modest living and makes minor repairs on my computer for free so why would I want to report him to the cops? Because he's breaking the law? (Assuming that he is for the sake of argument) Your thesis seems to be that if he. is a nice guy,.
doesn't make a lot of money,. does nice things for you personally,.
doesn't see his actions as criminal that his criminal actions, and the effects they have on others, are excused. This whole issue came into perfect focus for me once as I was poking through the used CDs at a pawn shop one day.
A woman walked to the counter with a stack of 80s metal. She plunked 'em on the counter, got her cash from the owner who clearly knew her, and said 'Next time, I'll prob'ly get some country for you.' I left my stack of planned purchases and walked out. That stack of CDs was someone's collection, or part of it.
Think about that next time you buy something stolen: I wonder what the person who had this feels right now? Outraged that someone broke into their car or house? Sad that something they enjoyed is now gone?
Violated that another person thinks so little of them that the thief would just take something that isn't his? Aside from the ethical issues, there's also the pragmatic one: The machine you save may be your own. Your computer store owner gets his cheap memory from stolen machines. Who's to say that the next one won't be yours? The problem is the burden of proof. You (and the Pawn shop owner) has no way to prove that those CDs were stolen.
She might have been just cleaning out her attic and going through her and her brother's old CD collection and selling off the stuff she doesn't like anymore. Of course if you don't believe that you can always vote with your wallet and just walk out (as the original poster did), but it'd be pretty pointless to bring the police in. Also, Pawn shops serve a legitimate purpose as well, they give immediate cash for goods, which is necessary if your rent is due and you can't pay it (but have a nice stereo sitting in the corner), and your credit is so bad that you can't even get a credit card. Still, it would be nice if there were some sort of stolen goods reporting system that the pawn shop owners could check to avoid buying too much stolen merchandise (or at lest it would allow the cops to set up half way between the scene of the crime and the pawn shop and catch the crook trying to get cash before the goods are entered into the system).
I worked at Barnes and Noble for a while a couple Christmases ago, and here's how their gift card system worked: When you got the card, it was preauthorized with a certain amount of money in a certain account number, like any other debit card. The account number was on the magstrip of the card, was printed on the card, but was also printed on the gift receipt that came with the card. Now, all that was necessary to redeem the gift card was that number. But most people just tossed the second receipt.
Which meant that a quick swipe through the trash outside the store doors could probably yield a few hundred dollars worth of gift card credit as yet unredeemed. Even when we told people expressly not to do it, they still did. Wonder how many got burned. The account number was on the magstrip of the card, was printed on the card, but was also printed on the gift receipt that came with the card. Which is EXACTLY why several states, California foremost among them, have begun to implement consumer protection laws that require that the receipt NOT display the account number and/or the expiry date (depending on the state). I believe in the case of California, it goes into effect on Jan 1 2002. My company's ready.
I wonder how many other POS vendors aren't?:-) At any rate, it is the store's responsibility to comply, by using compliant POS software. Since it is easier to implement across the board than on a state by state basis, I presume that if a vendor has fixed it for CA, they will be prepared for the other states, too. Outside the US is not something I'm familiar with. Why, oh why, do we need a law to protect people from doing stupid things? I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think? A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully.
It's a real convenience to have this reference information on a receipt, and I imagine there's a good business case for having the gift card number on the receipt as well. Makes it easier to bring the card back and get it worked out if the magstrip goes bad, for example. What we need is a less paternalistic government to train people to be smarter and more responsible for themselves.
Oh, never mind, most people with a public school education have been trained not to think for so long now that any arguments are useless. OK, I give up. What we NEED is for these gift cards to be implanted in a chip in your wrist so you don't accidentally throw them away. That's the law we REALLY need.
Why, oh why, do we need a law to protect people from doing stupid things? You could argue the same point for any product-safety law. Why do we need a law that forbids companies from selling cars with defective brakes?
(and yes, the account-number-on-the-receipt is a defect: specifically, it's a security hole) I could see a law where the vendor had to inform you to protect the numbers, but not allow them to give you a slip of paper with the number on it? That's pretty paternal, don't you think? Seems like common sense to me. Common sense? Sorry, but I this 'law' is already becoming a pain in my arse as retailers begin to implement it. I have six credit cards which I am constantly using. When I go to enter my transactions into my account register (MS Money), the number on my receipt is often the ONLY way I can recall which card I charged something to.
Some retailers, luckily, are still printing the last four or five digits on the receipt, but with the others I now find myself having to write account info on my receipts just to keep my accounts straight. A lot of receipts have credit card numbers on them, too, which is why you should always dispose of receipts carefully. They shouldn't. Putting the card number on the recipt changes it from a simple record of a transaction (which may be used for budget management, expense reimbursement, or proof of an expense in an audit) to a securety risk that should be carefully destroyed as soon as possable.Suddenly, a simple slip of paper that should have no value to anyone but the purchaser becomes the target of theft.
![Hack Prepaid Visa Gift Card Hack Prepaid Visa Gift Card](http://italianchamber.us/wp-content/uploads/2018/11/philz-gift-card-awesome-hack-prepaid-visa-t-card-of-philz-gift-card.jpg)
The laws against putting the card number on a recipt are protecting you against the merchant's stupidity much in the way that DUI laws protect you from another motorist's stupidity. While we're at it, there are a few other numbers that should be protected. Credit card account numbers should be distinct from the credit card number. That way, my bill isn't worth stealing and I can write the account number on a payment check so that in the likely event that check and payment slip become seperated in handling, the payment may still be credited.
All bank accounts should have two distinct numbers. One that only allows deposits. That way I could write my account number on the back of a check (same reasons as above) without wondering who will see it when the check clears and is returned. For that matter, account number shouldn't be enough to remove money from an account in the first place. There's no inherent problem with identifying the account on the receipt. The problem is with a system where simple knowledge of the existance of the account is presumed to imply authorization to charge to it.
Unfortunately, it's this which is hopelessly broke. Ahh, but even when the full account number isn't sufficient to provide authorization, printing the full number on a receipt is still a security risk. A few years ago, ATM machines routinely printed full ATM card numbers on receipts. Many people toss these receipts at the nearest trash receptacle. Crooks would set up in, say, a shopping mall, where there was lots of traffic and a good vantage point. One person would watch people punch in their PINs, and another would swoop in and recover the discarded receipt.
After harvesting this info, a bunch of blank cards and a magstripe machine were all that was needed to suck accounts dry. Why, oh why, do we need a law to protect people from doing stupid things?' Because you're not only trying to 'protect people from doing stupid things', you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime. In addition, remrmber that your 'normal' street criminal doen't have access to gift card blanks or mag strip writers.
Usually, these low-level types are merely information collectors and end-product purchasers for a more organized high-level operation. It's 'penny ante' stuff like this that supports most organized crime in America. In the end, it's not only the 'people who do stupid things' or the stores that enable them that get protected (though they receive a large amount of the benefit), it's you and me. Now you can debate whether people need protection from criminals, but it is a debate you're likely to lose.
This sort of law also helps increase the use of this kind of financial instrument by increasing its security. This may actually improve the economy. And besides, I doubt that you're the one person in existance who has never done anything stupid. Maybe we all need protection from you:-).
Because you're not only trying to 'protect people from doing stupid things', you're also attempting to combat the criminals who take advantage of people who do stupid things. You may like to think that this is a dumb idea, but things that make crime harder also make it less likely that someone might turn to crime. That's one way of looking at it. Another is that it creates a lot of 'crime' by making stupid actions criminal. Now the criminals are not only the people trying to steal your stuff, but the stupid people leaving your info where it's not 100% safe. The police has to chase both groups. And pretty soon everyone is a criminal and at the mercy of the police.
Yeah,I get carried away. Why, oh why, do we need a law to protect people from doing stupid things? What we need is a less paternalistic government to train people to be smarter and more responsible for themselves. Isn't this the same government that runs this funny country where you can sue the hell out of the maker of your microwave oven if they didn't include a strip of paper saying it's unsuitable for drying pets, or where people sue the hell out of McDonalds for not adding a notice on the cups for their steaming hot coffee saying that the coffee is hot? Most places already do this. Looking through a bunch of receipts from christmas, Texaco, ShopRite (a PA-area food store), Kmart, Walmart, and Bed Bath & Beyond print the last 4 digits, Levi's Outlet at Franklin Mills Mall prints the whole number.
That's ok for me though, as I know how to protect myself. Dont trash the receipt at the store. At home, carefully cut up each digit individually using a pair of scissors, separate the piles into several seperate trash bins somewhere downtown, the more blocks apart the better. A lot of stores are like that.
I used to work for KMart back when their cards were intro'd, and it worked the exact same way. The plus for KMart is that (according to the article) is that there is a conf number in the stripe not found on the card and not given to the customer. The only loophole would be a card that had it's stripe damaged, as the clerk would have to punch in the card number printed on the front, nothing else. But this article talks about re-programming the the stripe on the card, which is made difficult by the conf code.
I have worked in retail for many years and stores do not pay as much attention to gift cards as they should because they have no real value. They are like coins at amusement parks, they are only good at the respective stores. To put more money into safeguarding them, would destroy the supposed cost effeciency of these cards. Another point to consider is the switch from paper gift certificates. I believe that this was a much safer way to do business, but stores needed to 'get with the times' and have a more electronic certificate.
I guess this is one of those instances where advanced technology does not benefit us more than we think. From Dictionary.com: escheat (s-cht) n.
Reversion of land held under feudal tenure to the manor in the absence of legal heirs or claimants. Reversion of property to the state in the absence of legal heirs or claimants. Property that has reverted to the state when no legal heirs or claimants exist. Gift Cards are not Gift Certificates, which are bound by escheating laws. (peruse if you want, a google google.com on 'gift certificates escheating') which means that to a retailer, gift cards are cheaper cuz they are not regulated.
Most retailers that do gift cards and gift certificates treat them both very similarly - aka have them electronically activated when purchased. The gift card allows the added bonus of havin them be stored value / re-chargable cards. The lack of escheating laws is also very good - less to report/ track to the government, less money lost to the government when the cards fail to be used. It holds the.potential. to be a problem- big deal.
They cited NO actual examples of theft other than the money laundering example, and there are many easier ways of laundering money if you use your imagination. There have been several local stories about people stealing money order machines, or printing MOs on their PCs. This stuff actually happens all the time, but a nice 'holiday piece' about gift cards without even anedotal 'evidence' that this is a widespread problem?
Gimme a break! There are no named sources to the story, the internet site they reference is not given, and they only list retailers viewed as less problematic (and give us a nice caveat to explain why). Not only is the problem a 'scenario'- the news story itself is a scenario. Boring journalism. Might as well be an op-ed piece.
I'm more concerned about issues such as identity theft, etc. At least your gift card leaves no personal identification about you. What bothered me most about the article was the mention that gift cards are selling on eBay for 75 cents on the dollar.
They said they hadn't verified any of the current auctions as being fraudulent (how would they have gone about doing this, anyway?) but the article implied that every gift card on eBay is probably illegit. Gimme a break! I can't count the number of times I've been sent gift certificates to stores that don't exist here, or to stores I have no interest in visiting. Not every retailer will let you shop on their website, and some of the ones who do won't let you redeem gift certificates online.
In cases like this, you wind up with a nice (and maybe expensive) gift that you can't use. The obvious solution is to sell it - cheaper than it would cost to buy at the store, of course, or else what's the point - to someone who does have a store in their area. Who'd have thought that there might actually be unwanted/unusable gifts for sale on eBay a few days after Christmas? Apparently not MSNBC. What are the odds of something like this actually hapening? How many thieves are there out there with the technical know how to pull this off, compared to the public at large?
Most places I know of keep the gift cards at least out of sight, but if they were to keep them out in the open, well that would be sort of stupid, given the scenario. Heck, I even wonder about the telphone cards, which I never use. I would have to go to a store to look at one to see if they have visible numbers on them. Around here, the gift cards are just sitting by the register back by the candy (Meijer's and Walmart both did this). They were easy to get, even easier to swipe because they were just glued to the back of a bigger card.
To swipe one, one would just have to drop a bunch of cards, and then while bent over, peel the card off the bigger card. Also, I don't know about Walmart, but Meijer's were all precharged. The UPC's on the bigger card were even all the same (probably something like 41250., I used to work at Meijer and all Meijer Branded stuff including the gift cards start with the same 5 numbers.). Thing is most stores don't have the storage or available UPC's to give each card a separate UPC code (only way they could keep the cards as they have them and keep them deactivated until they are scanned). The only way I think they could make these things more safe is if you had to do what you used to do and go to Guest Services and buy the card and have the guest services folks charge a denomination on them by swiping the card. Most of the cards I have seen as of late all had how much money each card held printed right on the card!
This was at every place I have been this season including even some of the nicer stores! Meijer did not even have cashier's type in a code or anything to activate them. They just swiped it and the appropriate figure was added to the total along with your groceries. This may have changed, but I agree with the article that it is easy. I doubt many would even have to have the card programmers to steal lots of cash. I don't know about Meijer's, but at my K-Mart (and, as far as I know, at Wal-Mart) you have to put money on the card when you buy it.
Until then, it's simply empty. I scan the card, enter the amount, slide it through my credit card reader, then blammo, that card has money on it (or at least it does after the customer pays)-but not before. Someone could come along and take all the cards we had on the shelf-but none of them would be worth anything. It's the same for the long distance phone cards that hang along the impulse buying lanes-they have to be swiped through the register to activate them. But even so, when I was checking out at a Wal-Mart a few months back, buying a $10 gift card because of their gas pump system that gave you a cheaper rate if you bought with a gift card, the checker said they'd had to move all their gift cards to one single island, because people kept stealing them. Yes, she said, they were valueless until they were activated, but people seemed to keep stealing them anyway. Go figure, eh?
Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged? Sure some yokels would write the number on the card and get it lifted or lose it, but the same could happen to cash. Requiring extra information not available on the card would be ideal and would make the type of counterfeiting described in the article very difficult, as long as there was no simple way of resetting PINs.
It wouldn't prevent inside jobs or people laundering stolen credit cards, but those types will always be hard to stop. Why not just assign a PIN number, stored in the store computer, not on the card, when the card is bought and charged? That's a flawed suggestion. Gift cards are, typically, gifts. When I buy one at Borders it's not for me, it's for a cousin. And when my Uncle sends me 40 bucks in Best Buy Legal Tender, there's no frickin way I'm going to remember the arbitrary 4-digit number he chose 4 months ago as I'm trying to purchase an extra nintendo controller. Gift cards aren't like debit cards.
Nobody wants to put that much effort into them, especially the retailer and least of all the customer. An easy way out would be to put two account numbers with every card Do you realize how difficult this would be to implement? We're not talking about a cottage industry here, we're talking about dozens of companys for processing, dozens for the POS systems used, hundreds of actual merchants.
Sure, if we were redesigning our financial infrastructure from scratch I would be all in favor of cards with NO real account on the face, smart chips, and encrypted PINs for ALL transactions. But it ain't gonna happen this decade. This had occurred to me some time ago when i saw the ramping-up of these things. I think it kinda started with best buy and spread from there. Now every major retailer has them. One previous respondent had said something to the effect of, '.this is just like digging in a cash drawer.' This isn't just any kind of theft.
It's the ultimate kind! A better imperfect analogy would be: '.the store leaves $20, $50, and $100 dollar bills hanging from displays at the counter.' If you walk into a store with the intention of stealing, what's the best thing to steal?
Small, high-cost items. And these items, while never as good as cash, are virtually untraceable if you use the common sense method described in the article. Also, i'm sure you'd be hassled by security if they noticed you jotting gift card numbers in your daytimer, but you don't technically have to shoplift to do this.
The shrink numbers on these things must be fantastic! Remember what we did before all these plastic cards and shit came out? That's right.we went to the bank and took out pieces of paper with numbers printed on them and the words: this note is legal tender printed across the bottom.and we got along just fine. Wanna give someone an impersonal gift because you can't think of what to give them or can't be bothered shopping.put a couple of these pieces of paper in an envelope and give it to them! Need to send it through the mail? Write cheque or get a money order!
I don't even like using my ATM card for purchases.I prefer withdrawing the cash and paying with that and nothing pisses me off more than having some dingbat in line in fromt of me trying card after card and none of them seem to work (especially the express lane at the grocery store, which is supposed to be cash only!). I especially love it when once in a while I encounter a merchant that's flirting with the idea of no longer accepting cash payments.
'Uh, what part of this note is legal tender don't you understand? No.those pre-loaded 'gift cards' are a sucky idea that needs to go away. (I guess they're great if you're the merchant and it's your 'policy' not to give out the balance left over on the card in cash.). By way of boda fides, I work for a POS (point of sale) vendor that just happens to support the processing of said gift / stored value cards. As a result I have had to become very familiar with the mechanics of the whole thing. So, a few comments:.
Despite what MSNBC would tell you, Debit cards are not protected from theft by a lack of visible account number. Rather they are protected by encrypted PIN. Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one:-).
The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number. Anyone with a card writer WOULD know how to do that, trust me. Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards. Be aware that most gift card processors allow for the process of 'cashing out' the card. Provided the store allows, there's no reason that there would be unclaimed cash left on the card. Of course, those merchants that do NOT allow cash-out are the ones to be concerned with. Slow news day, plain and simple.
Some corrections: Despite what MSNBC would tell you, you can buy card writing equipment without going to the black market. They are perfectly legal. They just cost BIG bucks, and that's why most people don't have one:-) They're not that expensive. You can get one on e-Bay for around $300. And if you think that's a lot of money, consider how widespread magstripes are and how convenient it would be to be able to copy them.
I have some buddies who routinely 'back up' the contents of their credit card magstripes. Over time the data on the stripes degrades, so they periodically rewrite it to keep it fresh. I work for a company that uses magstripe-based ID badges to get into the doors, and I have a bad habit of losing my badge. Gift cards are just the tip of the iceberg, and many of the potential uses of this equipment are very legitimate. The theft method described to lift account numbers is no different than what is done with credit cards, except in the case of the latter you have to work harder to get a valid account number.
Anyone with a card writer WOULD know how to do that, trust me. There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards. Credit cards are a far greater risk because they are unrestricted in where they may be used, unlike gift cards. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50.
That isn't as much protection as it might seem, though, because gift cards don't often have more than $50 in them anyway. Be aware that most gift card processors allow for the process of 'cashing out' the card. Some do, most don't. The reason is that many stores that sell gift cards use exactly the same technology for provided card-based in-store credits. When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and 'returning' to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Plus, merchants and other issuers of cash cards.do. make a nice profit off of unused value, which is called 'breakage'.
This is actually important to the feasibility of card-based solutions. Remember that the retailer has to buy equipment, software, cards, train their employees, audit the systems, track the liability pool, etc., all of which costs money. They can probably make this money back in increased sales, but that's hard to verify, while it's easy to show that the breakage value for the last year has exceeded the system cost. Corrections to corrections::-) Card writers are not that expensive.
You can get one on e-Bay for around $300. Well, that's handy to know if the one we use in the lab conks out:-) There is a value encoded on the magnetic stripe of credit cards called the CVV (card verification value) that is generated cryptographically, plus additional cardholder information that is not printed on the face of the card. In order to encode a valid credit card magnetic stripe you either need to read the stripe off the card you're copying or you need access to the production systems used to create the cards. Track 1 of the card contains the carholder name, and the CVV2 information is not on the card but part of the back-end processing at the network side of the things. There is obscured information within the card account number that provides anti-counterfieting information, but aside from that the reset of the track info is largely ignored at the POS device and is problematic on the credit network side of things. There is one value that specifies the processor, for example, but most that I've seen have the same value.
Furthermore, Track I information is often ignored and USUALLY not required to process a credit card. Most networks favor Track II over Track I and some just can't process Track I at all. In other words, they're not too secure and there is CERTAINLY very little in the way of protection outside of CVV2 - which isn't even globally supported by all networks.
Before you mention AVS, it is only valid for manually keyed accounts, or internet purchases. It's true their use is less restricted, but for that reason there are many other security measures applied, such as back-end systems that check for uncharacteristic buying patterns. Also, the consumer is pretty safe from credit card fraud, since your liability is limited to $50. The back-end processing protection is usually after the fact, and a clever thief would probably not be establishing a pattern, anyway. Of course, 'smart thief' is often an oxymoron:-) Some allow cash out, most don't. The reason is that many stores that sell gift cards use exactly the same technology for provided card-based in-store credits.
When you return some merchandise without a receipt, they don't want to give you your money back (otherwise you could do a tidy business buying from mail order and 'returning' to the more expensive place) so instead they give you a card. Allowing you to cash out the card would defeat the purpose.
Careful review will indicate that I was talking about the card processing networks themselves, not the individual merchant policies. Providing a gift card for a refund is a merchant policy (and a foolish one, whatever happened to 'no receipt, no return' anyway?). The capability is there, and it's perfectly reasonable to expect to get your money's worth out of it. We'll see how that court case goes, hopefully on the side of the consumer. I work at a Circuit City, and I can attest to the fact that I doubt this could be too hard.
I had a guy come in and pay for an LCD monitor and some other things with 20(!) $50 gift cards. It got me thinking: We have (like most stores) two types of gift cards. There are cards which are pre-printed with a given amount (in that case, $50). We then have cards which have any given amount attached to them, and that number is generated at the register. We THEN have what are called 'Merchandise' cards, which are issued as store credit for returns (or those wretched AOL/Compuserve/MSN deals).
All of these cards are treated exactly like any other type of plastic. They have a 12-digit number on the back of them (unlike the sixteen digit on most plastic). The 'make your own quantity' cards are all tracked in our backend system (a centralized SCO-UNIX server in our back office, which routes to a big honking server via satellite). But the 'given quantity' cards (like the aforementioned stack 'o' $50 cards) are not (I can tell because of the lack of processing time when they are sold, versus the 'create your own'). My guess is that the number scheme for those $50 cards is already embedded in our system. It's a simple case of using a scanner/programmer to see which digits differ between active and inactive units. The fun part comes from the fact that any purchase over $100 requires that we enter a telephone number and address for an individual.
All returns and exhanges are handled from this address, and we can track everything any person has bought or returned since the beginning of our central-server implementation (13 years ago). If a person purchases an inordinately large amount of things with gift cards, the system will tag it, and Loss Prevention at Corporate will be alerted. The further fun aspect comes from the fact that the digits on the gift cards are tied to a given store location when they are shipped out, so I don't think it would be too hard to figure out a) which store they're coming from and b) which employee is 'hooking' people up. Most retailers are setup to deal with employee fraud. Next time you're in a big grocery store or department store look up above the register. You'll likely see camera pods/windows.
If they are using a flat scan barcode reader there will also likely be a light that flashes each time an item is scanned. This is designed to prevent 'sweethearting' by employees. This is where and item is waved across the scanner, but doesn't actually scan, and is then placed in the bag. Ever wonder why Best Buy (and others) check the contents of your bag against your receipt within 30ft of the register? It's not to stop independent shoplifters, it's to catch/prevent sweethearting.
What you suggest is even more difficult. The gift card is only loaded by the POS system with the amount punched into the register. Now unless the store doesn't have a total display that can be seen by the customer (or the customer has the IQ of a brick) there is no way the customer will hand over $100 when $50 is shown on the display.
If the clerk tries to pocket cash that is properly shown on the display then the drawer will be short. Best buy is not legally allowed to check your bag against your recipt if you refuse to allow them, by the way. That may be true in America but is definitely not true in Australia (conditions apply). The conditions are that a big obvious sign is posted at the entrance to the store stating that bag searches are a condition of entry - you enter, you give them permission to search. The other restriction is that the sales assistant is not allowed to touch any of your possessions, they can ask you to open your bag and show them and open any compartment etc, but they must not do it themselves. I would be exceptionally surprised if a similar set of laws were not in place in America and other countries around the world. I am guessing that most stores have a condition of entry, which would most likely hold up in court.
In the age-old /. Tradition, IANAL.