radarbas.blogg.se

Msr605x walmart






Gift cards are an easy target for cyber criminals: enumerating the card numbers is simple, and the absence of authentication systems makes theft of balances a prime target for thieves. Changing the first field with a valid number is all that is needed to complete the attack.

Figure 7 – Magnetic strip writer track info

Swiping a blank store gift card will populate the data fields on the card (see below). The attacker needs to take an empty card and write the data of a legitimate one on it. This can be accomplished by using a magnetic strip writer like the one below. But the most common method is to clone the card. In some cases, restaurants allow users to use the gift cards by knowing only the number, even without the card they were printed on. invalid or inexistence, and account balance equal to zero).

At this point the last step is trying possible combinations for gift card numbers with the Burp Intruder Tool.

Figure 5 – Burp Tool invalid gift card numbers

We identify different responses depending on the card status (i.e. We attempt to discover the response for invalid or inactive cards by entering a random card number. In the following case the gift card has no balance.


User-Agent: Mozilla/5.0(iPad U CPU iPhone OS 3_2 like Mac OS X en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10
Accept: application/json, text/javascript, */* q=0.01
POST /Payment/GetGiftCardBalance HTTP/1.1

In order to analyze every single request, we use the Burp Proxy tool.

Below is the request to the card balance checker that was intercepted for one of the gift cards:

Once we discover the pattern, we use the online card balance checker, in the case of the restaurant by visiting the restaurant online and looking for “check gift card balance” on it. We know the gift cards start from a specific number, so they restricted the space of analysis to the numbers related to earlier cards in the stack that were most likely sold to a customer. The number of requests necessary to find a valid card is therefore 10^4 = 10,000, because 4 digits are used in the generation process. The cards have apparently random digits in the 13th – 16th positions. The 11th and 12th digits are counting up to 100 (and if they continue this pattern, once they hit 100 the 10th digit will change to the next number and the 11th and 12th digits will start again at 00). The cards all have the same numbers for the first 10 digits. Looking at the numbers above, you can determine the possible valid numbers by recognizing the pattern.

The above card reported the following numbers

We look for the generation sequence of the card numbers by analyzing the numbers reported on the cards to discover the pattern. The cards were not purchased, so they were not loaded or activated; this implies that they come with no balance. In this example, we analyzed a lot of gift cards used by a prominent restaurant. It is important to explain that the technique can be applied to any gift card that’s not using a CAPTCHA or a PIN, for any kind of commercial activity they are intended (i.e.


To better understand how it is possible to hack gift cards, we’ll demonstrate weaknesses with gift cards, balance checking, and how hackers can enumerate gift cards even without knowing the card holder.






