Gift Card Hacking

Claudio Moran
Nov 7, 2022


During the past few years, I’ve read many articles about how hackers steal your gift card balance before you use it. I read what they were doing and that gave me a simple idea that allowed me to find a vulnerable site and then I reported the issue. Here is how I did it.

How “hackers” can get your balance

So I’ve read articles about “hackers” stealing your gift card balance in many places and companies around the world. Note that I double-quote the word hackers because I think, in some cases, it is more of a scam than a hack.

I will explain one scenario: someone goes to a big store, takes all the gift cards on the shelf, and scratches off the back of each one until they can see the PIN. They take a picture of the back of each card and return the cards to the shelf so people can buy them afterward.

I have to add that the store needs to have a website where you can check the balance of a card, so that knowing the card and PIN makes it possible to check it online. With that, the person goes home, looks at the photos he has taken, and creates a list of all the cards with their respective PINs. After that, the person creates a script to look at the balance every night. If the balance is positive then bingo; the card is ready to be used online.

This does require some technical skills, but it also requires some physical interaction, and that is not how a hacker operates; that’s why I see it more as a scam.

Note: Don’t buy a gift card if it has already been scratched off.

(Image: before and after scratching the back of a gift card)

Finding a vulnerable system

I never paid attention to gift cards before, even after getting a few for Christmas, but after reading the article I thought: there has to be a way to do this without having physical access to each one of the cards.

I looked at the main stores in my city for the ones that had an online checker until I found one:

I actually found many, but this one happened to have no CAPTCHA, so it was the perfect target.

Now the next step was to get some gift cards. I was going to buy two in the store, but then I realized I could buy them online. It was better to get them online because then I would get them “generated” one after the other, and that would allow me to find the pattern for card generation.

It turns out they were not in series, meaning they looked like:

-XXXX XXXX XXXX 0001
-XXXX XXXX XXXX 0004

You can already tell the length is the same as a credit card, so I started looking at the pattern used by the payment card industry. It turned out these gift cards were using Luhn’s algorithm. The PIN was also numeric but had no pattern or relation with the card number (that I could tell, but my sample was also too small).

I used Burp Suite to intercept the requests and sent the request to the repeater. I tried a few wrong responses and then the right PIN (I had it). The status on the page didn’t change but the page length did. I went back with the repeater and kept sending a few wrong PINs to make sure there was no lockout mechanism. There was none.
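The control that was missing here, as an added example (not code from the original post or from the affected site): a per-card PIN lockout plus a per-client cap on distinct card numbers, with one uniform failure result. The class name, the thresholds, the in-memory store and the `verify_pin` callback are all assumptions.

```python
import time
from collections import defaultdict, deque

MAX_PIN_FAILURES = 5        # assumed: wrong PINs per card before lockout
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration
MAX_CARDS_PER_CLIENT = 10   # assumed: distinct cards one client may query per window
WINDOW_SECONDS = 60 * 60    # assumed sliding window


class BalanceCheckGuard:
    """Hypothetical guard placed in front of a card + PIN balance lookup."""

    def __init__(self, verify_pin, clock=time.monotonic):
        self.verify_pin = verify_pin          # callable(card, pin) -> bool
        self.clock = clock
        self.failures = defaultdict(int)      # card -> consecutive wrong PINs
        self.locked_until = {}                # card -> unlock timestamp
        self.cards_seen = defaultdict(deque)  # client -> (first_seen, card)

    def _too_many_cards(self, client, card, now):
        seen = self.cards_seen[client]
        while seen and now - seen[0][0] > WINDOW_SECONDS:
            seen.popleft()                    # forget cards outside the window
        distinct = {c for _, c in seen}
        if card in distinct:
            return False
        if len(distinct) >= MAX_CARDS_PER_CLIENT:
            return True                       # walking through card numbers
        seen.append((now, card))
        return False

    def check(self, client, card, pin):
        """Return 'ok', 'denied' or 'throttled'."""
        now = self.clock()
        if self._too_many_cards(client, card, now):
            return "throttled"
        if self.locked_until.get(card, 0) > now:
            return "denied"                   # locked: even the right PIN is refused
        if self.verify_pin(card, pin):
            self.failures.pop(card, None)
            return "ok"
        # Unknown card and wrong PIN take the same path and give the same answer.
        self.failures[card] += 1
        if self.failures[card] >= MAX_PIN_FAILURES:
            self.locked_until[card] = now + LOCKOUT_SECONDS
            self.failures.pop(card, None)
        return "denied"
```

Keying the lockout on the card alone lets anyone lock a legitimate holder out, which is why the per-client limit is checked first.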

For the proof of concept, I then had to start scraping the page looking for all the combinations. To generate the card number I found the Python code on Wikipedia, and that allowed me to see if it was valid or not.

For this, I used the card numbers I had as a starting point, so I added 1 every time and tested it with the algorithm; if it was valid I would brute-force the PIN. I show how to implement a part of this in Python in this article I wrote recently: Brute-force attack using Python.
You just have to add the card number generator step to the code and use numbers instead of a dictionary of passwords.

I found a few with a balance but after that, the other successful ones had zero balance, meaning the account was created but no one had bought them yet.

With that in hand, I reported the issue.

I know there are many sites out there that still have a similar structure but have CAPTCHA in place, meaning you will have to get past that, but it is still doable if you bypass that implementation.

I need to add that this is not something you can do with the more modern gift cards, usually those that are digital only, where the card number is not something you can brute-force. This is a defect that was inherited because of the old magnetic stripe cards; that’s why it is more likely to be found in places that have a physical location and have their own gift card implementation, like retail stores, grocery stores, and so on.
