Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer’s ecommerce page, or even in person; Caput’s written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card’s balance, rather than spend any money from the cards belonging to actual victims.) "It’s a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person’s card says it has $50 on it, and then it’s gone."

Balancing Act

Caput has been warning retailers and restaurants about his scheme since he first discovered it nearly two years ago. Potential targets, including Trader Joe's, Macy's, and Taco Bell, have all responded by either taking down their gift card value-checking web pages and requiring users to check their gift cards by phone or by adding CAPTCHAs to their card value-checking web pages, designed to prevent automated programs from bruteforcing gift card numbers.

But other restaurants, retail outlets, and companies, which Caput declined to name on the record, have either failed to implement security measures against his fraud trick or added a defense that he was able to circumvent. He found that many gift card purveyors now use a CAPTCHA on their card value-checking page that he can strip away simply by disabling JavaScript elements on the page, using the software tool Burp Proxy. That allowed him to carry out the same bruteforce attacks, find the numbers of activated cards, and exploit them just as he had in 2015. Other one-off retailers and regional chains he's tested haven't added CAPTCHAs at all, or use simple incremented numbers on their gift cards that don't even require bruteforcing.

Some retailers' cards use PIN numbers in addition to the number encoded into the card. But that PIN is only required to check the card's balance, not to spend its value, Caput says. And if a hacker really wanted to determine the value of one of those PIN-protected cards, they could bruteforce it with Burp Intruder just as easily as the card's number itself.

'I can go in, order food, and walk out. The person’s card says it has $50 on it, and then it’s gone.' —Security Researcher Will Caput

Caput points out that even restaurants and retailers that have added robust CAPTCHAs to their gift card value-checking pages can remain vulnerable. If gift cards are left accessible, he can simply grab the entire stack of cards, photograph the back of them, and later place them back in the tray. Then he simply checks on those numbers periodically via the restaurant or retailer's website until the card's been activated. When it is, he can spend whatever money has been added to it.

The vulnerabilities that Caput found aren't merely theoretical. In May security firm Flashpoint released a report in which the company found hundreds of discussions of "cracked" gift cards on criminal web forums, spiking in the summer of 2016 and again in early 2017, compared with virtually none before 2016. Flashpoint analyst Liv Rowley says one vendor on the dark web marketplace AlphaBay alone had made more than $400,000 in sales between November of 2016 and July of this year when AlphaBay was shut down by the FBI, largely by selling stolen gift cards for more than a dozen brands, including stores like OfficeMax and Whole Foods. When Flashpoint talked with one of the affected retailers, the company's researchers determined that the seller was indeed using an automated tool to bruteforce activated gift cards, just as Caput has shown. "A lot of gift cards are numbered sequentially, and it appears he or she was just checking them like that," Rowley says.
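The sequential checking Rowley describes leaves a recognizable trace in a balance-check page's request log. The following is an added example, not code from the article, Caput, or Flashpoint; the log fields, card numbers, client addresses, and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of balance-check requests: (client_id, card_number, card_was_active).
# Field layout, card numbers and thresholds are assumptions, not any retailer's schema.
SAMPLE_LOG = (
    [("10.0.0.7", 9999000000001000 + i, i == 37) for i in range(60)]  # one client walking a range
    + [("10.0.0.21", 9999001234567890, True)] * 3                      # customer rechecking own card
    + [("10.0.0.35", 9999009876543210, False),                         # customer mistyping once
       ("10.0.0.35", 9999009876543211, True)]
)

def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers among the distinct values."""
    best = run = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def flag_enumeration(log, max_distinct=10, max_miss_ratio=0.8, max_run=5):
    """Return {client: reasons} for clients whose lookups look like card-number enumeration."""
    by_client = defaultdict(list)
    for client, card, active in log:
        by_client[client].append((card, active))
    flagged = {}
    for client, rows in by_client.items():
        cards = [c for c, _ in rows]
        distinct = len(set(cards))
        miss_ratio = sum(1 for _, a in rows if not a) / len(rows)
        run = longest_sequential_run(cards)
        reasons = []
        if distinct > max_distinct:
            reasons.append(f"{distinct} distinct card numbers")
        if distinct > max_distinct and miss_ratio > max_miss_ratio:
            reasons.append(f"{miss_ratio:.0%} of lookups returned no active card")
        if run > max_run:
            reasons.append(f"{run} consecutive card numbers")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    for client, reasons in flag_enumeration(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Per-client counting assumes a stable client identifier; the same counters can be keyed on card-number prefix to catch lookups spread across many addresses.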

All of the gift card security issues Caput highlights have relatively simple fixes: Implement strong CAPTCHAs that bad actors can't circumvent on gift card value-checking sites, don't leave unactivated gift cards up for grabs at store counters, and use scratch-away coverings on cards to prevent them from being photographed and then replaced in stores.

But until retailers and restaurants make those fixes, consumers would be wise to think twice about buying gift cards that could potentially have their value siphoned away by hackers. Before you pick up that unguarded card from a retail counter, perhaps consider who might have picked one up first—and who else might know that slice of plastic's secrets.