Gift cards

Time was gift cards were a great Christmas gift. Now? Well, let me tell you …

For Christmas this year, my brother got me one of those $50 Visa gift cards. Usable anywhere Visa is accepted – in the U.S. that is, but I’m sure there’s some small shops and cafes that don’t want to deal with cards. So good idea, right? Depends …

I didn’t try to use it right away, I was trying to think of something I’d want as a gift to spend it on. I mean, if you’re spending it on something you would have bought anyway, then it’s not really something special. So about 10 days later I make up my mind, but the card doesn’t work. I try again a few days later, same thing. So I go back and find the materials that came with the card to see what I can find out.

They list a website where you can check your balance and even transaction history. I go there and see the card has not $50 but $1 on it. Someone cloned the card (created a card with the same data on its magnetic stripe) and spent the other $49 at a Target in California.

My brother’s guess is that someone in the store copied the information and sold it online. Sorry, only the cashier can see the number on the card (at least, unless my brother was a complete idiot and bought one with the tab removed) and can he surreptitiously write that down while you’re standing in line? Okay, either of those amount to “My brother is an idiot”, but there’s a third possibility.

You remember that website you can use to check your balance? If someone has a general idea what range of numbers are used on these cards, they could simply try guessing numbers until they find one that works. For you and me probably not a good strategy – after some number of tries they’d ban your IP so you couldn’t try more – but if you happen to have a botnet you could have 1000 different computers each try 20 different numbers for you (or whatever number is small enough not to get banned) and eventually find one. Or if their security is bad, someone hacked their system and got the number that way, or an employee sold it … all amounts to the same thing.
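Why a per-IP ban alone misses this, seen from the side of whoever runs the balance-check site: the sketch below is an added example, not code from the original post or from any card issuer. It counts wrong lookups per card-number range as well as per IP. The event format, the 8-digit range prefix and every threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

PER_IP_LIMIT = 20       # misses per IP per window before a ban (the post's figure)
PREFIX_LEN = 8          # assumption: leading digits that identify one card range
RANGE_MISS_LIMIT = 50   # assumption: distinct wrong numbers tolerated per range
RANGE_MIN_IPS = 10      # assumption: spread over this many IPs looks distributed
WINDOW = 3600           # seconds per counting window


def analyze(events):
    """events: (timestamp, ip, card_number, found) tuples from balance lookups.
    Returns (IPs over the per-IP limit, card ranges under distributed guessing)."""
    ip_misses = defaultdict(int)
    range_numbers = defaultdict(set)
    range_ips = defaultdict(set)
    for ts, ip, card, found in events:
        if found:
            continue  # a correct lookup is normal cardholder behaviour
        bucket = ts // WINDOW
        ip_misses[(bucket, ip)] += 1
        key = (bucket, card[:PREFIX_LEN])
        range_numbers[key].add(card)
        range_ips[key].add(ip)
    banned = {ip for (_, ip), n in ip_misses.items() if n > PER_IP_LIMIT}
    flagged = {prefix for (b, prefix), nums in range_numbers.items()
               if len(nums) > RANGE_MISS_LIMIT
               and len(range_ips[(b, prefix)]) >= RANGE_MIN_IPS}
    return banned, flagged


def constructed_events():
    """Constructed sample: 100 addresses x 5 wrong guesses each, plus two cardholders."""
    events = []
    for i in range(100):
        for j in range(5):
            card = "40000012" + f"{i * 5 + j:08d}"
            events.append((i * 10 + j, f"198.51.100.{i}", card, False))
    events.append((50, "203.0.113.7", "4000009900000001", True))   # own card
    events.append((60, "203.0.113.8", "4000009900000012", False))  # one typo
    return events


if __name__ == "__main__":
    banned, flagged = analyze(constructed_events())
    print("banned IPs:", banned)
    print("flagged ranges:", flagged)
```

On the constructed data no single address crosses the per-IP limit, yet the range as a whole is flagged, which is the signal that would justify adding a CAPTCHA or throttling lookups for that range.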

Store/merchant gift cards wouldn’t be so much of a target since they are only good at that store (not that it is hard to find a Walmart or McDonald’s anywhere, but that’s still only 1/1000th of the places a Visa gift card is valid at). And if you actually have to check the balance in the store rather than online, then they couldn’t brute force the numbers like I described above (even if having such a website is a major convenience for users).

Of course, what they really need is something harder to clone. A chipped card or at least something with additional numbers not used on the website … that is, the card has 16 digits and the website also requires the 3-digit security code, but if the stripe had some extra digits you couldn’t see on the website that would make it harder. That’s why regular cards do have a chip. Until these gift cards do have better security, I’d say you’re better off just giving cash.
