Target, Starbucks Suffer Mobile Gift Card Security Hole
Written by Evan SchumanMay 13th, 2010
Special Report: In a rush to make mobile gift card rollouts as convenient and low-cost as possible, some major chains—including Target and Starbucks—have overlooked security holes that allow any shopper to use the dollars loaded into other shoppers' gift cards. The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), is the results of the cards publicly displaying enough information for someone to create a copy that can trick the POS's barcode scan. In short, Target is putting the account numbers (PAN) into the cards' barcodes. Indeed, the barcodes contain little else.
"You never use the PAN on the handset. Never, never," said an official with the security company that discovered the hole.
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
3 Comments | Read Target, Starbucks Suffer Mobile Gift Card Security Hole
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Christine
May 13th, 2010 at 1:54 pm
How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.
It seems to me that all of the folks in this article are exagerating the point to gain attention for themselves.
I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back)then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.
Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.
May 13th, 2010 at 2:23 pm
Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.
May 19th, 2010 at 11:19 am
Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.