Gift cards and loyalty programs are a go-to gift for many shoppers. They’re easy to use and obtain and organizations use them to promote business by offering deals when using one. For many of the gift cards, you only need a card number and a PIN to use them while the loyalty cards only need a barcode. Attackers are using this knowledge to guess card numbers and PINs leading to your gift and loyalty being empty prior to use.
Retail companies are notorious for offering a gift card balance checker service online, and some of these companies even tell you if the card number you entered was valid. If not properly secured, a persistent attacker could enumerate other gift cards by brute-forcing them.
Once a valid gift card has been found, attackers will work to guess the PIN by using the gift card checkout option provided by the retailer. Given the short PIN length below, it will only take 10,000 attempts. With an automated tool, it would take mere minutes.
Once successful, attackers can also choose to print them on a blank card to make it look legitimate for in-store use instead of using it online and leaving a trace.
Gift cards are not the only cards that are prone to this issue. Loyalty points can also be a victim in card number enumeration attacks. Loyalty cards, for the most part, only have a barcode and if successfully enumerated can be printed and used in stores. The lack of authentication methods (like the three digits on regular credit cards) in loyalty points cards increases the risk of its balance being stolen.
Organizations have begun moving from online balance checks to other solutions, such as phoning. However, this method can also be automated. This issue will continue to get worse as more retailers allow for this functionality, yet the majority of companies are still underestimating the risks.
Steps to help secure Gift-cards
There are many mitigation strategies that vendors can use for the security of their gift-card and loyalty card programs. The list we have below are the mitigation strategies we suggest retailers use to make their programs more secure:
- Implement rate-limiting or CAPTCHA services on card-balance checking services. A typical user will not be issuing 10,000 requests for their PIN.
- Protect gift cards by hiding the card numbers within an enclosure that needs to be opened on checkout. Doing so will prevent individuals from gathering numbers off the shelves.
- Loyalty cards should have additional validation prior to being used in stores and online.
Although there have already been cases on how easy it is for an attacker to steal gift cards or use loyalty points maliciously, the majority of companies still overlook this issue. Having a secure gift card program will not only help retailers in the short-term, but it will also improve their reputation in the eyes of their customers in the long-term.
Ask us about how we continuously work with retailers to improve their gift and loyalty card programs.