In November of 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind.
He decided to drive to the local branch of the restaurant in Chico, California. While there, still in the mindset of testing the restaurant’s security, he noticed a tray of unactivated gift cards sitting on the counter. So he grabbed them all—the cashier didn’t mind, since customers can load them with a credit card from home via the web—and sat down at a table, examining the stack as he ate his vegetarian burrito.
As he flipped through the gift cards, he noticed a pattern. While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. By the time he finished his burrito, he had a plan to defraud the system.
The Gift Grift
After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semipublic for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too.
“You’re basically stealing other people’s cash through these cards,” says Caput, who now works as a researcher for the firm Evolve Security. “You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them.”
A series of gift cards Caput took from one retailer show how their numbers increment by one, making them predictable after a hacker brute-forces the four random final digits.
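The pattern described above (a fixed prefix, one digit that ticks up by one per card, and only the last four digits varying) is something a card program's owner or a pentester can check for on a sample of their own cards before anyone else does. The following is an added example, not code from the article or from Caput's research: the card numbers are constructed placeholders, the function names are hypothetical, and the audit assumes the sample was taken from a tray of cards in the order they were issued. It classifies every digit position across the batch, reports how many candidates remain once the predictable positions are known, and shows the hardened alternative of drawing every post-prefix digit from a cryptographically secure random source.

```python
import secrets
from typing import Dict, List

# Constructed sample (hypothetical numbers, not from any real retailer): 16-digit
# card numbers with a fixed prefix, a single digit at position 11 that ticks up by
# one per card, and four digits at the end that vary without a visible pattern.
SAMPLE_CARDS = [
    "6006490000104821",
    "6006490000119305",
    "6006490000120476",
    "6006490000137712",
    "6006490000143390",
]


def audit_positions(cards: List[str]) -> Dict[int, str]:
    """Classify every digit position across a batch of card numbers issued in order.

    'constant'   - the digit never changes across the batch
    'sequential' - each card's digit is the previous card's digit + 1 (mod 10)
    'varying'    - anything else (the only positions that resist prediction)
    """
    if len(cards) < 2 or len({len(c) for c in cards}) != 1:
        raise ValueError("need at least two card numbers of equal length")
    width = len(cards[0])
    result: Dict[int, str] = {}
    for pos in range(width):
        column = [int(c[pos]) for c in cards]
        if all(d == column[0] for d in column):
            result[pos] = "constant"
        elif all((b - a) % 10 == 1 for a, b in zip(column, column[1:])):
            result[pos] = "sequential"
        else:
            result[pos] = "varying"
    return result


def guess_space(classification: Dict[int, str]) -> int:
    """Candidates left for one specific card once the constant and sequential
    positions are known: ten possibilities per unpredictable digit."""
    unpredictable = sum(1 for kind in classification.values() if kind == "varying")
    return 10 ** unpredictable


def issue_card_number(prefix: str, length: int = 16) -> str:
    """Hardened issuance (hypothetical helper): every digit after the issuer prefix
    comes from the OS CSPRNG, so one card reveals nothing about the next one sold."""
    if not prefix.isdigit() or len(prefix) >= length:
        raise ValueError("prefix must be digits and shorter than the total length")
    body = "".join(secrets.choice("0123456789") for _ in range(length - len(prefix)))
    return prefix + body


if __name__ == "__main__":
    kinds = audit_positions(SAMPLE_CARDS)
    print(kinds)
    print("candidates per card with the pattern known:", guess_space(kinds))
    fresh = [issue_card_number("600649") for _ in range(5)]
    print("candidates per card under random issuance:", guess_space(audit_positions(fresh)))
```

For the constructed sample the audit reports eleven constant positions, one sequential position and four varying ones, so the remaining search space is 10,000 candidates per card rather than the 10^16 the full number suggests. Random issuance closes that gap, but it is only half of the defence: the balance-check endpoint that the attacker would query 10,000 times also needs per-source rate limiting and an activation PIN or scratch-off code that is not printed on the card's face, so that knowing a card number alone does not expose its balance.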