Payment Card Security

Home Depot Replacement Card Misfire

Today, I received a new credit card from The Home Depot. (In the picture, the top one is my old one and the bottom is, obviously, the new one). The first thing I noticed was the new card was attractive and that they added a chip. I thought that was fantastic that a store card would go through the work. I then dug a bit further, and was less happy.

On the back of the card, there is still a mag stripe. The Home Depot (“Home Depot”) cards are not valid at other stores (unlike a Visa, MasterCard, etc.). This means that they control the entire payment ecosystem. My local Home Depot has chip technology, as have a few other locations I’ve been to. This means that they could have issued strictly chip cards and done away with the magstripe entirely. This would make them a clear leader in payment technology and I would have really been impressed. Sadly, they didn’t. Oh well, most companies don’t even have chips, and the big banks universally issue mag+chip cards.

The next issue I noticed (honestly, it is kind of a nice feature, even if it is incredibly insecure) was that the card comes activated, ready to start using. I don’t need to call from my home phone, I don’t need to activate online. Just go and start buying lumber, screws, or even a garage kit… Oh, and look — the credit limit is printed right on the paperwork!

The next issue is that the entire card number is printed on the flyer attached to the card. You might believe that this is a bit pedantic because, after all, the card is attached. If somebody stole the mail, they’d surely have the card #.

Sadly, this makes it much easier to shine a light through the envelope and see the entire card number unmolested. Likewise, after disposing of the document (if unshredded), now your entire card number is in the bin somewhere.

The final issue is that this was an unsolicited bulk card reissue. I didn’t lose my old card, and I didn’t know a new card was on its way. The issue with all of these vulnerabilities is magnified when an event like this happens. Somebody like me can receive a card, realize these issues, and then start grabbing these documents out of the mail. Postal workers can bring a flashlight and a cellphone to work and start capturing these numbers en masse. The chip was a nice addition, and the new card looks great. The security, however, leaves much to be desired.

How to Scam Garage Sale Sites with Gift Cards

PLEASE TAKE NOTE: The title is correct, this is how to scam users of garage sale groups. The intended audience, however, is victims and group administrators. The goal here is to convey how easy it is to defraud people into purchasing gift cards, and why they should not be allowed for sale in these groups.

You should never purchase used gift cards from anybody without the authorization of the selling store, and their support transferring your balance to a new gift card.

Short Version of the Scam

When you purchase a gift card from somebody on the Internet, you may find that paying $50 for $100 of merchandise credit is a fantastic tradeoff. The fact is, you will pay $50 and they will keep the $100, leaving you out the money.

How this scam works

This is nothing new; it is very similar to how credit card fraud has worked for years. However, many site admins and potential consumers are unaware of this tactic.

How Payment Cards Work

Your older credit cards, and the majority of gift cards in the world, use a magnetic stripe (the black line on the back of your card). At a fundamental level, this mag stripe operates exactly like an old cassette tape. When you swipe your card, the equipment reads the stripe and a special number comes up. This number does not include your balance, but it generally does contain the card number, expiration date, the name of the card holder, and a few other pieces of information.

This information never changes. That is the problem with credit cards, and it is why EMV “chip” cards were introduced: they reduce the attack surface and make this kind of attack much harder to carry out.
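To make that contrast concrete, here is an added Python model (not code from the original post) of the two authorization schemes: a stripe check that accepts any exact copy of the static track data, and a simplified chip scheme in which the card computes an HMAC over the amount and a terminal-supplied nonce with a key that never leaves the card, so a captured cryptogram fails when replayed or presented with a fresh nonce. The sample PAN, key handling and message layout are constructed for this example and do not follow real EMV formats; `chip_demo()` returns (first use, exact replay, captured cryptogram under a new nonce).

```python
import hashlib
import hmac
import secrets

# Constructed sample track data (not a real card): PAN=expiry=name.
STRIPE_DATA = b"1234567890123456=2512=J DOE"
ISSUER_STRIPE_RECORDS = {STRIPE_DATA}

def stripe_authorize(presented):
    # Stripe model: the issuer only compares static track data with its records,
    # so any exact copy of the stripe is accepted every time it is presented.
    return presented in ISSUER_STRIPE_RECORDS

def _auth_message(pan, amount, nonce):
    return b"|".join([pan, str(amount).encode(), nonce])

class ChipCard:
    # Chip model: a per-card key that never leaves the chip signs each transaction
    # together with a terminal-supplied nonce (EMV's "unpredictable number").
    def __init__(self, pan, key):
        self.pan, self._key = pan, key
    def cryptogram(self, amount, nonce):
        return hmac.new(self._key, _auth_message(self.pan, amount, nonce),
                        hashlib.sha256).digest()

class ChipIssuer:
    def __init__(self):
        self._keys = {}
        self._seen = set()   # (pan, nonce) pairs already authorized
    def enroll(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        return ChipCard(pan, self._keys[pan])
    def authorize(self, pan, amount, nonce, cryptogram):
        key = self._keys.get(pan)
        if key is None or (pan, nonce) in self._seen:
            return False   # unknown card, or a replay of an earlier authorization
        expected = hmac.new(key, _auth_message(pan, amount, nonce), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False   # not made by this card's key for this amount and nonce
        self._seen.add((pan, nonce))
        return True

def chip_demo():
    issuer = ChipIssuer()
    card = issuer.enroll(b"1234567890123456")
    nonce = secrets.token_bytes(8)
    crypt = card.cryptogram(100, nonce)
    return (issuer.authorize(card.pan, 100, nonce, crypt),
            issuer.authorize(card.pan, 100, nonce, crypt),
            issuer.authorize(card.pan, 100, secrets.token_bytes(8), crypt))
```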

The scammer’s shopping list…

The scammer will buy a valid gift card (let’s say it’s $100 worth), and a card reader / encoder. The latter device is roughly $30 from Amazon, and there are plenty of legitimate reasons to sell and own these devices. At this point, an attacker has all of the tools they need.

The scammer reads the card’s data into a computer, and encodes it (sort of like saving a file) onto an extra card that they picked up.

Selling the Gift Card

The card will be listed for sale in multiple areas, usually for some money off the face value, and with the caption “Got this for (insert holiday), don’t shop there” or similar. Sometimes this will be backed up with a picture of the register receipt.

A buyer is found through one of these garage-sale groups, and you meet up. You first call the store to verify the $100 balance, and sure enough — the card is loaded legitimately. You gladly pay your $50 for the card, and you both leave happy. You may head straight to the store, you may wait a few days, or you may be extra hilarious and gift this card to somebody.

Hook, Line and Sinker

As soon as you leave, the attacker has a duplicated gift card of yours and can call a friend at the store to purchase another gift card, food, clothes, or anything else with that card. By the time you get to the store, that card will have a $0 balance, and the Facebook / Craigslist / etc account will be long gone.

Buying Gift Cards Legitimately

The majority of stores expressly prohibit transferring cards between people, for exactly this reason. The safest way to buy one is for you and the seller to meet at the store in question, where you purchase a new gift card using the card they are selling. You can then dispose of the depleted card, and your new card is not vulnerable to this scam, since the seller does not possess a duplicate of it.

There are also websites that offer additional mechanisms for exchanging gift cards, though you should always keep in mind how this scam works. Companies often state directly on the card “TREAT THIS CARD LIKE CASH”, meaning that losing the card, among other conditions, will prevent them from reissuing a balance. Furthermore, as far as the store is concerned, you spent the balance, and store clerks will almost never check a gift card for validity. Even if they do, there are embossers for that.