The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), is the result of the cards publicly displaying enough information for someone to create a copy that can trick the POS's barcode scan. In short, Target is putting the account numbers (PAN) into the cards' barcodes. Indeed, the barcodes contain little else.
"You never use the PAN on the handset. Never, never," said an official with the security company that discovered the hole.
During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen and interfering with accurate reads.
The rollouts were accelerated with the goal of making the phone applications simple—for consumers to use, for stores to support and for chains to deploy—and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.
But the main issue is not merely that the cards and their numbers are so prominently displayed (although that is definitely an issue). It is that the card number—and only the card number—is represented by the barcode. No PIN or other verification is requested when the card is used to make a purchase, even though Target's mobile app demands exactly that information. Target's card does use an adhesive strip to hide the card number and the access code. But again, the lack of that information doesn't prevent a purchase. The card number represented by the visible image is all that is needed for transaction approval.
The security problems with the mobile apps are not that different from those experienced with the initial gift cards (the physical magstripe version) and then experienced again when those cards were first offered and supported on the Web. As IT-consultant-wannabe Yogi Berra would have said, as retail turns to mobile, "it's déjà vu all over again."
Analysts expressed surprise at the lack of security surrounding the gift cards. But they expect such matters to be resolved quickly as the mobile space matures.
"This notion of the stored value card being able to convert to a barcode is a snag. Retailers need to figure out an additional layer of authentication," said Forrester Research VP Sucharita Mulpuru. "We don't even know what we don't know. This is one of the many lessons that people are going to have to learn the hard way."

Gartner Security Analyst Avivah Litan expressed similar thoughts. "This can shake up the whole mobile app world. The mobile [gift card] is totally vulnerable and PIN should be added," Litan said. "Security is always an afterthought. It's never baked into the new applications."
Asked why, Litan said that IT security professionals are often seen by senior management and product execs as "naysayers. They stand in the way of everything. [Senior execs] are focused on customer acquisition and revenue, driving new products to market. The security people are basically seen as a pain in the neck."
Quite a few chains use similar approaches to gift card security, so Target and Starbucks are certainly not alone. In the Starbucks case, the problem is that its cards—which are prominently displayed for consumers to browse—include the visible numbers associated with each card. With that number, a thief can go to any one of several free Web sites and convert that number into a barcode. That barcode is all that the scan looks for.
The thief merely waits for the card to be funded by a fellow customer and then presents that barcode to the cashier. To make things look right, the image can be placed within a screen capture of the mobile app's screen. But as long as the barcode is scanned, the transaction will be approved.
At Target, the process is almost as simple but requires an additional step. Instead of grabbing the number, the trick at Target is to take a picture of an online barcode, which needs to be decoded and then encoded into the kind of barcode its system expects. When we tested it Wednesday (May 12), the decoding and encoding process took about two minutes at a pair of free Web sites. (Note: During our successful attempt at recreating the gift card bug, we purchased the card we were trying to recreate to avoid doing anything illegal.)
Ironically, the Target mobile app gives the appearance of being especially secure. Beyond the adhesive strip and that access number (along with Seq and Event numbers), the app requires a PIN along with a phone number. The app stresses to the user that the PIN is not preserved by Target in a readable form, so if it's lost, the card is toast, at least as far as the mobile app is concerned. (Getting cash value from the store, though, is another matter.)
But again, that data isn't required to complete a transaction. Target apparently is using only the first four sections of the barcode (along with error correction), and that's all that is necessary to complete a transaction.
Note: We reached out to both Starbucks and Target—at several levels—seeking comment for this story. As of deadline, representatives of neither chain commented. Also, a senior executive of the security firm that initially discovered the breach said he had sent letters to senior executives of both chains—several weeks ago—alerting them to the problem. Neither responded to the security firm.

Thus far, all these details are the programming/engineering aspects behind the flaws. The social engineering part of the process is even easier.
At Starbucks, the thief only needs to capture the displayed number of the card. That could be done by taking pictures or by writing the numbers down or memorizing them. But in most Starbucks, that would be difficult to do without being detected. That fact might limit a thief to only doing one or two cards at a time, or it might simply require more creativity.
A thief could pretend to be talking on the phone—a very common occurrence at a Starbucks—but instead have the voice memo feature activated so she is being recorded. The thief then improvises a conversation, working in the numbers as she talks. If no one is eavesdropping too closely, it might not sound that unusual. "So did you see what 4552628 was wearing last night? When I saw 4789092, I thought he'd faint. By the way, I need to catch the 8329900 home tonight, so I have more than an hour to kill."
Although the idea of discreetly taking pictures of Target gift cards might sound daunting, it's actually quite easy. The cards are housed throughout the store. If a thief is too shy to do his Candid Camera impression at the end of a checkout lane, there are plenty of quieter places in the aisles where the gift cards are touted, often out of the view of security cameras.
And if a thief is especially nervous, she can quickly pocket 40 or 50 cards and go to the restroom, where a smartphone can be used to carefully photograph the cards before they are replaced. The thief would have to note which cards are in front and therefore likely to be purchased—and filled with stealable money—sooner.
The other social engineering part is determining when the gift cards are filled with money. The Target access codes do make that information difficult to learn from the Web site, but it's not a concern for thieves. They can either watch the cards from within the store—perhaps even overhearing the amounts stored on a card—or simply roll the dice with statistics. They know that popular cards—in a busy store—will likely move within a couple of days and that that is especially true for the first several in a stack. Thieves also know that such cards often sit unused for weeks after being purchased, so they can make reasonably good guesses as to when to try to cash in.
Conveniently, the iPhone makes such matters easier. The bogus barcodes are saved as images on the phone—images designed to resemble the app's screen. The iPhone allows for the photo display to instantly move to the next image at the flick of a fingertip. This capability means that if a thief is told there's no money on a particular card, he can react with surprise and indignation. "What?" he says, and then pulls the phone back to click on the image, when he's actually moving to the next photo. That photo is identical to the first image, except that it has a different barcode. He then asks to rescan the image and, lo and behold, it now comes up with $250.
Another help for this scam is stores that instruct associates to never touch or hold customers' smartphones, for fear that they'll drop or otherwise damage the device and make the store liable. Of course, the biggest help is that associates generally do not examine such screens closely at all, nor would they generally know what to look for. Store associates will likely ignore prices, dates, location and other elements that do not match, in much the same way that the barcode scan ignores those details.
By the way, in theory, the image doesn't even have to appear on the phone itself. A printout of the barcode taped onto the phone's screen would also work, although the risk of getting caught would be much higher.
How can gift cards be made more secure? Several ways.
As a short-term measure until more robust security measures are fully deployed, the gift cards can be placed behind the counter, alongside cigarettes, adult-themed items and restricted types of over-the-counter medicines. Because these fraud tactics require close examination of the cards, this approach would slow down attacks by customers.
Then again, most fraud attempts are inside jobs. As such, the "shove 'em behind a counter" tactic won't do much to deter employee fraud, which could mean that this plan won't make as large a dent as it could. Still, any reduction is helpful.
Speaking of the "Get 'Em Out Of Sight" suggestion, there's a non-trivial concern about out of sight, out of mind. Gift cards are prominently displayed for a reason: marketing wants them to be as convenient for consumers to grab as possible. But that goal can still be achieved by replacing the real cards with cheap dummy cards.
When someone brings one up to the cashier, the associate pulls out a real card from a drawer. This approach is not that different from what video rental stores (anyone remember those?) used to do, with empty video cases on the shelf and the real videos to be retrieved by a store associate as they're being paid for.
This point gets into the area of actually improving card security, which would require POS and app changes. Forcing the customer to type in a PIN when the card is loaded with value is not especially onerous, nor is seeking that PIN for using the card.
Tokenization is a behind-the-scenes approach to securing the mobile process. It's not clear if it would be needed, but some forms of tokenization might take some of the load off of retailers. Then again, a strict PIN approach might be sufficient.
This topic gets into one of the oldest Loss Prevention debates. Should checkout speed (how many customers can be processed in any one-hour period) trump security?
Scams using fake barcode labels on products have often been quite successful, relying on the fact that cashiers wouldn't look up long enough to notice that a product scanning as a watermelon was actually a flat-screen television. When was the last time a chain pushed associates to take the time to look at and compare credit card signatures with the customer's signature? (It sort of makes signing the credit card a nostalgic act.)
For those retailers willing to sacrifice speed for fraud reduction, these scams are not that difficult to detect. Look at the phone. Is that your chain's app? Ask the customer to click on an icon. With an iPhone, a good technique is to simply ask for the phone to be tilted. If it's just a picture, it will reorient and shrink, while the actual app would act differently.
Liability concerns notwithstanding, asking the cashier to briefly hold the phone to scan the barcode—while moving the image on the screen—wouldn't be out of line. Still, these are time-consuming steps. If mobile apps become as popular as many predict, these verification tactics could become untenable. Then again, so could the fraud losses.