Hacking Gift Cards: Part 2
Ways to safeguard against gift card exploitable vulnerabilities
In my previous blog, Hacking Gift Cards, I outlined how you can get free food by enumerating valid gift cards with Burp Intruder. This blog continues that narrative, but adds in other types of cards and attack vectors. In addition, I’ll illustrate some problems with gift card balance checking, and how gift cards can be easily enumerated without the card holder’s knowledge or permission. In some cases, the security surrounding a gift card is so bad you don’t even need to use Burp Intruder.
Prerequisites:
Burp Suite Professional: https://portswigger.net/burp/
In Hacking Gift Cards Part 1, I discussed six gift cards that had a discernible pattern. Identifying the pattern allowed us to find values on cards that were already sold and had value. In searching for more targets, I found some additional attack vectors against gift cards. To test these vulnerabilities, I went to several restaurants, coffee shops, and merchants throughout my local community and collected unloaded gift cards. These cards were available at the register and acquired without any cost. About half of the gift cards I collected were not secure, and therefore perfect targets.
Hacking Gift Cards
As you can see in Figure 1, some of the cards I collected have a discernible pattern.
Figure 1
Looking at the numbers above, you can determine the possible valid numbers by recognizing the pattern. The cards all share the same first 12 digits. The last four digits are randomized between 0001 and 9999. Now that we have a discernible pattern, we can go online to check the card balance. The website is always printed on the back of the card, or you can visit the store's online site and look for “check gift card balance.”
Figure 2
In Figure 2, we see that the website for these cards also requires a registration code to access the balance. The registration code on these cards is located on the back, next to the card number in Figure 1. This is a slight roadblock, but nothing we can’t handle.
Before getting too discouraged, let’s first see whether invalid and valid cards are processed differently by the system. Below, in Figure 3, we receive the following error message:
Figure 3
Bingo! The error message lets us test different card numbers and distinguish an invalid card from a valid one. Now that we have a way to tell valid cards from invalid cards, we can use Burp Intruder to find which card numbers are valid. With only 9999 attempts, we will know all the cards that have a potential dollar value based upon the server response.
We open Burp and load the POST request into Intruder. We add our markers at the position of the last four digits of the card, highlighted in Figure 4 below.
Figure 4
Our payload set in Burp Intruder is identical to the one in my last blog: numbers incrementing from 0001 to 9999, demonstrated below in Figure 5.
Figure 5
Unlike in my previous blog, we know what a valid loaded card response looks like on the website. So we can start the attack, shown in Figure 6, and enumerate based upon the invalid response.
Figure 6
After we run the attack, we sort the responses that have a check mark in Figure 7, to give us all the cards that require a registration code.
Figure 7
Since we don’t have the actual registration code, we cannot find the value of the card. But that doesn’t stop us from making cards with the valid numbers and seeing if they work at the actual store.
Using our magstripe writer in Figure 8, we can read an unloaded card and see the values on each track. For this example, we have the card number, the name of the vendor, and a four-digit number. The vendor and four-digit number were the same on all the cards from this vendor, leading me to believe they were tied to a location.
Figure 8
Through MagCard, we can write the valid card numbers to blank cards and see which ones have value by attempting to make a purchase at a store.
Hacking Other Company Gift Cards
Working here at Solutionary, we’ve seen how companies struggle to secure their gift cards. My example in this blog is just one company. From the gift cards I collected, I also saw a couple of identifying factors that could be used to hack other cards. In Figure 9 below, the store we grabbed these gift cards from increments their card numbers by one.
Figure 9
With this easy pattern, we can write cards with decreasing numbers, which were most likely purchased prior to these unloaded cards. Example:
1000000084
1000000083
……
Figure 10 below is another example. This arcade game facility created player cards that increment by one as well.
Figure 10
As this blog has demonstrated, there are still problems with the way gift cards are sold to customers. Patterns are easily identifiable on the cards, leading to enumeration. Cards are physically available to customers without purchasing them. Limited or no safeguards are in place to prevent theft of money loaded onto the cards.
Ways to safeguard against these weaknesses:
As described in my previous blog, Solutionary has pioneered some safeguards to curtail the theft of loaded gift cards. While our clients are ahead of the curve, many others are still vulnerable. As with most things security-related, a weakness has to be demonstrated before a fix is implemented.
Ways to safeguard:
- Implement a CAPTCHA on your gift card balance checking site
- Use gift cards that have a random four-digit PIN in addition to the 16-digit card number
- Do not increment gift cards by values of one
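As an added illustration of these three safeguards (example code, not from the original post or any vendor's system): the balance-check handler in the weak form the post describes, beside a hardened form that requires the PIN, returns one uniform failure message and limits attempts per client, plus an issuance routine that avoids sequential numbers. The card records, issuer prefix and attempt limit are constructed sample values.

```python
import hmac
import secrets
from collections import defaultdict

# Constructed sample card store: number -> (PIN, balance). Not real card data.
CARDS = {
    "6006492000000123": ("4821", 25.00),
    "6006492000000124": ("9034", 0.00),
}
MAX_ATTEMPTS = 5  # lookups allowed per client before lockout (assumed policy)
_attempts = defaultdict(int)

def weak_balance_check(card_number):
    """Weak design from the post: no PIN, and the error text reveals whether
    a card number exists, which is exactly the enumeration oracle described."""
    if card_number not in CARDS:
        return "Invalid card number"
    return "Balance: ${:.2f}".format(CARDS[card_number][1])

def hardened_balance_check(card_number, pin, client_id):
    """Hardened design: require the random PIN, compare it in constant time,
    limit attempts per client, and return one uniform failure message so
    valid and invalid card numbers are indistinguishable to the caller."""
    _attempts[client_id] += 1
    if _attempts[client_id] > MAX_ATTEMPTS:
        return "Too many attempts; please try again later"
    record = CARDS.get(card_number)
    # Always run the comparison so timing does not differ for unknown cards.
    expected = record[0] if record else "0000"
    ok = hmac.compare_digest(expected, pin) and record is not None
    if not ok:
        return "Card number or PIN not recognized"
    return "Balance: ${:.2f}".format(record[1])

def issue_card(prefix="600649"):
    """Issue a card that does not follow an incrementing pattern: a fixed
    issuer prefix followed by 10 cryptographically random digits, plus a
    random four-digit PIN."""
    number = prefix + "".join(str(secrets.randbelow(10)) for _ in range(10))
    pin = "{:04d}".format(secrets.randbelow(10000))
    return number, pin
```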
Hey guys, if you like my blogs, have any questions, or any suggestions, please feel free to let me know. Thanks, and remember to never stop being curious and question everything and everyone!!