Their Security Holes, Your Money
This column was written by Evan Schuman, the editor of StorefrontBacktalk, a site that tracks retail technology, e-commerce and security issues. Retail Realities appears every Friday. Evan can be reached at E-mail and on Twitter.
In a rush to make mobile gift card rollouts as convenient and low-cost as possible, some major chains-including Target and Starbucks-have allowed security holes that allow any shopper to use the dollars loaded into other shoppers' gift cards. The hole, which StorefrontBacktalk verified by recreating it in a Target store on Wednesday (May 12), involves the cards publicly displaying enough information for someone to create a copy that can trick the POS's barcode scan. In short, they are putting the account numbers (PAN) into the barcodes. Indeed, the barcodes contained little else.
"You never user the PAN on the handset. Never never," said an official with the security company that discovered the hole.
During the last 12 or so months, pressure has sharply increased on the major chains to get in front of the mobile stampede, especially with iPhone mobile apps supporting payment. But scanning codes from mobile phones presents quite a few challenges, including early struggles with light reflecting from the screen interfering with accurate reads.
The rollouts were accelerated with the goal of making the phone applications simple-for the consumers to use, for the stores to support and for the chains to deploy-and keeping costs initially low. After all, no one knew what kind of revenue and profits would actually materialize.
The full technical details of the mobile gift card hole establish how easy the attack is to do at a technical level, but what is far more frightening is how easy the social engineering elements are. In other words, how easy the retailers have made it for the thieves to collect the information to perform their technical magic.
Officials involved have identified quite a few ways to minimize the security risks to consumers, if the retail chains are willing to implement them. Setting aside the dollars, the cost of making these applications slower may negate the perception benefits of making them more secure. It might be cheaper for the chains to reimburse ripped-off customers than to make the system materially safer.
The issue is not merely that the cards and their numbers are so prominently displayed (although that is definitely an issue). It is that the card number-and only the card number-is represented by the barcode. No PIN or other verification is requested when trying to use the card to make purchases, even though such information is demanded by Target's mobile app. Indeed, Target's card uses an adhesive strip to hide the card number and the access code, but, again, the lack of that information doesn't prevent a purchase. The card number represented by the visible image is all that is needed for a transaction approval.
The security problems with the mobile apps are not that different from those experienced with the initial gift cards (the physical magstripe version) and then experienced again when those cards were initially offered and supported on the Web. As IT-consultant- wannabe Yogi Bera would have said, as retail turns to mobile, "it's déjà vu all over again."
Analysts expressed surprise at the lack of security surrounding the gift cards, but expected such matters to quickly be resolved as the mobile space matures.
"This notion of the stored value card being able to convert to a barcode is a snag. Retailers need to figure out an additional layer of authentication," said Forrester Research VP Sucharita Mulpuru. "We don't even know what we don't know. This is one of the many lessons that people are going to have to learn the hard way."
Gartner Security Analyst Avivah Litan expressed similar thoughts. "This can shake up the whole mobile app world. The mobile (gift card) is totally vulnerable and PIN should be added," Litan said. "Security is always an afterthought. It's never baked into the new applications."
Asked why, Litan said that IT security professionals are often seen by senior management and product execs as "naysayers. They stand in the way of everything. (Senior execs) are focused on customer acquisition and revenue, driving new products to market and the security people are basically seen as a pain in the neck."
Quite a few chains are using similar approaches to gift card security so it's certainly the case that Target and Starbucks are not alone. In the Starbucks case, the problem is that their cards-which are prominently displayed for consumers to browse-include the visible numbers associated with each card. With that number, a thief can go to any one of several free Web sites and convert that number to a barcode. That barcode is all that the scan is looking for.
The thief merely waits for the card to be funded by a fellow customer and the thief can then present that barcode to the cashier. To make things look right, the image can be placed within a screen capture of the mobile app's screen, but as long as the barcode is scanned, the transaction will be approved.
At Target, the process is almost as simple, but it requires an additional step. Instead of grabbing the number, the trick at Target is to take a picture of an online barcode, which then needs to be decoded and then encoded into the kind of barcode their system expects. When we tested it Wednesday, the decoding and encoding process took about two minutes at a pair of free Web sites. (Note: During our successful attempt at recreating the gift card bug, we purchased the card we were trying to recreate to avoid doing anything illegal.)
By Evan Schuman
Special to CBSNews.com