How Attackers Cash Out on Stolen Gift Cards

Key Findings

• A gift card supplier was vulnerable to a brute force attack, which allows an attacker to steal legitimate users’ gift cards across dozens of popular retailers, including Pizza Nova
• We found gift cards across all affected retailers on sale for a fraction of their worth — usually a sign the gift cards are stolen.
• Norton Labs disclosed its findings to all affected parties to help protect consumers.

Gift cards can feel like money in your pocket — or, occasionally, someone else’s pocket. That's because gift-card scams are widespread, and there are a variety of ways to get bilked.

Here's what happened to a NortonLifeLock engineer who discovered his gift cards were worth $0. His discovery set in motion a Norton Labs investigation. Its findings can help consumers understand how this gift-card scam works and how to protect against becoming the victim of a similar scam.

Here’s the story, as told by the Norton Labs team.

Discovery: These are signs of stolen gift cards

A Norton Labs engineer noticed that gift cards he had bought at Costco were showing a $0 balance after purchase, despite not having used them.

After some quick web searching, we found that gift cards for Pizza Nova and many other brands were being sold on some online websites for as much as 85% off, a clear sign of illegal sale.

In addition, the values of the gift cards were not round numbers. For example, we found one with a balance of $6.25, which is typical of gift cards that have previously been used.

We’ve included an example of such a retailer below.

The evidence pointed to attackers stealing gift card numbers then reselling them to make a quick profit.

Investigation: How we uncovered weak security

When we investigated, we found that many of the affected gift cards appeared to come from GiveX, a  gift card supplier.

We suspected that attackers might be using a website designed to check gift card balances to verify and steal gift card numbers.

We’ve included an example of this website below.

As you can see, the website asks for two pieces of information: the gift card number and the gift card PIN.

We bought a few gift cards to better understand the structure of this data.

Below is a Pizza Nova gift card that we purchased. The gift card number is a 19-digit number, while the PIN is a 4-digit number, which is often hidden before purchase. This appears to be quite a secure system.

Here’s the problem: The gift card number is not random, but actually has a discoverable structure, making it easy to guess.

All gift cards for the same brand — in this case Pizza Nova— start with the same prefix. In our example, it’s 6035710419344. That means only 6 digits of the gift card actually change between gift cards.

An attacker may therefore use the gift card balance portal to check whether a gift card number is valid by entering a random gift card number and PIN and solving the CAPTCHA.

In this case, the search space is only 1010, with many possible solutions. This is a small search space for any modern computer. In addition, this page uses an older, unsecure version of CAPTCHA, which can be solved by simple off-the-shelf tools.

To test this theory, we wrote a simple program to try random gift card numbers for Pizza Nova, coupled with a deep learning model to solve this version of the CAPTCHA (97.66% accuracy). We found the website uses a weak form of rate-limiting based on IP address, but this was easily circumvented using the Tor anonymization network.

Using this method, we were able to find numerous active Pizza Nova gift cards with a non-zero balance that an attacker might steal and resell.

It Gets Worse: Scamming at the Retail Level

In addition, we found that attackers might perform some legwork to make this attack more effective. Here's how.

Since gift cards are displayed in many stores, attackers may be capturing gift card numbers, which are about to be sold (see below). In that case, an attacker only needs to guess the PIN using the website mentioned above.

Additionally, we found that card numbers are consecutive in stores, so an attacker can guess, based on the card numbers available on the shelf, which card numbers have recently been sold.

Remediation: Help for gift-card websites

To fix these problems, we suggested the following steps to the affected parties:

1. Implement stronger rate-limiting on the balance-checking portal website (for example, ban Tor exit nodes) and use a stronger CAPTCHA.
2. Have longer PIN numbers (6+ digits).
3. Increase the length of the gift card number.
4. Require login before checking the balance.
5. Make sure stores do not carry continuous card numbers.

What can you do to protect against this gift card scam?

If you’re reading this and are worried about your own gift cards, here’s what we would recommend:

• When possible, purchase gift cards that are not preactivated "the time of purchase." 
• Make sure you check the gift card balance when you get home.
• Last, it’s better when gift cards have longer PINs, so look for those extra digits when purchasing.

Innovations from Norton Labs are for research, evaluation, and consumer feedback purposes. NortonLifeLock does not give any warranties as to the suitability or usability of these prototypes and recommends safeguarding data and reviewing all terms and conditions before use.

Copyright © 2021 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries.