The vulnerabilities that Caput found aren't merely theoretical. When it is, he can spend whatever money has been added to it. Then he simply checks on those numbers periodically via the restaurant or retailer's website until the card's been activated. If gift cards are left accessible, he can simply grab the entire stack of cards, photograph the back of them, and later place them back in the tray. The person’s card says it has $50 on it, and then it’s gone.' -Security Researcher Will CaputĬaput points out that even restaurants and retailers that have added robust CAPTCHAs to their gift card value-checking pages can remain vulnerable. And if a hacker really wanted to determine the value of one of those PIN-protected cards, they could bruteforce it with Burp Intruder just as easily as the card's number itself. But that PIN is only required to check the card's balance, not to spend its value, Caput says.
Some retailers' cards use PIN numbers in addition to the number encoded into the card. Other one-off retailers and regional chains he's tested haven't added CAPTCHAs at all, or use simple incremented numbers on their gift cards that don't even require bruteforcing. That allowed him to carry out the same bruteforce attacks, find the numbers of activated cards, and exploit them just as he had in 2015.
#Otc smart card hack software#
He found that many gift card purveyors now use a CAPTCHA on their card value-checking page that he can strip away simply by disabling javascript elements on the page, using the software tool Burp Proxy. By the time he finished his burrito, he had a plan to defraud the system.īut other restaurants, retail outlets, and companies, which Caput declined to name on the record, have either failed to implement security measures against his fraud trick or added a defense that he was able to circumvent.
While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. So he grabbed them all-the cashier didn’t mind, since customers can load them with a credit card from home via the web-and sat down at a table, examining the stack as he ate his vegetarian burrito.Īs he flipped through the gift cards, he noticed a pattern. While there, still in the mindset of testing the restaurant’s security, he noticed a tray of unactivated gift cards sitting on the counter. He decided to drive to the local branch of the restaurant in Chico, California. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind. In November of 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities.
0 kommentar(er)
