Views: 7768 | Replies: 27

Hacking retail gift cards, easy. [Repost, English]

Posted on 2017-9-17 01:26:35
HACKING RETAIL GIFT CARDS REMAINS SCARILY EASY
Hacking retail gift cards: easy indeed.
[Repost, English]

[I dare not post hacking stories carelessly; I waited for the moderator's approval first, and now post the original text for fellow members to share and discuss.]


ANDY GREENBERG, SECURITY, 08.31.17 07:00 AM
Posted on 2017-9-17 05:49:15
Same as a traditional shop: lots of cash is easy to steal.
OP | Posted on 2017-9-17 07:20:49
IN NOVEMBER OF 2015, Will Caput worked for a security firm assigned to a penetration test of a major Mexican restaurant chain, scouring its websites for hackable vulnerabilities. So when 40-year-old Caput took a lunch break, he had beans and guacamole on his mind. He decided to drive to the local branch of the restaurant in Chico, California. While there, still in the mindset of testing the restaurant’s security, he noticed a tray of unactivated gift cards sitting on the counter. So he grabbed them all—the cashier didn’t mind, since customers can load them with a credit card from home via the web—and sat down at a table, examining the stack as he ate his vegetarian burrito.
As he flipped through the gift cards, he noticed a pattern. While the final four digits of the cards seemed to vary randomly, the rest remained constant except one digit that appeared to increase by one with every card he examined, neatly ticking up like a poker straight. By the time he finished his burrito, he had a plan to defraud the system.

The Gift Grift
After years of examining the retail gift card industry following that initial discovery, Caput plans to present his findings at the Toorcon hacker conference this weekend. They include all-too-simple tricks that hackers can use to determine gift card numbers and drain money from them, even before the legitimate holder of the card ever has a chance to use them. While some of those methods have been semipublic for years, and some retailers have fixed their security flaws, a disturbing fraction of targets remain wide open to gift card hacking schemes, Caput says. And as analysis of the recently defunct dark web marketplace AlphaBay shows, actual criminals have made prolific use of those schemes too.
“You’re basically stealing other people’s cash through these cards,” says Caput, who now works as a researcher for the firm Evolve Security. “You take a small sample of gift cards from restaurants, department stores, movie theaters, even airlines, look at the pattern, determine the other cards that have been sold to customers and steal the value on them.”

To pull off the trick, Caput says he has to obtain at least one of the target company’s gift cards. Unactivated cards often sit out for the taking at restaurants and retailers, or he can just buy one. (Not all cards change by a value of one, as that first Mexican restaurant did. But Caput says obtaining two or three cards can help to determine the patterns of those that don't.) Then he simply visits the web page that the store or restaurant uses for checking a card’s value. From there, he runs the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the four random digits at the end of the card’s number, a process that takes about 10 minutes. By repeating the process and incrementing the other, predictable numbers, the site will confirm exactly which cards have how much value. "If you can find just one of their gift cards or vouchers, you can bruteforce the website," he says.
Once a thief has determined those activated, value-holding card numbers, he or she can use them on the retailer’s ecommerce page, or even in person; Caput’s written them to a blank plastic card with a $120 magnetic-strip writing device available on Amazon, and found that most retailers accept his cards without questions. (Caput only asks the store or restaurant to check the card’s balance, rather than spend any money from the cards belonging to actual victims.) "It’s a pretty anonymous attack," Caput says. "I can go in, order food, and walk out. The person’s card says it has $50 on it, and then it’s gone."

Balancing Act
Caput has been warning retailers and restaurants about his scheme since he first discovered it nearly two years ago. Potential targets, including Trader Joe's, Macy's, and Taco Bell, have all responded by either taking down their gift card value-checking web pages and requiring users to check their gift cards by phone or by adding CAPTCHAs to their card value-checking web pages, designed to prevent automated programs from bruteforcing gift card numbers.
But other restaurants, retail outlets, and companies, which Caput declined to name on the record, have either failed to implement security measures against his fraud trick or added a defense that he was able to circumvent. He found that many gift card purveyors now use a CAPTCHA on their card value-checking page that he can strip away simply by disabling JavaScript elements on the page, using the software tool Burp Proxy. That allowed him to carry out the same bruteforce attacks, find the numbers of activated cards, and exploit them just as he had in 2015. Other one-off retailers and regional chains he's tested haven't added CAPTCHAs at all, or use simple incremented numbers on their gift cards that don't even require bruteforcing.
Some retailers' cards use PIN numbers in addition to the number encoded into the card. But that PIN is only required to check the card's balance, not to spend its value, Caput says. And if a hacker really wanted to determine the value of one of those PIN-protected cards, they could bruteforce it with Burp Intruder just as easily as the card's number itself.
Caput points out that even restaurants and retailers that have added robust CAPTCHAs to their gift card value-checking pages can remain vulnerable. If gift cards are left accessible, he can simply grab the entire stack of cards, photograph the back of them, and later place them back in the tray. Then he simply checks on those numbers periodically via the restaurant or retailer's website until the card's been activated. When it is, he can spend whatever money has been added to it.
The vulnerabilities that Caput found aren't merely theoretical. In May security firm Flashpoint released a report in which the company found hundreds of discussions of "cracked" gift cards on criminal web forums, spiking in the summer of 2016 and again in early 2017, compared with virtually none before 2016. Flashpoint analyst Liv Rowley says one vendor on the dark web marketplace AlphaBay alone had made more than $400,000 in sales between November of 2016 and July of this year when AlphaBay was shut down by the FBI, largely by selling stolen gift cards for more than a dozen brands, including stores like OfficeMax and Whole Foods. When Flashpoint talked with one of the affected retailers, the company's researchers determined that the seller was indeed using an automated tool to bruteforce activated gift cards, just as Caput has shown. "A lot of gift cards are numbered sequentially, and it appears he or she was just checking them like that," Rowley says.
All of the gift card security issues Caput highlights have relatively simple fixes: Implement strong CAPTCHAs that bad actors can't circumvent on gift card value-checking sites, don't leave unactivated gift cards up for grabs at store counters, and use scratch-away coverings on cards to prevent them from being photographed and then replaced in stores.
But until retailers and restaurants make those fixes, consumers would be wise to think twice about buying gift cards that could potentially have their value siphoned away by hackers. Before you pick up that unguarded card from a retail counter, perhaps consider who might have picked one up first—and who else might know that slice of plastic's secrets.
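A defender-side check that the article's closing advice implies but does not show: the added example below (not from the article, from Caput, or from any retailer) scans constructed balance-check access logs for the enumeration pattern described above, one client sweeping the four trailing digits of a single card-number stem with mostly failed lookups. The log format, thresholds, IP addresses and card numbers are all assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (assumed format): <ISO-8601 ts> <client_ip> <16-digit card> <result>
# 203.0.113.7 walks the 4-digit suffix of one 12-digit stem, as in the article;
# 198.51.100.4 is an ordinary customer re-checking a single card.
SAMPLE_LOG = """\
2017-09-17T10:00:00 203.0.113.7 6001234567890000 INVALID
2017-09-17T10:00:01 203.0.113.7 6001234567890001 INVALID
2017-09-17T10:00:01 203.0.113.7 6001234567890002 INVALID
2017-09-17T10:00:02 203.0.113.7 6001234567890003 INVALID
2017-09-17T10:00:02 203.0.113.7 6001234567890004 ACTIVE
2017-09-17T10:01:30 198.51.100.4 6001234567891234 ACTIVE
2017-09-17T10:02:10 198.51.100.4 6001234567891234 ACTIVE
"""

WINDOW = timedelta(minutes=10)  # article: roughly 10 minutes per 10,000-guess sweep
MIN_DISTINCT = 5                # distinct card numbers per client within one window
MAX_FAIL_RATIO = 0.5            # share of non-ACTIVE lookups that suggests guessing

def parse_log(text):
    """Parse log lines into time-sorted (timestamp, ip, card, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, card, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, card, result))
    return sorted(events)

def enumeration_alerts(events, window=WINDOW, min_distinct=MIN_DISTINCT,
                       max_fail=MAX_FAIL_RATIO):
    """Flag clients that query >= min_distinct cards in one window and either
    mostly fail or vary only the last four digits. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            span = evs[start:end + 1]
            cards = {card for _, _, card, _ in span}
            if len(cards) < min_distinct:
                continue
            fail_ratio = sum(r != "ACTIVE" for *_, r in span) / len(span)
            shared_stem = len({c[:-4] for c in cards}) == 1  # only last 4 digits vary
            if fail_ratio >= max_fail or shared_stem:
                alerts[ip] = {"distinct_cards": len(cards), "fail_ratio": round(fail_ratio, 2), "shared_stem": shared_stem}
                break  # report the first window that crossed the threshold
    return alerts
```

The same rule applied to a legitimate customer checking several unrelated, active cards produces no alert, which is the false-positive case a balance-check rate limit should also tolerate.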
OP | Posted on 2017-9-17 07:22:50
This post was last edited by jgyjgw on 2017-9-17 07:23

A series of gift cards Caput took from one retailer show how their numbers increment by one, making them predictable after a hacker bruteforces the four random final numbers. WILLIAM CAPUT
Posted on 2017-9-17 08:27:08
Hacking retail gift cards really is easy.
Posted on 2017-9-17 08:41:48
Very good info.
Posted on 2017-9-17 09:12:00
The loophole seems to be on the card number and PIN. Up to the IT people to fix it.
Posted on 2017-9-17 10:34:22
Thank you for the information
Posted on 2017-9-17 21:51:25
Where virtue climbs a foot, vice climbs ten.
Posted on 2017-9-17 22:24:09
Where virtue climbs a foot, vice climbs ten.
Posted on 2017-9-18 01:10:59
With computer systems, one careless design decision and things go wrong.
Posted on 2017-9-18 09:50:42
I considered this for some time before deciding to keep this post. There are several reasons.
1. The biggest consideration: whether it would constitute us committing the offence of aiding and abetting others in crime.
2. For those of us in the industry, does it make some contribution to making the systems we manage more secure?
3. What good or bad effects does it have on the wider readership?

In the end I decided to keep it, with minor modifications.
Posted on 2017-9-18 09:55:06
As for the modifications, the links were removed: 1. so that readers cannot go to that site and then follow links onward to others; 2. this also fits one of this board's principles.

The post is kept so that everyone knows the whole story.
Posted on 2017-9-18 10:01:50
While considering this, 毛毛's reply in post #2 gave me an insight:
those gift cards sitting on the counter are like someone leaving a stack of cash there;
it does not mean you can just reach out and take it. Even cash dropped on the ground cannot be picked up without reporting it!

But whether there is criminal intent is just in the mind of the person who sees the banknotes.
Posted on 2017-9-18 14:15:47
Actually, how many locks to put on the money depends on how useful it is.
In the old days at Chuen Lung yum cha, it was so self-service that you could tally your own bill and leave the money.

In Australia, after incidents, to avoid the hassle, most card issuers just absorbed the loss.
Besides, a gift card has to be spent at the shop, so it easily leaves a trail.
Posted on 2017-9-18 14:19:47
Quoting 馬後砲, posted on 2017-9-18 09:50:
I considered this for some time before deciding to keep this post. There are several reasons.
1. The biggest consideration: whether it would constitute us committing the offence of aiding and abet ...

IT is not as united as the accounting profession; actually these systems should require someone to audit and sign off,
and then everyone would make a bit more.
Posted on 2017-9-18 20:10:53
If something is illegal, don't do it even if it's easy!
OP | Posted on 2017-9-19 11:28:55
This post was last edited by jgyjgw on 2017-9-19 11:31
Quoting 馬後砲, posted on 2017-9-18 09:50:
2. For those of us in the industry, does it make some contribution to making the systems we manage more secure? ...

We in the industry must keep a constant watch on the hackers' methods and which vulnerabilities they use.
The lesson: take all of Microsoft's products, for example. Terrible in the extreme, with so many holes that plugging and patching them has been big business for decades, a whole industry. Look at ransomware: still nothing to this day.

On the other hand, iOS and Android today are not free of vulnerabilities, but compared with Microsoft's products they are not as bad.
Posted on 2017-9-20 08:12:31
This post was last edited by HKOXSEX on 2017-9-20 08:16
Quoting 馬後砲, posted on 2017-9-18 09:50:
I considered this for some time before deciding to keep this post. There are several reasons.
1. The biggest consideration: whether it would constitute us committing the offence of aiding and abet ...

Board 4,
so many private folder shares of cracked software.
Those are the truly high-risk group.
Board 4 even promotes that kind of post.

波仔 should manage it.
Posted on 2017-9-20 11:34:22 from mobile
Quoting HKOXSEX, posted on 2017-9-20 08:12:
Board 4,
so many private folder shares of cracked software.
Those are the truly high-risk group.

That section is managed by 大旧; it's not mine to deal with!
Even if 大旧 gives me face, his section is a different section from mine. I have no reason to go over to his board and mess about!