
Melbourne Developer Exposes Gift Card Security Flaw

Summary

– A vulnerability on The Card Network’s website allows gift card PINs to be easily guessed by brute force, as there is no limit on PIN entry attempts.
– Melbourne developer Simon Dean discovered the flaw after purchasing two compromised $500 gift cards from Woolworths, which were redeemed by thieves shortly after activation.
– Dean used a Python script to recover a fresh card’s PIN within minutes, showing that the PIN could be obtained without ever reading it off the card.
– TCN/Incomm, the card issuer, resolved Dean’s case and reimbursed him but declined to disclose details about the vulnerability or any fixes implemented.
– The company stated that investigating gift card misuse is challenging due to the lack of registered users, making verification processes more complex.

A significant security flaw in gift cards sold at major Australian retailers has been uncovered, allowing thieves to guess PINs and drain funds without physical access to the card. The issue centers on unprotected API endpoints that do not limit PIN-validation attempts, so an attacker who knows a card number can simply try all 10,000 four-digit combinations until one is accepted.

Melbourne-based developer Simon Dean first encountered the problem after purchasing two $500 gift cards from Woolworths. He intended to use them for a laptop purchase at JB Hi-Fi but discovered the final four digits on both cards had been scratched away. Suspecting foul play, Dean contacted the store and was referred to the card supplier, The Card Network (TCN). To his surprise, TCN informed him that one card had already been activated just hours after his purchase, even though the protective film covering the PIN remained unbroken. In other words, whoever redeemed the card had never seen the printed PIN.

Driven by curiosity and concern, Dean examined TCN’s website and identified multiple unsecured API endpoints. Using a new $20 TCN gift card for testing, he wrote a Python script to brute-force the 10,000 possible PIN combinations. With no rate limiting in place, the correct code was identified in under five minutes; 10,000 requests in five minutes is only about 33 requests per second, a rate that even a modest per-card attempt limit would have stopped. Dean confirmed the result by scratching off the film himself, verifying that the script had accurately guessed the PIN.
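To make the failure mode concrete, the following is an added example written for this page; it is not Dean’s script and not TCN’s code, and it contacts no real endpoint. `GiftCardService` is a constructed in-memory stand-in for an issuer’s PIN-check API with a configurable attempt limit (`lock_after=None` reproduces the unlimited-attempts behaviour described above), and `brute_force` is the enumeration an attacker would run against it. The card number and PINs are made up.

```python
import hmac
import secrets

PIN_SPACE = 10_000  # four decimal digits: 0000..9999


class GiftCardService:
    """Constructed stand-in for a card issuer's PIN-validation endpoint.

    lock_after=None  -> no attempt limit (the vulnerable configuration)
    lock_after=N     -> card is locked after N consecutive wrong PINs
    """

    def __init__(self, lock_after=None):
        self.lock_after = lock_after
        self._pins = {}        # card_number -> pin
        self._failures = {}    # card_number -> consecutive wrong guesses
        self._locked = set()
        self.requests = 0      # total calls seen, to show attacker cost

    def issue(self, card_number, pin=None):
        """Register a card; PIN is random unless one is supplied for testing."""
        if pin is None:
            pin = f"{secrets.randbelow(PIN_SPACE):04d}"
        self._pins[card_number] = pin
        self._failures.pop(card_number, None)
        self._locked.discard(card_number)
        return pin

    def check_pin(self, card_number, pin):
        """Return 'ok', 'invalid' or 'locked'.

        Unknown cards and wrong PINs both return 'invalid' so the endpoint
        does not leak which card numbers exist.
        """
        self.requests += 1
        if card_number in self._locked:
            return "locked"
        expected = self._pins.get(card_number)
        if expected is not None and hmac.compare_digest(expected, pin):
            self._failures.pop(card_number, None)
            return "ok"
        n = self._failures.get(card_number, 0) + 1
        self._failures[card_number] = n
        if self.lock_after is not None and n >= self.lock_after:
            self._locked.add(card_number)
            return "locked"
        return "invalid"


def brute_force(service, card_number):
    """Enumerate every four-digit PIN in order until the service accepts one.

    Returns (pin, attempts) on success, (None, attempts) if the card locks
    or the space is exhausted.
    """
    for guess in range(PIN_SPACE):
        pin = f"{guess:04d}"
        result = service.check_pin(card_number, pin)
        if result == "ok":
            return pin, guess + 1
        if result == "locked":
            return None, guess + 1
    return None, PIN_SPACE


if __name__ == "__main__":
    card = "6000123412341234"  # made-up card number

    vulnerable = GiftCardService(lock_after=None)
    vulnerable.issue(card, pin="7391")
    print("no limit:", brute_force(vulnerable, card))      # ('7391', 7392)

    hardened = GiftCardService(lock_after=5)
    hardened.issue(card, pin="7391")
    print("lock after 5:", brute_force(hardened, card))    # (None, 5)
```

Against the unlimited service the loop always succeeds, on average after about 5,000 requests. The attempt limit turns the same loop into a five-request failure, but it is not free of trade-offs: a per-card lockout lets anyone who knows a card number lock the legitimate holder out, so real issuers usually pair it with a short unlock delay and an out-of-band reset, and per-IP throttling on its own is not enough because attackers rotate source addresses.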

A computer science graduate, Dean utilized AI coding assistants to streamline the scripting process but emphasized that the underlying vulnerability was shockingly simple to exploit. He reported the issue to TCN, though the response was slow and offered no bug bounty or reward. After sharing his experience in a YouTube video, TCN eventually reimbursed the $500 taken from one of his cards, but only after more than a month of waiting.

Dean also assisted another affected individual in recovering their funds by reaching out to TCN’s general manager directly. Still, the company has not communicated any plans to address the vulnerability. Commenters on his video suggested that contacting the gift card department of the original retailer often leads to quicker resolutions in such cases.

When approached for comment, a spokesperson for Incomm, TCN’s parent company, acknowledged Dean’s case but declined to discuss specifics, citing privacy and policy restrictions. The spokesperson stated that the matter had been “resolved” and that the company employs various security tools to monitor suspicious activity. However, they emphasized that gift cards lack registered users, complicating fraud investigations.

Following media inquiries, a banner appeared on TCN’s website announcing the temporary suspension of a feature allowing physical cards to be swapped for online use. Incomm did not confirm whether other customers had reported similar incidents, nor did it elaborate on the security measures in place, arguing that disclosing such details could aid criminals.

This incident highlights broader concerns around gift card security and the ease with which determined attackers can bypass inadequate protections. Consumers are advised to use gift cards promptly and monitor balances closely, as delays in reporting issues can make recovering lost funds more difficult.

(Source: ITNews)
