Aug 31 2005
Home Depot Gift Cards
I read a very interesting article in the 22:2 issue of 2600 written by Glutton that talks about the lousy security on Home Depot gift cards.
I have to say that Glutton makes a pretty astute observation. If you look at the cards, there is no magnetic strip on them. Just a number on the back of the card along with a barcode that corresponds to an entry in the Home Depot database that tracks the gift cards. Since these cards are hung up unactivated (and sometimes even in other stores besides the Home Depots themselves), what is to stop a malicious person from getting a look at a card before it's activated and scanning the barcode with a pocket-size barcode reader? Not much.
Fast forward a few days. After a legitimate customer buys and activates the card, that malicious person has the barcode. Creating and printing a duplicate barcode and taping it to the back of some other Home Depot card is trivial. Then they could use those handy-dandy self-checkout machines and swipe their homemade card for payment. And the poor legitimate customer is none the wiser until they try to use the card and there is nothing left on it. I haven't ever looked at Home Depot's website with regard to the gift cards either. I'm assuming that you could just type in the number on the back into the website for payment? If that's the case, you could still track somebody who's stealing by the shipping address, but it might be hard to prove who the malicious party is.
I hope that Home Depot gets on the ball and changes the way they do things. They could easily plug the vulnerability by not leaving the unactivated gift cards out for the public to grab. Put them behind the counter with the cashier until they're activated. Or better yet, put a magnetic strip on the cards so that somebody would have to do more than just have a pocket barcode scanner to forge them.
As for 2600, I'd like to say that I don't necessarily agree with most of the politics that seem to permeate the magazine. A little too far to the left if you ask me. But it does seem to provide a lot of good technical information, and is a good read for anybody concerned about digital security.