Melbourne Developer Uncovers Flaw Enabling Gift Card PINs to Be Breached





Melbourne Developer Reveals Gift Card Security Vulnerability

Quick Overview

  • Melbourne developer Simon Dean found a weakness that lets anyone holding a card number brute-force the card's four-digit PIN.
  • The Card Network (TCN) website exposed unprotected API endpoints used to verify gift card PINs.
  • Dean used a Python script to try every PIN; the endpoint imposed no limit on attempts.
  • Although Dean received a refund, TCN offered no bug bounty and no follow-up fix.
  • Incomm, TCN's parent company, acknowledged the issue but shared few details.

The Revelation of a Significant Weakness

Gift cards sold in Australian supermarkets carry a serious security weakness, as revealed by Melbourne developer Simon Dean. The flaw sits on the gift card issuer's website: its PIN check accepts unlimited guesses, so anyone who knows a card number can recover the PIN and spend the card's balance.

Identifying the Problem

Dean bought two $500 gift cards intending to purchase a laptop at JB Hi-Fi. When he went to use them, he found that the last four digits of each card number had been scratched off while the PIN covers were still intact. That combination prompted him to dig deeper.


Demonstrating the Vulnerability

Looking at how the website checked card balances, Dean found several unprotected API endpoints on the card issuer's site. A four-digit PIN has only 10,000 possible values (0000 to 9999), and the endpoint neither locked the card nor slowed down after repeated wrong guesses. Using a short Python script, Dean submitted every candidate PIN in turn and recovered the correct one within minutes.
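The following is an added illustration, not Dean's script or any code from TCN. It simulates the two behaviours the article contrasts: a PIN-check service with no attempt limit, which an exhaustive 10,000-guess loop always defeats, and the same service with a per-card lockout, which stops the loop after a handful of failures. The service classes, card identifier and PIN are constructed for the demonstration and do not correspond to any real endpoint.

```python
"""Simulated gift card PIN check: unthrottled vs. lockout-protected.

Constructed example. The classes below stand in for an HTTP API; no real
endpoint is called. Card identifiers and PINs are made up.
"""
import hmac
from dataclasses import dataclass, field

# Every possible four-digit PIN, zero-padded: "0000" .. "9999" (10,000 values).
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]


@dataclass
class UnthrottledPinService:
    """Hypothetical PIN verifier with no attempt limit (the weak design)."""
    pins: dict              # card_id -> correct PIN (server-side secret)
    attempts: int = 0       # total guesses the server has evaluated

    def check_pin(self, card_id: str, pin: str) -> bool:
        self.attempts += 1
        expected = self.pins.get(card_id)
        # compare_digest avoids timing leaks; it does nothing about guess volume.
        return expected is not None and hmac.compare_digest(expected, pin)


@dataclass
class LockoutPinService(UnthrottledPinService):
    """Same verifier, but each card locks after max_failures wrong guesses."""
    max_failures: int = 5
    failures: dict = field(default_factory=dict)  # card_id -> consecutive failures

    def check_pin(self, card_id: str, pin: str) -> bool:
        if self.failures.get(card_id, 0) >= self.max_failures:
            # Locked: fail closed without evaluating the guess, so the
            # attacker learns nothing further about this card.
            return False
        ok = super().check_pin(card_id, pin)
        if ok:
            self.failures[card_id] = 0
        else:
            self.failures[card_id] = self.failures.get(card_id, 0) + 1
        return ok


def brute_force(service, card_id: str):
    """Try every four-digit PIN against the service; return the first accepted one.

    Against UnthrottledPinService this always succeeds within 10,000 calls.
    Against LockoutPinService it fails unless the PIN is among the first
    max_failures guesses (a max_failures/10,000 chance per card).
    """
    for guess in PIN_SPACE:
        if service.check_pin(card_id, guess):
            return guess
    return None


if __name__ == "__main__":
    card, pin = "TEST-CARD-0001", "4821"  # constructed values

    weak = UnthrottledPinService(pins={card: pin})
    print("unthrottled:", brute_force(weak, card), "after", weak.attempts, "guesses")

    hardened = LockoutPinService(pins={card: pin}, max_failures=5)
    print("with lockout:", brute_force(hardened, card),
          "after", hardened.attempts, "guesses evaluated")
```

The lockout here is the simplest possible control. In practice the same check would also be rate-limited per source address and per card, and would be tied to the card number being hard to enumerate, since a lockout on one card does nothing against an attacker who tries a fixed common PIN across many card numbers.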

Feedback from The Card Network

Dean reported the flaw to The Card Network (TCN) and found the process slow and frustrating. After he published a YouTube video describing his experience, TCN refunded the $500 that had been drained from one card. It did not, however, offer a bug bounty or describe any plan to fix the underlying weakness.

Official Statement from TCN-Incomm

Incomm, TCN's parent company, confirmed the vulnerability but offered few specifics. It said that various security tools are used to monitor for suspicious activity, without saying which, and noted that the anonymous nature of gift cards makes it hard to verify when a card has been misused.

Conclusion

The findings by Simon Dean underscore a serious security concern regarding gift cards in Australia, especially those issued by The Card Network. Despite pinpointing the flaw, the reaction from TCN and Incomm has been limited, leaving the solution to the issue unclear. Consumers are urged to exercise caution and report any problems immediately.

Q: What vulnerability did Simon Dean uncover?

A: Dean identified that unprotected API endpoints on TCN’s website allowed unrestricted brute-force attempts to guess gift card PINs.

Q: How did Dean confirm his findings?

A: Dean utilized a Python script to brute-force the PINs and verified the correct one by checking against the physical card.

Q: What did TCN do in response to the vulnerability?

A: TCN reimbursed Dean but did not provide a bug bounty or a comprehensive plan to address the vulnerability.

Q: How long did it take Dean to crack the PINs?

A: Dean managed to write the script and crack the PINs in under 15 minutes.

Q: What guidance is offered to consumers facing similar issues?

A: Consumers are advised to reach out to the gift card department at the point of purchase for rapid resolution of any issues.

Q: What security measures does TCN claim to have implemented?

A: TCN claims to implement various security tools and technologies to track suspicious activity, although they do not specify which measures.

Posted by David Leane

David Leane is a Sydney-based Editor and audio engineer.
