Melbourne dev finds gift card PINs can be brute-forced


Cards sold at supermarkets open to redemption robbery.

Gift cards sold in Australian supermarkets can have their PINs easily guessed, thanks to a vulnerability on the issuer's website, opening them up to redemption by thieves who only need to know the card number to access the stored funds.


The vulnerability was discovered by Melbourne developer Simon Dean, who bought two gift cards worth $500 each, intending to use them to purchase a laptop at JB Hi-Fi.

After buying the cards, Dean ran into trouble redeeming them, as the last four digits had been scratched off each card.

Speaking to iTnews, Dean said he wasn't sure why the last four digits were missing.

"The missing digits were definitely strange, I can speculate that the [someone] did this to slow me down in being able to use the card, this would allow them more time to crack the PIN," Dean said.

Dean sought assistance from the Woolworths location where he bought the cards, but was directed to the card supplier, The Card Network (TCN).

"When I called The Card Network, they informed me over the phone that [one] card had been activated, [and] they said it occurred within an hour or two of me purchasing the cards," Dean said.

This occurred despite the film covering the card's PIN being intact and not scraped off.

Surprised by TCN's response, Dean investigated the card issuer's website further and found multiple unprotected API endpoints.

Armed with a fresh TCN gift card that had $20 stored on it, Dean used a Python script to brute-force guess the 10,000 possible four-digit PIN values.

As the TCN website did not limit the number of PIN attempts, Dean was able to work out the correct combination of digits, which he verified by scraping off the film covering the four digits on the card.
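The control missing from the redemption endpoint is a per-card attempt limit. As an added example (not TCN's code; the lockout policy, card number and PIN are assumed values), this toy Python verifier locks a card after a handful of wrong PINs and quantifies what that does to a 10,000-value search:

```python
"""Toy gift-card PIN verifier with per-card lockout (constructed example)."""
import hmac
import math
import time
from dataclasses import dataclass

PIN_SPACE = 10_000            # four-digit PIN: 0000 to 9999
MAX_FAILED_ATTEMPTS = 5       # assumed policy: lock the card after 5 wrong PINs
LOCKOUT_SECONDS = 15 * 60     # assumed policy: a lock lasts 15 minutes


@dataclass
class CardRecord:
    pin: str
    balance_cents: int
    failed_attempts: int = 0
    locked_until: float = 0.0


class GiftCardStore:
    """Server-side store keyed by card number; the clock is injectable for tests."""

    def __init__(self, clock=time.time):
        self.cards = {}
        self.clock = clock

    def add_card(self, number: str, pin: str, balance_cents: int) -> None:
        self.cards[number] = CardRecord(pin, balance_cents)

    def verify_pin(self, number: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never reveals whether the card exists."""
        card = self.cards.get(number)
        now = self.clock()
        if card is None:
            return "denied"
        if now < card.locked_until:
            return "locked"               # no guess is evaluated while locked
        if hmac.compare_digest(card.pin, pin):   # constant-time comparison
            card.failed_attempts = 0
            return "ok"
        card.failed_attempts += 1
        if card.failed_attempts >= MAX_FAILED_ATTEMPTS:
            card.failed_attempts = 0
            card.locked_until = now + LOCKOUT_SECONDS
            # A lockout is rare for a genuine cardholder, so log it for SOC review.
            return "locked"
        return "denied"


def worst_case_hours_to_exhaust() -> float:
    """Rough hours an exhaustive search needs: lockout windows x lock length."""
    windows = math.ceil(PIN_SPACE / MAX_FAILED_ATTEMPTS)
    return windows * LOCKOUT_SECONDS / 3600
```

With no limit, 10,000 guesses take minutes; under this policy the same search needs about 500 hours of lockout windows and leaves 2,000 lockout events in the logs.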

"It took me under 15 minutes to both write the script and then crack the PIN. I'm going to say 10 minutes of that was the script itself and five minutes was spent doing the cracking," Dean said.

Dean, a computer science graduate, used AI coding assistants to write most of the code, but went in already knowing the general structure the Python script would need.

Dean reported the vulnerability to TCN, which turned out to be a lengthy and cumbersome process.

After publishing a YouTube video explaining what had happened, Dean heard from the company, which reimbursed him the $500 taken from one of the cards he bought.

He had to wait for over a month, and TCN offered no reward or bug bounty for finding the vulnerability.

Dean said he helped another person to get their money back by contacting the general manager of TCN, but has not heard back from the company with what it proposes to do to fix the vulnerability.

For others who have experienced similar card redemption issues, Dean said commenters on his YouTube video suggested it is better to contact the gift card department of the place of purchase, which deals with such problems quickly.

Woolworths has been contacted by iTnews for comment on the incident.

The Card Network-Incomm responds

A spokesperson for TCN's parent company Incomm confirmed Dean's case, but declined to provide any further details on the vulnerability.

"We do not comment on individual cases due to privacy and policy restrictions, but we can share that our team has been in contact with Mr Dean regarding his issue," the spokesperson said.

"We have resolved both his case and the concerns he raised after fully investigating the issue," the spokesperson added.

After iTnews contacted TCN/Incomm for comment on Dean's case, a banner appeared on the company's website: "Please note: the option to swap your physical card for online use is currently unavailable. We expect this feature to be back online within the next 24 to 48 hours. Thanks so much for your patience!"

Incomm declined to say if it had received further reports of cards being redeemed illicitly.

Asked what countermeasures the company had taken to prevent further such fraud attempts, the spokesperson said TCN/Incomm uses a range of security tools and technologies to monitor suspicious activity across the life cycle of a gift card, from activation to redemption.

"We do not publicise specifics of how we deploy security measures in order to prevent criminals from understanding and abusing these protections, which would create additional risk for our customers and partners," the spokesperson said.

Investigating misuse is more difficult with gift cards, TCN/Incomm said.

"While we work to investigate potential issues as quickly as possible, it is important to keep in mind that gift cards do not have a registered user whose identity we can instantly verify," the spokesperson said.

"This makes the verification process more involved when a consumer reports an issue, as is standard across the industry."

Copyright © iTnews.com.au . All rights reserved.