Woolworths gift card thread

They are being replaced. Not tampered, packs were all correctly intact. Just misprinted cards that shouldn't have made it through QC.
Scratched off digits, no CVV and the magnetic stripe doesn’t work? That’s 100% a tampered card. Believe it or not but it’s possible to open up the packaging and reseal it without leaving any visible signs.

I’ve studied this scam quite a lot and have bought tampered cards myself. You can go through the gift card company but in my experience they’re very slow and tedious to deal with. Emailing the Woolworths Gift Cards customer care team photos of your gift card and receipt is the fastest way to get a refund.
 
At some point I think these companies are just going to have to accept that tampering is unstoppable and switch to a system where gift card redemption codes are printed on your receipt. Not only would it be cheaper and more environmentally friendly but there would be nothing for anyone to tamper with.

It's either that or they start keeping these gift cards under lock and key.
 
At some point I think these companies are just going to have to accept that tampering is unstoppable and switch to a system where gift card redemption codes are printed on your receipt. Not only would it be cheaper and more environmentally friendly but there would be nothing for anyone to tamper with.

It's either that or they start keeping these gift cards under lock and key.

Classy gift.

Here's your gift - a few numbers printed on a piece of receipt paper.
 
At some point I think these companies are just going to have to accept that tampering is unstoppable
Unfortunately in this case it's much worse, since there's no tampering involved and they've just basically left it open for people to brute force the PINs, which is entirely avoidable. I was hoping to see a video on how this clever tampering is achieved but instead I watched a video on how some financial institutions are just incompetent.

Imagine if a bank did something like this... but gift card companies seem to exist on the fringe and get away with things like this.
 
People actually give these things as presents?

Yes, our kids get them quite often as it's hard to buy for kids aged 5-15 and it's a bit "nicer" than cash
Unfortunately in this case it's much worse, since there's no tampering involved and they've just basically left it open for people to brute force the PINs, which is entirely avoidable. I was hoping to see a video on how this clever tampering is achieved but instead I watched a video on how some financial institutions are just incompetent.

Imagine if a bank did something like this... but gift card companies seem to exist on the fringe and get away with things like this.

Yep TCN is a financial institution yet not a member of AFCA - They don't care how they operate and how they treat customers as they know they can get away with it

Any other company operating like this would be hit with thousands of $$ of fees from AFCA and probably an investigation into systemic issues.
 
Unfortunately in this case it's much worse, since there's no tampering involved
They’ve clearly scratched off some of the card numbers which is textbook tampering. TCN’s poor security practices have made it easier for the scammers but they still accessed the physical cards prior to someone purchasing them which is the real issue.
 
They’ve clearly scratched off some of the card numbers which is textbook tampering. TCN’s poor security practices have made it easier for the scammers but they still accessed the physical cards prior to someone purchasing them which is the real issue.
I don't think it is the real issue in this case, to be honest - you are right that they seemingly had, but they didn't need to - they could just have performed a BIN attack and got to the same outcome. I'm really not sure why they chose to tamper with them, it neither guaranteed them that the card number was live nor did it give them access to the sensitive part which is the PIN. It would have reduced the search area for them but that's only if the cards had been purchased in the time between when they accessed the physical card and when they tried brute forcing it.

Personally I'd just have performed sequential BIN / PIN attacks myself if I were the attacker - TCN have implemented apparently zero safeguards against that and there's no need to enter the store at all and expose yourself to the associated identity leak.

Or perhaps Simon found a completely different vector to the one they had been using. I don't know. But on a fast enough machine with apparently no technical limitation you could be brute forcing several of those cards with 10,000 potential PIN combinations per second. You'd only need to purchase a few cards to work out the BIN "ranges" and scan them recursively.
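
The safeguard the posts above describe as missing, sketched as an added example (not part of any post in this thread and not TCN's code): a server-side guard that locks a card after a few wrong PINs and throttles a client that cycles through many card numbers. The class name, thresholds, client identifier and card data are all assumptions made for illustration.

```python
import hmac
from collections import defaultdict, deque

MAX_PIN_FAILS = 5         # assumed policy: lock a card after 5 wrong PINs
MAX_CARDS_PER_CLIENT = 3  # assumed policy: distinct card numbers per client per window
WINDOW_SECONDS = 600      # assumed sliding window for the per-client check


class PinCheckGuard:
    """Hypothetical guard in front of a balance-check or redemption endpoint."""

    def __init__(self, card_pins):
        self.card_pins = card_pins      # card number -> PIN (constructed data)
        self.fails = defaultdict(int)   # card number -> consecutive wrong PINs
        self.seen = defaultdict(deque)  # client id -> (timestamp, card number)

    def _enumerating(self, client, card, now):
        # Record the request, drop entries older than the window, then count
        # how many different card numbers this client has touched.
        history = self.seen[client]
        history.append((now, card))
        while history and now - history[0][0] > WINDOW_SECONDS:
            history.popleft()
        return len({c for _, c in history}) > MAX_CARDS_PER_CLIENT

    def check(self, client, card, pin, now):
        if self._enumerating(client, card, now):
            return "throttled"
        if self.fails[card] >= MAX_PIN_FAILS:
            # Stays locked until unlocked out of band (e.g. by customer care).
            return "locked"
        expected = self.card_pins.get(card)
        # Unknown card numbers get the same answer as a wrong PIN, so the
        # response does not reveal which numbers are live.
        if expected is None or not hmac.compare_digest(expected, pin):
            self.fails[card] += 1
            return "denied"
        self.fails[card] = 0
        return "ok"


def replay(guard, requests):
    """Run (client, card, pin, timestamp) tuples through the guard in order."""
    return [guard.check(*request) for request in requests]
```

With a four-digit PIN and a five-attempt lock, guessing succeeds on at most 5 of 10,000 PINs per card, and the per-client limit stops one source from spreading those guesses across a range of card numbers.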
 
I just went on the TCN website to try exchanging some of the active gift cards I bought during the last promotion, but a pop-up appeared saying that online exchanges to retailers are currently unavailable. It looks like they’ve suspended the feature, possibly after receiving a lot of backlash following the recent video.
 
I don't think it is the real issue in this case, to be honest - you are right that they seemingly had, but they didn't need to - they could just have performed a BIN attack and got to the same outcome.
In this case you're absolutely right but by real issue I am referring to what's harder to solve. TCN will (hopefully) fix this vulnerability quickly but it's impossible for them to stop scammers from accessing physical gift cards as long as they continue being sold openly with sensitive information. The likely consequence of this story is that scammers will just start modifying or removing PINs which we've already seen them do with other gift cards. Tamper-resistant packaging doesn't seem to stop them either.

Putting the redemption codes on receipts isn't as inelegant as it sounds. True Rewards sell Visa and multi-retailer Him, Her etc gift cards at Ritchies IGA and various service station brands around the country that use this system and it works well. The physical "gift cards" on the shelf look like normal gift cards but they're completely generic with the back of each one featuring redemption instructions and an area for you or the person serving you to write down the code. It's not as convenient as buying a magnetic stripe card that you can immediately start swiping but it's not that different and the benefits far outweigh the costs.
 