October 21, 2007

Toys-R-Us Gift Cards Need Security Improvements

Yesterday, we had the opportunity to closely inspect Babies-R-Us gift cards that were recently purchased directly from the store. Unfortunately, we noticed that the gift cards are very susceptible to an old gift card scam, which we call the “backdoor”. The scam got so pervasive that gift card companies implemented a simple technology to successfully thwart the scam. What is difficult to understand is why Toys-R-Us, the parent company of Babies-R-Us, has not implemented this technology for their gift cards.

How the gift card scam works is fairly simple and ingenious. The scammer goes to a store, grabs some gift cards, writes down the gift card numbers, and returns the gift cards to where he got them from. With the gift card numbers, he can check online or over the phone to see if any of the gift cards have been activated. Once the scammer finds a gift card that has been activated, he proceeds to use the gift card online. In turn, the legitimate owner of the gift card is left with an empty gift card. The scam can easily be implemented on a larger scale by using a magnetic card reader to swipe and record as many gift cards as possible.

To thwart this scam, several gift card companies added a PIN code to the back of gift cards. The PIN code was deliberately not included in the digital information stored on the card’s magnetic strip. Furthermore, the PIN code is hidden under a foil coating and is only accessible by scratching off the foil. In order to check the balance of a gift card via phone or online, the PIN code must be provided. Therefore, if a scammer scratched off the foil to get the PIN code, buyers would know that the gift card is compromised and not purchase it. The hidden PIN code is a simple technology that can easily and effectively protect shoppers from the “backdoor” scam.
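A minimal sketch of the issuer's side of that PIN check, added here as an illustration and not taken from any retailer's system. The class name, the lockout threshold and the single uniform failure response are assumptions of this example; the post itself only states that the PIN is required for balance checks and is absent from the magnetic strip.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold, not from the post


class GiftCardStore:
    """In-memory stand-in for an issuer's card database (constructed for this example)."""

    def __init__(self):
        self._cards = {}

    def issue(self, number, pin):
        # Only a salted hash of the PIN is kept server-side; the PIN itself is
        # printed under the foil and never written to the magnetic strip.
        salt = os.urandom(16)
        self._cards[number] = {
            "salt": salt,
            "pin_hash": self._hash(pin, salt),
            "balance": 0,
            "activated": False,
            "failures": 0,
        }

    def activate(self, number, amount):
        card = self._cards[number]
        card["activated"] = True
        card["balance"] = amount

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def check_balance(self, number, pin):
        """Return the balance, or None for any failure.

        Unknown card, unactivated card, wrong PIN and locked card all give
        the same answer, so the card number alone reveals nothing.
        """
        card = self._cards.get(number)
        if card is None or card["failures"] >= MAX_FAILED_ATTEMPTS:
            return None
        if not hmac.compare_digest(self._hash(pin, card["salt"]), card["pin_hash"]):
            card["failures"] += 1  # a short PIN only helps if guesses are limited
            return None
        card["failures"] = 0
        return card["balance"] if card["activated"] else None
```

Because every failure returns the same value, a lookup with only the card number can no longer be used to learn whether a card has been activated.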

[Image: Babies-R-Us Gift Card]

The above illustration of a sample Babies-R-Us gift card shows that there is no hidden PIN code. In order to check the balance or redeem the gift card online, all you need is the gift card number. To say the least, Toys-R-Us gift cards are not very secure. One method that Toys-R-Us can deploy to minimize the occurrence of the “backdoor” scam is to restrict access to gift cards, such as by locating the gift cards behind the checkout counter. However, this does not prevent employees from pulling off the “backdoor” scam. The best way for Toys-R-Us to prevent the “backdoor” scam is to implement PIN codes for their gift cards. If so many retailers and stores are using this technology for their gift cards, why isn’t Toys-R-Us?

Posted by Alex

