Gift Cards, Money Laundering, And Other Shenanigans

Wednesday, December 05, 2012

Jackie Singh

A few months ago, it was reported that the RCMP was looking for further tools to track down money laundering using pre-paid cards. Initially I thought it was another one of those crimes that are uncommon and that it would be seemingly difficult to prove that it exists, but I have sort of changed my mind somewhat.

Here I will discuss what I’ve learnt about gift cards, what you can do with them, what you cannot, and some oddities that I ran across. A lot of this won’t be new, isn’t going to be unfamiliar to those in the payment card industry, and reverse engineering this is rather trivial once you’ve read a few things.

image
The tiny one is kind of weird.

Introduction

I received a magnetic stripe reader from my girlfriend and decided to swipe a few cards through it to test it out. Upon scanning my Starbucks card, I came across something interesting:

image

There’s no value on this card (it’s just a souvenir from New York City), but it’s actually the same format as a bank card. To break it down, here’s an image that shows how the above data is read:

image

The above format is standard for almost all payment card methods regardless of network or if it is credit or ATM–two tracks is the norm, but a lot of them are single tracked. Unlike an ATM card however, the number that is on the physical card does not match what is on the stripe–as opposed to “6010 5661 6720 1370”, we have “6076 1672 0137 4974”. However, you can see that the second and third sets of numbers (1672 and 1374) start from the last digit of the second set of digits finishing towards the last set.

We’ll ignore that for now as the important digits here to start with are the first four and in this case we have two: 6010 and 6076. Just like credit cards, the first few digits of a card indicate which financial institution we’re dealing with–this is officially referred to as an “issuer identification number” (IIN).

Figuring out who runs the back-end

IINs are publicly known and thus it makes it easy for us to do a bit of research on these gift cards.

Let’s start with the first four digits as represented on the back of the card–6076. A quick search through that page does not give us a result for those digits, but if we look for just the name “Starbucks”, we end up with 6051, 6056, 6060, 6068, and then 6071. Of course, 6076 does not show up in the list, but you can easily infer that the numbers will just keep increasing and it will be possible that we’ll end up with cards in the future starting with 6080 and so forth. However, this is not useful to us because we already know it’s a stupid Starbucks card.

Without a magstripe reader, we’ll only know that it is just a Starbucks card and nothing more. Luckily we do have one here and we can answer this question: what happens if we search just for 6010?

Simple: we get that the answer for this is “ValueLink stored value card”. To be more precise, 601056 is actually the set of digits that identifies it in the list and it is not as common to have cards identified by just four-digits alone–most are six.

It then becomes a question of “what the heck is ValueLink?” Well, it is a prepaid card service delivered by First Data, a transaction services company headquartered in the United States. While the name may not be familiar to you, you might be familiar with the STAR interbank network which is used all over that country.

So now we know a bit more about who runs the payment network and what it might be using to carry data back and forth between the institution and the merchant.

So it’s a bank card?

More or less it can be considered a proper bank card (or “debit card”, “ATM card”, or whatever you want to call it). The format matches up and it is seemingly operated on an interbank network. There’s one catch here: it isn’t easy to pull money out of it once it is put in.

The reason for this is while it may supposedly connect to the STAR network, it does not mean that any ATM will know what to do with the IIN. In addition to the number, the ATM must be able to route to the issuer. The issuer’s number is known but it is very likely that attempting to pull cash out will not function.

Also there’s the elephant in the corner: what the heck is its PIN? When you’re issued a card from the bank, you’re typically asked to associate a four-digit number with it to be used for each transaction. However, in certain circumstances it may not be required and the card can indicate this–for those who are wondering, the EMV system (chip and PIN) does the very same thing.

Going back to the diagram, we see that the service code is set to “000”. The third digit in that value indicates that a PIN is required, but the use of ‘0’ in the first two is interesting: it is uncommon to have the first digit set that way, and in the second it is set to not contact the issuer. This is in stark contrast to my credit union-issued card, which has “120”, meaning that it can do international interchange, the issuer must be contacted, and, just like the Starbucks card, a PIN is required. One thing to note is that newer bank cards in Canada are issued with “220” to ensure that the chip is used if the terminal has the option.
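The three service code digits discussed above can be decoded mechanically. The following is an added example, not code from the original post: it parses a Track 2 record and decodes the service code using the digit tables from ISO/IEC 7813. The names `parse_track2` and `decode_service_code` and the sample record (PAN, expiry and discretionary data) are constructed for illustration.

```python
import re
from collections import namedtuple

# Service code digit meanings per ISO/IEC 7813; values not listed are unassigned.
INTERCHANGE = {
    "1": "international interchange",
    "2": "international interchange, use chip where feasible",
    "5": "national interchange only",
    "6": "national interchange only, use chip where feasible",
    "7": "private: no interchange except under bilateral agreement",
    "9": "test card",
}
AUTHORIZATION = {
    "0": "normal authorization",
    "2": "contact issuer online",
    "4": "contact issuer online except under bilateral agreement",
}
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}
# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")
Track2 = namedtuple("Track2", "pan expiry_yymm service_code discretionary")

def parse_track2(raw: str) -> Track2:
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    return Track2(*m.groups())

def decode_service_code(code: str) -> dict:
    if not re.fullmatch(r"\d{3}", code):
        raise ValueError("service code must be three digits")
    tables = (("interchange", INTERCHANGE), ("authorization", AUTHORIZATION), ("services", SERVICES))
    return {name: table.get(d, "unassigned") for (name, table), d in zip(tables, code)}

# Constructed sample record (not read from any real card).
SAMPLE = ";6010561234567890=49120000000000000?"

if __name__ == "__main__":
    for code in (parse_track2(SAMPLE).service_code, "120", "220"):
        print(code, decode_service_code(code))
```

For a payment processor, the practical takeaway is that these digits are only what the stripe claims about itself, so authorization decisions have to be enforced against the issuer's own account record rather than the swiped value.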

So based on the card’s own service code, we know that we cannot easily just pop the card into an ATM machine and think that it will go through. What if we were to modify the service code? If we were to set the value of the third digit to 2 and set the first two to “12” to form “122”, would it allow for a transaction to occur outside of the merchant sans a PIN?

Another thing is that in speaking with a few friends who have worked in the banking industry, the typical default PIN is actually the last four digits of the card. It is possible that the PIN in this Starbucks card is set to 4974 but it could also be 1370. This is not guaranteed as it could be 0000 or 1234 for all we know as well.

I would like to imagine that modifying the service codes might allow you to extract cash out of the machine, but I have to also consider that it is possible that the payment processor will have safeguarded this. There is also the problem of being able to route with the card’s IIN to begin with.

Are all gift cards created equally?

It appears to be a common trait for cards that use the ValueLink system to be configured in this way. For example, the Canadian coffee and baked goods chain Tim Hortons uses the very same company to provide its gift card service and it too has the same restrictions. One interesting thing of note however is that they do not track which card design is used at the point-of-sale. By default, it seems that all cards from them are reported with the name “TIMCARD”, whereas the Starbucks cards I’ve worked with have included “NYFY12CARD” and “SBUXICONICMINI”.

A number of gift cards also happen to use the Visa and Mastercard networks too and my understanding of those is that they’re restricted to a specific list of merchants if they’re for a shopping centre or just a single merchant itself.

TicketMaster gift cards in Canada use ICICI Bank of Canada (IIN 6277) and have the same service codes as before. Strangely, when I scanned an unused gift card for $26.95 to Playland (an amusement park in Vancouver), it came up as Citibank, but under the Home Depot banner (IIN 6035). Could I spend that money intended to go ride a roller coaster to buy parts for one instead? I guess one could get a Home Depot card, deplete it, and then write over the data with the value from a Playland card? This could be a possible way to spend money that you have for one merchant at another and could make some services like Cardswap unnecessary.

Some gift cards completely do not match a typical bank card. For example, GiveX issues a 19-digit number that matches the barcode, magstripe, and the physical card itself. This particular card does not conform to the use of an IIN at all.

What are the advantages of this system?

Well, one thing that makes the use of bank card schemes quite safe is that it’s quite a bit harder to clone the value of a card on to another. It’s certainly doable to clone the card itself and use it multiple times, but it’s going to drain the account as it is used and even if two or more people are swiping the card, it’s drawing from the same account.

However, there have been examples of criminals taking advantage of race conditions to extract cash in what would be considered a closed and secure system. That sort of activity is much easier to thwart, whereas using a system where numbers are generated, such as the GiveX system, could lead to further problems. While not on GiveX’s network, Apple’s iTunes gift card algorithm was figured out and gift cards with values of up to $200 were going for $3.

Closing

So the closing answer is that you’re not likely going to be able to use a gift card from your favourite coffee chain in an ATM any time soon, but it might be possible to use them at different merchants. The only thing I would say is that you might want to be prepared for dirty looks should you hand over a Starbucks card at a Tim Hortons.

With regards to the RCMP, while a prepaid Visa or Mastercard could be a potential threat, I don’t see an easy, effective solution for using store gift cards for money laundering unless someone has an insider connection somewhere.

This article has been crossposted from http://afreak.ca/blog/?p=176 with the permission of its most excellent author, Colin.
