Capmark Financial Group’s newly combined companies generated more than $1 billion in 2014 e-commerce sales.
By snapping a picture of the bar code on a gift card in-store and performing some technical coding, a would-be criminal can display the bar code on his smartphone to be scanned and redeemed by a cashier—if that gift card was purchased in the interim.
Sometimes in the rush to get a brand new system in place, retailers can lose sight of the details. Target Corp. has learned a lesson about haste potentially making waste with its new program that enables consumers to redeem gift cards via mobile devices.
Target acknowledges that a security hole has been found in the process by which a gift card can be redeemed through its mobile app. The app shows the bar code for a gift card that a cashier can scan from a customer’s mobile device. A consumer seeking to commit fraud, however, can snap a picture of a gift card in a Target store before it is sold, then decode it and re-encode it using one of a number of free web sites, a process required to enable the Target scanning system to recognize the data.
The individual then attempts to redeem it at a later date, hoping that in the interim someone has funded and gifted the card, and that the recipient has yet to redeem it. While that is not a scenario that lends itself to massive fraud, like hacking into a computer system and stealing countless credit card numbers, it still could be done.
The security problem is that redemption of the gift card through the mobile app does not require any layer of authentication to complete a transaction, such as a personal identification number. The bar code contains all the information necessary for redemption.
Cashiers can do something to trick up a fraudster, though. The image of the bar code is stationary within the mobile app; thus, if the orientation of the smartphone is changed, the image will not move. But a fraudulent image is displayed through a smartphone’s photos section, which realigns images horizontally and vertically when the smartphone is moved. Target does not allow its cashiers to handle customers’ smartphones for fear of liability in the event of an accident, but a cashier could feasibly ask a customer to shift the orientation of his phone.
“Protecting our guests from fraud is an important priority for Target and we are aware of this particular risk of fraud related to our mobile gift cards,” says a spokesman at Target, No. 21 in the Internet Retailer Top 500 Guide. “We are always monitoring fraudulent activities in our stores; at this point, we have not seen any significant increase in fraudulent activity related to our gift cards. We continually consider adding appropriate security enhancements to all our products and services, including our mobile offerings.”
The major lesson to be learned, security experts say, is that retailers must vet new applications more thoroughly, even though mobile commerce is a rapidly developing field and merchants may be tempted to get mobile programs to market fast.
“Retailers don’t quite grasp yet when a customer walks into a store they have a lot more technology in their pockets. The fact that a retailer might scramble to get a mobile gift card app in place without thinking about how a bad guy might get his hands on it is not shocking at all,” says Steve Rowen, a managing partner at Retail Systems Research LLC who specializes in security issues.
But because of everything that must be done to make this fraudulent activity work, this particular problem is not likely to be a big one, Rowen adds.
“I don’t think it will be a serious problem—it’s exposed and the lesson is there,” he says. “Credit card fraud, where all of a sudden vast numbers of people are getting breached, is serious and can have great scope. The Target issue is not yet a problem and the red flag is up now, and it’s up to retailers to figure out how to keep this type of thing from becoming a serious problem.”