Anybody who’s spent time keeping up with blogs and forums in the points & miles world eventually reads about somebody who bought a gift card legitimately and still had the money stolen off it. Blogger Mike over at igobyplane.com has the most extensive account I’ve seen yet of being ripped off, and what’s more, he’s found evidence that links the thief to someone in the IT department at InComm.
It’s a lengthy piece and I encourage you to read it, as there is a lot more detail than I’m going to share here, but Mike’s first point is that PayPal My Cash cards have a security flaw in how the load PINs are stored:
I speculated that a possible problem was the sensitive PIN numbers – the only thing required to load money – may be easy to get by clever employees. As it turns out however, even stupid employees can get to them. They are stored in a database in plaintext – meaning they are there to just read off. They are not encrypted or encoded. They are not even shielded from mass user access – anyone who can poke around in the database can see them.
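The flaw in that quote, as an added example: a table holding the PIN in the clear next to one holding only a keyed hash of it, with the load path and the view an insider with read access gets of each. This is example code written for this page, not InComm’s system or Mike’s code; the schema, the sample PINs, the balances and the key are all constructed assumptions.

```python
"""PINs at rest: the plaintext table the quote describes next to a keyed-hash table.

Added example for this page, not code from InComm or from the linked post. The
schema, sample PINs, balances and key are constructed; the real database layout
is not known.
"""
import hashlib
import hmac
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample cards: (10-digit load PIN, balance in cents). For this
# product the PIN alone loads the money, so the PIN is the only secret in a row.
SAMPLE_CARDS: List[Tuple[str, int]] = [
    ("1234567890", 500_00),
    ("0987654321", 250_00),
]


def plaintext_store() -> sqlite3.Connection:
    """The flawed design: the PIN is written to the table as-is, so anyone who
    can run SELECT against it can redeem every unused card."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (pin TEXT PRIMARY KEY, balance INTEGER, used INTEGER)")
    db.executemany("INSERT INTO cards VALUES (?, ?, 0)", SAMPLE_CARDS)
    return db


def pin_tag(key: bytes, pin: str) -> str:
    """HMAC-SHA256 of the PIN under a server-side key. The key is assumed to live
    outside the database (an HSM or KMS in a real deployment), so a database read
    alone yields tags, not PINs. A keyed hash rather than a per-row salted hash is
    used because the load path has to find the card from the PIN alone, which
    needs a deterministic, indexable tag."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()


def hashed_store(key: bytes) -> sqlite3.Connection:
    """The hardened design: only the tag of each PIN is written to the table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (pin_tag TEXT PRIMARY KEY, balance INTEGER, used INTEGER)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?, 0)",
        [(pin_tag(key, pin), balance) for pin, balance in SAMPLE_CARDS],
    )
    return db


def load_card(db: sqlite3.Connection, key: bytes, pin: str) -> Optional[int]:
    """The load path: hash the presented PIN and flip the row to used in one
    atomic UPDATE, so two concurrent loads of the same card cannot both succeed.
    Returns the balance loaded, or None for a wrong, unknown or spent PIN."""
    tag = pin_tag(key, pin)
    with db:  # commits on success, rolls back on error
        cur = db.execute("UPDATE cards SET used = 1 WHERE pin_tag = ? AND used = 0", (tag,))
        if cur.rowcount != 1:
            return None
        return db.execute("SELECT balance FROM cards WHERE pin_tag = ?", (tag,)).fetchone()[0]


def dump_rows(db: sqlite3.Connection) -> list:
    """What an insider with read-only access to the table sees."""
    return db.execute("SELECT * FROM cards").fetchall()


def leaks_pins(db: sqlite3.Connection) -> bool:
    """True if any sample PIN appears verbatim in the dumped rows."""
    text = " ".join(str(row) for row in dump_rows(db))
    return any(pin in text for pin, _ in SAMPLE_CARDS)


if __name__ == "__main__":
    key = b"constructed demo key; a real one belongs in an HSM or KMS, not in this table"
    print("plaintext table leaks PINs:", leaks_pins(plaintext_store()))  # True
    hashed = hashed_store(key)
    print("hashed table leaks PINs:", leaks_pins(hashed))                 # False
    print("load 1234567890:", load_card(hashed, key, "1234567890"))       # 50000
    print("load it again:", load_card(hashed, key, "1234567890"))         # None
```

The load path still works from the PIN alone because the tag is deterministic; what changes is that a SELECT against the table now returns tags, and the key that turns a PIN into a tag is not in the database. That key is the whole defense, so it has to stay out of the database and out of the hands of the people who administer it: anyone holding it can compute the tags for all 10^10 possible PINs and match them against the table, which makes a leaked key as bad as the plaintext column. It also does nothing for the other half of Mike’s complaint, since a report of which cards have and have not been used is still available to anyone who can read the table.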
Mike was also able to track down an email address associated with the theft, and its owner is connected on LinkedIn to someone in InComm’s IT department. That is circumstantial evidence, of course, but it still makes you wonder.
Apparently a number of people have had funds go missing and been told they’re out of luck: they have to eat the $500, or whatever amount was loaded on the card. Mike found a lawyer and got in on a class action lawsuit, which InComm eventually settled for an undisclosed amount. Even if InComm employees aren’t actually stealing, it would be nice to see InComm make more of an effort to compensate innocent customers defrauded by its product.
Mike’s conclusions:
- If you buy and use these cards, you should use them as soon as possible. (This is already the usage pattern for most.)
- If you have one of these that has been sitting around for a couple of weeks, it’s worth calling up customer service first to verify with the 16-digit number that the money is still there. If you don’t do this step, I would recommend at least taking a video of yourself scratching off the PIN and trying to load the card, just in case.
- If your card has been sitting around a couple months – or longer – the likelihood of your money being gone grows exponentially!
Again, I encourage you to read the full article and see what you think.
losingtrader says
Since the first day I bought a Vanilla Reload several years back and realized you could try an endless number of 10 digit combinations on their site until you hit on one that worked, I’ve wondered how much money they would have to pay out.
Now I am stuck with 3 $250 AA gift cards on which the entire gift card number decomposed over a 2-year period sitting in my safe, and AA says, “tough shit, we are not responsible for damaged cards.”
pfdigest says
Maybe find one of those grad students who use x-rays and such to read thousand-year-old manuscripts? There’s got to be a way.
mike says
first off, i want to say thanks for linking to my piece, pfdigest. still trying to get it more publicity and to get some real action taken.
re: 10 digits; the universe of that is actually pretty big. a smart site would also stop you after x number of bad tries (knowing incomm, let’s be skeptical of this one though.) not only would you need to hit a number, but a number with money on it too. i thought it possible the algorithm was reverse engineered by an outside party for the PPMC or someone used the code internally. still tough to hit a valid number they actually made a card with and that had money i think though. although super easy if you can just go in the database and run a report to tell you these things, because the numbers are all plain to read and the info is all there anyway. this is actually worse than just posting PINs in the break room, since the computer can even tell them what cards have been used or not.
re: vanilla – i was told that all IT employees used to be able to read vanilla data, but now only those in the ITC FL side, that investigate fraud, can read them. i’m not sure how this was done technically, maybe just limiting privileges. i’m not familiar with the vanilla cards, so things may be plaintext there that should also be encrypted. redditors told me ebay gift cards appear similar to paypal ones, and i would not be surprised if incomm had plaintext values all over that should not be across many different products.
i don’t like the single number thing period – even a $10 starbucks card has you put in both the 16 digits plus the scratched PIN. note in my case, a 2 step would still be easily compromised, as employees have access to both numbers.
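The guessing question raised in the comments above, as an added example that is not code from InComm or from any commenter: the odds against a single-number load scheme, and a two-number endpoint with the per-card lockout after a set number of bad tries that mike says a smart site would have. The card number, PIN, balance and the five-failure limit are constructed assumptions.

```python
"""Guessing PINs through the load endpoint, as discussed in the thread above.

Added example for this page, not code from InComm or from any commenter. The card
records, the five-failure limit and the attacker loop are constructed.
"""
import hashlib
import hmac
from collections import Counter, defaultdict
from fractions import Fraction
from typing import Dict, Tuple

PIN_DIGITS = 10
PIN_SPACE = 10 ** PIN_DIGITS  # the "universe" of a 10-digit PIN


def single_number_odds(loaded_cards: int, guesses: int) -> Fraction:
    """Union-bound chance that `guesses` uniformly random PINs hit at least one
    loaded card when the PIN is the only thing the endpoint checks. The space is
    big, but every outstanding loaded card in it counts as a hit, so the odds
    grow with how many cards are out there, not only with the number of guesses."""
    return min(Fraction(1), Fraction(guesses * loaded_cards, PIN_SPACE))


def pin_tag(key: bytes, number: str, pin: str) -> str:
    # Keyed hash bound to the card number; the key is assumed to sit outside the DB.
    return hmac.new(key, f"{number}:{pin}".encode(), hashlib.sha256).hexdigest()


class TwoNumberLoadService:
    """Load endpoint that needs both the printed 16-digit number and the
    scratch-off PIN, and locks a card after MAX_FAILURES wrong PINs."""

    MAX_FAILURES = 5

    def __init__(self, key: bytes, cards: Dict[str, Tuple[str, int]]):
        self.key = key
        # number -> [pin_tag, balance, used]
        self.cards = {n: [pin_tag(key, n, p), bal, False] for n, (p, bal) in cards.items()}
        self.failures: Dict[str, int] = defaultdict(int)

    def load(self, number: str, pin: str) -> str:
        """Returns 'loaded', 'used', 'rejected' or 'locked'."""
        if self.failures[number] >= self.MAX_FAILURES:
            return "locked"
        rec = self.cards.get(number)
        # Unknown numbers are compared against a dummy tag so response timing
        # does not tell the caller which numbers exist.
        expected = rec[0] if rec else pin_tag(self.key, number, "")
        if not hmac.compare_digest(expected, pin_tag(self.key, number, pin)) or rec is None:
            self.failures[number] += 1
            return "rejected"
        if rec[2]:
            return "used"
        rec[2] = True
        self.failures[number] = 0
        return "loaded"


def guess_online(service: TwoNumberLoadService, number: str, attempts: int) -> Counter:
    """Constructed attacker who knows a card number and walks PINs in order."""
    outcomes: Counter = Counter()
    for i in range(attempts):
        outcomes[service.load(number, str(i).zfill(PIN_DIGITS))] += 1
    return outcomes


if __name__ == "__main__":
    key = b"constructed demo key"
    card = "4111111111111111"  # constructed number and PIN
    svc = TwoNumberLoadService(key, {card: ("7395028461", 500_00)})
    print("single-number scheme, 1M loaded cards, 1000 free guesses:",
          single_number_odds(1_000_000, 1_000))   # 1/10
    print("two-number scheme, 100 guesses at one card:",
          dict(guess_online(svc, card, 100)))      # {'rejected': 5, 'locked': 95}
    print("owner with the right PIN afterwards:",
          svc.load(card, "7395028461"))            # locked
```

Two things the run shows. The odds line is the point about needing “a number with money on it too”: the space is 10^10, but every outstanding loaded card in it is a target, so a million loaded cards and a thousand unthrottled guesses is a one-in-ten chance of a hit, which is why throttling matters. The lockout, though, is keyed on the card number, so once the guesser has been stopped the owner’s correct PIN is refused as well; a real service pairs it with a per-client limit and a customer-service unlock. And none of it touches the insider case in the thread: the lockout counts attempts that arrive through the endpoint, and an employee reading both numbers straight out of the table makes none.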