A topic I have been following lately is gift cards and the profound lack of randomness in their numbers.
This whole "love affair" started when I was teaching at RSA a year or so ago and they handed out gift cards to all of the attendees of their training for lunch. They were actual pre-paid AMX cards for a local mall, the exact same cards you would give out to friends and family because you are too lazy to buy them a proper gift.
When we got back to class I asked everyone if they would be willing to partake in an experiment. I had all of them write their numbers down and bring their cards up to the front of class and lay them all out. What we found was a bit odd. The numbers were all very close to each other. What happens is a company (or a person) buys a batch of these then hands them out. There were over 200+ people there for the training and it was pretty clear all of these cards were from the same batch.
Just a few days ago I was in a blue big-box department store, and while waiting in line I noticed the huge variety of different gift cards for iTunes, Chili’s, Amazon and just plain Visa gift cards for the lazy. I decided on a whim to purchase three cards with numbers on the outside of the package as close to each other as possible.
So there I am sitting on the floor of a department store with about 50 cards spread out around me. Oddly enough no one stopped me or asked me what I was doing. Apparently, a strange person in a "There no place like 127.0.0.1" shirt, sitting on the floor while sifting through gift cards is not all that strange a sight. Because God knows, there is no better way to be "edgy" then wearing shits that will only be understood by .1% of the population.
When it came time for my purchase there were a few surprises. First, I had to put at least $20 on the card. That was cool. Second, I had to purchase them with cash. This was very interesting. I cannot help but wonder if the organization in question here knew the security of this whole system sucked and wanted their money upfront. It also may be a way to stop people from converting stolen credit cards to gift cards easily.
As soon as I got home I opened them and with very little-to-no-shock, the numbers were damn close to each other. One (small) saving grace was the three number, CVC or CCV numbers, were all different. I did some plugging around and I found that these numbers are not mandatory for online merchants. Further, I went searching around online and I found a number of vendors who do not require this number.
Finally, the cards are a bit cheap looking. It would be no great feat for a bad guy to clone and create additional cards with numbers that will be used. He would just have to wait for the Christmas rush and go shopping.
I talked about this in the SANS 560 vLive class I was teaching and Leonard Isham (one of my students) sent me a fascinating pair of articles:
Turns out there has been a problem with this for some time.
Let’s step back from this for just a second and look at the larger issue. Randomness is key to security. Below are just a few examples where numbers that are non-random have bit us in the ass.
The point we should take from all of this is that anytime there is nonrandom numbers it is a possible point of attack. There are examples to the contrary, though. For example, WPA uses sequential IV's to reduce the chance of collision due to the birthday paradox. However, situations where someone thought it through are rare. Most of the time it is simply due to the fact that someone is being lazy. Turns out, chaos is your friend when it comes to securing your protocols and numbering schemes!
The more I think about this, the more it makes me mad. Why do vendors do this? I guess it is because they never thought it was a problem. People keep buying cards and if the money disappears, who cares? The unlucky consumer has little or no recourse. Can you imagine a scenario where someone goes and complains that the money that was supposed to be on their card is gone?
"Right sir! I will put the money back on your card. How much was it you say? $100? Righty-right!"
Maybe this year I will pass on the gift card rush. Maybe, this year I will give thoughtful gifts that reflect how important each person on my gift list is to me. Maybe this year I will not buy gift cards.
John Strand will be teaching SANS Hacker Techniques and Incident Response in San Francisco November 5-11.