Cybersecurity researcher Jamieson O’Reilly said the security flaw Dean had identified was probably caused by poor security measures on a page of The Card Network website – specifically a lack of CAPTCHAs and rate-limiting.
CAPTCHAs are a common online test where users perform an action to prove they are human and not bots. Rate limiting is a security feature that restricts the number of times an online tool can be used within a particular timeframe.
O’Reilly said it would be feasible for a person with basic coding knowledge to access this vulnerability, calling the level of technical skill involved “extremely low”.
“Attackers could scrape or photograph card numbers in retail stores before purchase, monitor for activation, and immediately brute-force the PIN … once live funds were detected,” he said.
“This kind of exploit doesn’t require specialised malware, credential theft, or advanced intrusion techniques. It simply leverages poor web application security hygiene.”
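One way to implement the two controls O’Reilly names, a per-card failed-attempt lockout and per-client rate limiting, on a PIN check endpoint. This is an added example written for this article, not code from The Card Network; the limiter class, the thresholds and the exhaustive-guess test helper are all constructed assumptions.

```python
import hmac
import time
from collections import defaultdict

# Constructed example: an in-memory limiter for a gift-card PIN check endpoint.
# A real deployment would keep this state in a shared store (e.g. Redis) so
# that every web server behind the load balancer sees the same counters.
MAX_FAILURES_PER_CARD = 5      # wrong PINs tolerated per card per window
MAX_CHECKS_PER_CLIENT = 50     # PIN checks (right or wrong) per client per window
WINDOW_SECONDS = 15 * 60

class PinCheckLimiter:
    def __init__(self, clock=time.time):
        self.clock = clock                         # injectable for testing
        self.card_failures = defaultdict(list)     # card number -> failure timestamps
        self.client_checks = defaultdict(list)     # client id   -> check timestamps

    @staticmethod
    def _prune(stamps, now):
        # Drop timestamps that have aged out of the sliding window.
        cutoff = now - WINDOW_SECONDS
        stamps[:] = [t for t in stamps if t > cutoff]

    def check_pin(self, client_id, card_number, submitted_pin, real_pin):
        """Return 'ok', 'wrong_pin' or 'rate_limited'."""
        now = self.clock()
        failures = self.card_failures[card_number]
        checks = self.client_checks[client_id]
        self._prune(failures, now)
        self._prune(checks, now)
        # Decide on lockout BEFORE comparing the PIN: a locked card answers
        # identically to right and wrong guesses, so the lockout leaks nothing.
        if len(failures) >= MAX_FAILURES_PER_CARD or len(checks) >= MAX_CHECKS_PER_CLIENT:
            return "rate_limited"
        checks.append(now)
        if not hmac.compare_digest(submitted_pin, real_pin):
            failures.append(now)
            return "wrong_pin"
        failures.clear()   # a successful check resets the card's failure count
        return "ok"

def exhaustive_guess_survives(limiter, client_id, card_number, real_pin):
    """Test helper: submit every 4-digit PIN in order through the limiter and
    report whether the correct PIN was reached before the lockout engaged."""
    for guess in range(10_000):
        outcome = limiter.check_pin(client_id, card_number, f"{guess:04d}", real_pin)
        if outcome != "wrong_pin":
            return outcome == "ok"
    return False
```

A per-card lockout also lets anyone who knows a card number lock its legitimate holder out for the window, so a real system pairs it with alerting and an out-of-band recovery path rather than relying on it alone.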
Dean said he had contacted The Card Network through three separate channels to flag the security flaw he’d found on August 25. A week later, he’d received only one generic email response saying the issue would be escalated. That’s when he decided to make a YouTube video.
“This was such a blatant sort of lack of oversight on their end. It was ridiculous that I was able to do this. It took me under 15 minutes to program the little script and crack the PIN,” he said.
“There’s no reason that I should have to make this video to get my money back.”
A spokesperson for The Card Network confirmed the company had since contacted Dean in response to his video. They said his lost money had been refunded, and his wider concerns had been rectified.
“We leverage a range of security tools and technologies to monitor suspicious activity across the lifecycle of a gift card from activation to redemption,” the spokesperson said.
The company declined to comment on the exact nature of the security vulnerability or how many individuals might have been affected.
After an arduous customer service process that spanned almost two months, Dean said he was still dissatisfied with the response from the company. The Card Network should acknowledge the wider impact of the vulnerability, he said.
“Obviously, I wanted my $500 back. But at the same time, lots of people across the country … are probably getting ripped off by this. So I just want them to fix their systems and improve their customer service,” he said.
“Take it really seriously,” Dean added. “Especially because these are gifts … if you have a problem, you want to solve it.”