A major gift card operator was forced to investigate a security issue after a content creator successfully hacked into one of its cards without entering a PIN.
YouTuber Simon Dean said creating a code to hack into the 'TEEN' gift card was "astonishingly simple" and could lead to people being scammed if they unknowingly buy already used cards.
Dean told SBS News he uncovered the security issue after being a victim of fraud himself, when he tried to use a gift card and was told it had already been redeemed by a woman he didn't know.
"I was really confused because the PIN code on the back of the card was still intact. It was covered with a scratch-off thing," he said.
A consumer survey from financial comparison site Finder in January 2024 estimated Australians have $1.4 billion in unused gift cards sitting in their wallets or inboxes.
Hundreds of dollars lost in a matter of hours
Dean posted a video to social media earlier this week, explaining how he discovered a security issue with the gift card.
He said he bought two cards, each valued at $500, so he could earn extra points from a reward scheme at Woolworths.
But he was only able to redeem one of the cards on the website and received an error message from The Card Network site, prompting him to call customer service.
"That second card had been redeemed, like within an hour or two of me purchasing the card. The person on the other end of the phone told me that it was redeemed by some woman," he said.
"It was some mobile number that wasn't mine."
Cracking the PIN
Dean was out of pocket $500, and while he sought a refund from The Card Network, he was curious to find out whether he could work out what had happened himself.
After scanning the website, he claims to have identified a security issue that could be exploited.
To test his theory, he bought another 'TEEN' gift card, this time valued at $20. He wanted to see whether he could hack the website and uncover the concealed PIN based on the details visible on the card.
Dean said the process took under 15 minutes and resulted in the correct PIN.
"This was so basic and so simple, it was quite astonishing, really. I'm not a sophisticated hacker," he said.
SBS News has chosen not to explain how Dean managed to hack the website for security reasons.
A six-week resolution process
The Card Network said it would not comment on an individual case and in a statement to SBS News, said: "We leverage a range of security tools and technologies to monitor suspicious activity".
"We do not publicise the specifics of how we deploy security measures to prevent criminals from understanding and abusing these protections, which would create additional risk for our customers and partners," a spokesperson for The Card Network said.
The Card Network confirmed it had been in contact with Dean and resolved "both his case and the concerns he raised after fully investigating the issue".
Dean said it took around six weeks to receive a refund and that he was asked by The Card Network to complete a statutory declaration and provide a police report.
Dean was fully reimbursed for the $500 spent on the irredeemable card.
"Hopefully they fix their systems and hopefully people won't have to go through what I went through in order to get their money back," he said.
The Card Network said the verification process for gift cards that have been bought is "more involved" and that "gift cards do not have a registered user whose identity we can instantly verify".
Gift card companies should 'assume the worst'
Angus Kidman, international editor-at-large at Finder, told SBS News companies should move away from "simplistic" four-digit security PINs.
"A four-digit PIN is just not very secure. There are better methods," he said.
"For most businesses, having something that is more sophisticated is going to make more sense. While it may be more expensive to invest in that tech, if you do suffer from a breach, those expenses are going to be even higher."
Finder research shows hundreds of millions of dollars are spent each year on gift cards, and the companies behind them have a responsibility to protect customers from fraud, Kidman said.
"Businesses need to be able to respond quickly when there is evidence of a breach because it really matters both in terms of serving their customers well and because you can do yourself enormous reputational damage.
"Businesses have to assume the worst; they have to assume that somebody is going to try and hack into these systems and therefore, they have to make sure that's not easy to do."