Simon Dean’s recent experience with a $500 gift card purchase has exposed significant security vulnerabilities within the gift card system, particularly concerning the ‘TEEN’ gift card. Like Dean, a defrauded customer finds their card already redeemed by an unknown user. The case is emblematic of the biggest issues in gift card security. More importantly, it is a prompt to reconsider how gift cards are handled today.
Dean bought two $500 gift cards to earn additional points under Woolworths’ loyalty program. When he attempted to redeem the cards, The Card Network website returned an “Expiration code not valid” error message. One of his cards had already been used. Dean contacted customer service directly, where he learned that resolving the issue would be a lengthy ordeal, starting with a statutory declaration and a police report.
Dean says it took about six weeks for him to be refunded for the card that was fraudulently redeemed. Angered, he went public, using social media to spread word of the absurd security gaps that he found, even releasing a video describing the exploits. He said that hacking the ‘TEEN’ gift card code was ridiculously simple. In less than 15 minutes, he hacked the system and extracted the correct PIN.
Reacting to Dean’s disturbing ordeal, Angus Kidman, international editor-at-large at Finder, said it’s time to stop relying on the bare minimum in security. He lamented that the industry still relied on “simplistic” four-digit PINs and called for better security approaches.
“A four-digit PIN is just not very secure. There are better methods,” – Angus Kidman
Kidman stated that the private sector, particularly in the transportation arena, should accept accountability by investing in advanced security technology. The examples he gave were cases where the upfront investment would be greater. Those costs pale in comparison to the fiscal disaster that could follow a cybersecurity attack.
“For most businesses, having something that is more sophisticated is going to make more sense. While it may be more expensive to invest in that tech, if you do suffer from a breach, those expenses are going to be even higher,” – Angus Kidman
Finder surveyed Australian consumers in January 2024 and found that Australians have racked up a shocking $1.4 billion worth of unused gift cards. This issue is especially meaningful for many stakeholders. Finder’s research has found that Americans waste as much as $3 billion annually on unused gift cards. This lapse in consumer protection underscores the urgent need for robust bill security provisions.
Dean’s ordeal opens the door for serious questions about how companies should respond to a possible breach. Kidman pointed out that businesses must act swiftly when evidence of fraud arises to mitigate reputational damage and maintain customer trust.
“Businesses need to be able to respond quickly when there is evidence of a breach because it really matters both in terms of serving their customers well and because you can do yourself enormous reputational damage,” – Angus Kidman
He stressed that companies should prepare for hacks before they happen. They need to establish systems that are hard for bad actors to game.
“Businesses have to assume the worst; they have to assume that somebody is going to try and hack into these systems and therefore, they have to make sure that’s not easy to do,” – Angus Kidman
Following Dean’s ordeal, The Card Network released a statement outlining its security measures. It deploys a variety of tools and technologies to track down signs of bad actor activity. For the most part, it does not disclose what it is doing to secure its platforms. This is designed to prevent criminals from taking advantage of any vulnerabilities.
“We leverage a range of security tools and technologies to monitor suspicious activity,” – The Card Network spokesperson
In response to our inquiry, the spokesperson clarified what qualifies for verification of purchased gift cards. They noted that it is “much more complicated” since these cards lack a known, registered user with a clear, verifiable identity.
“The verification process for gift cards that have been bought is more involved,” – The Card Network
“Gift cards do not have a registered user whose identity we can instantly verify,” – The Card Network
Dean concluded by expressing hope for future improvements in security systems so that others would not have to endure similar challenges when it comes to obtaining refunds or dealing with fraudulent activity.
“Hopefully they fix their systems and hopefully people won’t have to go through what I went through in order to get their money back,” – Simon Dean