Warning - TCN Gift Cards Allegedly Allow for Brute Forcing PIN Numbers

https://www.youtube.com/watch?v=oBarXDL23hs

As per above video:
The Card Network/TCN allegedly appears to not rate limit balance checks, so anyone who copies the card number (visible without opening) could allegedly spam PIN checks against all the numbers they allegedly stole and check when the card is activated

[allegedly]

Related Stores

The Card Network

Comments

  • +1

    Blackhawk is not any better lol

  • +8

    The perfect recipe for ADAGCHS

  • +10

    Great video and warning. Can't believe the poor customer service and the process he had to go through to prove he didn't use the card.
    I wonder if there is any follow up on who spent his $500 e.g. are TCN able to contact the retailer where $500 spent for shipping address if spent online or if in person then receipt and security footage of the transaction at counter.

    • +3

      There’s prob some element of privacy law involved here unless police investigate on behalf

      • +2

        It will be good if police can get involved, yeah. And if they find the person(s) they could try to improve their customer service by having the police obtain details on all the other purchases made by the perp, track back to the original TCN cards and proactively load the balance back onto those affected TCN cards.

    • +2

      So did TCN really hire a second year uni intern to do this sloppy job?

      In fairness, these companies should be audited as they're dealing with a significant amount of $$, so it's pretty appalling to have these loopholes.

  • +2

    0000
    0001
    0002
    0003

    • +4

      6969

      Double nice

      • +5

        How did you know my PIN?

    • Everyone knows the middle out algorithm is the most efficient :)

  • +11

    https://choice.gift/pages/check-balance

    is the checking site without the captcha, imagine allowing 10000+ requests on your site without flagging it

    • +9

      I tried sending around 3000 requests at a rate of 5 per second to this API endpoint and no rate limits were hit. I used an old Good Food gift card and was able to brute force the pin in 10 minutes (took another 10 minutes for chatgpt to generate the brute forcing code).

      • +1

        yup once you have the pin, you can set it to check the card once an hour for the balance to show.

      • -3

        Chatgpt wouldn't make any code to brute force pins "I can’t provide you with code that attempts to brute force or automatically guess PINs on a website — that would be considered unauthorized access and could be illegal."

        • +12

          You're asking the wrong question to ChatGPT.
          Ask it to try 4 digit numbers and stop when it finds the correct one.

    • +5

      It's now fixed.

      UPDATE: Proof of vulnerability - https://web.archive.org/web/20250615212745/https://choice.gi… internet archive has it up.

      • The site is gone, the API isn't

        • API is gone now, returning 404

          • +2

            @AwesomeAndrew: must've changed between my comment and now, or was caching as I was using the same card number

      • +1

        Don't let your guard down even if this is fixed as scammers are much more likely to remove and replace the PIN stickers instead of resorting to brute forcing the PIN. You need to inspect the cards carefully before purchase and ideally familiarise yourself with what an untampered card looks like.
        They really need to implement the activation-code-on-receipt mechanism here in Oz as well. Otherwise there is no magic solution to this card tampering plague.

  • +2

    Is that the Qantas wine guy?

    https://flightformula.com/tools/qfwine

    • Yes that's the guy

  • +8

    Yikes…

    No doubt the card number is deliberately scratched off as well to slow down/prevent the legitimate buyer from using it until the scammer can brute force/use the card.

    • +2

      Seems like it, they must also have a script running on a regular basis to attempt to convert the card to another card?

    • +1

      tbh that's a bit noob. A sophisticated attacker could just check known card/pin combos for balance at frequent intervals and spend them immediately.

  • +11

    The Captcha they have now to stop brute forcing is impossible to get through.

    • +2

      Easy, just select all Camrys

  • -2

    These cards are literally, buy in store, use them in front of the store person. If it doesn't work, manager, and immediate refund.

    Do not buy them for gifts.

    • +1

      I went back to the store immediately, just 1 minute away, but was told the transaction had been approved and they can't refund.

  • Simon? Is that Simon?

  • +4

    This happened to me on 28th Aug but I didn't convert the physical gift card to an online JB Hi-Fi gift card; instead I went immediately to the JB Hi-Fi store to buy a Mario game. JB Hi-Fi staff swiped the gift card but it gave a card error and could not be accepted. Went back to the Coles store where I bought it to complain, was told they can't refund because the transaction has been approved. Registered the card and received confirmation of the amount. Followed up by calling TCN, and Customer Service (CS) checked and confirmed the card amount and mentioned it could be a damaged card, and asked for a photocopy of the card, front and back, and the purchase receipt to be emailed to them. Sent the requested info immediately. Next day, followed up with CS, and was told the card has ZERO (0) balance. What? How and what happened? I haven't used the card. I had to do a Statutory Declaration and am now waiting for the outcome. God knows when they will give me the outcome. Where else can I complain? Anyone has any idea where to complain to, please let me know. My heart goes out to our vulnerable citizens; if this happened to them, they might not know how to reach out. Together we have to stop this from happening and TCN has to be held liable.

    • Doing a chargeback with your bank is definitely the easiest way out, if you have paid by card.
      Otherwise you can go back to the place of purchase and vehemently quote that they have an obligation under the ACL to refund you in case of a major defect (yours certainly is) and hopefully the manager can't stand you anymore and simply give you a refund.
      Failing that you can contact the customer service hotline of Coles/Woolies and ask them to get the manager to refund.
      As for going to TCN directly, it would be a huge waste of your time. You do have a common law claim against them in your state's CAT but it is going to be a lengthy process. TCN isn't an AFCA member so there is no free third party dispute resolution service available.

      • Thanks for your info. I did call the Coles hotline provided by the Coles store and they said they can't refund, but I didn't mention their 'obligation under the ACL to refund' because I didn't know until you mentioned it. Thank you for sharing. I was about to do a chargeback after reading the comments on the video but TCN just replied that Coles will be refunding my money. Phew! I am surprised how they allowed TCN to operate without being an AFCA member or a member of some sort of governing body. Thank you once again for your sharing.

        • I don't think gift card companies are required by law to become an AFCA member. It is more for financial licensees. Lots of retail companies sell gift cards without holding an Australian financial services licence.

          Therefore unless you really know what you are doing and are very cautious, card inception is not a good idea. You lose the chargeback protection for a mere 2~5% saving.

          • @truetypezk: I have learned my lesson well now. Very true, after what I have gone through with so much time wasted, not worth the effort at all. I would've thought Australian law is mature and anyone handling or issuing a card with monetary value should hold a licence. Where I am from, our central bank would have clamped down on the company. Interesting to know. Thanks for sharing the information. Appreciate it.

            • -1

              @AppleLime: The lesson here is always pay by credit card. Do a charge back and let someone else fight it out for you.

              • @Repstar: Definitely if you just use the cards for regular personal purchases. I've bought tens of millions (probably nearly 100mil give or take) of gift cards and still got bitten a few times. You have to be extremely careful when doing inception with un-chargebackable payment methods.
                The bright side is when you buy a shitload of them you can afford to factor it into expected loss and not bother too much about it.

  • +1

    Made it to the news. Dude got his money back.

    https://www.sbs.com.au/news/article/australian-youtuber-hack…

  • +2

    Shameful and embarrassing. They should pay him for finding and exposing this.

  • +3

    Good work by old mate on YT

  • +1