Home Depot's Lousy Security

by Glutton

Next Christmas, if you give out The Home Depot gift cards, you may be giving the gift of nothing.

Look at one of their cards and you'll see that there is no mag stripe.  It has a barcode on the back, printed right on the plastic.

This sort of barcode is called a "Codabar" and is a common symbology typically used by retailers for internal purposes.  It doesn't have a fixed length nor does it use a check digit, although sometimes users will create their own check digit structure.  When the customer or cashier flashes the card over the store's reader, a database is checked to see if the card has been activated and how much money remains in the account.

Unfortunately, The Home Depot doesn't use some proprietary or unusual bar code for their cards.  It is easily duplicated by evildoers.  All they have to know is how to make a Codabar.

Now imagine an evildoer downloads Bar Code Pro or a similar product from a file sharing network and cranks out a barcode.  How could he use it to pilfer money?  For starters, he could peek at other barcodes in the store.  Inactivated cards are typically hung in racks for people to buy.  How hard would it be to grab one and look at the number?  Scanning the code with a reader confirms that the number beneath the code is faithfully represented (which in itself is a security flaw).  Then the evildoer prints out the code and tapes it to the back of the card.  All he has to do is wait for the code to be activated by another customer.

Another trick might be to figure out what the code represents.  Which segment of the code is the store number?  Well, that's easy enough to figure out since the store number is printed on the receipt.  Analyzing a number of cards could reveal if there's a check digit structure.  Which numbers change?  Which do not?  Once he had it figured out, the evildoer could create random barcodes and see if they are activated.
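The two weaknesses the article leans on are that the printed number carries no check digit and that the only thing standing between a guessed number and a payout is the activation database.  The following is an added example, not code from the article or from The Home Depot, showing what "a check digit structure" layered over a Codabar number buys a retailer and what it does not.  It assumes a Luhn (mod 10) check digit and a simple server-side ledger; both are illustrative design choices, and every card number in it is constructed.

```python
# Added example (not from the article): a check-digit scheme plus a server-side
# activation ledger, as a retailer might layer over a barcode-printed card number.
# Luhn (mod 10) is used here purely to illustrate "a check digit structure"; the
# article says the real cards have none, so this is an assumed design.
# All card numbers below are constructed for the demonstration.

DIGITS = "0123456789"


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn (mod 10) check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit and double every second one.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_well_formed(card_number: str) -> bool:
    """True only if the number is all digits and its last digit is the Luhn check.

    Luhn catches every single-digit alteration, so a number copied with one
    digit wrong, or a random guess, is rejected before any database lookup.
    """
    if len(card_number) < 2 or any(c not in DIGITS for c in card_number):
        return False
    return luhn_check_digit(card_number[:-1]) == card_number[-1]


def count_structurally_valid(start: int, count: int) -> int:
    """How many of `count` consecutive candidate numbers pass the check digit.

    With a mod-10 check only one in ten consecutive guesses is even well-formed,
    which is the whole benefit: guessing costs ten times more lookups.
    """
    width = len(str(start + count - 1))
    return sum(is_well_formed(str(n).zfill(width)) for n in range(start, start + count))


class GiftCardLedger:
    """Server-side record of issued cards: the balance lives here, never on the card."""

    def __init__(self) -> None:
        self._cards: dict[str, dict] = {}  # card number -> {"active", "balance_cents"}

    def issue(self, payload: str) -> str:
        """Mint a card number (payload + check digit); it starts inactive with no value."""
        if not payload or any(c not in DIGITS for c in payload):
            raise ValueError("payload must be decimal digits")
        number = payload + luhn_check_digit(payload)
        self._cards[number] = {"active": False, "balance_cents": 0}
        return number

    def activate(self, number: str, amount_cents: int) -> None:
        """The register calls this at the point of sale; only issued numbers can be loaded."""
        rec = self._cards.get(number)
        if rec is None:
            raise KeyError("unknown card number")
        rec["active"] = True
        rec["balance_cents"] = amount_cents

    def balance(self, number: str) -> int:
        return self._cards[number]["balance_cents"]

    def redeem(self, number: str, amount_cents: int) -> bool:
        """Debit the card; returns False for malformed, unissued, inactive or underfunded cards."""
        if not is_well_formed(number):       # cheap structural check first
            return False
        rec = self._cards.get(number)
        if rec is None or not rec["active"] or rec["balance_cents"] < amount_cents:
            return False
        rec["balance_cents"] -= amount_cents
        return True


if __name__ == "__main__":
    ledger = GiftCardLedger()
    card = ledger.issue("4242424242")
    print("issued:", card, "redeem before activation:", ledger.redeem(card, 500))
    ledger.activate(card, 2500)
    print("redeem after activation:", ledger.redeem(card, 500), "balance:", ledger.balance(card))
    print("well-formed among 1000 consecutive guesses:", count_structurally_valid(100000, 1000))
```

The check digit only raises the cost of the guessing attack described above; it does nothing against copying a genuine number off a card hanging on the rack, because that number already carries a valid check digit.  The ledger shows the other half of the picture: the card itself holds no value, so the defensive question is who is allowed to call activate() and redeem(), and whether a self-check-out lane lets someone try numbers at will.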

So the evildoer goes to the store clutching a forged card.  What next?  Surely any cashier with half a brain cell could tell that there is a new piece of paper taped over the bar code.  Fortunately for our villain, The Home Depot decided to hire fewer cashiers and has set up self-check-out stations in a lot of their stores.  The evildoer scans his forged card, and if there is money in the account he waltzes out with his ill-gained loot.  If he did something wrong and the attendant comes over to help, he palms the fake card and shows him a real card.  The attendant "shows him how to do it" and the thief escapes to plot once again.

The security on the system is awful and relies only on criminals not knowing how to make Codabars.  With self-check-out lanes, a potential thief can experiment all he wants until he figures out how to rob his fellow customers.

So next Christmas, are you going to give someone a card with nothing on it?
