Gift Certificate Security Concerns

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
page8worker
Ensign (ENS)
Posts: 7
Joined: Wed Dec 10, 2008 11:08 am

Gift Certificate Security Concerns

Post by page8worker » Mon Dec 15, 2008 10:48 am

I have a bit of a security concern on the gift certificate system in AbleCommerce, which I'm hoping someone can address for me here. I know that a gift certificate has a randomly generated 17 digit number, and that it must be activated before it can be used. I also know that a customer must login to see the serial number; however, it appears that once activated a serial number can be used by any customer, regardless if they actually purchase the gift certificate or not. That's to be expected, right? After all this is a gift certificate. More than likely I'm purchasing it to give to someone else, so I don't want it tied to me. However, since anyone can actually use the serial number once it has been activated it is also open to abuse by non intended recipients. For example what is stopping a hacker from using a brute force attack against the system to scan for valid gift certificate/serial numbers? After all, we are talking about potentially 1000s of active serial numbers sitting on a site with just decent traffic, and all the hacker would need to know is if the number is active or not. It seems that there should be a second layer of security, which is pretty standard (i.e. username/password, credit card/security code, debit card/PIN, etc...), such as a user assigned PIN.

Thoughts?

Thanks,
Last edited by page8worker on Tue Dec 16, 2008 1:13 am, edited 1 time in total.
Jackie Apshire Jr.
Page8 Studios.com
Specializing in eCommerce Integrations

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: Gift Certificate Concerns

Post by jmestep » Mon Dec 15, 2008 1:32 pm

You could send the GC# with the activation email and take the serial number off the display page.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Gift Certificate Security Concerns

Post by Logan Rhodehamel » Tue Dec 16, 2008 11:17 am

I don't know if this will ease your concern, but there are 100,000,000,000,000 possible gift certificate numbers. Suppose you had 5000 numbers generated in your store, and a hacker managed to try a brute force attack a million times, their chances of discovering a valid number are still only 0.00005%.

We will discuss whether we can reduce that risk even further.
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

page8worker
Ensign (ENS)
Posts: 7
Joined: Wed Dec 10, 2008 11:08 am

Re: Gift Certificate Security Concerns

Post by page8worker » Tue Dec 16, 2008 1:00 pm

Thank you guys for the responses. Logan, your example does make it seem less likely, which is good. Ultimately, though, this project could evolve into a very active site, so any additional security that could be added would be much appreciated.

Thanks again,
Jackie Apshire Jr.
Page8 Studios.com
Specializing in eCommerce Integrations

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Gift Certificate Security Concerns

Post by AbleMods » Tue Dec 16, 2008 7:59 pm

Your chances of getting hit with credit card fraud are far greater than a successful brute force attack searching for a gift certificate value.

A PIN code isn't going to resolve it either, it just increases the time before a successful guess is made.

A simple retry counter on the gift certificate failure during checkout with an automatic IP block after 10 failures would solve 99% of the problem.

In the end, a high-value website should always be augmented with network monitoring and intrusion detection tools. The full responsibility of website security should never rest with the site alone.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Gift Certificate Security Concerns

Post by Logan Rhodehamel » Tue Dec 16, 2008 8:38 pm

SolunarServices wrote: A PIN code isn't going to resolve it either, it just increases the time before a successful guess is made.

If we wanted to all but eliminate the risk of fraud, we could combine a randomly generated PIN with a certain number of retries before the gift certificate was deactivated. Of course, this will come with an added overhead to the merchant (legitimate users who mix up and need their certificate reactivated?). That may be overkill.

SolunarServices wrote: A simple retry counter on the gift certificate failure during checkout with an automatic IP block after 10 failures would solve 99% of the problem.

I have already registered a bug to have something of this nature done. Combined with the minimal chance of guessing a correct number it should be satisfactory. As with anything we can't prevent fraud completely, but here we should be able to reduce the risk even further without adding overhead.

SolunarServices wrote: In the end, a high-value website should always be augmented with network monitoring and intrusion detection tools. The full responsibility of website security should never rest with the site alone.

This is true. In my example above I mentioned the prospect of a million attempts - at this stage ideally you would have a firewall that is able to detect and prevent this kind of traffic.
Cheers,
Logan
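The retry counter with an automatic IP block after 10 failures, as suggested in this thread, could be implemented along the following lines. This is an added example, not AbleCommerce code or anything posted by the participants; the class name, the counting window, the block duration and the sample serials and IP addresses are all assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 10          # threshold suggested in the thread
WINDOW_SECONDS = 3600      # assumption: failures are counted over one hour
BLOCK_SECONDS = 24 * 3600  # assumption: how long an IP stays blocked

class RedemptionGuard:
    """Hypothetical per-IP failure counter for gift certificate lookups."""
    def __init__(self, active_serials, clock=time.time):
        self._active = set(active_serials)
        self._failures = defaultdict(deque)  # ip -> times of recent failures
        self._blocked_until = {}             # ip -> time the block expires
        self._clock = clock

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:           # block expired: start fresh
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def redeem(self, ip, serial):
        """Return 'ok', 'invalid' or 'blocked'."""
        if self.is_blocked(ip):
            return "blocked"  # checked first, so a blocked client learns nothing
        if serial in self._active:
            return "ok"
        now = self._clock()
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[ip] = now + BLOCK_SECONDS
        return "invalid"

def demo():
    """Constructed input: one client guessing, one legitimate customer."""
    t = [0.0]
    guard = RedemptionGuard({"CONSTRUCTED-0001"}, clock=lambda: t[0])
    results = []
    for i in range(12):
        t[0] += 1
        results.append(guard.redeem("203.0.113.7", f"GUESS-{i}"))
    results.append(guard.redeem("203.0.113.7", "CONSTRUCTED-0001"))
    return results, guard.redeem("198.51.100.4", "CONSTRUCTED-0001")
```

Because the block is checked before the serial lookup, a blocked address gets the same answer for valid and invalid numbers, while other customers are unaffected.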

page8worker
Ensign (ENS)
Posts: 7
Joined: Wed Dec 10, 2008 11:08 am

Re: Gift Certificate Security Concerns

Post by page8worker » Wed Dec 17, 2008 12:42 pm

Again thank you for the replies. We have already been assessing additional security and had no intentions of placing all the responsibility on the site alone, rather we simply wanted to eliminate/reduce the chances of any of our customers being compromised, at least as much as possible. After all it is our responsibility to explore all possible scenarios, the what ifs if you will, on their behalf. Not to mention as easy as it is to circulate information online these days it would only take one customer being compromised, and then you can only guess what would potentially happen then...

Also, it is true that adding a PIN would not eliminate the chance of being compromised, but it would greatly reduce the probability. After all there is one factor that is not being added into these equations, which is simply blind luck. By adding something like a PIN the culprit can no longer simply stumble upon (be it through brute force or any other means) an active number, rather, they would also have to provide some sort of response to the challenge. Again though, I'm not saying that a PIN is the only way to go. I simply offered it as a suggestion. I also like the notion of adding some kind of auto block feature to the site.

Thanks again for all the feedback on this matter.
Jackie Apshire Jr.
Page8 Studios.com
Specializing in eCommerce Integrations

WylieE
Captain (CAPT)
Posts: 281
Joined: Tue Mar 25, 2008 8:26 am
Location: Puyallup, WA

Re: Gift Certificate Security Concerns

Post by WylieE » Tue Sep 29, 2009 11:33 am

This is probably an odd question related to gift certificate serial numbers. We have a legacy accounting system. I need to link gift certificates to customer prepayments. The serial number is the best choice, but my legacy system is limited in the number of fields available and the best choice is limited to 6 digits. In order to match the two up, I'm thinking of taking either the first 6 or last 6 numbers of the GC number.

Not knowing the exact formula used for generating the random numbers, I cannot judge which series of numbers would be least likely to ever be repeated. Unique numbers are much preferred?

Can anyone suggest which set of numbers would be my best choice?

Thanks,
Eric.
Eric Wylie
Warmoth Guitar Products, Inc.
http://www.warmoth.com

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Gift Certificate Security Concerns

Post by Logan Rhodehamel » Tue Sep 29, 2009 3:55 pm

Well... the last six. The first two are constant. Actually... the number is a faux card number in the sense that the last digit is a check digit for the 16 digit number. But it would also be considered random since it is calculated based on the random numbers generated previously.
Cheers,
Logan