Author Topic: Brute-Forcing Gift-Cards Codes?  (Read 2731 times)


Offline Coto

Brute-Forcing Gift-Cards Codes?
« on: January 19, 2016, 03:46:33 pm »
I was looking at Amazon's Gift-Card System. I know there are many Major Companies that sell you Gift-Cards for their Services. I was wondering whether those Gift-Card Codes existed, so you could guess it and apply it? Or when you purchase the Gift-Card it gets enabled to be able to be redeemed by the buyer? If not, couldn't someone just brute-force Amazon's Gift Card System? For example, input the Wordlist which would have Amazon's Gift-Card Code Format, then get tons of Gift-Cards, meaning it would make the Brute-Forcer rich...

So, I was wondering whether Gift-Cards Codes get enabled on Purchase or not.

Offline Racheltjie de Beer

Re: Brute-Forcing Gift-Cards Codes?
« Reply #1 on: January 19, 2016, 05:38:51 pm »
I've done work for one of "those" companies. I've also developed the algorithm to randomly generate the card numbers. Brute force on the last 9 digits of a 19 digit card number, good luck, and they employ pen testers to prevent it.

EDIT:
Ok I've decided to expand the answer on this for the sake of sharing knowledge.  I know, ppl get brainfarts and rush to post stuff but we are here to learn.

Here is how a Card system / network, like Amazon's Gift-Cards, most probably works.  There are three players in this equation, the distribution partner (DP - the shop or website selling the product), aggregator network partner (AN - the link between DP and CP) and the content partner (CP - like Amazon).

In brief:
The DP is a network on its own, consisting of Point of Sales (POS) devices, like tills/cash registers, servers, db, etc. The POS will send the card details to the DP's server, where more information will be added to the message that will be sent to the AN. This communication between the DP and AN is most likely secured, e.g. certificate exchanged etc.

The AN will verify where the message came from and the contents of the message.  It will check the fields in the message against information provided by the CP pertaining to the product being sold. If there is something wrong the AN will send an error back to the DP.

The CP will activate the product only if all the information matches up. The CP can void the product if it suspects fraud. The CP will then reply to the AN which in turn will reply back to the DP.

Sometimes the CP can act as all three or as AN and CP.  As for the AN part, that can also be divided into multiple networks, i.e. local AN company connecting to an international AN company that connects to another local AN company.

As for the Card number; it is usually specified according to an ISO standard and is either 16 or 19 digits. But the CP may choose whatever they like. Usually a 19 digit card number is broken up in 4 parts; BIN number (6 digits), Issuer Ref (4 digits), Random numbers (8 digits) and a check digit (1 digit). You can figure out what the first two parts are by looking at existing cards. The third part is a random, non-sequential number (search for large non-sequential random generating algorithms) and the check bit usually uses the Luhn algorithm.

Digital gift-cards follow about the same route but might even be more secure due to the fact that the access is online and there are a shitload of skiddies out there...

Each of these partners in this network spends a lot of time, effort and money to ensure their (part of the) network is secure. I'm not saying it is impossible to hack, but like all things concerning money, a lot of precautions were made.

So my question to OP is, where will you start? What will be your entry point?
« Last Edit: January 20, 2016, 07:53:25 am by Racheltjie de Beer »
(Thinkn) x ∑1n (Search x Reading)
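Added example (not part of the original posts and not any vendor's code): a minimal Python model of the content-partner side described in Reply #1, showing the 19-digit field split, the Luhn check digit as a typo check, and why a well-formed number is worthless until the CP has activated it. The `ContentPartner` class, its state names, the product id and the sample number are all hypothetical and constructed for illustration.

```python
def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10

def split_card(number: str):
    """Return the fields named in the post, or None if the number is malformed."""
    if len(number) != 19 or not (number.isascii() and number.isdigit()):
        return None
    if luhn_check_digit(number[:18]) != int(number[18]):
        return None  # catches typos; it is a checksum, not a secret
    return {"bin": number[:6], "issuer_ref": number[6:10], "random": number[10:18]}

class ContentPartner:
    """Hypothetical CP: issued cards stay INACTIVE until a sale is confirmed."""
    def __init__(self, issued):  # issued: {card_number: product_id}
        self.product = dict(issued)
        self.state = {n: "INACTIVE" for n in issued}

    def activate(self, number, product_id):
        # Activate only if the message fields match what was issued.
        ok = (split_card(number) is not None
              and self.product.get(number) == product_id
              and self.state.get(number) == "INACTIVE")
        if ok:
            self.state[number] = "ACTIVE"
        return "OK" if ok else "ERROR"

    def void(self, number):  # e.g. suspected fraud
        if number in self.state:
            self.state[number] = "VOID"

    def redeem(self, number):
        if split_card(number) is None:
            return "INVALID_FORMAT"
        if self.state.get(number) != "ACTIVE":
            return "NOT_REDEEMABLE"  # unknown, unsold, voided, used: same answer
        self.state[number] = "REDEEMED"
        return "OK"

# Constructed sample: all-zero BIN and issuer ref, not a real card number.
PAYLOAD = "000000" + "0000" + "12345678"
SAMPLE = PAYLOAD + str(luhn_check_digit(PAYLOAD))
```

Returning the same answer for unknown, unsold, voided and already-used numbers keeps the redemption endpoint from confirming which numbers were ever issued.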

Offline Coto

Re: Brute-Forcing Gift-Cards Codes?
« Reply #2 on: January 20, 2016, 07:05:13 pm »
Thanks, what about other Retailers' Gift-Card systems? When you buy for example an iTunes Gift-Card from the Store next to your house, does the guy working there enable it as soon as you purchase it, or something?

Offline Racheltjie de Beer

Re: Brute-Forcing Gift-Cards Codes?
« Reply #3 on: January 21, 2016, 07:41:40 am »
Some networks will activate immediately, and others will have a delay. Most Gift-card, Pin on Receipt (POR) or digital redemption type products work like this.
(Thinkn) x ∑1n (Search x Reading)

Offline riptorrent

Re: Brute-Forcing Gift-Cards Codes?
« Reply #4 on: January 23, 2016, 05:19:06 pm »
I don't condone this at all. For the sake of argument though, if you were an mturk worker you could transfer earnings daily for gift card codes to get a sample to analyze. I love Amazon though, don't rip 'em off. I would guess they are probably generated at the time of payment.

Offline Trap_lord

Re: Brute-Forcing Gift-Cards Codes?
« Reply #5 on: February 02, 2016, 08:31:51 pm »
About the delay, wouldn't hydra's proxy option take care of that by using a different IP each try?
Interesting idea though, I mean if you crack an Amazon gift card you can buy almost anything, next best thing to cash.
This is your life and it's ending one minute at a time - Fight Club(1999)

Offline Coto

Re: Brute-Forcing Gift-Cards Codes?
« Reply #6 on: February 07, 2016, 05:57:10 pm »
I wasn't planning on doing this using Hydra, I have made a Python Script that works just as well. Maybe Hydra is actually faster on that, but if you've got the time to wait, it could work. I haven't thought about the Proxy though.

I'm actually looking for Sites that allow you to redeem gift cards that don't require big codes, just small ones and that don't require you to change your IP every time/ask for captcha. If you can find any, let me know! :)