Panera Gift Card Security
Wednesday, April 15, 2009
A bit of information on Panera Bread's gift card security, or lack thereof.
Traditional gift card security often involves a randomized account number and a scratch-off PIN. Randomized account numbers prevent attackers from guessing valid account numbers to use. Scratch-off PINs prevent attackers from checking or using card numbers they have merely seen, and from going into brick-and-mortar stores to capture the numbers of unactivated cards on the racks (checkout clerks are advised to discard any cards whose PIN has already been scratched off or that are otherwise tampered with). Online websites also use CAPTCHAs and rate-limiting to stop attackers from brute-forcing the card number space.
Upon a visit to Panera for a delicious turkey bravo, I naturally wandered over to the gift card stand to play with the piles of unactivated magcards. A quick glance at two cards showed two nearly identical account numbers, differing only by a couple hundred:
Sequential card numbers, not a good start. I purchased a couple cards with a low balance to play around with. Later, I checked out the Panera website to query the balance of my cards and test other cards within the same sequential range:
Darn, a CAPTCHA! Looks like we're out of luck for mass querying of card numbers. Filling in the card number and the correct CAPTCHA value results in being redirected to the following URL:
/checkbalance_transhistory.aspx?cardNum=6006491610278240240&isCA=False
Hrm, what if we simply supply a different card number directly in the query string? Surprise, the results are shown for the specified card number without requiring us to complete a CAPTCHA. In other words, the original CAPTCHA check is useless since it is not actually enforced by the page displaying the results.
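The failure above is a classic one: the CAPTCHA is verified on the form page, but the page that actually returns the data trusts whatever arrives in the query string. The following is an added example, not Panera's code and not the script from this post, showing the broken check next to a fixed one. The two handlers are plain functions standing in for the two pages; the session store, the two-minute proof lifetime, the hourly lookup cap and the card data are all assumptions made for this illustration.

```python
"""Added example: CAPTCHA proof must be enforced by the page that returns
the balance, bound to the session and to the card number that was entered,
consumed on use, and backed by a lookup rate limit.  Nothing here is
Panera's code; all names, limits and data are assumptions for illustration."""
import time
from collections import defaultdict

# Constructed sample data: these card numbers and balances are made up.
CARDS = {
    "6006491610278240240": "12.50",
    "6006491610278240241": "0.00",
    "6006491610278240242": "200.00",
}


def vulnerable_check_balance(query):
    """Results page as described in the post: it trusts ?cardNum=... and
    never asks whether a CAPTCHA was solved, so the form page is bypassable."""
    return CARDS.get(query.get("cardNum"))


class BalanceService:
    """Hardened flow (assumed design).  The form page records a server-side
    proof {session -> (card number, expiry)} after the CAPTCHA service says
    the answer was correct; the results page refuses to answer without a
    fresh, unconsumed proof for exactly the card number in the request."""

    PROOF_LIFETIME_SECONDS = 120   # assumed
    MAX_LOOKUPS_PER_HOUR = 5       # assumed per-client cap

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}                 # session_id -> (card_num, expiry)
        self._lookups = defaultdict(list)  # client_ip  -> [timestamps]

    def captcha_form_submitted(self, session_id, card_num, captcha_ok):
        """Form page handler: called after the CAPTCHA answer was verified.
        The proof is bound to the card number the user typed in."""
        if not captcha_ok:
            return False
        self._pending[session_id] = (card_num, self._clock() + self.PROOF_LIFETIME_SECONDS)
        return True

    def _rate_limited(self, client_ip):
        """Count every results-page request, successful or not, per client."""
        now = self._clock()
        recent = [t for t in self._lookups[client_ip] if now - t < 3600]
        if len(recent) >= self.MAX_LOOKUPS_PER_HOUR:
            self._lookups[client_ip] = recent
            return True
        recent.append(now)
        self._lookups[client_ip] = recent
        return False

    def check_balance(self, session_id, client_ip, query):
        """Results page handler.  Returns the balance string, or None when the
        request is throttled, has no proof, the proof expired, or the
        cardNum in the query string differs from the one the CAPTCHA covered."""
        if self._rate_limited(client_ip):
            return None
        proof = self._pending.pop(session_id, None)   # one-time use
        if proof is None:
            return None
        card_num, expiry = proof
        if self._clock() > expiry:
            return None
        if query.get("cardNum", "") != card_num:
            return None                               # tampered query string
        return CARDS.get(card_num)


if __name__ == "__main__":
    # Vulnerable page: direct URL works with no CAPTCHA at all.
    print("vulnerable:", vulnerable_check_balance({"cardNum": "6006491610278240242"}))
    svc = BalanceService()
    # Hardened page: same direct request is refused...
    print("hardened, no proof:", svc.check_balance("s1", "10.0.0.1", {"cardNum": "6006491610278240242"}))
    # ...and swapping the card number after solving the CAPTCHA is refused too.
    svc.captcha_form_submitted("s1", "6006491610278240240", captcha_ok=True)
    print("hardened, tampered:", svc.check_balance("s1", "10.0.0.1", {"cardNum": "6006491610278240242"}))
```

The design choice worth noting is that the proof is tied to the card number, not just to "a CAPTCHA was solved in this session": a session-wide flag would let one solved CAPTCHA unlock unlimited lookups of other numbers, which is the same enumeration problem in a thinner disguise. The rate limit is the backstop for the day the CAPTCHA itself is beaten.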
So it turns out we can do some mass querying of candidate card numbers. With a quick httplib Python script, I queried 50,000 card numbers from 600649161023198727 to 600649161023248727. Some summary stats:
Total cards queried: 50,000
Total cards with a non-zero balance: 17,570
Max value on a card: $200.00
Min value on a card: $0.01
Average value on a card: $10.78
Total value of queried cards: $189,487.49
$189,487.49 is a lot of sandwiches!
In addition to the balance, the Panera site displays where/when the card was purchased/activated and lists individual transactions for every time it is used. While tracking someone's Panera usage isn't very exciting, one could run some interesting stats on most popular Panera stores, most effective placement/conversion rates of gift card displays, etc.
Numerous attempts to contact Panera and the company responsible for their gift card distribution have been unfruitful.