According to the National Retail Federation, Americans are expected to spend $27.6 billion on gift cards this year. But what if your gift card was compromised and all the money was drained from it before you even went shopping?
Cybersecurity expert Jim Stickley says he did that with Nordstrom gift cards. "I can write software that's designed to go after a website and actually pull the card pins one at a time from each card," Stickley told TODAY national investigative correspondent Jeff Rossen.
Stickley says that Nordstrom gift cards have shorter PIN numbers than most retailers' cards, and initially had no protection from bots. He demonstrated the vulnerability by hacking a newly purchased Nordstrom gift card and draining all $50 from it.
Nordstrom declined to meet in person, so Stickley walked them through the problem and how to fix it by phone.
Nordstrom fixed the flaw after NBC News brought it to their attention. However, Nordstrom told NBC News, "our customers are always our top priority, and if we learn they were negatively impacted by an issue with our gift card systems, we'd work quickly to take care of them." Nordstrom added, "We have a number of gift card security controls in place, and a team of experts that regularly test, review and enhance those controls."
Here are tips to protect your gift cards:
- Experts say you shouldn't buy gift cards from public racks. Instead, buy them at the stores themselves, and make sure the cards are kept behind the counter, where the public doesn't have access to them. Better yet, buy them online if you can.
- If you have to buy gift cards from a rack, never buy one where the PIN is exposed (it's usually that 3- or 4-digit number on the back of the card). If the PIN is exposed, choose a different company; it's not worth the risk.
- If you get a card that's been drained of all the money, experts say you should call the number on the back of the card rather than searching online or calling the retailer yourself. They warn that scammers can create very realistic-looking customer service pages that could fool consumers.