Gift Card Cracking: How Random Numbers Become Free Money
a woman buys a gift card at a supermarket, slides it into a birthday envelope, and mails it across the country. a week later her nephew scratches off the panel, types the code into the store’s website, and the screen tells him the balance is zero. the card was never used.
somewhere between the rack at the checkout and the moment he opened it, every cent on it had already been spent by someone he will never meet. nobody broke into a vault. nobody stole the physical card. the value simply walked off while it sat in an envelope, drained by a machine quietly guessing at cards exactly like it.
this is one of the stranger thefts on the modern internet, because nothing about it looks like theft. there is no forced door, no skimmed wallet, no hacked account with a password behind it. only a number, and the slow work of guessing which numbers happen to be worth money.
a gift card is really just a number
a gift card feels like an object. it has a design, a logo, a little foil panel you scratch off. but to the store’s computers, none of that exists. all that matters is the code printed on the back and, sometimes, a short pin hidden under the panel.
when you redeem a card, the website does not look at the plastic. it takes the number you typed, finds the matching record, and reads off whatever balance is attached. the card in your hand is just a reminder of a number that lives on a server. lose the plastic, keep the number, and you still have the money. learn someone else’s number, and you have theirs.
so a gift card is not really a card at all. it is a password to a small pile of cash, printed on plastic and sold next to the chewing gum.
why the number range is the weakness
here is the part that makes the whole thing possible. the numbers on a store’s gift cards are not scattered randomly across every number in the universe. they sit inside a predictable range, a block the store has set aside for its own cards.
they have to. the system needs to recognize one of its own cards the instant someone types it in, so the valid codes cluster together in a known space rather than hiding among every possible combination of digits. that makes life easy for the cashier and the customer. it also means that if a program generates numbers shaped like that store’s cards, a meaningful fraction of those guesses will land on codes the store actually issued.
most of those issued cards will be empty, never activated, or long since spent. but a store sells millions of these things, and at any moment a great many sit loaded and untouched, waiting for a birthday that has not arrived yet.
enumeration, explained simply
the technique that finds them has a plain name. enumeration. it just means working through a set of possibilities, in order or near enough to it, and checking each one.
picture a hotel with a long corridor of rooms and no list of which are occupied. try each handle and most doors are locked or empty, but try enough and you eventually open one with someone’s suitcase inside. enumeration against gift cards is that corridor, except the doors number in the millions and a machine tries them far faster than any hand could.
the attacker does not know which specific cards hold money, and does not need to. they only need a way to ask the store, over and over, whether a given number is real and what it is worth. and most stores have, without meaning to, built exactly that door.
the balance check that gives it away
almost every gift card program has a friendly little feature. a page where you type your card number, maybe the pin, and it tells you how much is left. it exists to be helpful. you want to know there is enough on the card before you reach the register.
but that same page answers a question for anyone, not just the cardholder. type a number, and it reports whether that number is a real card and what balance sits behind it. it does not know or care who is asking. to the page, a worried shopper and an automated guessing program look almost identical.
so the attack is not some exotic forced entry. it is the balance check, used against itself, asked millions of times by software instead of once by a person. the feature meant to reassure customers becomes the oracle that tells a guessing machine which guess just struck cash. most answers come back as nothing, and the machine simply moves on, because it does not get tired and time is the only thing it has to spend.
once a loaded number is found, taking the value is almost an afterthought. the balance can be spent online, loaded into a wallet, or turned into digital goods that resell instantly, and it never has to become physical. that is what makes the victim’s experience so eerie. the real card is still sitting in an envelope on a kitchen counter on the other side of the country. nothing was taken from their hands. the number was simply guessed, checked, and emptied.
why gift cards specifically
gift cards sit at a rare intersection of properties that almost nothing else has all at once, and that is what makes them a favorite target.
they are treated like cash, honored without anyone asking who you are, the way a twenty dollar bill works for whoever holds it. there is no login, no identity tied to the value, no bank behind it asking questions. they are hard to trace, because money moved through a card does not carry a name the way a bank transfer does. and they are easy to resell, into a whole open market for discounted gift cards where a stolen balance becomes clean money fast. cash, untraceable, and liquid, all in one humble store card.
the part where the scams come in
there is a second, uglier place gift cards show up, and it touches far more people than the enumeration story ever will. a huge share of scams now end with the same instruction. pay in gift cards.
the fake tax agent, the pretend tech support call, the romance that suddenly needs money, the boss emailing in a panic. astonishingly often the demand is the same. go to the store, buy gift cards, scratch off the panels, and read the numbers over the phone.
it works for the same reasons covered above. the moment those numbers are read out, the value is as good as cash, it cannot easily be traced, and it cannot be reversed. a card chargeback can claw money back. a gift card number, once spoken aloud to a stranger, is simply gone. so remember one thing. no real government, bank, or company will ever ask to be paid in gift cards. that request, by itself, is the scam announcing itself out loud.
how stores fight back
stores are not blind to any of this, and their defenses are a good lesson in how you protect anything that turns a number into money. the goal is never to make guessing impossible, because nothing is. the goal is to make it slow, expensive, and loud.
rate limiting comes first. a real shopper checks a balance once or twice, so the system watches how many checks come from one place and slows, then blocks, anything that looks nothing like a human. a challenge comes next, a captcha in front of the balance check that asks the visitor to prove they are a person, raising the cost of every guess until that small cost becomes a wall.
then there is the shape of the number itself. longer codes, paired with a pin and drawn from a much larger, more random space, mean guessing lands on a real card far less often. and there is locking, freezing out a source after a run of failed checks, the way a phone locks after too many wrong passcodes.
watching for the spike
the most interesting defense is the quietest one. stores watch the balance check itself as a signal. on a normal day, balance checks tick along at a steady, boring rate, because real people check real cards at a human pace.
an enumeration attack does not look like that. it arrives as a sudden flood, most of it hitting numbers that are not real cards. that pattern, many checks against mostly invalid numbers, is almost impossible to fake as anything else. it is the fingerprint of a machine working through a range, and when the system sees it, it can throttle the channel, demand a challenge, or shut the balance check down for a while.
no single defense stops a determined attacker. stacked together, though, they change the economics. each layer makes guessing slower, costlier, and more likely to trip an alarm, until the numbers game quietly stops paying.
the deeper rule underneath it all
step back from gift cards and you find a law that governs far more than this. anything that turns a number into cash will be probed by machines, relentlessly, forever. a gift card, a coupon code, a loyalty balance, a discount link. if a string of digits can be converted into value, someone will eventually point automated guessing at it.
this is not a flaw in any one store’s website. it is a property of money itself meeting the internet. the moment value can be claimed by knowing a secret number, and that number can be checked at machine speed, the guessing begins. the only real question is whether the defenses make the guessing cost more than it returns. that is the whole game, quietly playing out behind every balance check page you have ever ignored.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.