Tim Hortons Inc.’s new mobile app, TimmyMe, is prone to a security loophole that allows someone to create barcodes online to steal the money from customers’ gift cards.
Tim Hortons launched the TimmyMe mobile payments app in December 2013, which allows users to connect their gift cards to their app and then pay with the app at the cash register. As long as an attacker has a gift card’s 16-digit number, he can generate barcodes for these gift cards, scan them at a Tim Hortons cash register, and charge gift cards bought by another person. The Android and iOS versions of the mobile payments app are currently in pilot mode, being accepted at only 55 Tim Hortons locations across southern Ontario.
When reached for comment, Tim Hortons had this to say in an email:
“We are aware of this issue as this is something that affects almost all retailers currently accepting mobile barcode gift card payments. We are currently in a very small pilot market which helps control the exposure unlike some of our competitors who are widely using this same technology throughout North America. We are very pleased to let you know that we have developed a secure solution which will be in place in the very near future, prior to Tim Hortons full roll-out.”
IBM Corp., which developed the TimmyMe mobile app for Apple iOS and Google Android, also responded with a comment via email.
“IBM has identified an approach that would allow Tim Hortons, during this pilot, to address the exposure. IBM continues to develop and invest in mobile solutions that will help our clients address this technology gap.”
Tim Hortons isn’t the only coffee chain to have this problem. In November 2011, CTV Ottawa reported on its investigation of Starbucks, when a customer said he was able to generate barcodes online and debit money from the coffee giant’s gift cards. Starbucks did not return CTV Ottawa’s calls before the time of publication. At the time of this writing, it’s still possible to look up barcode generating tips from users on forums like CrackBerry.com through a simple Google search.
In the case of Tim Hortons, users need to enter a 16-digit number, plus an additional scratch-to-reveal code, to register their Tim Hortons gift card using the TimmyMe app. Once that number is keyed in, the gift card’s balance will appear on the app, and a customer can use it to pay for their order.
BlackBerry 10 devices use near field communication (NFC) technology to tap a point-of-sale terminal to pay, meaning this version of TimmyMe doesn’t generate barcodes.
But for devices running Apple iOS and Google Android, the app creates a PDF417 barcode – one that can easily be replicated using many freely available online tools, says Darryl Burke, the security consultant who tipped ITBusiness.ca off to the vulnerability.
As long as an attacker knows a card’s 16-digit number, he or she can generate a barcode for it. The code hidden behind the scratch-off portion of the card isn’t needed. The attacker can then take the generated image and overlay it on a screenshot of the TimmyMe app. The end result is a barcode that looks just like the one from Tim Hortons.
In theory, the size of the barcode doesn’t matter – as long as the scanner at the cash register can scan it, it should work. However, Burke says he made his barcode the same size as the barcode in the TimmyMe app, ensuring the employee behind the cash register wouldn’t question it.
“My goal here is for Tim Hortons to A, legitimately recognize this issue and B, fix it,” says Burke, who runs his own firm, Burke Consulting, in Newmarket, Ont. He adds he first became aware of the vulnerability in December 2013. But after notifying Tim Hortons and speaking to more than one customer service representative, he waited 30 days and didn’t hear anything back until Feb. 6, when a Tim Hortons product manager called to ask about the vulnerability.
“It’s not just an issue for me and my money … but it’s everybody else who’s got cash on these cards and invested in Tim Hortons who may lose it if this information goes public. And it’s not that hard to figure this out.”
ITBusiness.ca tested out the vulnerability last week, buying a gift card, generating a barcode for it using Burke’s tool, and sending a volunteer Vineland, Ont. resident to a Beamsville, Ont.-based Tim Hortons participating in the pilot program. She ordered a medium-sized tea and a honey cruller for $2.59, displayed the app-generated barcode, and the transaction went through. The gift card was debited for that amount using the TimmyMe app’s transactions view.
ITBusiness.ca repeated the same test for Starbucks this week, finding it’s also possible to generate a transactional barcode for a Starbucks gift card using the same online tools, or even mobile apps.
However, there are a few key points to note about this gap in security, Burke says. An attacker would still need to have a card’s 16-digit number to be able to charge anything to it, though he says he could imagine a scenario where someone might build an algorithm that could generate valid 16-digit numbers.
There’s also no way to access anyone’s credit card information through this vulnerability. All the attacker would be able to get would be money to spend at Tim Hortons, he says.
Essentially, this security loophole is an oversight on Tim Hortons’ part, says Robert Beggs, CEO of Digital Defence, a company that focuses on data security breaches.
But the company hasn’t violated any industry standards, namely the Payment Card Industry’s Data Security Standard (PCI-DSS), which governs merchants who accept credit cards at their point-of-sales terminals. To violate that standard would require the company to lay open its customers’ credit card information to attackers – and that hasn’t happened in this situation, he says.
While he says he’s not sure how common this loophole might be, using gift cards can be a risky business for consumers, Beggs notes.
“People have to understand, a gift card is like a piece of cash … I think, psychologically, they treat it like a credit card with all the security that a credit card has, because it looks like a credit card,” he says. “That’s one of the reasons why people have an inherent trust in little pieces of plastic that fit into the wallet – they look just like Visa and Mastercard … But credit cards have had several decades’ worth of experience in order to get security down pat.”
“Generally, the rule is, because these cards are so insecure and there’s no standards governing how they’re authenticated, you put as much as you can afford to lose on them,” he adds.
Claudiu Popa, CEO of Informatica Security Corp., agreed. He adds it’s hard to get around the convenience of giving and spending gift cards, but gift card holders can protect themselves by only putting small amounts on their cards. That way, if the value is lost, the financial hit won’t be as heavy.
Still, even more important than the financial aspect might be the cost to a business’ image, Popa says.
“If Starbucks and Tim Hortons cards are insecure – this is within the retail space, so that’s a big deal – who knows about ones that are in larger amounts … where you might conceivably have gift cards in the hundred-dollar range?” he says. “Even if it’s not costing [Starbucks and Tim Hortons] much money, it’s costing them in reputation.”
Though Tim Hortons and IBM say they intend to fix the loophole, there’s no word on how they’ll do it, or when a fix will be rolled out.