By tonyhughes Hughes, posted: 10-Jan-2007 09:02

There is a flaw in the way NZ Post's VISA Prezzy Card processes some payments under some circumstances. I managed to exploit this unintentionally, and receive goods from an online retailer, without having to pay for them. (Prezzy Card is a prepaid credit card available to anyone, without any personal details or signup form).

After my bad experience trying to notify ASB Bank's Pago GM about a flaw in their mobile payment service which left them wide open to a simple social engineering hack, and a separate client-hardware based attack, only to be basically ignored, with the GM doing nothing about my initially private warning, I found myself wondering what to do about my latest discovery.

Well - here goes... I decided to just post a notification of the flaw (but not details on how to take advantage of it) on the internet.

If NZ Post want to contact me, they are more than welcome to. Please note that I will require your company contact details, so that I can proactively call you back on a company line (otherwise any fool could ring me...). Drop me an email to tony at tall dot co dot nz.

Tonight while performing some perfectly legitimate business on the internet, I discovered a way to make two separate purchases with a value of over $30NZD without having a single cent charged to my prepaid Visa card.

I have replicated this one more time purely for educational purposes, with a much smaller amount.

I am semi-confident that under the right conditions, a much larger purchase could also be made, but I am not prepared to commit major fraud to prove this - perhaps I will test it with the blessing of a willing merchant participant at some stage?

Really - NZ Post, someone in authority should contact me soon, because I'm not a super-smart security consultant, and didn't set out to do this on purpose - so I'm sure others will discover it fairly soon, and distribute the instructions, which will spread like wildfire.

P.S. It's also possible that the problem is partly or fully the fault of the merchant concerned, but either way, I think NZ Post should be concerned, as it dispels any trust people may have in the prepaid card system, and makes your company look a little incompetent. VISA probably should take equal blame, although really, it's an NZ Post product, bought from NZ Post.

P.P.S. It should also be noted that I plan to pay for my ill-gotten gains in full. If I wasn't going to, why would I blog about it? (Before anyone accuses me of being some sort of thief or criminal fraudster).

[Originally posted 9th Jan 2007 22:14, and shamelessly bumped up the front page at 9:55am on the 10th Jan]

## Update: thanks to Juha Saarinen for the Computerworld Story

NZ Post's general manager for payment services, Terese Tunnicliffe, says that this is indeed what will happen: "The retailer is accepting the risk that the purchaser does have sufficient funds for the transaction and is not committing fraud - or making a genuine mistake about the amount of funds available," she says.

So the retailer takes the risk on that a prepaid credit card has not run out, when they probably never get to see the balance on the card. Nice answer NZ Post.
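The NZ Post answer quoted above describes the failure mode exactly: if the retailer accepts the order and ships before the card has been authorised, it carries the risk that a prepaid card has already run out. The following toy model is an added example, not code from the original post or from NZ Post, Visa or any retailer; the `Issuer` and `Order` classes, the card id `prezzy-demo`, the $20.00 balance and the two $18.00 orders are all constructed for illustration. It contrasts a "ship now, charge in the nightly batch" flow with a realtime authorise-then-capture flow, and counts how many orders leave the warehouse unpaid under each.

```python
"""Added example (constructed; not the original post's code): why 'accept now,
settle later' lets an exhausted prepaid card through, and why a realtime
authorisation hold before shipment does not."""
from dataclasses import dataclass, field
from typing import Optional
import itertools

_auth_ids = itertools.count(1)


@dataclass
class Issuer:
    """Stands in for the card issuer. Balances and holds are in cents."""
    balances: dict
    holds: dict = field(default_factory=dict)   # auth_id -> (card, amount)

    def available(self, card: str) -> int:
        held = sum(a for c, a in self.holds.values() if c == card)
        return self.balances.get(card, 0) - held

    def authorise(self, card: str, amount: int) -> Optional[int]:
        """Realtime authorisation: place a hold on available funds, or decline (None)."""
        if amount <= 0 or amount > self.available(card):
            return None
        auth_id = next(_auth_ids)
        self.holds[auth_id] = (card, amount)
        return auth_id

    def capture(self, auth_id: int) -> int:
        """Settle a previously authorised hold; the funds are guaranteed."""
        card, amount = self.holds.pop(auth_id)
        self.balances[card] -= amount
        return amount

    def charge(self, card: str, amount: int) -> bool:
        """Deferred/batch charge with no prior hold: succeeds only if funds are still there."""
        if amount > self.available(card):
            return False
        self.balances[card] -= amount
        return True


@dataclass
class Order:
    card: str
    amount: int
    shipped: bool = False
    paid: bool = False
    auth_id: Optional[int] = None


def checkout_realtime(issuer: Issuer, orders: list) -> list:
    """Authorise before accepting the order; ship only approved orders; capture on shipment."""
    for o in orders:
        o.auth_id = issuer.authorise(o.card, o.amount)
        if o.auth_id is None:
            continue                  # declined at checkout: nothing ships
        o.shipped = True
        issuer.capture(o.auth_id)
        o.paid = True
    return orders


def checkout_deferred(issuer: Issuer, orders: list) -> list:
    """Accept and ship immediately, then try to charge the card in a later batch run."""
    for o in orders:
        o.shipped = True              # goods are gone before the card is ever checked
    for o in orders:                  # nightly settlement
        o.paid = issuer.charge(o.card, o.amount)
    return orders


def shipped_unpaid(orders: list) -> list:
    """Orders the merchant has honoured but will never be paid for."""
    return [o for o in orders if o.shipped and not o.paid]


def run(flow, balance: int = 2000, amounts=(1800, 1800)) -> dict:
    """Run one checkout flow against a fresh constructed card and summarise the outcome."""
    issuer = Issuer(balances={"prezzy-demo": balance})   # constructed card id
    orders = [Order("prezzy-demo", a) for a in amounts]
    flow(issuer, orders)
    return {
        "shipped": sum(o.shipped for o in orders),
        "paid": sum(o.paid for o in orders),
        "shipped_unpaid": len(shipped_unpaid(orders)),
        "balance_left": issuer.balances["prezzy-demo"],
    }


if __name__ == "__main__":
    print("deferred :", run(checkout_deferred))
    print("realtime :", run(checkout_realtime))
```

With a $20.00 card and two $18.00 orders, the deferred flow ships both and only the first settles, leaving one order shipped and unpaid; the realtime flow declines the second order at checkout, so nothing leaves unpaid. The merchant-side fix is simply to refuse to fulfil until an authorisation has been approved (and to capture against that authorisation rather than charging blind later).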

Comment by chiefie, on 9-Jan-2007 22:33

Geepers! Hope NZ Post looks into this ASAP; with so many people recommending it and more and more people getting comfy with the prepaid credit card idea, this won't be good if it is being abused or the exploit becomes known. Also, I hope you won't face the same difficulty as the guy that did the NZ Reserve Bank phone exploit. Good luck! Keep us posted with any progress from NZ Post.

Comment by inane, on 9-Jan-2007 22:46

feel free to let me know how you did it so I can further prove your claim...

for purely "educational" purposes only of course!! lol.

Comment by johnr, on 9-Jan-2007 22:53

Tony my best friend I think we should catch up on MSN for a chat I need some new toys to play with and you may be able to help

Comment by alasta, on 10-Jan-2007 08:17

Damn you, why did you have to go and tell them! I want my free money!

Author's note by tonyhughes, on 10-Jan-2007 08:32

You all shock and surprise me ;-)

Two payment systems exposed in two months..... I feel like a 733t h4x0r (for about three seconds - then I feel like an idiot who will have to spend time on the phone to a corporation telling them how to suck eggs, and receive nothing for the privilege).

I would prefer, from a time and effort point of view, to just shut my mouth, and delete this page....


Comment by chiefie, on 10-Jan-2007 09:07

Awww... don't be so hard on yourself... if those companies are giving you grief... put it to the public, find a lawyer and see what they suggest? In the end, the public needs to know the flaw to protect themselves.

Author's note by tonyhughes, on 10-Jan-2007 09:51

My concern is that a small online retailer working on already low margins, could be left in the lurch, having honoured payment that NZ Post said was ok, only to discover that after supply of goods or service, the payment has not come through.

So much for "prepaid".

Still no word from NZ Post...

Comment by inane, on 10-Jan-2007 10:07

Document everything, then send it to them with an invoice for security consultation services,

there are people who do that for a living (like that guy who hacked the reserve bank phone system)

Author's note by tonyhughes, on 10-Jan-2007 10:19

Yeah, but it's well known that I work for a prominent IT company. I couldn't be bothered having to defend my actions at an employment disciplinary meeting. I am contractually bound after all not to do anything to bring my employer into disrepute, which I'm sure that would.

When Pago-gate happened, I fronted up to my boss before it became widely known, so that he knew what was going on (before hearing it from anyone else in a bad light).

I guess I should do the same for Prezzy-gate...

Author's note by tonyhughes, on 10-Jan-2007 10:26

All your prepaid credit card are belong to me... (Wikipedia explanation)

Comment by adamj, on 10-Jan-2007 11:29

I have had 2 telephone conversations with Pago GM and several emails, mainly about usability of their site, but it was obvious from the moment I heard of the concept how easily the system could be exploited with a little social engineering.

Author's note by tonyhughes, on 10-Jan-2007 14:53

Was this in relation to your job? Are you able to disclose what he had to say?

Comment by juha, on 10-Jan-2007 17:39

OK, can't do trackbacks from the Computerworld website, but here's our Tony featuring in a major story. :)

Been thinking about it, and I don't think it's fair to say that it's NZ Post's fault. They're just repackaging a Visa card, aren't they? Not their problem that retailers don't authenticate purchases straightaway.

That, incidentally, means the hole is available for more than just the Prezzy card...

Author's note by tonyhughes, on 10-Jan-2007 18:25

It may not be their fault, but it's certainly their problem when the online retailers come knocking on their door for reimbursement...

Author's note by tonyhughes, on 10-Jan-2007 18:26

retailer: "What's the name on all these fraudulent purchases?"
employee: "uhhh.... 'Prezzy Card Holder'"
retailer: "WTF is a Prezzy Card?"


Comment by sbiddle, on 10-Jan-2007 19:57

Another question for Tony/Juha - how "realtime" are realtime credit card systems? How long does it take for a purchase from an online retailer that is using a realtime credit card authorisation system, or any bricks & mortar retailer using an EFTPOS terminal, to actually be debited from the card?

Comment by johnr, on 10-Jan-2007 21:15

Hey Tony I need pizza and beer here at work can I borrow your Prezzy card again!! LOL

Author's note by tonyhughes, on 10-Jan-2007 21:26

lol... you're gonna have men with VISA branded automatic weapons at my door if you're not careful!!

Comment by juha, on 12-Jan-2007 09:16

Should be pretty much instant to authorise payments... I mean, look at EFTPOS: even big outlets use slow 9,600 bps leased lines for multiple terminals, so iTunes should be able to verify transactions over the Internet in a few seconds.

Comment by Hone, on 6-Oct-2008 21:37

Should have got some Bonus Bonds with your card, Tony.

Comment by cashback, on 11-Mar-2009 10:29

Nice read, thanks, good insight.
