WHY HACKERS LOVE WAL-MART MONEY CARDS…

The blogger at GhettoWebmaster dropped us a line to help spread the word that those Wal-Mart pre-paid Visa cards are not only financially a horrible idea, but that your money would be safer scattered in the street.

I heard about Walmart’s new “Money Card” which is nothing more than a prepaid Visa card. Just like any other such card, it has a website where you can check your balance, add funds to your account, etc.

Alternatively, you can have your account information stolen, be exposed to hardcore XXX porn, or line the pockets of a bottom-feeding douche bag while trying to reach the site. Why? Because Walmart, just like most companies, is nothing short of retarded when it comes to internet security and protecting their brand in the online world.

No big surprise there. Why should Wal-Mart care about the security of your card after it collects the up-front fee you pay for the priveledge of loaning it money interest free? Here’s the problem.

Their site says that it’s secure. It even has a nifty little seal on it from Thawte verifying that it’s protected by RC4 128-bit encryption.

Yeah, so what? I said that all those evil evil bad bad things could happen to a person while trying to reach the site. I never said that they’d actually make it there. Your good ol’ Uncle Buck or Aunt Charlene who’s not too savvy on that there interweb, but falls perfectly into the demographic of folks who would have a Wally World prepaid money card, is likely to mistype the web address.

That’s why any security-minded company who wants to protect their customers and brand’s image would / should at the very least register all of the most common typo domains when setting up shop on a new domain – especially if it’s a financial kinda deal. In Walmart’s infinite wisdom, they did no such thing.

I’ve been hovering around the edges of computers for more than 30 years and one lesson I’ve learned is that the moment anyone claims to have created the unhackable you can start the countdown clock to when it will be, in fact, hacked.

There is nothing code-slingers like better than making a fool out of some arrogant suit.

After hearing about this new Walmart card and the accompanying website, I checked to see if they had registered and were forwarding over traffic from one of the most common typos: the full web address prefixed with a “www”. Typing out “www” and then forgetting or simply missing the dot afterwards is commonplace among eTards and fast typers.

Sure enough, wwwwalmartmoneycard.com was wide open. So, I registered it. Just for good measure, I went ahead and registered almartmoneycard.com today too. Missing the first letter of a domain is also pretty common. Luckily for Walprivilegely World, I snagged those domains with the sole intent of using them as an example for this blog entry.

And see? You don’t even need a degree in Computer Science to do something like this. Imagine what the real crooks are thinking.

Jeff Hess: Have Coffee Will Write.

29 Responses to “WHY HACKERS LOVE WAL-MART MONEY CARDS…”

  1. UncleBob says:

    Wait… I thought this was going to be a story about how easy it is to hack into the Wal*Mart Money Card site or something… Instead, WM is being blasted because they’re not spending extra money to prevent stupid people from making errors?

    Not even Wal*Mart makes enough money to do that.

  2. If one has a “real” Visa/Master card then the law protects you from card theft and misuse. Your maximum liability is $50 as long as you notify the card issuer within a short period of time when you first discover the problem.

    In addition most card companies use algorithms to identify suspicious behavior and block the use until the problem is cleared up, or at least confirm the use.

    I had a case where someone had gotten my card number and when I next went to use it the card was already blocked. I called and they issued me a new one.

    Just another reason why a cash card is a poor idea. It used to be that some financial institutions were interested in promoting wise spending and savings patterns, hence the existence of things like credit unions. Why they are not doing more outreach to the under served remains a mystery to me.

  3. Jeff Hess says:

    Shalom Uncle Bob,

    It was what you thought it was Bob.

    Once a hacker sets up fake sites (something that is very easy to do as any Phisher will tell you) it then becomes possible to harvest login and passwords for the real site.

    With those in hand, the Wal-Mart site becomes an ever spewing money machine.

    B’shalom,

    Jeff

  4. Jeff Hess says:

    Shalom Robert,

    Well said.

    B’shalom,

    Jeff

  5. UncleBob says:

    No, it’s not what I thought. I thought Wal*Mart’s website was not secure and one could break into it.

    It’s hardly breaking into the website when you hand over your password to someone else.

    If a user does exactly what they’re supposed to do, they’ll be safe (well, unless there’s another way to get into the site that hasn’t been published). It’s unreasonable to expect a company to plan around every stupid error their clients could possibly one day make.

    If your write a check at Wal*Mart for $20 over and get the $20 cash back, then go outside and get ripped off by a scam artist who dupes you into willingly handing them your $20, is it Wal*Mart’s fault?

    Here we are attacking a company for not buying up every possible mis-type and permutation of their web address (16 letters, any one could be left out, so there’s 16 possibilities there. One could accidentally hit the wrong key while typing, so let’s put some high school math to the test here… 37,192,366,944,000 possible different combinations if customers mistype a letter (or 16) by hitting a key next to it. That’s not even taking into account that a customer could accidentally leave one of those letters out…) I know there’s some anger against Wal*Mart for charging so much in fees – perhaps they’re using the fees to start a savings account to register all 37+ Trillion Domain names. Let’s see, quick check says GoDaddy.com charges about $7/name. After a mere 130,173,284,304,000
    operator assisted calls, Wal*Mart will have saved up enough money! Whoo!

    Seriously though, the internetz is a scary place. Don’t be stupid. And if you’re stupid, don’t cry when you discover everyone else isn’t looking out for you.

  6. Jeff Hess says:

    Shalom Bob,

    Given that you can register a domain name for just a few bucks, I don’t think it’s unreasonable to expect a multi-billion dollar company to do its best to protect its customers.

    There are also secondary security features that can be employed to backstop the site.

    But what this really points to is the way Wal-Mart continues to miss the obvious. A company with its resources shouldn’t be making these kinds of bush league mistakes.

    B’shalom,

    Jeff

    B’shalom,

    Jeff

  7. huh? says:

    eh. . . are you serious? this has nothing to do with “security” . . . you are an fucking amature aint you?

    the website has a lot of issues, but this has nothing to do with it . ..

  8. Jeff Hess says:

    Shalom Huh,

    First, thank you for stopping in, for reading and, most importantly, for taking the time to write a comment. It’s all about the conversation.

    Breaking security is 90 percent social engineering, 9 percent luck and 1 percent nerve. If a Wal-Mart is making mistakes my 6th grade students know how to exploit, how secure do you think the site really is?

    B’shalom,

    Jeff

  9. UncleBob says:

    Jeff:

    Again, it may only cost a few bucks to register a domain, but how many thousands of http://www.walmartmoneycard.com web addresses should Wal*Mart have to register before they’re considered “safe”?

    Here’s what I’m going to do. I’m going to go to the hardware store and buy some wood, nails and paint. I’m going to put together a fake bank and set it up on the sidewalk in front of the real bank down the street. Now I’m going to see how many people walk up to my fake bank and give me their account information. And it’ll be the bank’s fault for not setting up the fake-bank first.

  10. Jeff Hess says:

    Shalom Bob,

    You know, if you do a good enough job, you could pull it off.

    It’s not that different from scam artists who put false card readers over the installed readers in ATMs.

    Customer scan their card, get no response from the ATM, figure it’s broken and go elsewhere.

    The scam artist pull the fake reader, with the collected mag strip and PINs before the bank opens, creates fake cards and drains accounts before anyone knows there’s a problem.

    How much are the Wal-Mart cash cards insured against theft? Is there a limit past which Wal-Mart will eat money stolen from the card? I wouldn’t bet anything important on it.

    B’shalom,

    Jeff

  11. UncleBob says:

    Oh, I’m sure the cards don’t really protect you if someone does manage to rip you off because of one. I’m not a fan of these cards either (it’s also important to note that most Debit/Check cards issued from banks do not provide protection that most major Credit Cards do) but I think it’d be much more productive to focus on the flaws of the cards than to bring up stuff like “Teh h4x0rs can get your information if you’re not smart enough to go to the real Wal*Mart site.”

  12. Jeff Hess says:

    Shalom Bob,

    I look at this way. If a company doesn’t know enough to lock the front door at night (which only helps to keep honest people honest), how in the world can anyone trust it to do the serious security work that might thwart the real thieves?

    B’shalom,

    Jeff

  13. UncleBob says:

    If I had to guess, I’d say the website probably isn’t taken care of by Wal*Mart anyway. It’s probably part of VISA, since the Green Dot card is their thing and all. So… is VISA secure?

  14. Jeff Hess says:

    Shalom Bob,

    Good question. If the whole thing is outsourced to Green Dot then the fault becomes even scarier.

    Kind of like buying fish from China.

    B’shalom,

    Jeff

  15. UncleBob says:

    But how many stores (both chains and Mom and Pops) “outsource” their credit card/gift cards through one of the major credit card companies? If you just don’t trust VISA, MasterCard, AMEX, Discover, etc to be secure, you’re gonna have to get a big wallet to hold all the cash you’re going to be using (even more so, since many locations are going to a “no checks” policy).

  16. Jeff Hess says:

    Shalom Bob,

    Actually I don’t trust Visa, MasterCard, Discover or AMEX.

    What I do trust is Federal law that places limits on consumer liability for the credit card company’s lack of security.

    I could be wrong here, but I don’t believe those protections extend to these kind of pre-paid cards.

    B’shalom,

    Jeff

  17. UncleBob says:

    Probably not any more than they extend to Debit/Check cards as I mentioned above. 😉 And how many people use those death traps on a regular basis (Yes, for those wondering, I do listen to Clark Howard…)

  18. Jeff Hess says:

    Shalom Bob,

    I don’t own a, or normally watch, television, but this past week I visited my parents and saw some of the Visa commercials where people are encouraged to use the card to buy fast food by belittling people who are silly enough to pay cash and slow things down.

    (My gawd, who would want to spend all that time counting out exact change?)

    B’shalom,

    Jeff

  19. Mary White says:

    Check My Balance

  20. Jeff Hess says:

    Shalom Mary,

    First, thank you for stopping in, for reading and, most importantly, for taking the time to write a comment. Community is all about the conversation.

    My hacking days are long behind me so I’ll wish you at least a positive balance.

    B’shalom,

    Jeff

  21. Allen Clowery says:

    Hi,

    Phishing is a major problem no doubt. Creating artificial sights, and/or data warehousing containers is an immediate problem. Mostly though and seriously, I own a walmartmoney card and I believe that they have finally succeeded after years of trying to infiltrate the banking industry, a means to have one’s pay deposit automatically desposited onto the card, bill pay features, at a cost, but nevertheless they work, and the ability to utilize the VISA logo anywhere in the world.

    In essense Welcome to the Bank of Walmart. In time as cashing checking checks and ATM machine fees get closer to $5.00 per transaction, I believe Walmart has struck titanium gold…not just gold. In essence each carrier of a Walmartmoney card in and of itself is a bank.

    Walmart and Visa are the middle entities collecting a good 8-9 bucks to initiate the card but if a customer uses the card and the website as it is intended and can live with a few up front non-hidden fees, I really honestly believe that they will slowly but surely put the prepaid Visa and Mastercard small business non-name companies, out of business.

    In fact if anything I bet Walmart is acuiring those businesses right now. Look …..FACT Walmart using our nations most prominent ideal systems, regarding capitalism, has put to work hundreds of thousands of employees who sell items made from all over the world.

    The have FORCED through ecomomic grants, and realitor high stake ventures, the Eisenhower Inter-State system to add exit after exit so that shopping for products and services, and commerce are as inexpensive as possible. They offer the local communities scholarships, give work to pre and post high school graduates, and above all, and read carefully: They have single handedly taken MAIN STREET AMERICA out of the major economic picture and left it in the dust of retail businesses such as gas stations and convenience stores.

    Walmart is turning into a government of its own. I have faith that Sam Walton’s heritage and proginy will hold steadfast to the simple principals of capitalism without corruption and act literally as a 4th check and balance to our great nation’s ever more greedy loop hole filled, government.

    So now we have our lower house, the legislative branch, the all inspired one of two part system, the lower house, containing a population (capped) based elected legislature and an upper house, and the senate which is governed by 101 senators if you count the district of columbia and 102 if you count the vice presidents power to cast a deciding vote, with ideally each state having the right to have 2 upper house representatives no matter how big or small each state is.

    Okay….that’s just one of the checks, in relationship to tyranny, the othe two major checks are of course the executive branch which is the White House and its great power and world influence, commander in chief, and the ultimate power to veto any law that makes it’s way through the legislature, and then ultimately you have the supreme court who solely interprets the federal constitution based on the intent of history’s past legislation or imposed laws to protect the people and keep our nation as free as it possibly can without over stepping their grounds, i.e. the 2000 presidential election which believe.

    However, I am suggesting that Walmart the mother of all retail sale, economic powerhouses in the entire world, I suggest that it could and I say could act as an indirect 4th check and balance, by using the pure unpolitically influenced laws of supply and demand, (an example of a politically influenced retail force would be the cost of fuel.

    What a mockery to democracy that was – right after president-elect Obama beat McCain miraculously the fear, the headlines, the hype, the pandamonia about drilling off shore, all was forgotten, because, unlike and other product in the history of our nation, including the great depression, “gasoline” within less than 90 days dropped its value three fold.

    There was no supply and demand factor involved in that, it was 100% political. The greedy oil companies held on as long as they could as well as those who held stock in oil used fear based proproganda to drive the oil prices up to begin with thus oil was never, ever really worth $130.00 a barrel.

    It may have been bought and short traded on the internet by day traders and several billions of dollars changed hands, but like Enron and Natural Gas, refined oil never was actually Worth what the American people suffered to pay for it.

    So… back to a 4th chech and balance… why not Walmart… who is privately owned, be an indirect private 4th check and balance to the great constitution and represent the private inductry that is honestly trying to bring customers most inexpensive yet quality based commodities for the price, yes… at the expense of many underage workers all over the world, but we need to stop trying to drive home our moral values on these countries. They are still developing both thein infrastrature and in ideaology. We went through it and so will all developing nations.

    Back to the topic of the Walmartmoneycard. Any company who can argumentatively act as a 4th check and balance system to our countries constitution… especially with all of its semi and forthrigh political attempts to help communities become stronger around the world, be considered STUPID enough to put up a system like walmartmoneycard.com and not first have though the entire phishing concept through.

    Re-read the disclaimers. Using an iconic slogan as a comparison “walmart isn’t setting up people to be placed in a fraudulant siituation, the people who are not careful using walmartmoneycard.com are putting themselves into this situation just as guns don’t shoot people, people shoot people.

    Curious, why did you purchase wwwwalmartmoneycard.com, ever though they they have already imaged your hard drive, using military technology because of the national security risks involved, should they ever be compared as worthy as being a 4th check and balance system to our government.

    I bet your computer, your name, car, and most every transaction you have ever made using a debit or credit card has been pulled and reviewed. Dude some advise… don’t inform the world that somehow Walmartmoney card is a potential hazard and then tell them that you own a website that could be easily set up as a phishing site or sold from you to another party as such and not expect some type of reprecussion. Walmart has employees who specifically monitor all blogs, and all google hits regarding their institution. To even hint that Walmart is unsecure and a potential risk to the average status quo dude who may not even qualify for a conventional bank account is eqvuivalent to suggesting that Bill Gates or Ted Turner don’t monitor their own bank accounts.

    Sincerely,

    Without any malice or judgement, just advise which is not intended to be offensive, just prudent. I believe walmartmoneycard.com just may have the potential to help tax payers get some of their money back from all the socialist type bailouts our nations has literally been forced to enact buy developing yet a new way to save the average person money… if they use it correctly.

    Ask yourself this… how much money did you pay in overdraft fees, and or banking fees this year, whether knowing or now. The walmartmoneycard is here to stay and like “kleenex” or “ipod” they got their systems’ up and running the quickest therefor they will be almost impossible to overtake.

    Lastly… and politically scented with capitalism and entreprenurism in mind… it would not be impossible to overtake their infrastructure and implentation… look how Google took on Yahoo, MSN, Altavista, Netscape, and all the other major dominant powerhouse search engines… keeping in mind that the Internet still only accounts for between 3% and 8% of retail sales made.

  22. Jeff Hess says:

    Shalom Allen,

    First, thank you for stopping in, for reading and, most importantly, for taking the time to share your views with us and our readers. Building our community is all about our conversations.

    I’m thinking a great deal since September about the implications of credit cards, ATM cards and the a-penny-here-a-penny-there reality of our banking system.

    I’m unsure as to the possible solutions, but I do know that we must keep talking.

    B’shalom,

    Jeff

  23. Big says:

    Walmart money card is the best prepaid credit card.

    • Jeff Hess says:

      Shalom Big,

      First, thank you for stopping in, for reading and, most importantly, for taking the time to express yourself. Conversations are what build our community.

      And the Walmart card is superior because why?

      B’shalom,

      Jeff

  24. Carly Phillips says:

    Ok first to the person to mistook what this site was- what so you could steal cash?   My husband and I have been hacked twice- money went to fictional businesses- Wallmart- un able to help except to say Yeah the payment went through- but did Nothing to help us. We are dumping them for good, We have a real bank now with real responsibility to its customers- basically Wallmart cant be bothered.  If you hated it before- well you can hate it some more- down with Wallmart.  I am sick of being cheated out of my money, which I earn and my husband.

  25. Tiffany says:

    Can’t believe that put four hundreds dollars for pay billing and check the balance was one hundred dollar to help my husband to put gas for his truck to work. And he said was about seventy dollar left. So I check balance today is 1.34 dollar. HUH. so I look at what hell there took my money with ask my permit. I thought walmart money card should have protection. But NOT. I THINK IT’S VERY WRONG TO STEAL THE PEOPLE MONEY FROM THE MONEY IN WALMART MONEY CARD. like my husband tried to call the Google company with app and won’t tell him. I thin Google and walmart should owe to all people who bought a walmart card. I am sick to see steal money from people MONEY. Now I am broker that I still suppose to pay another billing.

  26. rashunda butler says:

    i got hacked and i want my shit back

Leave a Reply

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Anti-spam image