Australian financial technology company The Card Network (TCN) temporarily suspended part of its gift card redemption system this week after a YouTuber identified an apparent cybersecurity gap in the firm’s website, which he says allowed a scammer to steal the value of a $500 gift card he purchased.

Melbourne-based Simon Dean, who holds a computer science degree, posted a video on Sunday after finding what he called an “incredibly simple vulnerability” in the TCN website.

Dean alleged the security gap likely allowed cybercriminals to attempt brute-force attacks — which involve repeated trial-and-error guessing of security credentials — to correctly identify four-digit PINs of TCN gift cards which had recently been purchased.

TCN's popular gift cards are widely available in Australia through major retailers like Coles and Woolworths, as well as at many smaller businesses and online.

The company, which launched in 2019 and was acquired by global firm InComm Payments in 2022, typically themes its vouchers around similar groups of retailers and gives them names such as ‘Him’, ‘Her’, ‘Active’, ‘Shop’, ‘Home’, and ‘Teen’.

Physical versions of the gift cards are often swapped or transferred through the TCN website into a digital gift card valid for a particular retailer.

Dean said he believed scammers could take photos of the visible card numbers on the back of the gift cards in store, then rely on pages of TCN’s website that let them flood the system with those card numbers and each of the 10,000 possible four-digit PIN combinations until one worked once a card had been purchased.

This was despite the plastic film covering the PIN on the back of the cards not being tampered with — and the technique worked in Dean's own testing, he said.

After correctly guessing the PIN of a newly bought gift card, scammers could take the funds for themselves by quickly swapping it to a digital gift card before the purchaser got around to doing it themselves — which Dean said he experienced firsthand.


The Card Network gift cards are available online and at retailers across Australia. Image: The Card Network / LinkedIn

‘They’ve got a real issue’

Dean told Information Age his “frustration and curiosity” after losing the value of his $500 gift card led him to test out parts of the TCN website, and ultimately discover the vulnerability.

He said that unlike the TCN website page where users can check a gift card’s balance, the pages that let them turn a physical gift card into a digital one had no CAPTCHA, the check that confirms a user is human in order to block automated requests.

After purchasing a $20 TCN gift card to test, Dean said he used coding tools within Anthropic’s AI assistant Claude to help develop a brute-force script to run on parts of TCN’s website.

He correctly guessed the card's PIN in under 15 minutes, he said.
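The gap Dean describes is a PIN check that answers an unlimited number of guesses per card. As an added example (not TCN's code), the following Python shows a server-side per-card attempt cap beside a log check that flags the same pattern; the policy numbers, card numbers, PIN and log format are assumptions constructed for the illustration.

```python
import hmac
import re
from collections import defaultdict, deque

MAX_FAILED_ATTEMPTS = 5    # assumed policy, not TCN's: lock after 5 wrong PINs
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lock per card

class SwapPinGuard:
    """Per-card failed-attempt cap for a swap endpoint; a 4-digit PIN has only 10,000 values."""
    def __init__(self, cards):
        # cards: {card_number: pin}; a real system stores a salted hash, not the PIN
        self._state = {c: {"pin": p, "failed": 0, "locked_until": 0.0} for c, p in cards.items()}
    def attempt(self, card, pin, now):
        s = self._state.get(card)
        if s is None or now < s["locked_until"]:
            return "rejected"                   # unknown or locked card: same response
        if hmac.compare_digest(s["pin"], pin):  # constant-time comparison
            s["failed"] = 0
            return "ok"
        s["failed"] += 1
        if s["failed"] >= MAX_FAILED_ATTEMPTS:
            s["failed"], s["locked_until"] = 0, now + LOCKOUT_SECONDS
        return "fail"

# Detection side. Log format and values below are constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\d+) swap card=(?P<card>\d+) result=(?P<res>\w+)$")
SAMPLE_LOG = [
    "100 swap card=6000000000000001 result=fail",
    "101 swap card=6000000000000001 result=fail",
    "102 swap card=6000000000000002 result=ok",
    "103 swap card=6000000000000001 result=fail",
    "104 swap card=6000000000000001 result=fail",
    "105 swap card=6000000000000001 result=fail",
]

def flag_pin_guessing(log_lines, threshold=MAX_FAILED_ATTEMPTS, window=60):
    """Card numbers with >= threshold failed swaps inside a sliding window (seconds)."""
    recent, flagged = defaultdict(deque), set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["res"] != "fail":
            continue
        ts, card = int(m["ts"]), m["card"]
        q = recent[card]; q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(card)
    return flagged
```

With the cap in place the right PIN is refused for the whole lockout once the limit is hit, and the log check surfaces a card that collects five failures inside a minute, which a legitimate customer rarely does.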

While he was “initially euphoric” after getting the PIN right, Dean said he then realised there was “a real problem” at play.

“I’ve got to let them know — they've got a real issue,” he remembered thinking in the moment.

“So it became a bit more serious after the first minute or two.”


Simon Dean says he used a brute force attack to successfully guess the PIN of a TCN gift card he purchased for testing. Image: Simon Dean / YouTube

Dean said he reported the vulnerability to TCN on 25 August, but did not hear back for a few days — and when he did, TCN did not mention the vulnerability, he claimed.

“You’d think a serious company that deals with money would care about it if someone emailed them about a vulnerability,” he said in his YouTube video.

“The reason that I investigated it all and made the video was their customer service just taking forever to deal with it, and the hoops they were making me jump through,” Dean told Information Age.

TCN suspended the option to swap physical gift cards for online ones earlier this week, following Dean’s video.

“We expect this feature to be back online within the next 24 to 48 hours,” read a disclaimer the company posted to its website.

While the feature remained offline and the warning was still present on Wednesday morning, the functionality appeared to have been fixed by midday, Sydney time.

Both Coles and Woolworths confirmed they had been in contact with TCN during the incident, and the company's gift cards remained available for purchase.


Simon Dean says while he was ‘initially euphoric’ after finding the vulnerability, he quickly realised there was ‘a real problem’. Image: Simon Dean / YouTube

‘I didn’t do this to try and get a payoff’

Dean said TCN had since refunded his $500, but the company — whose official motto is “be generous” — would not confirm to Information Age whether Dean would receive any reward for his discovery.

A TCN spokesperson said the company had been in contact with Dean, and had “resolved both his case and the concerns he raised after thoroughly investigating the issue”.

“We leverage a range of security tools and technologies to monitor suspicious activity across the lifecycle of a gift card from activation to redemption,” the spokesperson said.

“… Our highest priority is to protect consumers and support those who are experiencing an issue with their gift card.

“We review every situation on a case-by-case basis to provide an appropriate resolution.”

Dean said he was just glad the company had been called to action.

“I didn’t do this to try and get a payoff or anything,” he said.

“I just wanted my $500 and I wanted people not to get ripped off.”