    Replacing the Ultimate Gift Certificates

    I was starting to replace the old (obsolete) Sebenza Ultimate Gift Certificates module when I realized how brilliant it is. Instead of the recipient needing to create an account, they can redeem it right at checkout. Instead of having to log into an account to check the balance, there is a link included with the certificate email that works just like any other "Check your gift card balance" page. You just enter the cert number and it will show your balance. So user friendly. I wish this would have been how Miva had developed theirs.

    Perhaps the only reason I find for needing to replace the module (other than it being obsolete) is that if the gift certificate covers the entire order, leaving a zero balance, it still goes to the OPAY screen wanting a credit card (and doesn't play well with PayPal Commerce).
    Leslie Kirk
    Miva Certified Developer
    Miva Merchant Specialist since 1997
    Previously of Webs Your Way
    (aka Leslie Nord leslienord)

    Email me: [email protected]
    www.lesliekirk.com

    Follow me: Twitter | Facebook | FourSquare | Pinterest | Flickr

    #2
    Few to any gift cert systems I've experienced in the past few years still work in that manner. It's trivial for a brute force gift certificate code stuffing attack to be used on it, allowing a criminal to steal the funds and have a product shipped before anyone realizes what has occurred. Now you have a shopper missing their funds, and a merchant having shipped a product to the criminal.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #3
      Originally posted by ILoveHostasaurus:
      "Few to any gift cert systems I've experienced in the past few years still work in that manner. It's trivial for a brute force gift certificate code stuffing attack to be used on it, allowing a criminal to steal the funds and have a product shipped before anyone realizes what has occurred. Now you have a shopper missing their funds, and a merchant having shipped a product to the criminal."

      I guess I should clarify - I'm talking about balances on gift cards - I found 4 that I had lying around the house, 3 of the 4 had the ability to check the balance on their website. The 4th one was a small local brewery that didn't have the option. All three had the card number field, a pin number field, and a visual reCAPTCHA.

      It's been a while since I've used a gift card online but I recall entering the card number in a field without needing to jump through a bunch of other hoops.
      Leslie Kirk



        #4
        A system that allows an unauthenticated entity to 'check a balance' with the same data you would use to redeem the balance has the same flaw. It just adds a step where you have to mess with the balance checking input first and then perhaps create a throwaway account to make the purchase using the now-known code.

        Systems that send gift cert links with a pin embedded in the URL are not much safer; now you have two variables to play with instead of one, but both can be submitted via the same automated requests. Or, their error messages improperly reveal if the code was valid but pin was not.

        Checking the balance of a physical gift card, where the card is only usable in person, isn't much of a risk since possession of the number but not the card doesn't get you anything.

        reCAPTCHA is a hindrance rather than a solution; there are bots that can solve reCAPTCHA, it's just a question of whether it's worth it to the attacker to do so vs hammering a more attractive site that doesn't have that speed bump. There are also human networks that will solve reCAPTCHAs and similar for a fee, which may be worth paying if a criminal expects to achieve a greater theft than the cost of acquisition.

        The Sebenza method made sense in 2005 but is susceptible to exploit currently.
        David Hubbard
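As an added illustration of the defensive points made in the post above (this is example code written for this page, not code from the thread, from Miva, or from the Sebenza module), the following hypothetical Python balance-check service shows the controls that make an unauthenticated lookup survivable: certificate codes drawn from a large random space instead of a counter, codes and PINs stored only as keyed hashes, one identical error message whether the code or the PIN was wrong, a constant-time PIN comparison that is performed even when the code is unknown, and a per-client attempt limit. All class, method, parameter and threshold names here are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# One message for every lookup failure, so the response never reveals whether
# the code existed but the PIN was wrong (the leak described in the post above).
INVALID = "invalid certificate or pin"
RATE_LIMITED = "too many attempts, please try again later"


@dataclass
class Cert:
    pin_hash: bytes
    balance_cents: int


class GiftCertService:
    """Hypothetical balance-check service (example names, not a real API):
    random codes, keyed hashes at rest, uniform errors, per-client attempt limit."""

    def __init__(self, server_key: bytes, max_attempts: int = 5,
                 window_seconds: int = 600, clock=time.monotonic):
        self._key = server_key
        self._max = max_attempts
        self._window = window_seconds
        self._clock = clock                                   # injectable for tests
        self._certs: dict[bytes, Cert] = {}                   # code digest -> Cert
        self._attempts: dict[str, deque] = defaultdict(deque)  # client -> timestamps

    def _digest(self, label: str, value: str) -> bytes:
        # Keyed hash: a leaked table does not hand out usable codes or PINs.
        return hmac.new(self._key, f"{label}:{value}".encode(), hashlib.sha256).digest()

    def issue(self, balance_cents: int) -> tuple[str, str]:
        """Create a certificate. The code is random, not a sequential counter,
        so guessing one live code means searching a 2**96 space."""
        code = secrets.token_urlsafe(12)            # 96 bits of entropy, 16 chars
        pin = f"{secrets.randbelow(10**6):06d}"     # six-digit PIN
        self._certs[self._digest("code", code)] = Cert(self._digest("pin", pin), balance_cents)
        return code, pin

    def _over_limit(self, client: str) -> bool:
        now = self._clock()
        q = self._attempts[client]
        while q and now - q[0] > self._window:      # forget attempts outside the window
            q.popleft()
        if len(q) >= self._max:
            return True
        q.append(now)                               # every lookup counts, successful or not
        return False

    def check_balance(self, code: str, pin: str, client: str):
        """Return ("ok", balance_cents) or ("error", message)."""
        if self._over_limit(client):
            return ("error", RATE_LIMITED)
        cert = self._certs.get(self._digest("code", code.strip()))
        # Compare a PIN digest even when the code is unknown, so the failure
        # path does roughly the same work whichever half was wrong.
        expected = cert.pin_hash if cert else self._digest("pin", "no-such-cert")
        pin_ok = hmac.compare_digest(expected, self._digest("pin", pin.strip()))
        if cert is None or not pin_ok:
            return ("error", INVALID)
        return ("ok", cert.balance_cents)


if __name__ == "__main__":
    svc = GiftCertService(secrets.token_bytes(32), max_attempts=3)
    code, pin = svc.issue(5000)
    print(svc.check_balance(code, pin, "198.51.100.1"))        # ('ok', 5000)
    print(svc.check_balance("not-a-code", pin, "198.51.100.2"))  # same INVALID as a wrong PIN
```

The limiter here is keyed on the client address only; a distributed attacker spreads attempts across many addresses, so a production deployment would also watch the global failure rate on the endpoint and alert on it, and the lookup should still require possession of something the email link alone does not carry (a PIN printed on the card, or an account) before funds can be redeemed rather than merely viewed.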



          #5
          ILoveHostasaurus - David, I do appreciate needing to keep everything secure and I know your job isn't easy because you have to stay 10+ steps ahead of all the bad actors trying to do harm.

          My goal is to try to keep everything as customer friendly and easy to use as possible. I have store owners constantly ask me - "why can't it work like Shopify" (or some other system)? I always remind my clients that Miva puts security first, and I'm sure they appreciate that too, but they just want it to be easy for their customers. They also want it to be easy for them to use.

          They don't want to have to continually makeover their stores just to be able to stay up to date. I've got a store owner that has had their store made-over, what seems to be once every 3 years. The move from MMUI to CSSUI, updating from the Base Ready Theme to Shadows, further makeover to be able to use new features to Shadows (which just can't be updated with a click of a button like WordPress). I do remind them that things do change, software does update and sometimes even becomes obsolete (like Windows). Being able to update the core without worrying about breaking the store is so much better now, but storeowners also would like to be able to update Shadows without overwriting what is already in place (as I have mentioned many times before - like WordPress's usage of Child Themes).

          Then being told by SEO experts that Miva isn't SEO friendly (and those experts recommending makeovers). Struggling with Google's Core Web Vitals almost since the first day we were told they were relevant. Having other SEO experts ignore the CWVs in favor of keyword rich content (which did seem to work well). And back to the Core Web Vitals (which still seems to be relevant).

          All things said, I truly appreciate all that you do to keep the Miva platform secure. I'm just trying to reiterate both the storeowner's perspective and customer usability. Thanks again David!
          Leslie Kirk



            #6
            For the first point, Shopify's system is known to regularly have unauthorized redemption of gift codes, including from brute force and targeted phishing. If the store does not also purchase add-on security modules (for a monthly fee) to try and intercept these bots, the brute force issue is frequent. So instead, you end up inconveniencing all shoppers 24x7 via overall security posture via the add-ons and lose regular sales as a result, in the name of protecting gift cert codes. Everyone likes ease of use until they have a theft and are forced to decide whether they're going to blame the gift card holder and not reinstate the value from before the theft, or write off the loss, and then they ultimately move to a stricter style of redemption anyway because they are tired of either the ill will or writing off losses.

            Regarding "continually make over their store", and MMUI vs CSSUI, if MMUI is even entering the conversation, then we're likely talking about a haphazardly maintained store that has been around for more than ten years, and is likely operated with an expectation that it work like it did in 2010, with the same tools, and same effort, even though the functionality has grown by orders of magnitude. We're talking about something that was removed from the software ten years ago, and was deprecated for years prior. Shadows has been built into the core product for five years now, and if someone adopts both that and modern tools and modern development techniques, it is quite easy to maintain everything with easy check in and check out of code, and the diffs of the affected templates we publish with each release. Comparing this to WordPress child themes is confusing, because with WordPress, the parent theme can update with no notice, with no documentation of what exactly was changed, and if the child theme suddenly becomes incompatible with the parent, the whole site is down until you figure it out with your own line by line comparison of each overridden file. You can't even roll it back like you can with our templates and version control, you're just down until you figure it out. With our releases, the updates never break your templates, and then you can easily pull, compare, and integrate the changes on your schedule rather than ours. This sounds more like an issue of not using available tools and techniques, causing a greatly increased consumption of time.
            David Hubbard



              #7
              I'm going to back up this ILoveHostasaurus person - whoever that is. I'm aware of a Miva customer who did a custom solution in the way you're talking about and had an open "check balance" and we saw a multi-million count attack on it with sequential certs. Even when we added a delay between attempts it continued until the system was protected by customer account.

              Keifer Hunniford | MIVA
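The incident above (millions of sequential certificate numbers against an open balance check, continuing even after a per-attempt delay was added) is the kind of thing an operator wants to see in the lookup logs before the funds are gone. The following Python is an added example for this page, not the thread's, Miva's, or the affected customer's code; the log format, the addresses, the thresholds and the function names are all constructed for the example. It flags a client for too many failed lookups inside a sliding window, and separately for probing consecutive certificate numbers, because the second signal still fires when the attempts are spread out slowly enough to stay under the rate threshold. It also shows why a fixed delay alone does not help.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (invented for this example, not from any real store):
# timestamp, client address, certificate number probed, lookup outcome.
# 198.51.100.7 is a shopper retyping one code; 203.0.113.9 walks sequential numbers
# quickly; 203.0.113.10 walks them one every 30 seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 198.51.100.7 check code=GC-000000348812 result=fail
2024-05-01T10:00:09Z 198.51.100.7 check code=GC-000000348812 result=fail
2024-05-01T10:00:20Z 198.51.100.7 check code=GC-000000348821 result=ok
2024-05-01T10:00:01Z 203.0.113.9 check code=GC-000000100000 result=fail
2024-05-01T10:00:02Z 203.0.113.9 check code=GC-000000100001 result=fail
2024-05-01T10:00:03Z 203.0.113.9 check code=GC-000000100002 result=fail
2024-05-01T10:00:04Z 203.0.113.9 check code=GC-000000100003 result=fail
2024-05-01T10:00:05Z 203.0.113.9 check code=GC-000000100004 result=fail
2024-05-01T10:00:06Z 203.0.113.9 check code=GC-000000100005 result=fail
2024-05-01T10:00:00Z 203.0.113.10 check code=GC-000000200000 result=fail
2024-05-01T10:00:30Z 203.0.113.10 check code=GC-000000200001 result=fail
2024-05-01T10:01:00Z 203.0.113.10 check code=GC-000000200002 result=fail
2024-05-01T10:01:30Z 203.0.113.10 check code=GC-000000200003 result=fail
2024-05-01T10:02:00Z 203.0.113.10 check code=GC-000000200004 result=fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) check code=GC-(\d+) result=(ok|fail)$")


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, ip, code, result = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "code": int(code), "result": result}


def find_enumeration(lines, fail_threshold=5, window_seconds=60, sequential_min=4):
    """Return [(client, [reason, ...])] for clients whose lookups look like
    enumeration: many failures inside a sliding window, or a run of consecutive
    certificate numbers regardless of how slowly the requests arrive."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        # Most failures seen in any span of window_seconds (two-pointer sweep).
        peak, j = 0, 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            peak = max(peak, i - j + 1)
        # Longest run of certificate numbers that increase by exactly one.
        run = best = 1 if evs else 0
        for prev, cur in zip(evs, evs[1:]):
            run = run + 1 if cur["code"] - prev["code"] == 1 else 1
            best = max(best, run)
        reasons = []
        if peak >= fail_threshold:
            reasons.append(f"{peak} failures within {window_seconds}s")
        if best >= sequential_min:
            reasons.append(f"{best} sequential cert numbers")
        if reasons:
            alerts.append((ip, reasons))
    return alerts


def attempts_per_day(delay_seconds: float, parallel_clients: int) -> int:
    """Lookups one operator can still make per day when the only control is a
    fixed delay per request and requests can be issued from parallel clients."""
    return int(86400 / delay_seconds) * parallel_clients


if __name__ == "__main__":
    for client, reasons in find_enumeration(SAMPLE_LOG.splitlines()):
        print(client, "->", "; ".join(reasons))
    print("one client, 1s delay:", attempts_per_day(1.0, 1))      # 86400 per day
```

The slow client is caught only by the sequential-number check, which is the point of the post above: a delay changes how long the sweep takes, not whether it finishes, so the durable fix was tying the lookup to an authenticated account (and, for new systems, not issuing sequential numbers in the first place).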



                #8
                Originally posted by Keifer Hunniford:
                "I'm going to back up this ILoveHostasaurus person - whoever that is. I'm aware of a Miva customer who did a custom solution in the way you're talking about and had an open "check balance" and we saw a multi-million count attack on it with sequential certs. Even when we added a delay between attempts it continued until the system was protected by customer account."

                Thanks Keifer Hunniford - both your insight and ILoveHostasaurus's are invaluable. Yes, I have had to pull a few store owners kicking and screaming into some of the new tools. I listen to a lot of "stuff" about how hard the new features are or how difficult Miva is, but I listen and I make progress with them albeit slow. I had a minor win yesterday with a store owner who absolutely abhorred PageBuilder. I went over the (same) features a number of times trying to keep my frustration in check until I heard "I think I can work with this!". The store then went on to create a whole new page with PageBuilder. I continue to try to get reluctant storeowners to move into newer features. I am constantly reminding store owners of the obsolescence of many third-party modules, while still finding some of them need to be used.

                I continue to be a champion for the Miva platform after all these years, touting its security, its great customer support and its continuing flexibility.
                Leslie Kirk
