Gift cards and rewards are becoming an easy-to-access bounty for cybercriminals who don’t want to risk their paycheck by triggering hawkishly-monitored credit card transactions, just as it happened to C&A Brazil this week…
Many companies don’t think of their gift card or reward features as the first place to protect from fraud, and black-hat hackers count on this to steal loyalty and reward points to cash in for anything like vacations, products, and other services. Although it’s significantly less reported on than credit card fraud, the effects of these attacks have been known for years.
Only last week, it was reported that a cybercriminal group, dubbed the Fatal Error Crew, attacked the gift card platform of the C&A clothing store in Brazil. As revealed by Brazilian media and confirmed by C&A in a corporate communication, data from approximately 36,000 customers who purchased gift cards was accessed, and included ID numbers, email addresses and the amount of money loaded onto the cards.
The techniques criminals use to exploit gift cards are as numerous as they are lucrative, starting from the basic online purchase of goods as a guest user to avoid leaving a trace. Some companies already know the trick and force gift card users to create an account before they can use a card.
Of course, this is not stopping fraudsters: cheap software is available that creates new accounts en masse, and bad actors can then access those accounts and cash out their stolen gift cards.
Loyalty that Doesn’t Pay Off
Attackers are constantly looking for the point of least resistance to make a profit, and companies must make sure they don’t have a weak link. Aside from gift cards, reward and loyalty points have become a tempting objective as they don’t trigger a credit card payment event. Additionally, one in three program members only checks their balance once every few months, and one in ten never checks their balance, according to the consumer fraud report from Connexions Loyalty.
Weak Spots that Keep Getting Hit
If online companies are only monitoring the outcome of purchases and transactions, they are leaving themselves open to a whole world of risk they have no visibility into. Along with account takeover fraud, non-traditional risk points such as adding reward and loyalty points should be continuously monitored.
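As an added illustration (not code from the original post), the Python sketch below correlates account-creation events with gift card and points redemptions instead of looking at purchases alone. The event names, the sample log and both thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, event, account, source id)
EVENTS = [
    ("2024-01-01T09:00:00", "account_created", "u2001", "src-B"),
    ("2024-01-05T10:00:00", "account_created", "u1001", "src-A"),
    ("2024-01-05T10:01:00", "account_created", "u1002", "src-A"),
    ("2024-01-05T10:02:00", "account_created", "u1003", "src-A"),
    ("2024-01-05T10:05:00", "giftcard_redeemed", "u1001", "src-A"),
    ("2024-01-05T10:06:00", "giftcard_redeemed", "u1002", "src-A"),
    ("2024-01-05T10:30:00", "account_created", "u3001", "src-C"),
    ("2024-01-05T10:40:00", "giftcard_redeemed", "u3001", "src-C"),
    ("2024-01-05T11:00:00", "points_redeemed", "u2001", "src-B"),
]

# Assumed thresholds; tune against your own traffic.
NEW_ACCOUNT_WINDOW = timedelta(minutes=30)  # redemption this soon after signup
BURST_WINDOW = timedelta(minutes=10)        # signups this close together...
BURST_SIZE = 3                              # ...and at least this many of them
REDEMPTIONS = {"giftcard_redeemed", "points_redeemed"}

def flag_accounts(events):
    """Return {account: sorted list of reasons} for accounts worth reviewing."""
    parsed = sorted((datetime.fromisoformat(ts), kind, acct, src)
                    for ts, kind, acct, src in events)
    created, signups, reasons = {}, defaultdict(list), defaultdict(set)
    for ts, kind, acct, src in parsed:
        if kind == "account_created":
            created[acct] = ts
            signups[src].append((ts, acct))
        elif kind in REDEMPTIONS:
            born = created.get(acct)
            # Signal 1: value cashed out by an account that barely exists yet.
            if born is not None and ts - born <= NEW_ACCOUNT_WINDOW:
                reasons[acct].add("redeemed_soon_after_signup")
    # Signal 2: many signups from one source in a short window. The source id
    # can be spoofed, so this is supporting evidence, not proof on its own.
    for entries in signups.values():
        for i, (start, _) in enumerate(entries):
            window = [a for t, a in entries[i:] if t - start <= BURST_WINDOW]
            if len(window) >= BURST_SIZE:
                for acct in window:
                    reasons[acct].add("signup_burst_from_one_source")
    return {acct: sorted(r) for acct, r in reasons.items()}

if __name__ == "__main__":
    for account, why in sorted(flag_accounts(EVENTS).items()):
        print(account, why)
```
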
Gift card, reward points, and payment information will continue to be exposed and available to whoever wants to purchase it. But it’s up to companies to implement security barriers that devalue this information.
Slamming the Treasure Chest Shut
Confirming that all points of risk, not just the purchase, are monitored will ensure the company’s environment is not a target for bad actors. To spot high-risk activity, whether it is around the gift card or reward points environment, it’s not enough to verify the username, password, and easily-spoofed information such as location, connection, and device. Instead, online companies need to utilize a multi-layer security solution that includes technology that focuses on a user’s unique physical relationship with a device, such as passive biometrics.
By factoring in a myriad of variables, ranging from patterns of behavior – how someone fills out a form or moves inside an account – right through to how hard a customer types on a device, companies can detect high-risk behavior that normally goes unnoticed. These techniques, applicable to any placement, are cutting-edge in fraud prevention.
In an age where even the most innocent of gifts can be defrauded, adopting this new technology is a step forward in the fight against fraud. Other basic measures retailers should already take in protecting customers from gift card fraud include adding PIN verification to their cards and keeping them in a secure location – away from the shop floor, where sneaky hands can grab them. Gift card fraud isn’t the present anyone asked for, but a combination of retailer diligence, consumer awareness, and appropriate anti-fraud measures means it is easily returnable.