When a simple request from a trusted person becomes fraud.
Picture the scene: you get an email from your boss or relative asking if you can help them out. They happen to be working remotely when they need your help. They may want you to buy gift cards for staff prizes or make a purchase on their behalf because their card is not working. Fast forward to the final scene, featuring you out hundreds to thousands of dollars on your credit card, and the pretend boss or relative has accessed the money on the gift cards and gone silent.
Cybercrime has been around since the advent of the Internet, deploying tactics that become more and more complex. Whether it is Russian hackers using malware to steal almost a million dollars in cash from ATMs, or people taking advantage of peace sign selfies to copy the fingerprint and gain access to accounts, there is seemingly no limit to the creativity and growing sophistication of cybercriminals.
Gift cards are yet another black hole for security professionals. Though significantly less reported on than credit card fraud, the effects of these attacks have been known for years. The Federal Trade Commission says gift cards are now the number one payment method for scammers as they are impossible to trace.
More traditional cybercrime tactics, such as targeted or untargeted phishing attacks, can also be used to gain access to card details en masse. One such example, dating from July 2017, involved a criminal gang impersonating HMRC, the UK revenue department, contacting people and coercing them into making payments in iTunes gift vouchers, which can be easily transferred into cash. The techniques criminals use to exploit gift cards are as numerous as they are lucrative.
Fraudsters have also been known to take down gift card numbers at a store and check their balance online. When they see that a dollar amount is loaded onto the card, they start using it. For the more technical-minded bad actors, the cloning of gift cards can be just as lucrative as the cloning of credit cards. Fraudsters could use a credit card magnetic stripe reader (readily available to purchase online legally) to gain access to the account numbers of gift cards.
Back in May 2015, a Brian Krebs investigation into Starbucks gift cards found that it was worryingly easy for fraudsters to drain customers’ bank accounts via the auto-load feature. Starbucks loyalty cards were used to facilitate fraud against individual cardholders, as opposed to against Starbucks itself. This scheme involved the cardholder’s password, facilitating the potential for further fraud to be committed on an individual if they reuse their passwords across multiple accounts.
The password/username model that has served Internet users so “well” for years is now easily compromised. Social engineering, credential reuse, and malware have all been found capable of bypassing it. We need to look at a multi-layered solution that includes technology that focuses on a user’s unique physical relationship with a device, such as passive biometrics.
By factoring in a myriad of variables, ranging from patterns of behavior (where you access your accounts) right through to science fiction-esque analysis of how hard you hold your device or type, this technology can create a unique user impression that can’t be replicated by a cybercriminal. These techniques represent the cutting edge in fraud prevention. By combining them with the traditional two-factor authentication model, companies can pinpoint with near-certain accuracy whether a user is who they say they are. In an age where even the most innocent of Christmas presents can be defrauded, adopting this new technology is a crucial step forward in the fight against fraud.
Other measures retailers can take in protecting customers from gift card fraud include adding PIN verification to their cards and keeping them in a secure location away from the shop floor, to stop the card numbers from being accessed fraudulently. At the same time, merchants can set up triggers when someone purchases an unusual number of gift cards, as they could be reacting to a scam like our grandma from the beginning of this article.
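One way to implement the purchase-volume trigger described above, as an added example that is not from the original article: a sliding-window check per payer that alerts when the number or value of gift cards bought exceeds a limit. The thresholds, field names and sample transactions are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, not from the article; tune them against real sales data.
WINDOW = timedelta(hours=24)
MAX_CARDS = 5        # gift cards per payer within WINDOW
MAX_VALUE = 500.0    # total value loaded per payer within WINDOW

def flag_unusual_purchases(transactions, window=WINDOW,
                           max_cards=MAX_CARDS, max_value=MAX_VALUE):
    """Return one alert per transaction that pushes a payer over a limit."""
    recent = defaultdict(deque)  # payer token -> purchases still inside the window
    alerts = []
    parsed = [(datetime.fromisoformat(t["ts"]), t) for t in transactions]
    for ts, tx in sorted(parsed, key=lambda p: p[0]):
        q = recent[tx["payer"]]
        q.append((ts, tx["qty"], tx["amount"], tx["store"]))
        while ts - q[0][0] > window:      # drop purchases older than the window
            q.popleft()
        cards = sum(e[1] for e in q)
        value = sum(e[2] for e in q)
        if cards > max_cards or value > max_value:
            alerts.append({"payer": tx["payer"], "at": ts.isoformat(),
                           "cards": cards, "value": value,
                           "stores": sorted({e[3] for e in q})})
    return alerts

# Constructed sample data; "payer" is a tokenised payment identifier, not a card number.
SAMPLE = [
    {"ts": "2024-12-02T09:15:00", "payer": "tok_A", "store": "S01", "qty": 1, "amount": 25.0},
    {"ts": "2024-12-02T10:00:00", "payer": "tok_B", "store": "S01", "qty": 2, "amount": 200.0},
    {"ts": "2024-12-02T11:30:00", "payer": "tok_B", "store": "S02", "qty": 2, "amount": 200.0},
    {"ts": "2024-12-02T12:00:00", "payer": "tok_C", "store": "S01", "qty": 3, "amount": 150.0},
    {"ts": "2024-12-02T13:00:00", "payer": "tok_B", "store": "S03", "qty": 3, "amount": 300.0},
    {"ts": "2024-12-04T12:00:00", "payer": "tok_C", "store": "S01", "qty": 3, "amount": 150.0},
]

if __name__ == "__main__":
    for alert in flag_unusual_purchases(SAMPLE):
        print(alert)
```

The alert carries the stores involved so that staff reviewing it can see whether the purchases were spread across locations before speaking to the customer.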
A combination of retailer diligence, consumer awareness, and appropriate anti-fraud measures can help overturn this type of fraud.