
Gift Card Fraud: The Forgotten Threat in Cyber Security Month

Why everyone’s go-to Christmas present is also a gift for fraudsters.

Picture the scene: you purchase a gift card as a Christmas or birthday present for a friend, colleague or family member. The card is valid at a major retailer (or several major retailers) and, because the money is packaged in a card, you assume it is a perfectly safe present. The problem is that you are not taking cybercrime into account.

Cybercrime has been around since the advent of the Internet, deploying tactics that become more and more complex. Whether it is Russian hackers using malware to steal almost a million dollars in cash from ATMs, or people taking advantage of ‘peace sign’ selfies to copy the fingerprint and gain access to accounts, there is seemingly no limit to the creativity and growing sophistication of cybercriminals.

Gift cards are yet another black hole for security professionals. Though significantly less reported on than credit card fraud, the effects of these attacks have been known for years. Back in May 2015, a Brian Krebs investigation into Starbucks gift cards found that it was worryingly easy for fraudsters to drain customers’ bank accounts via the auto-load feature. Starbucks loyalty cards were used to facilitate fraud against individual card holders, as opposed to against Starbucks itself. The scheme involved the card holder’s password, creating the potential for further fraud against an individual who reuses passwords across multiple accounts.

If a fraudster gains access to an account of relatively low importance that happens to share credentials with a more significant one, then both are in danger. Fraudsters are acutely aware of the rampant reuse of credentials and will exploit it to their advantage. Take this as another reminder of how sensible password practices can keep you safe online. Not all scams involving gift cards are sophisticated, however.

Aside from stealing the physical card from a customer, fraudsters have been known to take down gift card numbers at a store and check their balance online. When they see that a dollar amount is loaded onto the card, they start using it. For the more technically minded bad actors, the cloning of gift cards can be just as lucrative as the cloning of credit cards. Fraudsters could use a credit card magnetic stripe reader (readily available to purchase online legally) to gain access to the account numbers of gift cards.

More traditional cybercrime tactics, such as targeted or untargeted phishing attacks, can also be used to gain access to card details en masse. One such example, from July 2017, involved a criminal gang contacting people while impersonating HMRC, the UK revenue department, and coercing them into making payments in iTunes gift vouchers, which can be easily transferred into cash. The techniques criminals use to exploit gift cards are as numerous as they are lucrative.

As mentioned above, the password/username model that has served Internet users so ‘well’ for years is now easily compromised. Social engineering, credential reuse, and malware have all been found capable of bypassing it. We need to look at a multi-layered solution that includes technology that focuses on a user’s unique physical relationship with a device, such as passive biometrics.

By factoring in a myriad of variables, ranging from patterns of behavior (where you access your accounts) right through to science fiction-esque analysis of how hard you press buttons and how you hold your device, this technology can create a unique user impression that can’t be replicated by a cybercriminal. These techniques represent the cutting edge in fraud prevention. By combining them with the traditional two-factor authentication model, companies can pinpoint with near-certain accuracy whether a user is who they say they are. In an age where even the most innocent of Christmas presents can be defrauded, adopting this new technology is a crucial step forward in the fight against fraud.

Other measures retailers can take to protect customers from gift card fraud include adding PIN verification to their cards and keeping them in a secure location away from the shop floor, to stop the card numbers being accessed fraudulently. Gift card fraud isn’t the present anyone asked for, but a combination of retailer diligence, consumer awareness, and appropriate anti-fraud measures means it is easily returnable.
