Criminals Are Stealing Your Cash Through Gift Cards
...Before you even have a chance to use them
Facts:
More than $130 billion is spent on gift cards each year.
Gift cards are highly favored among criminals due to the anonymity they provide as well as how easily they can be converted to cash.
From physical theft to cloning to exploiting merchant loopholes, thieves use many different methods to obtain gift card balances.
This kind of fraud has become a costly conundrum for retailers and creates a negative shopping experience for consumers.
A Cautionary Tale
One day, a security researcher decides he wants Mexican for lunch. Craving beans and guacamole, he drives to a popular chain restaurant nearby and walks in. While placing his order, the researcher notices a tray of gift cards lying on the counter and grabs a stack of them. The cashier doesn’t care — none of these cards hold any value until a customer puts money on them, which can be done online. Knowing this, the researcher takes his burrito and the stack of cards back to his booth, and begins to examine them up close.
As he flips through the unactivated gift cards, the researcher notices a pattern: while the last four digits of the cards seem to vary at random, the rest of the numbers remain constant. The only exception is a single digit, which increases by one from card to card. The researcher smiles to himself. In the short amount of time it took to finish his burrito, he has devised a plan to defraud the system.
To pull this off, the researcher needs to obtain at least one gift card from the targeted retailer, although he hopes to get two or three. After all, having multiple cards makes it easier to determine the patterns used by the target merchant. And since unactivated cards are often left out on display, he can either take one or simply buy one. Once the cards have been procured, all that’s left to do is visit the retailer’s website and find the page that allows users to check the balance of their gift cards. From this webpage, the researcher runs brute-forcing software (Burp Intruder) to cycle through all 10,000 possible values for the last four digits of the card. The whole process takes ten minutes. By repeating this and incrementing the other predictable digit, he gets the website itself to confirm which cards have value, and how much.
Once the researcher discovers which gift cards have been activated, he has the option to spend them on the retailer’s website. Alternatively, he can write the data to blank plastic cards — using a magnetic-strip writing device purchased on Amazon — and use the balances in-store. Most retailers and restaurants would accept these cards without question. The researcher, however, stops the experiment before any damage is done and presents his findings shortly thereafter.
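The enumeration just described leaves a distinctive footprint in the balance-check endpoint’s own logs: one client querying many card numbers that share a long prefix within a few minutes. As an added example (not code from the article or from any retailer), this Python script flags that pattern; the log format, thresholds and card numbers are constructed assumptions.

```python
# Added example: the log format, thresholds and card numbers are constructed assumptions.
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] POST /giftcard/balance card=(?P<card>\d{16})$")
WINDOW = timedelta(minutes=10)  # assumed lookback window per client
MAX_CARDS = 20                  # assumed: distinct cards per window before flagging
MIN_SHARED_PREFIX = 12          # assumed: shared leading digits that signal sequential probing

# Constructed sample traffic: one client walks the last four digits of a fixed
# prefix (the pattern from the cautionary tale); another checks two unrelated cards.
SAMPLE_LOG = [
    f"203.0.113.7 [2019-03-01T12:00:{i:02d}] POST /giftcard/balance card=600649123456{i:04d}"
    for i in range(25)
] + [
    "198.51.100.9 [2019-03-01T12:03:10] POST /giftcard/balance card=6006497781120042",
    "198.51.100.9 [2019-03-01T12:03:40] POST /giftcard/balance card=6006493310556619",
]

def parse(lines):
    """Yield (ip, timestamp, card) for lines that match; silently skip the rest."""
    for line in lines:
        if (m := LINE_RE.match(line.strip())):
            yield m["ip"], datetime.fromisoformat(m["ts"]), m["card"]

def common_prefix_len(cards):
    """Number of leading digits shared by every card number in the set."""
    return len(os.path.commonprefix(list(cards)))

def find_enumerators(lines):
    """Return {ip: most distinct cards seen in one window} for suspicious clients."""
    per_ip = defaultdict(list)
    for ip, ts, card in parse(lines):
        per_ip[ip].append((ts, card))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            cards = {card for _, card in events[start:end + 1]}
            if len(cards) >= MAX_CARDS and common_prefix_len(cards) >= MIN_SHARED_PREFIX:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged
```

Running `find_enumerators(SAMPLE_LOG)` flags only the client walking the sequential range; the same per-client counting is what a rate limit or CAPTCHA trigger on the balance page would key on.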
What’s the Real Story Here?
It remains surprisingly easy for hackers to determine gift card numbers and spend the balances, before the legitimate holder of the card ever has a chance to use them. While some of the methods have been semipublic for years — and retailers have been working to fix these security loopholes — a disturbing number of targets remain wide open to gift card hacking schemes.
To make matters worse, crimes like this are tough to track because most victims don’t file reports. After all, many retailers cap gift card balances at $500 or less, which isn’t high enough for law enforcement to spend resources investigating or pursuing these cases. Furthermore, due to the anonymity of the attack, it’s difficult to know where to begin hunting down those responsible.
How It Works
Here are just some of the techniques used by thieves to steal money off of gift cards:
Hacking loyalty rewards programs
One lucrative approach for cybercriminals is to hack into a person’s rewards account and use the reload option to quickly siphon money out. This happened with the Starbucks mobile app back in 2015.
Another common technique is to hack into loyalty rewards programs and convert the account balances to gift cards or airline miles. To do this:
A cybercriminal obtains the username and password to a person’s credit card rewards program, usually through reused credentials or malware.
They then log in and check the value of the account.
Credit card redemption programs, among others, allow members to redeem various offers in exchange for points. However, many of these offers are problematic for the fraudster. He can’t choose physical products like golf clubs. After all, where would he ship them? Opting for cash back is no good either, since it can only be redeemed as a statement credit or sent as a check to the cardholder. Fortunately for him, there are e-gift cards, which can be delivered to any email address specified by the redeemer.
The fraudster chooses this option and instantly receives an email containing his e-gift card, which can either be spent online or printed out and used in-store. Doing this, he can easily exchange $5,000 worth of points for $5,000 worth of e-gift cards.
Oftentimes, the fraudster wants to convert these cards into cash, using online platforms such as CardCash or Raise. This is how he effectively launders the money, so that he can spend it anywhere, risk-free.
Stealing numbers and cloning cards
One of the most common forms of gift card fraud involves thieves tampering with cards inside the retailer’s store — before the cards are purchased by legitimate customers. Using a handheld card reader, crooks can swipe the card’s magnetic strip to record the serial number and other data needed to duplicate the card. The more brazen criminals will simply write down or take pictures of the numbers right there in the store.
Some retailers pair gift card numbers with a PIN code for an additional layer of security. This PIN is covered by a scratch-off decal, which thieves can remove and replace with identical or similar decals purchased online. Doing this makes it difficult for the customer to tell whether or not the card has been tampered with.
In other cases, scammers will leave the PIN cover intact and use online bots or other software to guess the code, just like the security researcher mentioned above. Oftentimes, these codes are just four digits long, making them easy for hackers to crack.
From there, it’s a waiting game. The cards are worthless until activated, so the fraudster sits around at his computer and monitors the various card balances via the merchant’s website. Once someone purchases a card and loads it with money, he quickly spends the balance or sells the card online at a discount.
Meanwhile, the person who bought the card — or received it as a gift — doesn’t realize what has happened until they go to use it and find that the balance is zero.
Acquiring numbers in bulk
This technique is slightly more difficult, but far more rewarding for cybercriminals: acquire gift card numbers in bulk directly from the issuer or merchant. This can be done through phishing, SQL injection, social engineering, or accidental disclosure.
Accidental disclosure is what happened to Australian retailer Woolworths a few years ago. An employee accidentally sent out an email containing a spreadsheet with 8,000 gift card numbers to more than 1,000 people. The total loss was estimated to be $1.3 million. Anyone who received the email could immediately go shopping online or sell the gift cards for cash.
Take Steps to Protect Yourself
Buy gift cards online by purchasing directly from retailers. Criminals don't have easy access to these cards, which helps mitigate your risk.
If you buy a gift card in store, ask for one that is kept behind the counter or in well-sealed packaging. If the cards are out in the open on a rack, pull one from the middle — as those are less likely to be tampered with. Either way, before you buy, inspect the barcode numbers to see if there are duplicates or if the packaging has been tampered with. If the cards aren’t in view of surveillance cameras or store employees, get yours somewhere else.
Keep the receipt when buying gift cards so you have proof of the purchase. Include that receipt if you give the card as a gift. If you find that your card has been drained of funds, you may be able to recover that money by going to the merchant where the card was purchased.
Final Notes and Updates
While most retailers and restaurants have been warned about these kinds of schemes, only a handful of them have improved their security measures. These include requiring users to check their gift cards by phone and adding CAPTCHAs to gift card value-checking pages. (The latter helps prevent automated programs from brute-forcing gift card numbers, although it isn’t completely foolproof.)
Other merchants, however, have failed to do anything about the problem, despite the fact that all known gift card security issues have relatively simple fixes: implementing strong CAPTCHAs so that bad actors can’t automate “check your gift card balance” webpages, not leaving unactivated gift cards up for grabs at store counters, and using scratch-off coverings on cards to prevent the numbers from being photographed in stores.
Until retailers and restaurants make these fixes, consumers should think twice about buying gift cards. Before you pick up that unguarded card from a retail counter, consider who else might have already accessed the numbers printed on the back. Or you could just avoid all this paranoia and take the safe route, by purchasing your gift cards directly from the retailer’s website.
Useful Resources
Security Researcher Will Caput explains how gift cards are easily exploited:
How hackers drained bank accounts via the Starbucks app:
https://money.cnn.com/2015/05/13/technology/hackers-starbucks-app
Woolworths gift card data breach:
https://www.cnet.com/news/data-breach-sees-woolworths-gift-cards-leaked-in-email-bungle
Report gift card fraud:
https://www.ic3.gov/media/2015/150611.aspx
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.
Thanks for reading! If you haven’t already, consider joining our community to receive in-depth exposés on the latest scams, hoaxes, and other forms of fraud.