May 4, 2017 By Mark Samuels 3 min read

Cybercriminals are using fraudulent gift cards to beat the information security measures of retailers. A recent Flashpoint report suggested that malicious actors have become increasingly interested in gift card fraud during the past few years. What is more, these individuals are evolving their techniques in response to changes in security measures.

With the total cost of this type of fraud likely to run into the thousands, retail organizations should investigate ways to help their businesses mitigate the risk of cybercriminal activity.

Unwrapping Gift Card Fraud

The report suggested that cybercriminals have long seen gift cards as a great way to make the most of stolen credit cards. Such errant individuals have traditionally used their ill-gotten credit facilities to buy gift cards online. They could then use or resell these cards without worrying about the credit card numbers being canceled.

The criminals’ activities were undermined as businesses caught on to gift card fraud and increased security measures. Flashpoint reported an increase in the number of cards being declined in late 2015.

As a result, cybercriminals, who had previously built underground empires, found that their stolen cards were no longer viable for sale. This realization led them to take a different approach and pursue other ways of obtaining gift cards, according to the report.

Shifting Tactics

Cybercriminals are now compromising the gift card systems themselves by working out the numbers of legitimately issued cards that have not yet been spent. Many gift cards are numbered sequentially, according to the report.

Fraudsters often turn to automation to help with the laborious number-checking process. Flashpoint referred to the recently discovered GiftGhostBot, which automates thousands of checks against more than 1,000 websites in search of unused gift cards.

CSO Online reported that Flashpoint tracked chatter in underground forums and observed a significant rise in discussions about “cracked” gift cards last summer. The number of conversations per month rose from a nominal amount during the first half of 2016 to almost 600 last summer.

A Growing Threat

The popularity of this new type of fraud, plus the poor level of security measures, led Flashpoint analysts to conclude that this errant activity will increase. CSO Online quoted Flashpoint analyst and report author Liv Rowley, who said that, according to anecdotal evidence from retailers, this type of fraud can total thousands of dollars.

CIO referred to research from Gift Card Granny that suggested that the average holiday shopper purchased two gift cards in 2015. By 2018, the total volume of gift card value is anticipated to hit $160 billion.

As with the Flashpoint research, the CIO article confirmed that prepaid gift cards can be a big target for fraud and money laundering. Retailers should build stronger defense processes and invest in enterprise-class security tools to check the details of card users in real time.

The Flashpoint report noted that gift cards are not held to strict antifraud standards, unlike bank-issued credit and debit cards. The firm advised businesses seeking to address gift card fraud to consider a range of security measures, including:

  • A CAPTCHA system for all online purchases made with gift cards to help prevent instances of gift card checking by bots;
  • A more complex numbering system for gift cards, such as one that uses a mix of both numbers and letters;
  • Requiring correct PIN numbers to check gift card balances or use gift cards for in-store purchases; and
  • Subjecting transactions that use certain gift card management applications to greater scrutiny.

Until gift card security standards catch up to those of credit and debit cards, these best practices are consumers’ and retailers’ best bet to defend against sneaky fraudsters.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today