Cybercriminals are using fraudulent gift cards to beat the information security measures of retailers. A recent Flashpoint report suggested that malicious actors have become increasingly interested in gift card fraud during the past few years. What is more, these individuals are evolving their techniques in response to changes in security measures.
With the total cost of this type of fraud likely to run into the thousands, retail organizations should investigate ways to help their businesses mitigate the risk of cybercriminal activity.
Unwrapping Gift Card Fraud
The report suggested that cybercriminals have long seen gift cards as a great way to make the most of stolen credit cards. Such errant individuals have traditionally used their ill-gotten credit facilities to buy gift cards online. They could then use or resell these cards without worrying about the credit card numbers being canceled.
The criminals’ activities were undermined as businesses caught on to gift card fraud and increased security measures. Flashpoint reported an increase in the number of cards being declined in late 2015.
As a result, cybercriminals, who had previously built underground empires, found that their stolen cards were no longer viable for sale. This realization led them to take a different approach and pursue other ways of obtaining gift cards, according to the report.
Cybercriminals are now compromising the gift card systems themselves by working out the numbers of legitimately issued cards that have not yet been spent. Many gift cards are numbered sequentially, according to the report.
Fraudsters often turn to automation to help with the laborious number-checking process. Flashpoint referred to the recently discovered GiftGhostBot, which automates thousands of checks against more than 1,000 websites in search of unused gift cards.
CSO Online reported that Flashpoint tracked chatter in underground forums and observed a significant rise in discussions about “cracked” gift cards last summer. The number of conversations per month rose from a nominal amount during the first half of 2016 to almost 600 last summer.
A Growing Threat
The popularity of this new type of fraud, plus the poor level of security measures, led Flashpoint analysts to conclude that this errant activity will increase. CSO Online quoted Flashpoint analyst and report author Liv Rowley, who said that, according to anecdotal evidence from retailers, this type of fraud can total thousands of dollars.
CIO referred to research from Gift Card Granny that suggested that the average holiday shopper purchased two gift cards in 2015. By 2018, the total volume of gift card value is anticipated to hit $160 billion.
As with the Flashpoint research, the CIO article confirmed that prepaid gift cards can be a big target for fraud and money laundering. Retailers should build stronger defense processes and invest in enterprise-class security tools to check the details of card users in real time.
The Flashpoint report noted that gift cards are not held to strict antifraud standards, unlike bank-issued credit and debit cards. The firm advised businesses seeking to address gift card fraud to consider a range of security measures, including:
- A CAPTCHA system for all online purchases made with gift cards to help prevent instances of gift card checking by bots;
- A more complex numbering system for gift cards, such as one that uses a mix of both numbers and letters;
- Requiring correct PIN numbers to check gift card balances or use gift cards for in-store purchases; and
- Subjecting transactions that use certain gift card management applications to greater scrutiny.
Until gift card security standards catch up to those of credit and debit cards, these best practices are consumers’ and retailers’ best bet to defend against sneaky fraudsters.