Gift cards face an increasing threat of being compromised by hackers and thieves, as conversations on the “Deep & Dark Web” centered around “cracked” gift cards rose greatly mid-2016, according to research from Flashpoint, a business intelligence firm that tracks fraud-related chatter online.
Retailers and financial companies have been successful, to some degree, in the fight against stolen or compromised credit cards being used to buy legitimate gift cards. With that shift, criminals now appear to be targeting the gift cards directly, according to the company’s report, “Cybercriminal Interest in Gift Cards.”
Criminals are capable of using a variety of methods, including fast, automated bots, to crack the serial numbers of the gift cards. These attempts are made easier by the fact that in some cases large numbers of gift cards are sequentially numbered, Flashpoint said.
Improving in-store payment card security via EMV chip card transactions and other measures seems to have had the effect of dispersing criminals to find new, weaker targets in the retail and payments sectors. We have heard a lot about the increasing threat of e-commerce hacks, and gift cards are now shaping up as another target. The timing of this evolution matches up pretty well with the increasing adoption of chip-based credit cards in the marketplace.
We recently learned about the GiftGhostBot discovered by Distil Networks, which had attacked almost 1,000 web sites to find gift cards it could breach to access their balance. Flashpoint's research also cites the GiftGhostBot as an example of the growing threat, but it is clear that there is much more to this mounting problem. Stolen gift cards can be sold on the black market for as little as 5% of their value and ultimately could be matched with fake receipts that make them easier to use for purchases.
It seems that gift card security is in some cases notoriously weak, with identification numbers sometimes running in sequence on large numbers of gift cards, and usage PINs being malleable enough that random PINs in some cases can work.
The Flashpoint report noted: "Cybercriminals’ continued interest in gift card fraud aligns with a common practice among many gift card issuers: the prioritization of user experience and profits over security. Unlike bank-issued credit and debit cards, gift cards are not held to strict anti-fraud standards, which means that many gift cards may lack common-yet-effective security features aimed to help combat fraud."
Gift card fraud negatively affects customers as well as brands' reputations, Chris Olson, CEO of The Media Trust, said in a statement emailed to Retail Dive regarding Flashpoint's report. “Unfortunately, website security continues to be a frequently overlooked issue for enterprises, especially retailers. As ecommerce operations grow and thrive in the digital economy, it’s important for businesses to take a holistic management approach to ensure security and privacy aren’t sacrificed in the name of user experience,” he said. “This means one individual needs to be responsible for the entire website operation — IT, marketing, revenue, security, risk, etc. — and can effectively balance revenue objectives and compliance with company policies and regulatory requirements.”
Adding to the overall security challenge is the fact that gift card balances remain unused or unclaimed for long periods of time after they have been purchased and given as gifts, a notion that may actually keep card providers from wanting to invest in high-level gift card security.
Among other mitigation advice, Flashpoint recommended that card issuers and businesses accepting gift cards require use of correct PINs to make purchases and check balances, and that a CAPTCHA system be used to complete online purchases involving gift cards. Consumers also could take better care to avoid their gift cards being compromised, though the biggest piece of advice is pretty obvious — treat that gift card like cash. Use it.
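One way an issuer could spot, in its balance-check logs, the two weaknesses described above: a client walking sequentially numbered cards, and PINs being guessed against a single card. This is an added example, not taken from Flashpoint's report; the log layout, client ids, card numbers and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed balance-check events: (client_id, card_number, pin_ok).
# The field layout, client ids and card numbers are assumptions for this example.
SAMPLE_LOG = (
    [("client-A", 6000000000001000 + i, i == 5) for i in range(8)]  # walks a numbered range
    + [("client-B", 6000000000774411, True)] * 2                     # shopper rechecking one card
    + [("client-C", 6000000000991302, False),                        # one mistyped PIN,
       ("client-C", 6000000000991302, True)]                         # then the correct one
    + [(f"client-D{i}", 6000000000553020, False) for i in range(6)]  # guesses spread over clients
)

def longest_sequential_run(numbers):
    """Longest run of consecutive integers among the distinct values."""
    ordered = sorted(set(numbers))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def clients_enumerating(log, min_cards=5, min_run=4):
    """Clients that queried many distinct cards whose numbers run in sequence."""
    cards_by_client = defaultdict(set)
    for client, card, _ in log:
        cards_by_client[client].add(card)
    return sorted(
        client for client, cards in cards_by_client.items()
        if len(cards) >= min_cards and longest_sequential_run(cards) >= min_run
    )

def cards_to_lock(log, max_failed_pins=5):
    """Cards whose failed-PIN count, summed over all clients, reaches the limit."""
    failures = defaultdict(int)
    for _, card, pin_ok in log:
        if not pin_ok:
            failures[card] += 1
    return sorted(card for card, n in failures.items() if n >= max_failed_pins)

if __name__ == "__main__":
    print("enumerating clients:", clients_enumerating(SAMPLE_LOG))
    print("cards to lock:", cards_to_lock(SAMPLE_LOG))
```

Counting failed PINs per card rather than per client matters because guesses against one card can arrive from many clients, as the `client-D` rows show.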