5 reasons fraudsters love gift cards more than you do

Fraudsters love gift cards more than you do. This might come as a shock to you, but it’s true. As Nethone Chief Innovation Officer Aleksander Kijek explains in a webinar with the Merchant Risk Council entitled “Gift Cards: How Scammers Take Advantage of Your Inattention,” there are a number of reasons behind the love affair between fraudsters and gift cards.

If your online business offers gift cards, then the love affair most likely has a direct negative impact on risk levels for your daily operations.

In short, fraudsters love gift cards because...

...the security is easy to crack ...they’re great for Account Takeover (ATO), the hottest online fraud today ...they save fraudsters precious time ...they are convenient for money laundering ...gift card numbers can be stolen directly. No Darknet required!

In the early days of gift cards, fraudsters would just go into the shop, find the gift cards on the stand, and take pictures of the card numbers which is the unique identifier behind the money of the card.

So the retail industry came up with the idea to just put PINs on the gift cards. Even if the fraudster had a card number, the money was still protected with a PIN, which is revealed by physically scratching the back of the card.

But here comes the next challenge. A four or even an eight digit number is not something that is hard to crack. You can crack it in seconds even with “number of attempts” and/or “time limit” security features enabled. PINs are not much of a detriment. Brute-forcing PINs today is a solved issue.

And if you allow customers to make their own PIN, you make it even easier for fraudsters. There are 10^4 possible combinations in a 4-digit scenario, but humans everywhere are extremely predictable; most people do not pick random numbers when they have the opportunity to create a PIN. A survey of 3.4 million PINs showed that 25% comes from just 20 possibilities! In fact, 10% of the surveyed cardholders used “1234” as the PIN; about 20% choose 1234, 0000 or 1111! Here are more results from the survey:

• More than 10% choose 1234 as their PIN. About 20% choose 1234, 0000 or 1111
• It’s quite popular to use one’s birthday year as a PIN, such as 1960, 1982, 1990, etc.
• A full 17.8% of PINs are couplets, such as 7878, 8181.
• Straight-down-the-middle of the keypad “2580” is No. 22 on the most-used PINs list
• The top 20 most popular PINs together make up 26.83%
• 8068 is the "safest" PIN, used just 25 times out of 3.4 million.

Even if fraudsters weren’t given a head start with PINs like 1234, 1111, etc., PIN-breaker software is just a Google search away. There are even free, open-source PIN-breaker packages available.

Gift cards are great for Account Takeover (ATO), which is one of the latest, hottest types of fraud. The gift card environment is far less secure than the credit card environment. Gift cards do not have many of the security features that credit cards have. The credit card environment has “PCI DSS” (Payment Card Industry Data Security Standard) which has been around for quite a while and has increased in security over time. Merchants today never store credit card information. Credit card information is kept with PSPs and banks. But the gift card environments are maintained by smaller entities. So of course fraudsters target the less secure environment to take over users' accounts.

Some fraudsters will take advantage of the lesser security around gift cards to commit ATO and transfer balances of nearly depleted cards and collect the money for themselves. They might gather 5,000 cards with $5 balances on them.

Everyone knows that the concepts of love and time are closely linked. If a fraudster buys 1000 stolen credit card numbers on the Darknet (or sometimes even on the Clearnet or messaging apps), then she/he is buying from another fraudster, who probably has more than one buyer. Because the stolen credit card numbers are shared with multiple people, the value of the “product” quickly decreases. There is a time crunch---the fraudster has to convert the money on the credit cards as quickly as possible. A popular way to accomplish this is to buy multiple gift cards, since there is no shipment involved.

Fraudsters love gift cards so much that they create dedicated online shops to sell them at a steep discount on Darknet Markets, where you can purchase gift cards for 50% of the usual price. That money (usually in cryptocurrency form) will go directly to the fraudster. The legitimate shop will eventually just send the goods because it was purchased with a gift card. The transaction is clean except for the stolen gift cards, making it far more difficult to pin down the fraudster. In the end, the fraudsters have laundered money that they obtained from a shady source. This also means that serious fraud might be behind the operation. Fraudsters also sell stolen gift cards on the Clearnet, or indexed Internet, to “regular” people and then keep the customers’ personal information for future ATO scams. Stolen login info is a keep that keeps giving.

A popular scam to get gift card numbers involves old fashioned manipulation of people: fraudsters posing as a CEO email an employee. It’s easy to get a CEO’s last name, email address, photo, and other info since they’re public figures. Then the fraudsters send a spoofed email to an employee asking for the following: “I need this purchase very quickly, please use the company card to buy 10 gift cards and send me their numbers.” Of course it doesn’t work 100% of the time, but it’s a numbers game. It would be identified only after someone does the accounting and they see there was money taken out of the cards.

Also, there is a higher chance of a fraudster having physical contact with a gift card, since they are probably just hanging in some display in a large store along with a lot of other gift cards, or easily accessible near a checkout counter. Scammers have a range of tools that they can use to get access to the information on the gift cards, even if they’re nicely packaged. In contrast, people rarely make their credit cards available to passersby (or even their loved ones, in some cases) unless they’re stolen.

The love affair between fraudsters and gift cards is not going to end anytime soon. If anything, the love affair will probably deepen with time. Knowing this, it is best to prepare your eCommerce site, online gaming platform, travel site, etc. against future attacks. Check out Aleksander Kijek’s webinar and learn more about gift card fraud and what you can do to prevent it through program design, partnering with experts, and Machine Learning tools. In future articles we will explore these topics in greater detail.