As retailers and other businesses increase security measures to prevent the use of gift cards purchased with stolen credit card numbers, cyber criminals have been focusing on fraudulent gift cards, according to a report released this morning by Flashpoint.
Traditionally, gift cards have been a fast way to make stolen credit card numbers pay off. Criminals would buy the gift cards online, in bulk, then use them at their leisure or resell them, without worrying that the credit card number had been canceled -- until the chargebacks started coming in from the credit card companies and merchants wised up.
So criminals have been turning to hacking the gift card systems themselves, figuring out how to find the gift card numbers of cards that have already been issued, but haven't yet been spent.
Flashpoint tracks chatter in underground criminal forums, and noticed a sharp increase in conversations around "cracked" gift cards last summer. The number of conversations tallied per month stayed at just a handful for the latter half of 2015 and the first half of 2016, then spiked to nearly 600 last summer, with another spike to over 300 this past December.
These gift cards were legitimately purchased, and many recipients don't use them for a long time. The credit card companies don't complain because the gift cards were deliberately purchased by legitimate card holders.
"As far as we have seen there are no chargebacks related to this and we aren’t aware of any penalties facing merchants," said Liv Rowley, analyst at Flashpoint.
Worst case, the recipient of a gift card would complain that it didn't have any money on it, or it didn't have as much money on it as they expected.
"This type of fraud does indeed oftentimes go unnoticed by customers," she said.
But that doesn't mean that retailers should ignore the problem, she said.
"We’ve heard anecdotal evidence from retailers who absolutely see fraud happening at the levels of thousands of dollars lost," she said. "This type of fraud has a big impact on retailers, as they are selling products to people who aren’t the rightful owners of the gift cards – or are providing products and services on gift cards that were never paid for."
Merchants should add some security measures to their gift cards, she said, so that they are no longer such attractive targets for criminals.
"Additionally, given the popularity of this fraud, it’s possible that compliance regulations will be implemented down the road, leaving gift card issuers not utilizing proper security measures scrambling to be in compliance," she said.
And those additional security measures can be very simple.
For example, many gift cards are numbered sequentially, making it extremely easy for criminals to guess numbers. The criminals then check numbers with the gift card company's online balance checker or on third-party sites to determine the value.
Some criminals use bots that can check gift card numbers against thousands of websites in search of unused gift cards with balances.
Some websites ask for PINs, according to the Flashpoint report, but usually those PINs aren't actually checked -- criminals can enter any random PIN to get their balances.
Flashpoint recommended that companies issuing gift cards implement a real system for checking PINs when verifying card balances, use CAPTCHAs, and generate random card numbers or letter and number combinations.
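
The recommendations above can be sketched in a few lines of Python. This is an added example, not code from the Flashpoint report or from any retailer's system; the class name `GiftCardStore`, the 16-character number format, the six-digit PIN and the five-failure threshold are all assumptions made for illustration, and the CAPTCHA is represented only by the point at which a client gets throttled.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # letters and digits, no look-alikes
MAX_FAILURES = 5  # assumed threshold before a client is challenged


class GiftCardStore:
    def __init__(self):
        self._cards = {}     # card number -> (salt, PIN hash, balance in cents)
        self._failures = {}  # client id -> failed balance checks so far

    @staticmethod
    def _hash(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, balance_cents):
        # Card number drawn from a CSPRNG, so there is no sequence to walk.
        number = "".join(secrets.choice(ALPHABET) for _ in range(16))
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._cards[number] = (salt, self._hash(pin, salt), balance_cents)
        return number, pin

    def check_balance(self, client_id, number, pin):
        """Return the balance in cents, or None for every kind of failure."""
        if self._failures.get(client_id, 0) >= MAX_FAILURES:
            return None  # throttled: a real site would demand a CAPTCHA here
        # Unknown numbers get a dummy record so both failure paths do the
        # same work and produce the same answer.
        salt, pin_hash, balance = self._cards.get(number, (b"\0" * 16, b"", 0))
        if not hmac.compare_digest(self._hash(pin, salt), pin_hash):
            self._failures[client_id] = self._failures.get(client_id, 0) + 1
            return None  # "no such card" and "wrong PIN" look identical
        return balance
```

Because the PIN is actually verified and failures are counted per client, an automated checker learns nothing from a guessed number and is cut off after a handful of attempts.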