Nethone is now part of Mangopay.

5 reasons fraudsters love gift cards more than you do

There's a love affair between fraudsters and gift cards. Learn more about gift card fraud and how you can prevent it with Machine Learning models.


Fraudsters love gift cards more than you do. There are a number of reasons behind this love affair, and we'll try to list them all in this article.


Why fraudsters love gift cards

If your online business offers gift cards, then the love affair most likely has a direct negative impact on risk levels for your daily operations.

In short, fraudsters love gift cards because:

  • the security is easy to crack
  • they’re great for Account Takeover (ATO)
  • they save fraudsters precious time
  • they are convenient for money laundering
  • gift card numbers can be easily stolen 

Cracking gift card PINs is a solved issue for fraudsters

In the early days of gift cards, fraudsters would just go into the shop, find the gift cards on the stand, and take pictures of the card numbers, which are the unique identifiers behind the money on the card.

So the retail industry came up with the idea to just put PINs on the gift cards. Even if the fraudster had a card number, the money was still protected with a PIN, which is revealed by physically scratching the back of the card.

But here comes the next challenge. A four-digit or even an eight-digit number is not hard to crack. You can crack it in seconds even with 'number of attempts' and/or 'time limit' security features enabled. PINs are not much of a deterrent. Brute-forcing PINs today is a solved issue.

And if you allow customers to choose their own PIN, you make it even easier for fraudsters. There are 10^4 possible combinations in a 4-digit scenario, but humans everywhere are extremely predictable; most people do not pick random numbers when they have the opportunity to create a PIN. A survey of 3.4 million PINs showed that 25% come from just 20 possibilities! In fact, 10% of the surveyed cardholders used '1234' as the PIN; about 20% chose 1234, 0000, or 1111! Here are more results from the survey:

  • More than 10% chose 1234 as their PIN. About 20% chose 1234, 0000 or 1111.
  • It’s quite popular to use one’s birth year as a PIN, such as 1960, 1982, 1990, etc.
  • A full 17.8% of PINs are couplets, such as 7878, 8181.
  • Straight down the middle of the keypad, '2580' is No. 22 on the most-used PINs list.
  • The top 20 most popular PINs together make up 26.83%.
  • 8068 is the "safest" PIN, used just 25 times out of 3.4 million.
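
For platforms that let customers choose a gift card PIN, the survey patterns above can be turned into a screening rule at PIN-creation time. The following is an added example, not code from the original article: the function names, the 4 to 8 digit length range, the reversed keypad line, and the generalisation from couplets to any repeated block are assumptions made for illustration.

```python
from datetime import date

# Middle column of a phone keypad, top-down (named on the page) and bottom-up (assumed).
KEYPAD_LINES = {"2580", "0852"}


def weak_pin_reasons(pin):
    """Return why a customer-chosen PIN is predictable; an empty list means accept."""
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 ASCII digits")
    digits = [int(c) for c in pin]
    # Step between neighbouring digits modulo 10: {1} is ascending, {9} is descending.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")      # 0000, 1111
    elif steps in ({1}, {9}):
        reasons.append("sequential digits")          # 1234, 4321, 7890
    else:
        # Couplets and longer repeats: the PIN is one block written several times.
        for size in range(2, len(pin) // 2 + 1):
            if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
                reasons.append("repeated block")     # 7878, 8181, 12341234
                break
    if len(pin) == 4 and 1900 <= int(pin) <= date.today().year:
        reasons.append("plausible year")             # 1960, 1982, 1990
    if pin in KEYPAD_LINES:
        reasons.append("keypad line")                # 2580
    return reasons


def screen_pins(candidates):
    """Map each candidate PIN to its rejection reasons (constructed sample input)."""
    return {pin: weak_pin_reasons(pin) for pin in candidates}


if __name__ == "__main__":
    for pin, why in screen_pins(["1234", "0000", "1990", "7878", "2580", "8068"]).items():
        print(pin, "REJECT: " + ", ".join(why) if why else "accept")
```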

Even if fraudsters weren’t given a head start with PINs like 1234, 1111, etc., PIN-breaker software is just a Google search away. There are even free, open-source PIN-breaker packages available.

Gift cards are great for ATO

Gift cards are great for Account Takeover (ATO), which is one of the latest, hottest types of fraud. The gift card environment is far less secure than the credit card environment. Gift cards do not have many of the security features that credit cards have. The credit card environment has PCI DSS (Payment Card Industry Data Security Standard) which has been around for quite a while and has increased in security over time. Merchants today never store credit card information. Credit card information is kept with PSPs and banks. However, the gift card environments are maintained by smaller entities. So, of course, fraudsters target the less secure environment to take over users' accounts.


Some fraudsters will take advantage of the weaker security around gift cards to commit ATO, transfer the balances of nearly depleted cards, and collect the money for themselves. They might gather 5,000 cards with USD 5 balances on them.

Gift cards save time for fraudsters

Everyone knows that the concepts of love and time are closely linked. If a fraudster buys 1000 stolen credit card numbers on the Darknet (or sometimes even on the Clearnet or messaging apps), then they are buying from another fraudster, who probably has more than one buyer. Because the stolen credit card numbers are shared with multiple people, the value of the product quickly decreases. There is a time crunch - the fraudster has to convert the money on the credit cards as quickly as possible. A popular way to accomplish this is to buy multiple gift cards since there is no shipment involved.

Gift cards are great for money laundering

Fraudsters love gift cards so much that they create dedicated online shops to sell them at a steep discount on Darknet Markets, where one can purchase gift cards for 50% of the usual price. That money (usually in cryptocurrency form) will go directly to the fraudster. The legitimate shop will eventually just send the goods because they were purchased with a gift card. The transaction is clean except for the stolen gift cards, making it far more difficult to pin down the fraudster. In the end, the fraudsters have laundered money that they obtained from a shady source. This also means that serious fraud might be behind the operation. Fraudsters also sell stolen gift cards on the Clearnet or indexed Internet and then keep the customers’ personal information for future ATO scams. Stolen login info is a gift that keeps giving.

Gift card numbers are easy to steal

A popular scam to get gift card numbers involves old-fashioned manipulation of people: fraudsters posing as a CEO email an employee. It’s easy to get a CEO’s last name, email address, photo, and other info since they’re public figures. Then the fraudsters send a spoofed email to an employee asking for the following: 'I need this purchase very quickly, please use the company card to buy 10 gift cards and send me their numbers.' Of course, it doesn’t work 100% of the time, but it’s a numbers game. The fraud would be identified only after someone does the accounting and sees there was money taken out of the cards.

Also, there is a higher chance of a fraudster having physical contact with a gift card since they are probably just hanging in some display in a large store along with a lot of other gift cards or easily accessible near a checkout counter. Scammers have a range of tools that they can use to get access to the information on the gift cards, even if they’re nicely packaged. In contrast, people rarely make their credit cards available to passersby (or even their loved ones, in some cases) unless they’re stolen.

A love affair for the ages

The love affair between fraudsters and gift cards is not going to end anytime soon. If anything, the love affair will probably deepen with time. Knowing this, it is best to prepare your platform against future attacks. 
