With digital gift cards rising to 67% of total gift card sales in December of 2014 (compared to 57% the previous year), it doesn’t come as a surprise to anyone that this channel is quickly becoming a highly desired target for hackers.
This is not a new problem, but it is receiving an increasing amount of attention as the United States continues its transition to EMV-compliant chip cards and terminals. The improved security at brick-and-mortar stores will force hackers to use stolen card information online. We already know that card-not-present fraud increased 79% in the U.K. following implementation of chip and PIN, and expect a similar increase here in the U.S. Hackers whose methods of counterfeiting magnetic stripe cards are becoming far more difficult to employ are now turning to the next easiest way to use stolen cardholder information - online.
With increasingly fast methods of detecting compromised cardholders available in the marketplace, hackers know they have a limited amount of time to spend stolen cards. An easy way to get around this is to use the stolen information online (where there are fewer security measures in place) to purchase digital gift cards.
In a 2007 interview with USA Today, Paul Cogswell, vice president of loss prevention and risk services at Comdata, said the re-sale of gift cards “extends the life of credit card fraud.”
With ecommerce fraud detection tools like Kount quickly encroaching on hackers’ ability to use the gift cards themselves, the hackers have moved to gift card re-seller channels like Raise.com to quickly offload the cards to unsuspecting consumers.
While sites like these do confirm the balances of the cards before they’re listed on their marketplace, what they aren’t often able to know is how they were purchased - specifically, whether or not they were bought with stolen card information. With fraud investigations at financial institutions allowed to take up to ten days before even deciding whether or not to refund a consumer’s account, hackers can quickly buy cards and resell them online before the original cardholder even catches on to fraudulent charges in their account.
Online gift card fraud is just as significant a pain point for merchants as it is for financial institutions. According to a study by LexisNexis and research partner Javelin Strategy and Research, the cost of fraud for merchants is steadily rising. In 2013, for every $1 in fraud, brick-and-mortar merchants lost $2.79. However, for online merchants, that number was $3.10 and is only expected to continue to rise.
Given that statistic, there are a couple of other types of gift card fraud that merchants and financial institutions should keep an eye out for this holiday season.
- Hacked accounts: Gift cards or prepaid cards that have auto-refill turned on, and/or are linked to bank accounts are easy targets for hackers. Once the card number or account details are compromised, hackers can purchase new gift cards using the attached bank or PayPal account, and then spend or sell those gift cards on the aforementioned reseller sites for cash. This exact scenario played out earlier this year with Starbucks’ mobile payment application.
- Cloning cards: Whether through skimming cards in-store, or by taking them home to clone and return, fraudsters will steal the card information off the magnetic stripe, much like they have done with credit and debit cards for years, and then counterfeit the cards. They will then wait until the original card has been activated, usually through a balance checker tool on the retailer’s site, and put their counterfeit card into use as soon as the original is activated with a balance.
The EMV transition is sending hackers scrambling to use existing stolen account information, and gift cards are and will continue to be an incredibly hot target. While no one has the silver bullet for combating this, the answer lies both in securing online transactions so that the purchase of digital gift cards isn’t as easy, and in finding a way to identify fraudulently purchased gift cards faster. The quicker one card can be identified as fraudulent, the quicker the remaining cards purchased in that lot can be shut down.