[Editor’s Note: September is E-Gift Card Fraud Month at Card Not Present (sponsored by Kount). Gift cards have become a popular go-to gift all year long and digital versions are growing especially quickly. But, as is the case with just about every kind of online transaction, the more they grow, the more opportunities criminals have to leverage them fraudulently.]
As merchants prepare for the holiday season, they need to account for an increased level of attacks across all digital and card-not-present transactions. At the forefront of this initiative is a company’s protection of e-gift cards. Without protection, the issuing and support of e-gift cards can result in a loss of merchandise, unwanted chargebacks, as well as the potential loss of brand loyalty from customers.
To prepare a merchant’s fraud strategy it is important to understand how fraudsters think and the tactics they will use to exploit a merchant’s e-gift card program. Outlined below are seven of the most common fraud tactics used to compromise e-gift cards:
- Chargeback and Resell. This is the most common type of e-gift card fraud. Fraudsters use stolen credit cards to buy dozens or even hundreds of e-gift cards. They then sell the fraudulently-obtained e-gift cards on secondary marketplaces for immediate cash. With a redemption rate of 80 cents on the dollar, a fraudster can turn one hundred $100 e-gift cards into $8,000 in just a few minutes.
- Account Takeover (ATO). Fraudsters hack or steal a consumer’s credentials to take over the account and buy as many e-gift cards as possible. This is especially lucrative if auto-load is enabled on the account. They then resell the e-gift cards on secondary marketplaces for cash.
- Card Testing. Fraudsters will often test stolen credit cards that they just purchased on the Dark Web to see if they’ll work. Buying a $5 e-gift card makes this testing relatively inexpensive, leaving a big balance that the fraudster can use on other stolen goods.
- Race Condition. This vulnerability is not uncommon for websites with balances, vouchers or other limited resources (mostly money). It takes advantage of the fact that browsers temporarily cache data during web transactions, for example, as money is transferred from one account to another. One security expert was able to initiate simultaneous $5 transfers from one card to a second card using multiple browsers, confusing the system and in effect doubling the amount in the account.
- Brute Force. A security professional received a gift voucher that required activation on a web page. As he entered the validation code numbers, he noticed the web page was issuing a “Good” or “Bad” confirmation as each number of the code was entered. He quickly realized that the action had no limitations and could be repeated any number of times, effectively allowing any attacker to swiftly guess activation codes without having to steal user credentials. This is a rather elementary example of how weak back-end security processes can lead to fraud losses.
- Multiple Account Creation. To confuse fraud prevention and tracking systems, fraudsters will create hundreds of accounts using synthetic or stolen identities. This makes it easier for them to buy large quantities of e-gift cards without being detected.
- Device/Carrier Switching. 60% of overall fraud originates on mobile devices. That’s because fraudsters are able to defeat simple ad hoc antifraud tools like Device Detection by hopping across multiple mobile devices, carriers and ISPs. They can appear to be many different consumers instead of a single fraudster.
This type of fraud has been around ever since e-gift cards have been offered to customers, but savvy merchants have discovered ways to fight back. Learn the twelve best practices to fight e-gift card fraud in Kount’s eBook “E-Gift Card Fraud: The Gift That Keeps On Taking”.