Tricks and Tactics of eGift Card Fraudsters
eGift cards are one of the hottest trends in eCommerce. Digital gift card sales will grow 40% this year—from $10 billion in 2016 to $14 billion in 2017. In fact, during the holiday season, eGift cards will actually outsell physical gift cards. Perhaps that’s why 81% of leading internet retailers now offer digital gift cards.
One more statistic: 100% of fraudsters will use one or more of the following techniques to rip off merchants offering eGift cards:
- Chargeback and Resell. This is the most common type of eGift card fraud: fraudsters use stolen credit cards to buy dozens or even hundreds of eGift cards, then resell the fraudulently obtained eGift cards on secondary marketplaces for immediate cash.
- Account Takeover (ATO). Fraudsters hack or steal a consumer’s credentials to take over the account and buy as many eGift cards as possible. This is especially lucrative if auto-load is enabled on the account. Again, they can resell the eGift cards on secondary marketplaces for cash, or buy actual goods with the cards and resell those fraudulently obtained goods for cash.
- Card testing. Buying a $5 eGift card is an inexpensive way for a fraudster to test stolen credit card accounts, leaving as much money as possible in the stolen card account for other fraudulent activities.
- Race Condition. This vulnerability takes advantage of web browsers that will temporarily cache data during transactions, for example, as money is transferred from one account to another. One security expert was able to initiate simultaneous $5 transfers from one card to a second card using multiple browsers, confusing the system and in effect doubling the amount in the account.
- Brute Force. It’s important to make the gift card verification process as secure as possible. Here’s why: a security professional received a gift voucher that required web activation. He noticed the web page was issuing a “Good” or “Bad” confirmation as he entered each number of the code. He also noticed that there were no limits on the number of times he could enter a number for verification. It became apparent to him that this verification process—obviously instituted to make confirmation easier for legitimate customers—would also allow fraudsters using automated means to quickly guess activation codes.
- Bots/botnets. Fraudsters and criminal rings are becoming increasingly sophisticated. Using bots, botnets and automated technologies can exponentially increase the number of attacks that can be carried out in a given period of time, which increases their overall success. After all, a 95% failure rate on 100,000 automated transactions is still 5,000 successful ones.
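
The Brute Force item above comes down to two missing controls: the page confirmed each number as it was entered, and it never limited attempts. The following Python is an added example, not code from the original article or from any merchant's system; the class name, the limits and the sample activation code are assumptions. It checks only the complete code, returns a single generic failure, and caps failures per client and per card, so that guesses spread across many bots still hit the per-card limit.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5          # assumed policy: failed attempts allowed per window
WINDOW_SECONDS = 15 * 60  # assumed policy: length of the counting window


class ActivationVerifier:
    """Verifies whole activation codes and caps failures per client and per card."""

    def __init__(self, codes, clock=time.monotonic):
        self._codes = codes                 # card_id -> activation code
        self._clock = clock                 # injectable so tests can control time
        self._failures = defaultdict(list)  # key -> timestamps of recent failures

    def _recent(self, key):
        # Drop failures older than the window, then count what is left.
        cutoff = self._clock() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return len(self._failures[key])

    def verify(self, client_id, card_id, submitted):
        keys = (("client", client_id), ("card", card_id))
        # Refuse before looking at the code, so a locked caller learns nothing.
        if any(self._recent(k) >= MAX_ATTEMPTS for k in keys):
            return "locked"
        expected = self._codes.get(card_id, "")
        # Compare the full code in constant time; never report which part was wrong.
        ok = bool(expected) and hmac.compare_digest(
            expected.encode(), submitted.encode())
        if ok:
            return "ok"
        now = self._clock()
        for k in keys:
            self._failures[k].append(now)
        return "invalid"


if __name__ == "__main__":
    # Constructed sample data: one card with a made-up activation code.
    v = ActivationVerifier({"card-1": "4821-7730-1945"})
    for i in range(7):
        print(i, v.verify("client-a", "card-1", f"0000-0000-{i:04d}"))
```
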
Fraudsters and criminal gangs also employ sly tactics to hide their identities as they go about stealing eGift cards and redeeming them:
- Multiple account creation. The record number of breaches has weaponized consumer data. In 2016, there were 1,093 breaches with close to 37 million records exposed. Yahoo revealed in December of 2016 that 1 billion of its accounts had been compromised in a hack that had been going on since 2013. All of this identity data—cheaply and readily available on the Dark Web—makes it easy for criminals and fraudsters to create hundreds of fake accounts using synthetic or stolen identities. Once these false identities are created, it’s a simple matter to buy and resell large quantities of eGift cards without being detected.
- Device/carrier switching. 60% of overall fraud originates on mobile. Why? The way in which mobile networks operate makes it relatively easy for fraudsters to defeat ad hoc/standalone antifraud tools like Device Detection by hopping across multiple mobile devices, carriers and ISPs. They can appear to be many different consumers instead of a single fraudster.
- Holiday volume. 73% of consumers buy eGift cards during the holidays. The surge in holiday eGift card volume makes it easier for fraudsters to “hide” within the stream of transactions. Another open secret is that many merchants loosen controls during the holidays—especially on high-volume days like Black Friday and Cyber Monday. Fraudsters will take advantage to try and slip through undetected.
- Phishing, SQL injection, social engineering. In a recent test, nearly 1 in 3 users clicked on a “phishing” link and 17% actually entered their usernames and passwords! It’s fairly easy for fraudsters to send legitimate-looking but malicious emails to tens of thousands of users. Just one single phishing attack like this could trick thousands of people into revealing their login credentials, leading to widespread account takeovers.
Fortunately, there are a number of best practices that eCommerce operations can adopt to protect against eGift card fraud. Download the eBook “eGift Card Fraud: The Gift That Keeps On Taking” to find out what you can do to fight fraud and protect this popular and valuable sales tool from being abused.