In recent months there has been a spike in gift card fraud in the retail industry as retailers are being flooded with fraudulent balance checks, and customers are complaining about their gift cards being drained. Here is what we know about these types of gift card fraud attacks:
- Attacks are a brute force guessing attack known as “card cracking”, which involves checking millions of gift card variations to verify that the card is active and find out the value of the card.
- Cards are then either used or resold on the dark web or secondary marketplaces.
- Attacks are distributed and utilize thousands of IPs across hundreds of IP orgs (could be utilizing a bot net).
- Many requests come from consumer ISPs ,which makes it difficult to block.
- Bot operators evolve as security controls tighten by running automated browsers and changing user agents/IPs.
This past holiday season, over $27 billion was spent on gift cards with the average consumer planning to buy three cards with a value of $46 dollars each. Gift cards have historically been a win-win for businesses looking to make pre-sales and consumers looking for optionality. However the rise in gift cards has resulted in an influx of fraudulent attacks on gift cards. There are a number of ways a gift card can be compromised or used fraudulently. Below we discuss how fraudsters can compromise legitimately purchased gift cards through brute force attacks on credit card balance checks. For those who follow the OWASP Automated Threat framework, this is a type of card cracking attack.
How the attack happens
- Fraudsters discover sequential patterns from stolen physical cards or store visits.
- They use advanced persistent bots to run brute force attempts, testing millions of variations against the online balance checker.
- Commerce operators notice a higher proportion of failed payment authorizations using gift cards.
- Valid numbers are identified, and balances are displayed.
- Fraudsters resell live cards on the dark web and secondary market websites.
- Randomize gift cards with numbers AND letters (not sequential).
- Monitor failed authorizations and abandoned baskets closely.
- Consider allowing checks only to authenticated/registered users.
- Consider limiting number of failed attempts by each registered user.
- Apply advanced bot-detection methods to not allow brute force automated checks of payment cards on your website.
The good news is that we have a solution to mitigate these attacks amongst other brute force attacks (login, checkout, etc.) in real time and currently protect leading retailers from automated fraud.
To learn more about our bot mitigation and other security offerings, visit our website or get in touch with us today.