Giftcard Fraud Rumors And Reality

Written by Evan Schuman
December 6th, 2006

As giftcards have soared in popularity in recent years?some $25 billion in giftcards are expected to sold this holiday season alone?the attempts to use them fraudulently have also soared. But some of the theft techniques being described to consumers are woefully out-of-date.

Does this mean that giftcards are secure financial tools for retailers and consumers? Not necessarily, but today’s giftcards are certainly no less secure than traditional credit cards, with most retailers and issuers willing to be flexible with consumers who have been burned.

The most popular giftcard fraud rumor hitting Web discussion forums and many newspapers is that there are bands of thieves who copy down giftcard numbers out in the open and then wait for a hapless consumer to buy?and thereby activate?the card. The thief then uses the card anywhere he doesn’t have to physically present the card, such as online.

It may be an interesting story, said giftcard fraud expert Paul Cogswell, but it won’t work and it likely never did.

“It flat out won’t work for you,” said Cogswell, the VP of loss prevention for CommData Inc., which issues about half the giftcards used in the U.S. “This is a recycling of an urban myth. It’s rare if ever that you’ve had a giftcard retailer that wouldn’t have anticipated this scam.”

The giftcard industry has gotten a lot more sophisticated in the last few years and now use quite a few security methods. The simplest one is to cover some of the identification number with a scratch-off adhesive, which makes it obvious that the card has been tampered with. An alternative approach is for retailers to use packaging that obscures much of the giftcard number.

Using a supplemental code?akin to the credit card’s CVC (card-validation code), which is not embossed on the card?is another popular tactic. That requires merchants to insist on the supplemental code, which not all retailers do.

But more recent high-tech approaches include capturing phone number calling in to check giftcard balance status?they use toll-free numbers, which can grab the incoming number even if caller-ID-block is used?and running them against a database, looking for various patterns. If a particular unused card’s balance is checked?suggesting a crook checking to see if it’s been activated yet?the card is disabled and the calling number can be blocked. The records can also show other card numbers that phone number has checked into, allowing them to be cancelled as well.

If the giftcard checking is done online, IP address tracking has also gotten more sophisticated. Security video camera footage is also now being catalogued, theoretically allowing footage to be matched to specific transactions. Let’s say a Starbucks customer complains that the giftcard balance is lower than it should be. That customer might be able to have them access footage of the crook using the bogus card replica.

But there are indeed many ways that crooks today can use giftcards effectively. The most popular method is using a giftcard to, in effect, extend the life of a stolen credit card. Under this scenario, the thief steals the creditcard. A few years ago, that card would have likely remained active for a few days after it’s reported stolen, said Joseph LaRocca, the VP of loss prevention for the National Retail Federation.

Today, however, the nation’s POS networks will likely have that card invalidated within minutes of it being reported stolen. That gives the criminal a very small window after the theft to access the money. A popular tactic is for the thief to immediately use the stolen credit card?while it’s still active?to purchase as many giftcards as possible, using up as much of the credit card’s balance as possible in the available few minutes.

Today’s networks do not automatically link giftcard numbers, so it will likely take a day or two?or more?before the police will identify what was fraudulently purchased. Once the credit card is shut down, police often don’t see a need to rush. Once the police contact the retailer, it will take more time to identify the account numbers of the giftcards that the thief purchased.

The connection will eventually be made, but it gives the thief a lot more time to convert the card into cash, either by purchasing products and then quickly selling them or even by selling the giftcards themselves, often at auction sites, LaRocca said.

Regarding the traditional giftcard fraud, much of it is up to the retailer to protect their cards. Smaller retail sites are the ones most likely to forego seeking additional security, but that’s not an issue for giftcards because “a lot of the smaller players don’t take giftcards online yet,” LaRocca said.

One security tactic that is not typically used yet is seeking photo id from customers using giftcards in stores. LaRocca doubted many retailers would want to bother giftcard customers by asking for additional identification.

The only benefit would be if the POS system was modified to allow for the cashier to enter the identification data. “So let’s say they capture it electronically. People don’t want to wait in line,” LaRocca said, for a very small boost in fraud-prevention for an offense retailers they are simply not seeing that often. “Weigh that against a cashier asking everyone in line for ID. It’s not always prudent to do that.”

An even more simple approach is to move giftcards away from the public area, forcing customers to ask for a clerk to get them from behind the counter. But that defeats some of the card’s attraction. “Consumers look to giftcards as a quick gift item,” LaRocca said.

But consumers make purchases based on their beliefs and perceptions, not necessarily on reality. Will consumer see giftcards as unsafe?

LaRocca hopes not, but he’s suggesting various things consumers can do to make them more comfortable with giftcards. Among his suggestions: keep giftcard receipts; before purchasing, make sure the PIN on the back of the card has not already been scratched off; never purchase giftcards from online auction sites, such as EBay, which are popular with thieves.

One giftcard site?called partnering with major retailers to sell discounted giftcards officially. Those private sites are much less likely to be attractive to giftcard thieves because of the additional scrutiny.

Of course, if consumers shy away from giftcards and try and actually think up personal gifts for loved ones, well, maybe that wouldn’t be such a bad thing.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.