This is page 4 of:
Target, Starbucks Suffer Mobile Gift Card Security Hole
How can gift cards be made more secure? Several ways.
As a short-term measure until more robust security measures are fully deployed, the gift cards can be placed behind the counter, alongside cigarettes, adult-themed items and restricted types of over-the-counter medicines. Because these fraud tactics require close examination of the items, this approach would slow down the attacks from customers.
Then again, most fraud attempts are inside jobs. As such, the “shove ’em behind a counter” tactic won’t do much to deter employee fraud, which could mean that this plan won’t make as large a dent as it could. Still, any reduction is helpful.
Speaking of the “Get ’Em Out Of Sight” suggestion, there’s a non-trivial concern about out-of-sight, out-of-mind. Gift cards have been prominently displayed for a reason: marketing wants them to be as convenient for consumers to grab as possible. But that goal can still be achieved by replacing the real cards with cheap dummy cards.
When someone brings one up to the cashier, the associate pulls out a real card from a drawer. This approach is not that different from what video rental stores (anyone remember those?) used to do, with empty video cases on the shelf and the real videos to be retrieved by a store associate as they’re being paid for.
This point gets into the area of actually improving card security, which would require POS and app changes. Forcing the customer to type in a PIN when the card is loaded with value is not especially onerous, nor is seeking that PIN for using the card.
Tokenization is a behind-the-scenes approach to secure the mobile process. It’s not clear if it would be needed, but some forms of tokenization might take some of the load off of retailers. Then again, a strict PIN approach might be sufficient.
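The PIN-at-load and PIN-at-use idea above, sketched as an added example (not code from this article or from any retailer's POS or app). The class name, the PBKDF2 storage and the three-attempt lockout are assumptions made for the illustration; the point is that the card number a barcode or a screenshot carries is never sufficient on its own.

```python
import hashlib
import hmac
import os

MAX_PIN_FAILURES = 3  # assumed lockout threshold, not taken from the article


class GiftCardLedger:
    """Hypothetical in-memory ledger: the card number alone can neither
    load nor spend value; every operation also needs the PIN."""

    def __init__(self):
        self._cards = {}  # card_number -> record dict

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # Slow salted hash so a leaked ledger does not expose short PINs cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _check_pin(self, rec: dict, pin: str) -> bool:
        if rec["failures"] >= MAX_PIN_FAILURES:
            return False  # locked: blocks guessing a short PIN at the register
        ok = hmac.compare_digest(self._derive(pin, rec["salt"]), rec["pin_hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok

    def load(self, card_number: str, amount_cents: int, pin: str) -> None:
        """The first load sets the PIN; later loads must present the same PIN."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        rec = self._cards.get(card_number)
        if rec is None:
            salt = os.urandom(16)
            rec = {"salt": salt, "pin_hash": self._derive(pin, salt),
                   "balance": 0, "failures": 0}
            self._cards[card_number] = rec
        elif not self._check_pin(rec, pin):
            raise PermissionError("PIN rejected")
        rec["balance"] += amount_cents

    def redeem(self, card_number: str, amount_cents: int, pin: str) -> int:
        """Spend value and return the remaining balance in cents."""
        rec = self._cards.get(card_number)
        if rec is None or not self._check_pin(rec, pin):
            raise PermissionError("card number or PIN rejected")
        if amount_cents <= 0 or amount_cents > rec["balance"]:
            raise ValueError("invalid amount")
        rec["balance"] -= amount_cents
        return rec["balance"]
```

Once the failure counter reaches the threshold, even the correct PIN is refused until the card is reset out of band, which is what keeps a four-digit PIN from being guessed at the register.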
This topic gets into one of the oldest Loss Prevention debates. Should checkout speed (how many customers can be processed in any one-hour period) trump security?
Scams using fake barcode labels on products have often been quite successful, relying on the fact that cashiers wouldn’t look up long enough to notice that a product scanning as a watermelon was actually a flat-screen television. When was the last time a chain pushed associates to take the time to look at and compare credit card signatures with the customer’s signature? (It sort of makes signing the credit card a nostalgic act.)
For those retailers willing to sacrifice speed for fraud reduction, these scams are not that difficult to detect. Look at the phone. Is that your chain’s app? Ask the customer to click on an icon. With an iPhone, a good technique is to simply ask for the phone to be tilted. If it’s just a picture, it will reorient and shrink, while the actual app would act differently.
Liability concerns notwithstanding, asking the cashier to briefly hold the phone to scan the barcode—while moving the image on the screen—wouldn’t be out-of-line. Still, these are time-consuming steps. If mobile apps become as popular as many predict, these verification tactics could become untenable. Then again, so could the fraud losses.
May 13th, 2010 at 1:54 pm
How is this any more of a risk than regular gift cards today? Gift cards don’t have a second validation point. If someone gets access to a gift card, the same information is available and either the card can be used physically, or in many cases online.
It seems to me that all of the folks in this article are exaggerating the point to gain attention for themselves.
I’d rather someone explain to me why I would pull out my phone, select an app (typically buried 3 pages back), then navigate to the right card, then select pay, show the bar code to the associate, they scan it 4 times, give up and then type the PAN in manually… instead of just pulling out my card from my wallet and swiping.
Mobile wallets are a long way away. But a retina scan being required when I get my Americano isn’t required.
May 13th, 2010 at 2:23 pm
Mike asked, “How is this any more of a risk than regular gift cards today?” It’s a fair question. The answer is in the ease of the fraud. It’s an order of magnitude more labor-intensive to create a duplicate bogus gift card that looks convincing. The magstripe would likely need to be forged as well. Not that it can’t be done, of course, as there is a lively business making and selling cloned cards with stolen information. But what makes these mobile holes so problematic is that they are so incredibly easy and inexpensive (free, really) to use. A security hole is only dangerous to the degree that thieves are going to try and leverage it. The mobile offerings seemed so much easier that it struck us as a much more ominous threat.
May 19th, 2010 at 11:19 am
Simple solution? Cover the gift card number with a scratch off coating (like the PIN). Educate clerks not to activate gift cards when the scratch off coating has been tampered with.