Usage of stolen payment data for eGift card purchases
This is the most popular type of fraud for electronic gift cards. Fraudsters use stolen credit card data to buy electronic gift cards, which are later sold in secondary marketplaces for cash. The cardholder later finds the fraudulent purchase and requests a chargeback.
A variation of using stolen payment data for eGift card purchases
A fraudster places an order for goods using a stolen but legitimate-looking credit card; that is, the order uses the cardholder's actual personal and delivery information. Shortly after the transaction is approved, and before the cardholder realizes that the transaction is fraudulent, the fraudster calls the store to cancel the transaction. Instead of having the refund put on the credit card used for the purchase, the fraudster requests that the refund be placed on a gift card (which is generally not traceable). Upon receiving the gift card, the fraudster makes a new purchase with it. Later, the owner of the credit card notices the fraud and requests a chargeback, leaving the merchant at a loss.
Account Takeover (ATO)
In an ATO fraud scheme, fraudsters will leverage stolen login credentials to take over a consumer’s account, where they can update contact information so any customer service calls or emails get routed to the criminal. From there, criminals have many options to obtain gift cards: they can purchase multiple low dollar digital gift cards, transfer several amounts into one “master” account, or leverage a reputable account with a positive history of purchases to simply redeem a stolen e-gift card without scrutiny.
Acquiring numbers in bulk
Fraudsters will acquire gift card numbers in bulk from merchants, issuers, reward programs, etc. This can be done through several methods, like phishing, SQL injection, social engineering, fraudulent employees, and accidental disclosure.
Card Testing
Fraudsters usually test stolen credit cards by purchasing low-priced items. Card testing can be leveraged to purchase small increments of electronic gift cards that can be consolidated into one large amount. Fraudsters have numerous reasons to practice card testing, such as validating that stolen data is accurate or becoming familiar with a merchant’s fraud controls.
Bots and trial & error
Many gift cards will require online activation before usage. Fraudsters can use bots to create millions of combinations of codes and test the systems in place, until a good combination is reached. Bots can also be used to find a match between a valid gift card number and a recently activated balance. Once the bot finds a match, hackers use the gift card themselves or sell it on the dark web.
Data theft before gift cards are activated
Gift cards work essentially the same as credit cards: they can be used online by manually keying in the card's information, or with a magnetic stripe. Gift cards may or may not have an additional level of security; sometimes they have a PIN covered with a coating that needs to be scratched off. In many stores, gift cards sit out in an accessible place, making them an easy target for fraudsters. The magnetic stripe number can be copied, photographed, or read with a magnetic stripe reader. The PIN protection can be scratched off and then replaced with stickers sold online. From there, it’s a waiting game. Most merchants offer a way to check gift card balances online or through call centers. The fraudsters wait until the cards are activated by a legitimate purchase. As soon as they are, the fraudsters transfer the balances to another card or sell the card.
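Both the bot-driven code guessing and the balance-check "waiting game" described above leave traces in balance-check logs. The following is an added example, not code from the original page: a detector that flags a client looking up many unknown card numbers and a client repeatedly checking one unactivated card. The log fields, the client identifier (for instance an IP address or device fingerprint) and all thresholds are assumptions.

```python
from collections import defaultdict, deque

ENUM_WINDOW = 600          # assumed: seconds of look-back for unknown-number lookups
MAX_UNKNOWN_CARDS = 5      # assumed: distinct unknown numbers tolerated per client
POLL_WINDOW = 86400        # assumed: seconds of look-back for repeat checks of one card
MAX_INACTIVE_POLLS = 3     # assumed: checks of one unactivated card tolerated per client

def _push(queue, item, ts, window):
    """Append (ts, item) and drop entries that fell out of the window."""
    queue.append((ts, item))
    while queue[0][0] <= ts - window:
        queue.popleft()

def detect_balance_check_abuse(events):
    """events: (ts, client, card, result) tuples sorted by ts, where result is
    'invalid' (no such card), 'inactive' (not yet activated) or 'active'.
    Returns {client: set of reasons}."""
    unknown = defaultdict(deque)    # client -> recent lookups that hit no card
    polls = defaultdict(deque)      # (client, card) -> recent checks of an inactive card
    alerts = defaultdict(set)
    for ts, client, card, result in events:
        if result == "invalid":
            _push(unknown[client], card, ts, ENUM_WINDOW)
            if len({c for _, c in unknown[client]}) > MAX_UNKNOWN_CARDS:
                alerts[client].add("number-enumeration")
        elif result == "inactive":
            _push(polls[(client, card)], card, ts, POLL_WINDOW)
            if len(polls[(client, card)]) > MAX_INACTIVE_POLLS:
                alerts[client].add("inactive-card-polling")
    return dict(alerts)

def sample_events():
    """Constructed balance-check log for three clients (not real data)."""
    # "bot-1" tries eight different unknown numbers within 80 seconds.
    events = [(1000 + 10 * i, "bot-1", f"6000{i:04d}", "invalid") for i in range(8)]
    # "watcher" checks the same unactivated card once an hour.
    events += [(1000 + 3600 * i, "watcher", "60009999", "inactive") for i in range(5)]
    # "shopper" mistypes a number once, then checks a real card.
    events += [(1050, "shopper", "60001235", "invalid"),
               (1060, "shopper", "60001234", "active")]
    return sorted(events)
```

Flagged clients can then be rate limited or challenged before further balance checks are answered.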
Reroute miles and loyalty points
Fraudsters can hack credit card rewards or travel loyalty accounts to quickly monetize the value of the credits into gift cards, which are hard to trace and can be easily converted into money. Usually, the site will give the fraudster a gift card number on the spot, which can be printed out and used in-store or online.
Buyers acting as an organized gang
Some gift cards are activated at the moment that they are scanned at the cashier, and the money is stolen before the completion of the purchase. In this scenario, fraudsters come in pairs.
- Step 1: Fraudster 1 takes note of the number of the gift card.
- Step 2: Fraudster 2 brings the gift card to the cashier and asks for it to be loaded. The card is then scanned, therefore activated.
- Step 3: Fraudster 1 asks for a money transfer at the gift card call center, quickly draining the gift card of its value.
- Step 4: Fraudster 2 cancels the transaction at the cashier. Both fraudsters walk out with the funds; no purchase was even required.
Fraudsters buying and returning goods
Some stores offer a return policy where items can be returned for a store credit higher than the purchase amount.
This keeps the purchase with the store and keeps the customer coming back. Here is an example of how this would work: a fraudster buys a $50.00 shirt, which is later returned for a 120% store credit; the fraudster can now purchase any item worth $60.00 ($50.00 x 1.20); the fraudster then returns to the store and buys a $60.00 item, which cost him only $50.00.
While this setup is done with the permission of the store, if it is used repeatedly with the intention of scamming the store out of return credit and especially when coordinated with employees of the store, fraudsters can make big profits with this scheme.
Usage of browser cache for duplicate credits
A researcher impersonating a fraudster found an IT glitch that let him transfer balances between cards without deducting any value. By initiating two identical web transfers at once, the fraudster was able to trick the system into recording them both. Normally, you could take a $10 gift card and move that money to another $10 gift card, which would leave you with one empty gift card and one with a balance of $20. In this case, the fraudster was able to duplicate that transfer, giving him an empty gift card and a $30 gift card. When these accounts reach zero, many of them are automatically reloaded, giving fraudsters quick access to new funds on the empty cards.
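The duplicated transfer described above is a check-then-write race on the server side. The following is an added example, not code from the original page or from any merchant's system: it replays the interleaving of two identical requests against a flawed two-step flow, then shows a transfer that debits conditionally inside one transaction and rejects a repeated request. The table layout and the per-request `request_id` are assumptions.

```python
import sqlite3

def open_ledger(balances):
    """In-memory ledger; the CHECK constraint is a last line of defence."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id TEXT PRIMARY KEY, "
               "balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.execute("CREATE TABLE transfers (request_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO cards VALUES (?, ?)", list(balances.items()))
    db.commit()
    return db

def balances(db):
    return dict(db.execute("SELECT id, balance FROM cards ORDER BY id"))

def flawed_check(db, src, amount):
    """Flawed flow, step 1: read the balance and approve the request."""
    (seen,) = db.execute("SELECT balance FROM cards WHERE id = ?", (src,)).fetchone()
    return seen if seen >= amount else None

def flawed_write(db, src, dst, amount, seen):
    """Flawed flow, step 2: write a value computed from the stale read."""
    db.execute("UPDATE cards SET balance = ? WHERE id = ?", (seen - amount, src))
    db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
    db.commit()

def safe_transfer(db, request_id, src, dst, amount):
    """Debit, credit and request de-duplication in one transaction."""
    try:
        with db:  # commits on success, rolls back on any exception
            db.execute("INSERT INTO transfers VALUES (?)", (request_id,))
            debit = db.execute(
                "UPDATE cards SET balance = balance - ? WHERE id = ? AND balance >= ?",
                (amount, src, amount))
            if debit.rowcount != 1:
                raise ValueError("insufficient balance")
            db.execute("UPDATE cards SET balance = balance + ? WHERE id = ?", (amount, dst))
        return True
    except (sqlite3.IntegrityError, ValueError):
        return False

def demo():
    db = open_ledger({"A": 10, "B": 10})
    # Both requests pass the balance check before either one writes.
    first, second = flawed_check(db, "A", 10), flawed_check(db, "A", 10)
    flawed_write(db, "A", "B", 10, first)
    flawed_write(db, "A", "B", 10, second)
    flawed = balances(db)
    db = open_ledger({"A": 10, "B": 10})
    outcomes = [safe_transfer(db, rid, "A", "B", 10) for rid in ("req-1", "req-1", "req-2")]
    return flawed, outcomes, balances(db)
```

In the flawed replay card B ends at $30 as in the account above; in the safe flow the repeated `req-1` is rejected as a duplicate and `req-2` is refused because the source card is already empty.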
- 3-Way Call to check balance: a person lists a legitimate gift card for sale on a reselling website. The fraudster impersonates a potential buyer and makes an offer and asks the seller to confirm the balance on the card by calling the merchant in a three-way call. The fraudster then records the touch tone numbers of the gift card as the seller enters it, and can then intercept the full card number. This gives him full access to the gift card without completing the purchase.
- Clerk employees acting as an organized gang: as the buyer hands a gift card to the cashier for activation, the cashier activates a different card and hands the original back to the customer. The cashier racks up activated gift cards while handing out empty ones.