For many years, and again in 2018, gift cards have remained the most popular present during the holiday season. Most recipients check the balance on their card at some point, and that balance check is where fraud commonly occurs. Balance inquiry fraud is one of the most rampant types of fraud affecting gift cards today, in part because the rollout of EMV chip cards has made counterfeit payment cards harder to use and driven fraudsters to easier targets.
Gift cards are a cheap and easy target because the fraudster never needs the physical card: the card number alone, checked against a balance lookup page, is enough. And with more legitimate websites for trading and selling gift cards, it is easier than ever to turn stolen card balances into profit.
Here’s how gift card balance inquiry fraud typically happens:
- The attacker finds a website where a gift card balance can be checked with nothing more than the card number (and perhaps a security code).
- The attacker enters a gift card number, which may or may not be active, and notes how the site responds to a live number versus an unknown one.
- The attacker writes a script that retrieves the balance for a card number, then repeats the lookup with the number incremented by one. Gift cards are often issued in sequential batches, so once the script hits one live card the neighbouring numbers are likely to be live as well; the script is effectively "guessing" card numbers starting from that first match.
- A security code, the gift card equivalent of a CVV, slows this down but does not stop it: the attacker simply cycles through every possible code, which may be anywhere from 3 to 12 digits long, until a positive response is received.
- The attacker ends up with a list of working card numbers and balances, which can be sold on gift card trading sites and drained before the legitimate holder ever uses the card.
The good news
There are plenty of fraud controls a retailer can put in place to prevent balance inquiry fraud or at least slow it down significantly. Unfortunately, attackers are often able to come up with new ways to circumvent these controls.
With that in mind, you don't need to be the most secure in every realm of your business, but you certainly shouldn't be the least secure. If you make it challenging enough for an attacker, they are more likely to set their sights on easier, less secure targets.
What can you do?
Following are some of the more basic gift card fraud controls you can implement:
- Require a security code of at least 3 digits along with the gift card number, for both in-store and online transactions. This won't stop fraud altogether, but it is probably the single most effective control a retailer can implement because it multiplies the attacker's work: a 3-digit code turns each card number into 1,000 possible combinations (about 500 look-ups on average before a hit), a 6-digit code into 1 million, a 9-digit code into 1 billion and a 12-digit code into 1 trillion. The multiplier only holds if the lookup gives the same "not found" answer whether the number or the code was wrong; if the site confirms a valid card number on its own, the attacker can find the number first and brute-force the code separately.
- Require a challenge-response test that computer programs cannot readily pass; the most common is a CAPTCHA. Some retailers see CAPTCHA as a nuisance for consumers because it adds a step for the legitimate cardholder, but it is far less hassle than restoring funds to a card that has been fraudulently depleted, and consumers are not just expecting reasonable security for their transactions, they are demanding it. One tool to consider is reCAPTCHA from Google.
- Monitor for unusual patterns in balance inquiries. If you typically see 1,000 inquiries a day and the rate suddenly jumps to 1,000 a minute, an attack is almost certainly underway. Early detection matters because it lets you take countermeasures early, such as taking the lookup site offline until the attack subsides or enabling additional controls. You don't need an analyst watching transactions 24x7; simple logic in the back end can alert you when inquiry rates cross a threshold (e.g. 1,000 per minute or 10,000 per day). A rising share of "card not found" responses is another strong signal, since real cardholders rarely look up cards that don't exist. Fraud may still happen, but you have limited your exposure to a day or less, depending on the thresholds you set.
- Have alternate gift card balance lookup methods available, such as in-store lookups, and rely on them while the website is offline during an attack response.
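The monitoring logic described above can be a few dozen lines. What follows is an added example, not code from the original article, that runs two checks over constructed sample log lines: the per-minute and per-day rate thresholds just described, and a second heuristic that flags a client whose lookups are mostly misses against consecutive card numbers, which is exactly what an enumeration script looks like in the logs. The log line format, the thresholds (scaled down so the sample stays small), the IP addresses and the card numbers are all assumptions.

```python
"""Threshold alerts and enumeration heuristics over balance-inquiry logs.

Added example, not code from the original article. The log line format
(ISO-8601 UTC timestamp, client IP, card number, FOUND/NOT_FOUND) and the
thresholds are assumptions; adapt the parser to what your lookup service
actually logs, and mask card numbers before they reach a shared log store.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone


def parse_line(line):
    """Split one log line into (timestamp, client_ip, card_number, result)."""
    ts, ip, card, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, card, result


def build_sample_log():
    """Constructed sample: a normal trickle of lookups, then one source that
    walks 80 consecutive card numbers inside a single minute and mostly misses."""
    lines = [
        "2018-11-20T10:00:01Z 203.0.113.7 6006491234567890 FOUND",
        "2018-11-20T10:00:45Z 198.51.100.3 6006491234567902 FOUND",
        "2018-11-20T10:01:10Z 203.0.113.9 6006491234567915 NOT_FOUND",
        "2018-11-20T10:03:30Z 203.0.113.7 6006491234567890 FOUND",
    ]
    base = 6006491234500000  # constructed card-number range
    for i in range(80):
        result = "FOUND" if i % 20 == 19 else "NOT_FOUND"  # roughly 1 live card in 20
        lines.append(f"2018-11-20T10:05:{i // 2:02d}Z 192.0.2.10 {base + i} {result}")
    return lines


def inquiry_rate_alerts(lines, per_minute_limit, per_day_limit):
    """The simple back-end check from the article: alert when the number of
    inquiries in any one-minute or one-day bucket exceeds its limit."""
    per_minute, per_day = Counter(), Counter()
    for line in lines:
        when, _ip, _card, _result = parse_line(line)
        per_minute[when.replace(second=0)] += 1
        per_day[when.date()] += 1
    alerts = []
    for minute, n in sorted(per_minute.items()):
        if n > per_minute_limit:
            alerts.append(f"{minute.isoformat()}: {n} inquiries in one minute (limit {per_minute_limit})")
    for day, n in sorted(per_day.items()):
        if n > per_day_limit:
            alerts.append(f"{day.isoformat()}: {n} inquiries in one day (limit {per_day_limit})")
    return alerts


def enumeration_suspects(lines, min_lookups=20, max_hit_ratio=0.2, min_sequential_ratio=0.8):
    """Per source IP, flag clients whose lookups are mostly misses against mostly
    consecutive card numbers: a real cardholder checks the few cards they hold,
    an enumeration script walks a number range and misses most of the time."""
    by_ip = defaultdict(list)
    for line in lines:
        _when, ip, card, result = parse_line(line)
        by_ip[ip].append((int(card), result == "FOUND"))
    suspects = {}
    for ip, lookups in by_ip.items():
        if len(lookups) < min_lookups:
            continue
        cards = sorted(card for card, _found in lookups)
        consecutive_pairs = sum(1 for a, b in zip(cards, cards[1:]) if b - a == 1)
        hit_ratio = sum(1 for _card, found in lookups if found) / len(lookups)
        sequential_ratio = consecutive_pairs / (len(cards) - 1)
        if hit_ratio <= max_hit_ratio and sequential_ratio >= min_sequential_ratio:
            suspects[ip] = {"lookups": len(lookups), "hit_ratio": hit_ratio,
                            "sequential_ratio": sequential_ratio}
    return suspects


if __name__ == "__main__":
    log = build_sample_log()
    for alert in inquiry_rate_alerts(log, per_minute_limit=50, per_day_limit=1000):
        print("ALERT", alert)
    for ip, stats in enumeration_suspects(log).items():
        print("SUSPECT", ip, stats)
```

Run against the sample, the rate check fires once (80 inquiries in the 10:05 minute against a limit of 50) and the heuristic names 192.0.2.10, which made 80 lookups with a 5% hit rate across entirely consecutive numbers. The sequential check is the one worth keeping even when overall volume looks normal, because an attacker who stays under the rate threshold still has to walk a number range.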
Here are a few more advanced gift card inquiry fraud controls you should also consider, based on your threat-profile:
- Move your website behind a Web Application Firewall (WAF) with advanced bot-detection and shut-down services enabled.
- Employ rate-limiting. This can be done with back-end logic in the web application, at the web-server level, at the WAF layer, or elsewhere in the technology stack. Key the limit on more than the client's IP address: attackers rotate addresses, so also limit how many lookups may hit one block of consecutive card numbers in a given period, something a legitimate cardholder never does. Depending on the implementation it may affect the user experience of legitimate cardholders, so leave room in the limits for a family checking several cards.
- Consider deploying timed responses that return the positive or negative answer only after a fixed period (e.g., 3 or 5 seconds). Most legitimate cardholders won't care or even notice. For an automated script designed to run a million times in a 24-hour period (86,400 seconds), a 5-second wait per answer can derail the attacker. Note that the timed response has to be implemented in the back-end response system, not on a front-end web server, but it needs coordination and integration with the front end to be effective. Note also that the delay only costs the attacker if each client is limited in how many inquiries it can have in flight at once; a script that opens hundreds of parallel connections is not slowed by a 5-second wait on each.
- Randomize the form field names on each page load, which makes automated scripting significantly more challenging.
- Employ multiple CAPTCHA types and cycle through them at random. CAPTCHAs are not bulletproof, but they are not terribly cheap or easy for attackers to overcome. Some are as easy as clicking an "I'm not a robot" button, while others are more difficult, using visually distorted characters, pictures or math problems.
- Present the balance itself in a CAPTCHA-style form (for example, rendered as a distorted image rather than plain text) that is easy for a human to read but not so easy for a machine to parse.
- It may be tempting to implement authentication controls for the inquirer, such as passwords, user IDs, or secret codes sent via text message. While these tools can work, most run afoul of state gift card escheatment laws because they tie a retail gift card back to a specific individual.
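The rate-limiting and timed-response controls above, combined, as an added example that is not part of the original article. It keys the limit both on the client address and on the card-number range being probed, because an attacker who rotates IPs still walks through one block of consecutive numbers, and it holds every answer, hit, miss or rate-limited, to the same floor. The bucket sizes, the 4-second floor, the 16-digit card format, the IP addresses and the single constructed live card are all assumptions; the simulation injects a fake clock so it runs without real delays.

```python
"""Per-client and per-card-range rate limiting with a fixed response floor.

Added example, not code from the original article. The bucket sizes, the
'card range' key (a 16-digit number minus its last four digits, i.e. one
block of 10,000 cards) and the in-memory bucket store are assumptions. In
production the buckets live in a store shared by every web node (or in the
WAF); otherwise an attacker spread across nodes gets a fresh allowance on each.
"""
import time
from collections import Counter


class TokenBucket:
    """Token bucket: each key starts with `capacity` tokens and earns `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}  # key -> (tokens, time of last refill)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


class BalanceInquiryGate:
    """Wraps the real balance lookup with per-client and per-range limits and a response floor."""

    def __init__(self, lookup, response_floor=4.0, clock=time.monotonic, sleep=time.sleep):
        self.lookup = lookup  # callable (card_number, security_code) -> balance or None
        self.response_floor = response_floor
        self.clock, self.sleep = clock, sleep
        # Assumed limits: a person checks a handful of cards, a script checks thousands.
        self.per_client = TokenBucket(capacity=10, rate=1 / 8)   # burst of 10, then one every 8 s per IP
        self.per_range = TokenBucket(capacity=50, rate=1 / 64)   # burst of 50, then one every 64 s per 10,000-card block

    def inquire(self, client_ip, card_number, security_code):
        start = self.clock()
        card_range = card_number[:-4]  # sequential issuance means guessed numbers share this prefix
        if not (self.per_client.allow(client_ip, start) and self.per_range.allow(card_range, start)):
            return self._respond(start, {"status": "RATE_LIMITED"})
        balance = self.lookup(card_number, security_code)
        if balance is None:
            # Same answer whether the number or the code was wrong, so the attacker
            # cannot confirm the number first and brute-force the code separately.
            return self._respond(start, {"status": "NOT_FOUND"})
        return self._respond(start, {"status": "OK", "balance": balance})

    def _respond(self, start, payload):
        """Hold every answer until the floor has elapsed: each guess costs a fixed
        wait, and a hit is not distinguishable from a miss by timing alone."""
        remaining = self.response_floor - (self.clock() - start)
        if remaining > 0:
            self.sleep(remaining)
        return payload


class FakeClock:
    """Injectable clock so the simulation below runs without real sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate_enumeration(n_guesses, rotate_ips):
    """Drive the gate with a script that walks consecutive card numbers, either from
    one IP or from a fresh IP per request. Returns (status counts, fake seconds elapsed)."""
    clock = FakeClock()
    live_cards = {"6006491234560007": ("123", 25.00)}  # constructed: one live card in the scanned block

    def lookup(card_number, security_code):
        entry = live_cards.get(card_number)
        return entry[1] if entry and entry[0] == security_code else None

    gate = BalanceInquiryGate(lookup, response_floor=4.0, clock=clock, sleep=clock.sleep)
    counts = Counter()
    for i in range(n_guesses):
        client_ip = f"198.51.100.{i}" if rotate_ips else "198.51.100.1"
        result = gate.inquire(client_ip, str(6006491234560000 + i), "123")
        counts[result["status"]] += 1
    return dict(counts), clock.now


if __name__ == "__main__":
    print("single IP, 40 guesses:", simulate_enumeration(40, rotate_ips=False))
    print("rotating IPs, 60 guesses:", simulate_enumeration(60, rotate_ips=True))
```

The two simulated runs show the division of labour. From a single IP, 40 consecutive guesses get 29 real lookups and 11 rate-limited refusals; with a fresh IP per request the per-client bucket never fills, but the per-range bucket still cuts 60 guesses down to 53 lookups, and every request, refused or not, costs the full floor. The floor on its own would not stop a script that opens many connections in parallel; the allowances cap how many lookups an attacker gets per hour, and the floor then makes each allowed guess cost wall-clock time.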
If you're unsure about hosting your own gift card inquiry website, consider outsourcing it to a third party. Keep in mind, though, that a third party hosting lookups for many retailers is an even bigger target and may have offline periods due to the kinds of attacks described above. If a hosting provider guarantees a fraud-free experience, walk away; it's not possible. Preventive controls are a must, but the ability to detect and respond when those controls fail is just as important.
Reach out to your relationship manager for more information.