Unwrapping holiday gift card fraud
by Carmen Honacker - Director of customer advocacy, ThreatMetrix - Friday, 29 November 2013.
Spending on gift cards is expected to hit new highs this holiday season – the National Retail Federation predicts that gift card sales will reach almost $30 billion. Unfortunately, cybercriminals are finding way to cash in as well. This leaves merchants with the pressing issue – how to capitalize on gift card revenue without increasing the risk for fraud?

Gift cards represent an important revenue stream – avoiding them altogether will undoubtedly cost you sales. Yet with the high transaction volumes during the holidays, retailers don’t have the bandwidth to manually analyze gift card sales or redemption. And the fraudsters count on the fact that retailers are too busy to track them.

Physical gift cards present a variety of security challenges – thieves have been known to steal, tamper with and replace gift cards from kiosks in brick and mortar stores. These exploits require comprehensive security measures – from costly in-store personnel to requiring additional identification when purchasing gift cards with a credit card.

But online activities are even more difficult to protect from fraud. Cybercriminals act on a global level, and online identities are fairly anonymous. With so many physical and virtual gift cards flowing through the economy, it’s not difficult for criminals to misdirect some of them, capitalizing on the profit.

The gift that keeps on taking

The gift card fraud risk doesn’t stop on December 25, as the cards purchased for the holidays will be redeemed throughout the year. The flexibility and anonymity of gift cards are very attractive for criminals - a gift card is like cash in hand. Here are a few of the most common online exploits involving gift cards.

Stolen virtual gift cards - For those last-minute gifts, nothing is as convenient as online gift cards or e-certs. Gift givers can send them at the last minute and they’ll arrive on time. If a criminal intercepts that digital certificate and steals the account information or redemption code, they can get to the goods before the intended recipient does. Cybercriminals will often redeem electronic gift cards for real physical goods, which they can then resell for profit in other countries or on auction sites.

Gift cards purchased with stolen credit cards - A gift card is one way to turn a stolen credit card into cold hard cash. Cybercriminals can purchase large quantities of physical or electronic gift cards using stolen credit cards. They can either resell the gift cards or use them to purchase goods for resale.

Theft of virtual and online goods - This holiday, the Xbox One and Sony PlayStation 4 (PS4) will drive sales of gift cards for games and gaming credits that will be redeemed both immediately and in the coming months. Unfortunately, virtual reality isn’t free of real crime – there’s a thriving black market in virtual goods such extra lives, points and customized features in online games. Even e-certificates for gaming points have value to the online fraudster.

Protecting online gift card transactions

Businesses cannot prevent people from losing their credit cards or from having their email (with electronic cards) hacked on insecure Wi-Fi networks. But they can try to protect the transactions that often lead to fraud losses.

One way cybercrime can be prevented is by analyzing online gift card purchases for the presence of stolen credit cards. These can be detected through a variety of risk factors, including a single device using several different credit cards or a transaction where the actual location of the device does not match the credit card holder’s address. Businesses should subject these transactions to additional scrutiny or real-time step-up authentication.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th