Approaching Valentine’s Day, or any other landmark sentimental day, gift card sales leap. The peak is the day before Valentine’s, as buyers of flowers, jewelry, stuffed animals and other gift products panic and retailers rejoice. For eleven years running, gift cards are the most desired holiday gift item, according to a survey commissioned by the National Retail Foundation, and they continue their popularity on gift-giving days beyond the holiday season. There’s joy among cybercriminals, too, and elevated danger of them stealing the money that was intended to show the love.
Who doesn’t use gift cards
Ninety-three percent of U.S. consumers purchase or receive a gift card annually, and the total volume of gift cards purchased in the U.S. is projected to reach $160 billion this year, according to studies listed at GiftCards.com. Most gift cards have some vulnerability to automated attacks, so the problem isn’t confined to digital gift cards. Thieves have noticed. Gift cards appear to have gained favor as a target for hackers, as fraud-related chatter on the “Deep & Dark Web” centered around gift cards rose greatly since mid-2016 according to intelligence firm Flashpoint.
What’s new in gift card bot scams
The good sentiments and dire pressures of Valentine’s Day may remain unchanged, but theft of gift card balances has changed radically. In the good old days, one saw individual hackers breaking into a single account using simple script bots or even social engineering.
Today, professionalized crime organizations target gift cards as a large-scale business, relentlessly deploying automated tools and new techniques to break through yesterday’s defenses. In recent years, PerimeterX has observed simple script bots – the traditional weapons used to attack gift card accounts – being replaced with advanced later-generation bots that are capable of intricate and subtle deception en masse. We expect this weapons upgrade by the attackers to continue in 2018.
Advanced bots enable attacks which, despite being automated and large scale, often make just one or two uses of each individual IP address and thus evade volumetric detection. These later-generation bots are adept at mirroring human behavior. Cybercriminals are learning to attack using tools and methods that are invisible to traditional protection measures.
Mobile channels are increasingly targeted, since visitors from mobile devices were the source of the majority of ecommerce traffic during the 2017 holiday shopping season, according to Adobe Digital Insights. Mobile shoppers also deliver a burgeoning share of sales revenue. Moreover, mobile apps are – almost without exception – not designed to be safe, as PerimeterX has found.
Gift card vulnerabilities
What makes gift cards such an interesting target?
First, gift cards are often sequentially numbered, making it much easier for attackers to find correct numbers. We discussed this vulnerability in our research last year. The page where consumers check their balance is often a vulnerable attack point. These factors work together to make gift cards an easier target than credit cards.
E-gift cards come with an additional vulnerability - account takeover attacks – that plastic gift cards do not have. Very few retailers have the most current and effective technology in place today to protect their gift card balance checker pages and their customer accounts.
Ripoff methods abound and evolve
Automation supports brute force attacks, where botnets try millions of combinations of pin codes and card numbers, in highly distributed attacks. These armies of bots are used to crack gift cards, and cash out the balances.
Cyberthieves also use stolen credit cards to buy fresh, new gift cards online. Gift cards that are stolen, or fraudulently purchased, can be resold on resale websites, with the hacker taking a markdown but walking away with cash. This approach relies on access to lots of “high-quality” stolen cards. In early February, US law enforcement took down InFraud, which allegedly provided an anonymous marketplace for stolen data and payment cards that led directly to over a half billion dollars of fraud losses.
In the mobile channel, attack methods include impersonation, emulation, and automation. For more detail, see this 2017 PerimeterX blog.
Retailers can stop gift card ripoffs, but passivity won’t work
Retailer are likely to incur several dollars in costs for every dollar that is stolen from a gift card. The costs include reimbursement, resources lost to administrating and correcting the complaints from rightful card owners, and reputational damage, as well as the loss of loyal customers.
Don’t wait for a massive gift card ripoff to hit your customers. Criminals will not miraculously overlook any retailer’s gift card programs; all retailers of size are on their hit list. Proactive counterattack against bot campaigns is a fiscal and marketing imperative. Waiting for significant losses to justify plugging the gaps is not a strategy. Here are some measures to take:
- Require a login to check gift card balances. You may be worried that it adds friction to the shopping experience, but consumers will tolerate having to create an account to see how much money they have. The login is a valuable barrier against bots.
- Subject certain transactions to greater scrutiny. According to the 2017 Global Fraud Index, the likelihood of fraud leaps dramatically as the size of the transaction rises. Retailers can monitor for unusually large purchases, and have human agents check into them. Accessing the e-gift card account from a different country is also a red flag.
- Defend against automated attacks specifically. Learn about automated attacks, so you can deploy the right defenses and protect your customers, your business reputation, and your infrastructure, which can be smothered by the sheer volume of bot activity.
- Deploy new-generation tools that intercept all bots. Behavior analysis can detect in real-time the profile of every user and interaction with your site or mobile app; and determine whether each user is a legitimate human customer, or a malicious bot, by comparing the behavioral fingerprint to the range of known human behavior. Traditional defenses that catch only basic bots have their place, but do not provide an adequate defense for your gift card programs anymore.
- Captcha. Requiring that single click at unexpected points in the purchase process, can weed out simpler bots.
Predicting Bot or Not with high accuracy helps retailers to #KickSomeBot and protect their gift card programs
The newest behavioral analysis and highest accuracy prediction of PerimeterX works by identifying reliable characteristics of human activity on your web pages, and then catching deviations from those telltale markers – in real time. This is radically different from the traditional approach of signature detection, where a bot – let’s call it the Valentine’s Day Heartbreaker – is identified, and a security tool waits until that particular bot’s signature is detected. The obvious downfall of that approach is that Heartbreaker 2.0 and 3.0 look a bit different, and skip past without raising alarms. Behavioral analysis doesn’t try to match the signature of a known bad actor. Instead, it says, “If you’re not human, you’re outta here.” It is successful because all bots deviate from human behavior in some way.
We hope you will examine the security of your gift card programs in view of today’s bot threats, and #KickSomeBot.