E-gift Card Bot Attacks and Their Impact on E-commerce Businesses
E-gift Cards are the New Gift Standard
E-gift cards have become one of the most popular gift options for most events including birthdays, anniversaries and retirements. They are extremely easy and fast to purchase, personalize and use without requiring an in-store visit. For the recipients, e-gift cards allow them to buy what they want and when they want it, saving potentially frustrating trips to the store to return or replace unwanted gifts.
According to Blackhawk Network’s State of Consumer Gift Card Preferences in 2018, 55% of consumers surveyed report being interested in giving or receiving digital gift cards that can be added to a mobile app or digital wallet, with the younger generation especially interested. 55% of consumers are interested in giving and 67% are interested in receiving a digital gift card. From a business perspective, e-gift cards can attract new customers, increase brand awareness and increase revenue.
The gift card market has skyrocketed and is valued at over $381B for 2020. It is expected to exceed US$575B by the end of 2026, growing at a CAGR of 6.0% during 2021-2026. According to TotalRetail, digital gift cards accounted for nearly 20% of holiday gift card sales in 2019, and the rise of digital gifting continues to have a major impact on retail growth.
The most popular e-gift cards are issued by the top general merchandise brands such as Amazon, Target, Wish and Walmart. Big food and beverage brands such as Starbucks and McDonald's, as well as sports and fashion brands like Nike, Adidas and Nordstrom, also hold a significant piece of the e-gift card market. Smaller and boutique brands are experiencing growth in gift card sales as well.
Every successful financial instrument with billions in revenue attracts bad actors, and the increasing risk to e-gift cards confirms it.
E-gift Card Cracking and Account Takeover (ATO)
In general, automated gift card attacks are carried out in two main ways:
- E-gift card cracking: Attackers brute-force e-gift cards by using automation to enumerate combinations of digits and letters. Scripts run millions of variations of these combinations, usually based on known used gift card numbers. Attackers can check balances and empty existing gift cards by purchasing items or transferring funds to other cards.
- Account Takeover (ATO) based e-gift card attack: This is an attack in which criminals take unauthorized ownership of online accounts using stolen usernames and passwords. The criminals gain credentials to a credit card or loyalty rewards program, then try to redeem the victim’s points for e-gift cards and eventually convert them into hard currency using online gift card exchange services.
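As an added example (not from the original post or from PerimeterX), here is one way a retailer could spot the card-cracking pattern described above in its balance-check logs: many distinct card numbers, mostly invalid, looked up inside a short window. The log record layout, the thresholds and the 8-character prefix grouping are assumptions made for illustration, and the card numbers are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumed sliding window
MAX_DISTINCT_CARDS = 5   # assumed: a shopper rarely checks more cards than this
MIN_INVALID_RATIO = 0.8  # assumed: guessing produces mostly invalid numbers

def find_enumeration(events, key):
    """Return {group: first alert timestamp} for groups whose lookups inside one
    window cover more than MAX_DISTINCT_CARDS distinct cards, mostly invalid.
    events: time-ordered (ts, client, card, valid); key: event -> group."""
    windows = defaultdict(deque)
    alerts = {}
    for ev in events:
        group = key(ev)
        win = windows[group]
        win.append(ev)
        # Drop lookups that have aged out of the window.
        while win[0][0] <= ev[0] - WINDOW_SECONDS:
            win.popleft()
        cards = {e[2] for e in win}
        invalid = sum(1 for e in win if not e[3])
        if (group not in alerts
                and len(cards) > MAX_DISTINCT_CARDS
                and invalid / len(win) >= MIN_INVALID_RATIO):
            alerts[group] = ev[0]
    return alerts

def by_client(ev):
    return ev[1]

def by_prefix(ev):
    # Assumed: guesses derived from a known card share its leading characters,
    # so grouping by prefix still sees a run spread over many clients.
    return ev[2][:8]

def sample_events():
    """Constructed sample: one shopper, one noisy client, one distributed run."""
    events = [(10, "shopper-1", "9999000011112222", True),
              (40, "shopper-1", "9999000011112222", True)]
    # One client walking sequential numbers, one lookup per second, all invalid.
    events += [(100 + i, "client-A", f"99990001{i:08d}", False) for i in range(20)]
    # The same kind of walk spread over many clients, one lookup each.
    events += [(200 + i, f"client-B{i}", f"99990002{i:08d}", False) for i in range(20)]
    return sorted(events)
```

Grouping by client catches only the single noisy source; grouping by card prefix also catches the run that is spread across many clients, which per-client rate limits miss.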
At PerimeterX, we have noticed that ATO attacks are increasing, especially leading up to the holiday season and other sales peaks. Recently, black-hat hackers have started to improve their tools and become more aggressive with their attacks.
The anonymity of stolen e-gift cards, coupled with their wide acceptance on the dark web, makes them the new virtual currency, similar to bitcoin. The issue has become a real concern for the American authorities, and the FBI issued a warning late last year against scammers that ask for gift cards as payment for goods or services in marketplaces.
Money laundering involving e-gift cards and other prepaid cards is on the rise due to this anonymity.
The stolen cards are being sold both on the internet and on the dark web, as shown in the examples below:
E-gift Card Bot Attacks are a Threat to Online Retailers
For online retailers, automated bot attacks on e-gift cards represent a growing problem that impacts customer loyalty and conversions, with customers becoming frustrated over drained gift cards. These attacks also impose additional costs on the business to investigate the incidents and handle the legal and financial aspects of the damage. When stolen e-gift cards are publicly sold on the dark web, it also hurts the retailers’ brand reputation and customers’ trust.
Retailers also face additional problems that arise on the operational side. E-commerce businesses often use e-gift card validation services that prevent human e-gift card fraud. These services usually charge for every card validation attempt, which quickly adds up during automated attacks that can do millions of validations within an hour. The automated traffic also burdens the infrastructure, which can not only lead to excess infrastructure costs but also cause application slowdowns and downtime, ultimately resulting in poor customer experience.
Protecting Your E-gift Cards From Bots
Consumers and online businesses enjoy the benefits of e-gift cards, but the rising threat of bot attacks on e-gift cards casts a shadow over this lucrative payment channel. E-gift card theft hurts customer trust, impacts revenue and imposes unnecessary costs on the business.
Retailers need to be more mindful of this risk and implement technology solutions to mitigate bot attacks that abuse their e-gift cards and hurt their online revenue.
In the next blog, we will look into e-gift card cracking attacks: recent attacks and trends, the methods and tools used by the attackers, and what can be done to protect against them.