Poor risk management’s making gift cards a reward for fraudsters

Register now

Many companies don't think of their gift card or rewards platform as the first place to protect from fraud, which is why hackers pounce on this opportunity to steal loyalty and reward points to cash them for anything like vacations, digital goods and other services.

Just recently, a group known as the Fatal Error Crew breached the gift card platform of the C&A clothing chain in Brazil. These hackers broke into the C&A gift card platform and stole the ID numbers of gift cards, email addresses, amount loaded onto the cards, order number and date of purchase.

What’s more interesting is that, based on the hacker’s statement, their primary goal was not to make money with the stolen data — in their statement they say that they “do not endorse financial crimes” — but to give C&A some sort of lesson. Whether you trust that the stolen information is safe in their hands is another matter.
The reality is that the Fatal Error Crew hacker group can now use any of the information extracted from the C&A systems to commit gift card fraud. This means that C&A should implement security measures that go beyond static credentials and card numbers to detect anomalous activity in their gift card redemption placement. Security solutions that look for anomalous behavior based on the user’s inherent patterns can help companies like C&A mitigate post-breach threats like the one C&A is facing.

Gift cards are often not closely monitored or tracked, creating a security black hole. The techniques criminals use to exploit gift cards are as numerous as they are lucrative, starting from the basic online purchase of goods as a guest to avoid leaving a trace. Some companies already know the trick and force gift card users to create an account before they can use it.

Of course, this is not stopping fraudsters: There is software available for cheap that creates new accounts en masse and then bad actors can go in and cash out their stolen gift cards.

Reward or loyalty points are another particular high-value target for hackers because they don’t trigger a credit card payment event. Additionally, one in three program members only checks their balance once every few months and one in ten never check their balance according to the consumer fraud report from Connexions Loyalty. The report also reflects that U.S. consumers maintain approximately 3.8 billion loyalty program memberships in 2017 alone along with stored points and travel miles in the U.S. that are valued at $48 billion. That makes for a temptingly large target for bad actors.

If online companies are only monitoring the outcome of purchases and transactions, they are leaving themselves open to a whole world of risk they have no visibility into. Along with account takeover fraud, nontraditional risk points such as reward and loyalty points management or cash out out should be continuously monitored.

To spot high-risk activity, whether it is around the gift card or reward points environment, it’s not enough to verify the username, password and easily spoofed information such as location, connection and device. Instead, online companies need to utilize a multilayer security solution that includes technology that focuses on a user’s unique physical relationship with a device, such as passive biometrics. By factoring in myriad variables, ranging from patterns of behavior — how someone fills out a form or moves inside an account — right through to how hard a customer types on a device companies can detect high-risk behavior that normally goes unnoticed. These techniques, applicable to any placement, represent the cutting-edge in fraud prevention.

Gift card, reward points and payment information will continue to be exposed and available to whoever wants to purchase it. But it’s up to companies to implement security barriers that devalue this information.

For reprint and licensing requests for this article, click here.
Retailers Loyalty and rewards Payment fraud ISO and agent