The most requested item on holiday wish lists—gift cards—is popular among criminals, too. Unfortunately, many cards lack some robust protections that help curb fraud.
Chatter around gift cards on the dark web where criminals communicate has increased significantly over the last year, according to report this year from Flashpoint. Gift cards are especially attractive to fraudsters because they are low risk even if they get caught, says the report’s author Liv Rowley, an intelligence analyst, “You can pretty easily deny fraudulent activity,” she says.
And, unlike credit or debit cards, there are no federal laws limiting gift card loss liability for consumers. Retailers don’t have to swallow gift card losses, so they also aren’t as invested in safeguarding the funds as banks are with credit cards.
According to a ValuePenguin survey of 62 popular store gift cards, just 37% of gift cards come with the trio of features we think optimizes their security: theft and loss protection, a security code (or PIN) and online balance checks that combat bot attacks.
How criminals steal gift card money
There are a number of ways criminals can access gift card funds before you even use the card. Sophisticated hackers run automated bots through a store’s online balance check, trying random numbers and corresponding security codes, or PINs, until a gift card balance is found. Once a balance is detected, the hacker knows the card has been activated, and has available funds. The fraudster can then sell the card details, and balance, online at gift card exchanges or on the black market.
Other criminals use more rudimentary methods to get card numbers, such as scanning the magnetic strip on unsold gift cards in stores. Others scratch off the strip covering the gift card number and security code and replace it with a new strip, which they buy online. Then, they check the balance online, waiting until the card is purchased and activated. Once it is, they sell the card information.
While there’s no foolproof way to safeguard the funds on your gift card, there are ways to limit your exposure. Here are eight steps to protect yourself.
Get cards with secure online check balances
Stop fraudsters before they start by getting gift cards that make it hard for fraudsters to determine if a card has been activated and has an available balance. There are two ways to ensure this.
Choose a card that has an online balance check protected by a CAPTCHA, or a challenge-response test. Common ones require you to input random numbers and letters displayed in a box or to check a “I Am Not A Robot” box. This security mechanism won’t complete a transaction, such as an online balance check, if it detects the user is a bot.
Or, select a gift card that requires a user to log in to an account to check a balance such as Amazon or Netflix. This will “frustrate cybercriminal efforts because it adds another step for cybercriminals and the bot’s (balance) checking activity can be monitored and stopped by the (retailer),” says Rowley.
ValuePenguin found that three in five the gift cards in the ValuePenguin survey had an online balance secured by CAPTCHA or required an account log-in.
Choose a card with loss/theft protection.
Make sure your card recipient has some kind of recourse if they find a zero balance on their gift card--or even if they lose the card, for that matter. ValuePenguin found that just over half of the gift cards (53%) surveyed provided loss/theft protection. Notable retailers that don’t protect against loss or theft, according to the cards’ fine print, include Amazon, Walmart, Apple and Costco. Select one that explicitly offers this protection.
Document the card’s usage.
Retailers often require documentation to replace any gift card funds under their loss/theft protection policy. Keep a copy of the card’s number and security code, the original receipt showing the card purchase, and any receipts for transactions you’ve made on the card. If you’re giving a gift card, provide the recipient with the receipt as well, and let them know about the protection and how to use it if needed.
Buy well-packaged cards.
Choose cards with packaging that covers the card number and security code, and so would easily show any evidence of tampering. A scratch-off strip covering the card number and security code is not enough, because an artful fraudster could replace scratched-off strips with ones they bought online.
Avoid buying cards that are displayed in kiosk or rack that’s readily accessible, and might allow cards to be tampered with. Instead, ask for cards that have been kept behind the counter. Alternatively, purchase physical gift cards online. Fraudsters can’t easily access the details of these cards.
Go for an e-gift card
Skip the presentation and opt for an e-card. It’s harder for criminals to get an e-card’s details because those are protected by your recipient’s email username and password.
Change the security code, if possible
Some gift cards—such as ones with the Visa logo—allow you to personalize the security code or PIN. If changing the code is an option, register the card immediately after purchase, change the PIN and tell the recipient the new code.
Get a card your loved one will use quickly
The faster the funds are spent on the gift card, the less likely a criminal will get to them first. So, choose a gift card to a retailer that your loved one frequents, so the card won’t end up in a drawer unused. If you have any doubts, get a generic card from American Express, Visa, MasterCard or Discover that can be used in any store that accepts those logos.