If you use retail store gift cards, you should know: They’re not safe. Criminals are remotely draining their value, and unlike credit cards, consumers have no fraud liability protections. If your retail gift card is hacked, you are screwed — you have no rights to get the money back.
It happened to JoNel Aleccia of Seattle recently. She bought a $100 Nike gift card for her son-in-law at a QFC grocery store. By the time he got it, the card had only $6.76 in value left. She complained to QFC, who sent her to Nike customer service. Nike said the card was used for $93.34 on July 26 at a nearby factory outlet store. And that was it.
“Nike told me the card was used in Seattle and they’ve had no further response,” Aleccia said. She went to the QFC store where she bought the card, and a manager wrote down her name, but nothing further happened.
Fortunately, Aleccia’s story has a happy ending. After I contacted Nike about the incident, the firm told me it would refund her money.
But you might not be so lucky. So I’m recommending you stop buying gift cards; at a bare minimum, don’t buy them from third parties like grocery stores. And if you get a gift card, spend it immediately.
Gift card hacking has been around for a while, but it used to be hard work, barely worth the risk. Criminals had to write down card numbers, put the cards back on store shelves, then lie in wait until consumers activated them. It could be done, but criminals risked appearing on store video cameras. Because Aleccia’s card was used by criminals nearby, it’s a good guess that she was hit by this version of the crime.
But automated hacking — where attackers use bots to remotely find gift cards with value and sell them — presents a deeper threat to gift cards.
“Nike does not disclose our security protocols, but we do have systems in place to reduce risk for our consumers,” the firm’s Brian Strong said to me in an email.
Zach Stratton, a spokesman for QFC, says his firm does look into complaints from consumers about gift cards.
“It’s general procedure in the grocery industry for gift card sales to be final: no refunds or exchanges,” he said. “However, if a customer shares with us that they’ve purchased an undervalued gift card or they feel fraudulent activity has transpired, we generally will open an investigation. The investigation would require the customer to provide as much information as they can about the suspicious activity. During the investigation, our customer service team would contact the gift card retailer in an effort to recover the dollars for the customer.”
Retailers are under no legal obligation to do so, however, according to Christina Tetreault, a staff attorney with Consumers Union.
“Gift cards are not covered” by the fraud laws that govern other kinds of plastic-card transactions, she said. “You will see some instances in some terms and conditions where the provider may offer those types of protections, but that is very rare.”
Making matters worse, there’s a new, more ominous flavor of gift card hacking that surfaced earlier this year. In March, security firm Distil Networks discovered a bot program called GiftGhostBot that was brute-force testing possible gift card account numbers at retailer websites. The bot hit balance-check pages, testing numbers to look for “hits” — active accounts with balances.
“On one customer website, the analyst team recorded 4 million bad bot requests per hour – nearly 10 times their normal level of traffic. On average, the operators of GiftGhostBot can test as many as 1.7 million gift card account numbers per hour,” the firm said.
Once the bot detected a live card, it could offer it for sale on numerous forums where gift cards are sold for as little as 20 cents on the dollar.
Laura Hillman, a spokeswoman for Distil, told me on Friday that the risk from GiftGhostBot has passed.
“It looks like that particular bot syndicate has died down and we are not seeing it on gift cards at the moment,” she said. Clearly, the attack worked for a while, however.
More recently, security firm Flashpoint added another data point to the discussion. At least some retailers do a bad job of randomizing account numbers.
“Many gift cards are numbered sequentially. This characteristic not only eliminates the need for any guesswork, it makes it relatively easy for cybercriminals to ascertain the numbering convention used for many gift cards,” wrote Flashpoint analyst Olivia Rowley in a report issued in May. “Armed with the numbering convention, cybercriminals can then test possible gift card number combinations on the targeted business’s gift card balance checker or via a third-party site with the same purpose. As manually checking hundreds of possible numbers would be an incredibly tedious task — not to mention the likely-low success rate for discovering valid cards — many cybercriminals turn to automation for assistance with this task.”
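The Distil and Flashpoint findings above describe one mechanism from two sides: a bot hammering a retailer’s balance-check page, and sequential numbering that tells it which numbers to try. What follows is an added example, not code from this article or from Distil or Flashpoint, of what a retailer would look for in its own logs and why number randomization changes the economics. It scores each source IP on check velocity, share of invalid numbers and whether the numbers it tried are consecutive, then estimates how long blind guessing takes against a random 16-digit space versus a sequential range. The log format, IP addresses, card numbers and thresholds are constructed assumptions; the 1.7 million checks per hour is the figure Distil quoted.

```python
"""Balance-check enumeration detector plus an enumeration-cost estimate.

Added example; not code from the article, Distil Networks or Flashpoint. The log
format, IPs, card numbers and thresholds below are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source walking consecutive card numbers (the
# GiftGhostBot pattern), plus two ordinary shoppers. Format is hypothetical.
SAMPLE_LOG = "\n".join(
    [f"203.0.113.7 2017-07-26T10:00:{i:02d} /giftcard/balance card={9999000000000100 + i} result=invalid"
     for i in range(11)]
    + [
        "203.0.113.7 2017-07-26T10:00:11 /giftcard/balance card=9999000000000111 result=ok",
        "198.51.100.4 2017-07-26T10:02:30 /giftcard/balance card=9999000000004821 result=ok",
        "198.51.100.9 2017-07-26T10:05:00 /giftcard/balance card=9999000000007719 result=ok",
        "198.51.100.9 2017-07-26T10:05:40 /giftcard/balance card=9999000000007719 result=ok",
    ]
)

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<path>\S+) card=(?P<card>\d+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse lines in the assumed format into dicts, oldest first; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def flag_enumeration(events, window_seconds=60, max_checks=5, min_invalid_ratio=0.5):
    """Return {ip: stats} for sources whose balance checks look like enumeration:
    many checks in one window, mostly distinct numbers, mostly invalid.
    A shopper re-checks one card a few times; a bot walks new numbers and fails
    most of the time. Thresholds are assumptions to tune per site."""
    by_ip = defaultdict(list)
    for e in events:
        if e["path"] == "/giftcard/balance":
            by_ip[e["ip"]].append(e)  # still time-ordered; parse_log sorted them

    flagged = {}
    for ip, evs in by_ip.items():
        # Two-pointer sliding window: most checks this IP made in any window_seconds.
        peak, start = 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        cards = sorted({int(e["card"]) for e in evs})
        stats = {
            "total": len(evs),
            "peak_checks": peak,
            "distinct_cards": len(cards),
            "invalid_ratio": sum(e["result"] != "ok" for e in evs) / len(evs),
            # Consecutive numbers are the fingerprint of walking a sequential range.
            "consecutive_pairs": sum(b - a == 1 for a, b in zip(cards, cards[1:])),
        }
        if (peak > max_checks and stats["distinct_cards"] > max_checks
                and stats["invalid_ratio"] >= min_invalid_ratio):
            flagged[ip] = stats
    return flagged


def hours_to_find_one_live_card(number_space, live_cards, checks_per_hour=1_700_000):
    """Expected hours of blind guessing before one live card turns up, at the
    1.7 million checks per hour Distil attributed to GiftGhostBot. With sequential
    numbering, number_space shrinks to the issued range; with 16 random digits it is 10**16."""
    return number_space / live_cards / checks_per_hour


if __name__ == "__main__":
    for ip, stats in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"enumeration suspected from {ip}: {stats}")
    print("random 16-digit space, 10M live cards:",
          round(hours_to_find_one_live_card(10**16, 10**7)), "hours per hit")
    print("sequential range of 10M, 10M live cards:",
          hours_to_find_one_live_card(10**7, 10**7), "hours per hit")
```

The detector is meant to run over a balance-check endpoint’s access log (or a streaming equivalent) and feed rate limiting or a challenge page; the cost estimate is the argument for the fix on the issuing side, where a random number space combined with a separate PIN pushes the expected time per hit from seconds to hundreds of hours at the quoted bot speed.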
Rowley told me this weekend that bot attacks on cards are actually expanding into new criminal “marketplaces.”
“Cybercriminals employing automated checking of gift card balances in order to find those with balances for resale continues to be a problem,” she said. “Following the closure of the AlphaBay and Hansa marketplaces, many vendors of these products have become active on DreamMarket or are looking to establish their own personal shops.”
Don’t lose sight of the point of this story: Unlike credit/debit cards, consumers have no fraud protection rights when dealing with gift cards. If the balance is stolen, it’s gone, unless a retailer decides to “do a solid” for a customer.
It’s hard to say how common gift card balance theft is. Payments security expert Avivah Litan, from the Gartner consultancy, said criminals who used to hack credit cards have turned to gift cards instead in response to the advent of harder-to-hack chip-enabled “EMV” credit cards. Gift cards still rely on old magnetic stripe technology.
“Gift card (and) loyalty schemes are on the rise and have been for a while,” she said.
Another hint: Rowley’s report includes a chart showing a dramatic increase in chatter about gift card hacking that began in late 2015, when EMV credit card rules kicked in.
There was a spike in gift card balance theft during the last holiday season — or at least, folks noticed the theft more. It’s easy to find stories about individual cards being drained (of $1,000!) both from major media and on discussion boards.
It’s critical to note that this problem has been around for a long time. About 15 years ago, a magnetic stripe crime expert demonstrated it to me at msnbc.com. At the time, major retailers giggled about the likelihood of the crime.
Then, the National Retail Federation issued a press release confirming that the crime existed, but its significance was being exaggerated by the media. That was in December 2006.
Use of the old magnetic stripe technology makes gift cards susceptible to old-fashioned card cloning. Someone can steal the balance from one card and easily “write” it on a second card to commit a crime. Just buy a $5 Nike card and re-write the magnetic stripe with data from a $100 card.
RED TAPE WRESTLING TIPS
Consumers can protect themselves a bit. When buying a card, look carefully at the packaging. Does it look like someone bent the cardboard back to peek at the number? Are there any signs that the scratch-off area has been tampered with? If so, leave the store immediately. It’s logical to think that third-party sellers with massive walls of unprotected cards can be more easily victimized by the card replacement version of this crime, so buying cards directly from retailers probably helps a little. Also, if you received a gift, spend the value immediately. The longer the value sits there, the greater the chance someone else will find it and use it.
But really, there isn’t much you can do to ward off gift card balance theft. More notably, if your retailer suffers an automated attack, there’s nothing you can do to protect yourself.
Other than this: Don’t buy gift cards unless you are assured they come with fraud protection. It might be a while. The Consumer Financial Protection Bureau’s new stored-value card rule, which does include fraud protections for some kinds of pre-paid cards, specifically excludes gift cards.