Gift cards will be America’s second most popular present to give this holiday season, trailing only clothing. Six in 10 givers will buy someone spendable plastic, according to the National Retail Federation. But if gift recipients had their way, gift cards would be No. 1. (Clothing came in second, 61% to 55%. Books were a distant third. If you’re curious, women like gift cards much more than men.)
Givers will purchase an average of four gift cards worth $45 each; total spending will reach $27.6 billion.
All of you should seriously reconsider.
Most of that money will be at serious risk of being stolen by hackers, and precious few consumer protections are available to victims. Often, there are none. That’s so important it needs to be repeated. Gift cards don’t come with credit-card-style fraud protections; if they are hacked, consumers don’t have any right to a refund.
This has been true for a while, but it’s much more important to know now that criminals are working harder to steal from gift cards. Why? Because, as you probably have noticed, most plastic gift cards still employ those 1960s-era magnetic stripes that credit-card issuing banks have abandoned. New chip-enabled credit and debit cards are much harder to hack (or harder to clone, anyway). So card hackers have turned to the less-protected gift card market. They have developed techniques to drain the value of gift card plastic while it stays (safely?) tucked away in your wallet or dresser drawer.
I first reported on this problem back in August, but now is when this story needs to grab your attention. Why? Well, ’tis the season for you to load a lot of money onto these cards, and hackers have noticed. The “disappearing gift card balance” phenomenon first got the attention of major media outlets last holiday season.
How does the scam work?
It happened to JoNel Aleccia of Seattle this summer. She bought a $100 Nike gift card for her son-in-law at a QFC grocery store. By the time he got it, the card had only $6.76 in value left. She complained to QFC, who sent her to Nike customer service. Nike said the card was used for $93.34 on July 26 at a nearby factory outlet store. And that was it.
“Nike told me the card was used in Seattle and they’ve had no further response,” Aleccia said. She went to the QFC store where she bought the card, and a manager wrote down her name, but nothing further happened.
Fortunately, Aleccia’s story has a happy ending. After I contacted Nike about the incident, the firm told me it would refund her money.
But you might not be so lucky. So I’m recommending you stop buying gift cards; at a bare minimum, don’t buy them from third parties like grocery stores. And if you get a gift card, spend it immediately.
Gift card hacking has been around for a while, but it used to be hard work, barely worth the risk. Criminals had to write down card numbers, put the cards back on store shelves, then lie in wait until consumers activated them. It could be done, but criminals risked appearing on store video cameras. Because Aleccia’s card was used by criminals nearby, it’s a good guess that she was hit by this version of the crime.
But automated hacking — where attackers use bots to remotely find gift cards with value and sell them — presents a deeper threat to gift cards.
“Nike does not disclose our security protocols, but we do have systems in place to reduce risk for our consumers,” the firm’s Brian Strong said to me in an email.
Zach Stratton, a spokesman for QFC, says his firm does look into complaints from consumers about gift cards.
“It’s general procedure in the grocery industry for gift card sales to be final: no refunds or exchanges,” he said. “However, if a customer shares with us that they’ve purchased an undervalued gift card or they feel fraudulent activity has transpired, we generally will open an investigation. The investigation would require the customer to provide as much information as they can about the suspicious activity. During the investigation, our customer service team would contact the gift card retailer in an effort to recover the dollars for the customer.”
Retailers are under no legal obligation to do so, however, according to Christina Tetreault, a staff attorney with Consumers Union.
“Gift cards are not covered,” by the fraud laws that govern other kinds of plastic-card transactions, she said. “You will see some instances in some terms and conditions where the provider may offer those types of protections, but that is very rare.”
Making matters worse, there’s a new, more ominous flavor of gift card hacking that surfaced earlier this year. In March, security firm Distill Networks discovered a bot program called GiftGhostBot that was brute-force testing possible gift card account numbers at retailer websites. The bot hit balance-check pages, testing numbers to look for “hits” — active accounts with balances.
“On one customer website, the analyst team recorded 4 million bad bot requests per hour – nearly 10 times their normal level of traffic. On average, the operators of GiftGhostBot can test as many as 1.7 million gift card account numbers per hour,” the firm said.
Once the bot detected a live card, it could offer it for sale on numerous forums where gift cards are sold for as little as 20 cents on the dollar.
Laura Hillman, a spokeswoman for Distill, told me in August that the risk from GiftGhostBot has passed.
“It looks like that particular bot syndicate has died down and we are not seeing it on gift cards at the moment,” she said. Clearly, the attack worked for a while, however.
More recently, security firm Flashpoint added another data point to the discussion. At least some retailers do a bad job of randomizing account numbers.
“Many gift cards are numbered sequentially. This characteristic not only eliminates the need for any guesswork, it makes it relatively easy for cybercriminals to ascertain the numbering convention used for many gift cards,” wrote Flashpoint analyst Olivia Rowley in a report issued in May. “Armed with the numbering convention, cybercriminals can then test possible gift card number combinations on the targeted business’s gift card balance checker or via a third-party site with the same purpose. As manually checking hundreds of possible numbers would be an incredibly tedious task — not to mention the likely-low success rate for discovering valid cards — many cybercriminals turn to automation for assistance with this task.”
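A defender-side sketch of how a retailer could spot the balance-checker probing described above, added here as an example and not taken from Distill, Flashpoint or any retailer. The log tuple layout, client identifiers, card numbers and thresholds are constructed assumptions, and card numbers are assumed to be all digits.

```python
from collections import defaultdict

WINDOW_SECONDS = 60      # assumed sliding window per client
MAX_DISTINCT_CARDS = 5   # assumed: a shopper rarely checks more than a few cards
MAX_MISS_RATIO = 0.5     # assumed: guessing yields mostly "no such card" replies

def constructed_log():
    """Constructed records: (epoch_seconds, client, card_number, lookup_found)."""
    log = [(0, "client-A", "6000123400017", True),      # shopper rechecking one card
           (3600, "client-A", "6000123400017", True)]
    log += [(50 + i, "client-C", card, True) for i, card in enumerate(
        ["6000123408812", "6000123455120", "6000123490377"])]  # family, 3 real cards
    for i in range(40):                                  # 40 consecutive guesses
        log.append((100 + i, "client-B", str(6000123400100 + i), i % 20 == 0))
    return log

def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers among the card numbers."""
    values = sorted(set(int(n) for n in numbers))
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumerators(records):
    """Return {client: reasons} for clients whose balance checks look automated."""
    by_client = defaultdict(list)
    for ts, client, card, found in records:
        by_client[client].append((ts, card, found))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        reasons, start = set(), 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] >= WINDOW_SECONDS:
                start += 1                               # slide the window forward
            window = events[start:end + 1]
            cards = {card for _, card, _ in window}
            if len(cards) > MAX_DISTINCT_CARDS:
                reasons.add("many distinct cards")
                misses = sum(1 for _, _, found in window if not found)
                if misses / len(window) > MAX_MISS_RATIO:
                    reasons.add("mostly misses")
                if longest_sequential_run(cards) > MAX_DISTINCT_CARDS:
                    reasons.add("sequential numbers")
        if reasons:
            flagged[client] = sorted(reasons)
    return flagged
```

On the constructed log only `client-B` is flagged; the shopper who rechecks one card and the family checking three valid cards stay below every threshold.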
Rowley told me this summer that bot attacks on cards are actually expanding into new criminal “marketplaces.”
“Cybercriminals employing automated checking of gift card balances in order to find those with balances for resale continues to be a problem,” she said. “Following the closure of the AlphaBay and Hansa marketplaces, many vendors of these products have become active on DreamMarket or are looking to establish their own personal shops.”
Don’t lose sight of the point of this story: Unlike credit/debit cards, consumers have no fraud protection rights when dealing with gift cards. If the balance is stolen, it’s gone, unless a retailer decides to “do a solid” for a customer.
It’s hard to say how common gift card balance theft is. Payments security expert Avivah Litan, from the Gartner consultancy, said criminals who used to hack credit cards have turned to gift cards instead as a response to the advent of harder-to-hack chip-enabled “EMV” credit cards. Gift cards still rely on old magnetic stripe technology.
“Gift card (and) loyalty schemes are on the rise and have been for a while,” she said.
Also, note the increased presence of signs at retailers saying they won’t allow purchase of gift cards with credit cards because of fraud.
Another hint: Rowley’s report includes a chart showing a dramatic increase in chatter about gift card hacking that began in late 2015, when EMV credit card rules kicked in.
There was a spike in gift card balance theft during the last holiday season — or at least, folks noticed the theft more. It’s easy to find stories about individual cards being drained (of $1,000!) both from major media and on discussion boards.
RED TAPE WRESTLING TIPS
First, let me clarify some terms: There are lots of ways consumers can load money onto plastic, either for themselves or to be used as a gift. Prepaid debit cards — sometimes also called general purpose re-loadable cards — do come with traditional credit-card-style fraud protections now. New rules, courtesy of the Consumer Financial Protection Bureau, kicked in this October. If they aren’t marketed as gift cards, they are covered by Regulation E now, which limits consumer liability for fraud.
Store-based gift cards sold by individual merchants to be used at only that store or its affiliates are not covered by federal regulations. You or your gift recipient can lose the entire value of the card.
In between are prepaid cards that are marketed for gift-giving and can be used at multiple merchants, such as cards bearing a Visa or MasterCard logo. The fraud protections added to general purpose reloadable cards do not extend to gift cards, so federal rules don’t protect these cards or entitle consumers to refunds. But read the fine print; the issuer may offer liability protection. This Visa gift card, for example, makes clear in its terms and conditions that consumers will not be liable for “lost value on the card” if certain conditions are satisfied, such as the card having been signed on the back in permanent ink. (Note that in the general description of the card, the credit union says only the “unspent balance” would be returned to the consumer after a theft. That’s why it’s really important to read the fine print.)
As for gift cards, consumers can protect themselves a bit. When buying a card, look carefully at the packaging. Does it look like someone bent the cardboard back to peek at the number? Are there any signs that the scratch-off area has been tampered with? If so, leave the store immediately. It’s logical to think that third-party sellers with massive walls of unprotected cards can be more easily victimized by the card replacement version of this crime, so buying cards directly from retailers probably helps a little. Also, if you received a gift, spend the value immediately. The longer the value sits there, the greater the chance someone else will find it and use it.
At a bare minimum, register the card online so you can recover unspent balance in the case of a lost or stolen card. But note that the mere presence of a “check your balance here” online tool makes some cards less secure, because of the attack style described above.
But in reality, there isn’t much you can do to ward off gift card balance theft. More notably, if your retailer suffers an automated attack, there’s nothing you can do to protect yourself.
Other than this: Don’t buy gift cards unless you are assured they come with fraud protection. It might be a while.