The BBC asked me to comment on the security of gift cards in connection with a story they were running on “You and Yours” (it’s about 35 minutes in if you are interested). The story was about a woman who had bought a gift card at Debenhams and given it to a relative. When the relative went to use the card, it was empty because it had already been used (in a series of transactions)
Obviously, I couldn’t comment on the Debenham’s example that triggered the story since I don’t know anything about it, but by way of comment, here’s a similar kind of fraud running in the US right now, discovered at Wal-mart.
They re-seal the Visa card into the seemingly new unopened box, sneak it back into Wal-mart and put it back on the shelves. Next, they just wait until somebody buys the card. Once the fake card has been scanned, the real card (in the hands of the thief) becomes active, funded and ready to use before the unsuspecting customer has any clue.[From ▶ Wal-Mart “VISA” Gift Card Scam 2013 – YouTube]
This is actually a well-known problem…
In another traditional scheme, a thief will apply a bar-code sticker over the genuine bar code of a gift card in a shop. When the sticker is scanned, it activates a blank card that the crook has stolen instead of the card the consumer is purchasing.[From Gift Card Scammers Skirt Security with New Tricks | Fox Business]
Again, speaking generally and not referring to either of these cases, gift card fraud is often collusive.
Many retailers are finding out that their biggest gift card fraudsters are their employees.[From Preventing Gift Card Fraud]
In some cases, an insider is either copying the card details by skimming or simply writing down the numbers and passing them to conspirators. This works because the details are copyable, which is why the payment card industry decided to move to chips. But chips are too expensive for gift cards, so they will remain magnetic stripe, and remain vulnerable.
So is they sky falling in? Well, no. The UK gift card and voucher market is already £5 billion and still growing. The gift card providers are developing a variety of countermeasures around activation and usage and I suspect they have a few more idea (based, largely, on mobile) up their sleeves. I was under the impression that gift card fraud in the UK was fairly low, so I asked Tony Craddock of Gx, who knows all about this kind of thing, and he confirmed this. In fact, he said that gift card fraud in the UK was “surprisingly” low, albeit growing.
In the US, where gift cards are a $100 billion+ market segment, the arms race between gift cards and fraudsters is far more active and accelerating. Since the gift card providers there have been implementing a variety of security countermeasures, so the fraudsters have been displaying energy and ingenuity in circumventing them.
In a classic gift card scam, a thief checks gift cards displayed in a store and writes down identifying information or lifts it from the card’s magnetic stripe using a scanner. The crook then goes home and repeatedly checks online to see when the card is activated (usually this is done when the cashier rings up the purchase of the card). Once activated, the thief spends the card balance online.[From Gift Card Scammers Skirt Security with New Tricks | Fox Business]
One the bigger problems in the US, though, where there is no chip and PIN at POS, is that counterfeit and stolen payment cards are used to buy gift cards. There’s even a problem with people using gift cards to encode the counterfeit magnetic stripe data!
A group of people used stolen credit card information to produce fraudulent cards and re-encode gift cards, then used the faked cards to buy large numbers of high-end items for later resale, police said.[From Gift cards used for taking from Target, police say – Chicago Tribune]
Now, I must confess, a few years ago, we did this. Go and get a blank gift card, or any old magnetic stripe card, and then re-encode it with your ATM card details. Then, when out about in foreign lands or dangerous parts of Woking, carry the apparently worthless card instead of your real ATM card. If you get mugged, it looks like a gift card (but of course it won’t work in the store terminals). If you don’t get mugged, and you need some cash, you can use it at the ATM. Chip and PIN put paid to this useful decentralised nerd-friendly crime prevention technique!
Anyway, for the Radio 4 show I said, essentially, that the security of the cards themselves was unlikely to improve. I said this because I’d been to a useful Money 2020 session on EMV migration in the US where it was one of the topics discussed. I hope I’m paraphrasing correctly from my scant notes, but broadly speaking I think the overall message was that gift cards will either remain stripe or vanish into mobile apps because the cost of chips doesn’t make sense in the gift card world. Mobile and e-gifting are growing rapidly so we may even see the stripe cards disappear as well. As Nate from City National Bank said at the Tomorrow’s Transactions Unconference in Palo Alto, mobile apps are going to get rid of plastic before they get rid of cash, and I suspect this true for gift cards as much as for other kinds of cards.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers