Criminals have discovered and used different methods to “steal” the “money” on your gift cards for some time now, but a new threat has surfaced this year which is distinctly different from previous methods.
In the past, it was typically necessary for the thief to be present in the store and handle the gift cards to get the numbers, or to steal the information. That could be done by hacking or by someone present in the store. Or, they could trick the customer into revealing the card number.
This year, a new method has surfaced and it poses a much greater threat. The hacker doesn’t have to be present and they don’t have to hack into the store. Instead, they take advantage of the methods the card provider uses for customer service.
Here’s how it works. An automated piece of malicious software (a “bot”) goes to the web site to check the balance on the card. It doesn’t need the actual card number. It guesses. In fact, in March, these bots were guessing as many as millions of card numbers every hour, just for a single gift card site. Some of the card numbers wouldn’t have been activated yet. Some of the numbers likely didn’t exist. But, with that many guesses, they would find some numbers that had a balance. Whenever the web site reported a balance remaining, the bot (malicious software) could make a record of it and pass that card number back to the hacker.
You might think that the site would just block these attempts. But the software is tricky and disguises itself to look like an ordinary customer. It changes its “identity” so that it looks like a different customer with every attempt. The only way to stop it is to stop all the real customers as well.
So, if you buy a gift card and it is activated, when the bot tries your card number, your balance will be reported and the hacker now knows that your card has money on it. If it is a card that can be used online, they simply need to shop online with it. If it is a card that must be used in a retail store, they can put that number on a plastic (counterfeit) card and sell it. Lots of people advertise that they buy gift cards (for a percentage of the value of the card). And many people would jump at a deal for a discount on a gift card. They shouldn’t be too hard to sell.
How likely is it that YOUR gift card has been hacked? Unfortunately, I haven’t been able to find that information. There are a lot of numbers to cycle through, but at the rate of millions every hour, they certainly will find a lot that are active. Details are not available on how they choose the numbers to guess. But there are ways to narrow down the numbers from all the possibilities to those that are most likely to be in use.
It is entirely possible that your card will never be hacked. But it is also possible that it will be soon, if it hasn’t been already.
There is nothing the retail store can do about this. It’s not their fault if your card number is guessed. There’s not much you can do to prevent it either.
If we want someone to blame, other than the criminals doing this, it would be the people who make the gift cards and then provide a way for the bots to discover which cards have balances. If the cards had security features (like a PIN), that could prevent most of this, if it were implemented well. But, until now, there hasn’t been an incentive to do that.
What can you do?
You can check the balance on your card to see if it is accurate. If it isn’t, contact the company.
* You could try going to the store where you purchased the card. But, if it was hacked by this method, the store couldn’t have done anything to prevent it and it’s not their fault.
* You can try calling the number on the card and/or the company where you can use the card. You might get a favorable response. Or, they may tell you that you are out of luck.
If you already have a gift card, you can use it for purchases until there is no balance left.
You may choose to stop using gift cards, at least until they put a solution in place that protects you against loss from these kinds of attacks.
You may choose to continue using gift cards and accept the risk. If so, I recommend only purchasing an amount that you are comfortable losing, in the event it gets hacked. Certainly you prefer not to lose anything. But, if you find value in using gift cards, whether for convenience or some other reason, and are willing to accept a loss of up to a certain amount in exchange for that benefit, you can limit your possible loss to the amount you have purchased.
If you give gift cards as gifts, you might consider giving something else, in case it gets hacked and your gift ends up worthless.
Assessing Your Risk
I wish I could give you some kind of statistics on how likely you are to experience a loss from this, but I haven’t found any information available yet. There is one way that you may be able to get some idea of your potential risk. Determine how easy it is for you to check your balance. The easier it is for you, the easier it is for the hacker.
If you can just go to a web site, put in your number, and get your balance, the hackers can use that site to guess your card number and steal it if they find a balance. However, if there is no online site that enables you to do that, you may be at less risk, unless the reason that it is not available is because it is being overwhelmed by hacking attempts.
You may need to call a number to get your balance. I tried that and, after a couple of attempts (I have a couple of cards for the same brand), the automated process was rerouted to a live person. I had to wait for someone to become available, and then they wanted me to give them information (name, zip code, etc.) before providing a balance. Those questions do not provide any additional security, since they didn’t have my name on file from when I purchased the card. The questions are probably for marketing purposes.
The point of this is that, the harder it is for you to get the balance on your own card, the harder it is likely to be for the hacker to guess lots of numbers until they find those that have balances. So, if you try to get your balance and it is an annoying process, the chances are much higher that your card number is safe. If it is really easy to get your balance, then the risk is higher that the hackers can get your card number and balance as well.
Other Solutions
There are things that can be done by the companies who issue and process the cards.
They can stop offering the ability to check your balance online. It is possible that some of the companies have already done this, at least temporarily. Of course, that makes it harder for legitimate customers to check their balances.
If they allow you to check your balance online, they can make it harder to do that. One option is the use of “Captcha” technology or some other method to assess whether it is a human or a “bot” that is making the request. But that technology is not foolproof.
They can introduce a method, such as a PIN, that must be used to actually use the card. If this is done, there needs to be a mechanism in place to prevent the guessing of the PIN. (Guessing expiration dates and security codes is actually being done with credit cards.) If the PIN were printed on the card but not used to obtain the balance, it would make it harder for the hacker to actually use the card. They may find a card that has a balance but not be able to use it without the PIN. Again, there would need to be a method to prevent repeated guesses of the PIN.
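As an added illustration, not code from the original post, here is one defender-side way to implement two of the measures above in Python: a site-wide detector for the balance-check guessing described earlier, which still works although the bot shows a new identity on every request, and a per-card PIN lockout that blocks repeated PIN guesses. The log lines, card numbers and PIN records are constructed for the example; the thresholds are assumptions a real operator would tune.

```python
from collections import deque

# Constructed sample log: one (timestamp_seconds, client_id, outcome) per balance lookup.
# client_id is whatever the site sees (IP, cookie); the bot rotates it on every request,
# so a per-client counter never rises above 1. outcome: "balance", "inactive" or "unknown".
SAMPLE_LOG = [(float(i), f"client-{i}", "unknown") for i in range(30)] + [
    (30.0, "regular-1", "balance"), (31.0, "regular-2", "balance")]

class EnumerationMonitor:
    """Site-wide sliding-window detector: real customers mostly look up cards that exist,
    so a high share of 'unknown' answers signals guessing, whatever identity the bot shows."""
    def __init__(self, window_seconds=60.0, min_requests=20, max_unknown_ratio=0.5):
        self.window, self.min_requests, self.max_ratio = window_seconds, min_requests, max_unknown_ratio
        self.events = deque()  # (timestamp, outcome) pairs inside the window

    def observe(self, ts, outcome):
        """Record one lookup; return True when the current window looks like enumeration."""
        self.events.append((ts, outcome))
        while ts - self.events[0][0] > self.window:
            self.events.popleft()
        if len(self.events) < self.min_requests:
            return False  # too little traffic to judge
        unknown = sum(1 for _, o in self.events if o == "unknown")
        return unknown / len(self.events) > self.max_ratio

class PinGuard:
    """Per-card PIN lockout, so a bot that found a card with a balance cannot guess its PIN too."""
    def __init__(self, pins, max_attempts=3, lock_seconds=900):
        self.pins = pins  # card number -> PIN (constructed; a real system stores a hash)
        self.max_attempts, self.lock_seconds = max_attempts, lock_seconds
        self.failures = {}  # card -> (wrong-attempt count, time of last wrong attempt)

    def attempt(self, card, pin, now):
        """Return 'ok', 'denied' (wrong PIN or unknown card) or 'locked'."""
        count, last = self.failures.get(card, (0, 0.0))
        if count >= self.max_attempts:
            if now - last < self.lock_seconds:
                return "locked"  # refuse without even evaluating the PIN
            count = 0  # lock has expired
        if self.pins.get(card) == pin:
            self.failures.pop(card, None)
            return "ok"
        self.failures[card] = (count + 1, now)
        return "denied"

def first_alert(log=SAMPLE_LOG):
    """Index of the first log entry at which the monitor alerts, or None."""
    mon = EnumerationMonitor()
    return next((i for i, (ts, _c, o) in enumerate(log) if mon.observe(ts, o)), None)
```

In the constructed log the alert fires on the 20th consecutive guess, long before the bot reaches the two real customers; the same counters would never trip a per-client limit because every guess arrives under a fresh identity.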
One additional step you can take is to communicate with companies that issue the gift cards you are interested in and tell them that you expect them to protect you. Ask them to provide a solution that is hard for a hacker to exploit. If enough people demand that, it could make a difference.
However, no matter what method someone is able to come up with, somebody will eventually find a way around it.
There are some things we can learn from this:
Convenience sometimes results in unintended consequences. Companies often do not consider the security implications of the things they do. Allowing customers to check their balance online allows a way for hackers to steal the card numbers.
When companies try to solve a problem, they sometimes make it harder than it needs to be. Sometimes they use that as an excuse to collect more of your information and market to you.
Attackers will adapt and change methods. We have to keep alert and may have to make changes in what we do to remain safe. The malware changes its approach to avoid detection. When measures are put into place to protect against attacks, the malware creators find new ways to attack and to avoid detection.
Especially with new threats, there may not be as much information available as you would like. You may not be able to get details. You might have to make a decision based on limited information.
In the end, the real questions are:
* What do you have to lose?
* How can you limit that loss?
If any loss is unacceptable, you may choose to stop using gift cards altogether. If you could stand to lose $10 but not $100, you can limit your total gift card purchases to $10 (or to the maximum amount you can stand to lose). That gives you control over the amount of the loss.