Monday, January 06, 2014

Why crooks love gift cards and how retailers are to blame

It’s the holiday season and there are those that don’t feel like thinking about particular gifts can cop out by gifting a gift card. For those that have never used one, it’s relatively simple. The card number combined with an access code is usually enough information for a gift card to be used for a purchase. This is how it usually works when making online purchases. At the actual physical store, the use of a gift card typically requires the user to also be in possession of it.

Fraud liability lies with the purchaser

Gift cards are designed with convenience in mind with no regard to security or indemnity. If your bank issued a card with the PIN printed on it, you would immediately cut it up, cancel it and change banks. Unfortunately, this is exactly what most retailers do with gift cards.

Both the number and the access code are displayed on the actual card (both physical and virtual versions). This is all one needs to make a purchase using the card. The anonymous nature of gift cards is just as much of a problem. Crooks love anonymity because at no point can a transaction be linked back to them.

To add to the mess, most retailers have a statement in the fine print to “treat the card like cash as we cannot process refunds in the event of theft or loss”. We would not tolerate this type of behaviour from financial institutions, yet that’s exactly what we do each time we buy a gift card. At least financial institutions will indemnify cardholders from loss or theft. Retailers simply say “too bad, your loss, not our problem”.

Because retailers do not care enough to accept responsibility, at no point will they ever attempt to investigate the crime and the criminals that stole your gift card details get away scot-free.

Digital gift cards are less secure than physical ones

While gift cards are not secure for the reasons already mentioned, digitally-delivered cards are worse. With physical gift cards, the most blatant, practical example of fraud involves crooks cloning inactive cards from stores and subsequently waiting for them to be activated through a legitimate purchase.

The best way around this particular method of fraud is to cover the access code on each card with a layer that can be scratched off, which many retailers have implemented. This is a simple, yet effective way to reduce the risk because if a card has a visible access code, you know it’s been compromised. Unfortunately, the digital version of this “scratch layer” is often non-existent.

The most common method of retrieving a digital gift card involves accessing a URL. To understand why this is a problem, consider the fact that often, the URL to retrieve a gift card is derivable, even if encryption is used in the actual URL pattern. It is not too difficult for a skilled attacker to get the standard URL pattern by legitimately ordering a card and subsequently performing a brute-force attack, similar to how passwords are cracked, on the parts of the URL that change to retrieve other gift cards.

The digital equivalent of a “scratch layer” would be to make the retrieval URL accessible exactly once. This way, one would know upon an attempt to retrieve the card if it has already been compromised through its URL and contact the retailer to report the issue immediately instead of finding out after the card has already been used. Once a card has been used by the fraudster, it is too late and there is no recourse for the victim.

No protection against insiders

As is the case in many organisations, the insider with access is a huge risk in this particular context. Credit card numbers are partially protected through PCI-DSS requirements that mandate encryption of stored card details and audit of access. Gift card details however are not subjected to the same rules and thus can be stored in clear text and not be monitored when accessed without regulatory consequences for the retailer.

Organisations tend to ignore security when they are not liable in the event of a security incident. In the case of gift cards, no liability lies with the retailer. This means employees of a retailer storing gift card details in the clear have relatively easy access. In addition, even if the retailer happens to have audit mechanisms tracking access to databases storing gift card details, the fact that consumers are expected to “treat gift cards as cash” is a sure sign that a retailer will not spend precious dollars to investigate any potential internal fraud with gift cards.

Too many third parties involved

Another trend that contributes to the problem is the use of third parties to administrate and issue gift cards. For example, many large retailers in Australia use the same third party company to do this. The problem with third parties is that access to data is now expanded to people not directly associated with the responsible retail organisations.

As gift cards are not subjected to the same standards as credit card information, employees of the third party company potentially have full access to gift card details of multiple retailers and can exploit this access for personal profit much more easily than if they were attempting to steal credit card numbers.

No regulation, no deal

Gift cards are effectively cash cards. Retailers have said so themselves in an attempt to indemnify themselves from liability in the event of fraud. The problem is that they are indemnifying themselves at the expense of fraud victims, also known as customers. The relationship in this instance is completely one-sided in favour of retailers.

Financial institutions dealing with credit card details are not afforded the same cop-out liability statement. In fact, it is the opposite. Financial institutions are held liable in the event of fraud and we as consumers are protected.

Imagine if we were told that whenever we use a credit card, we assume all the risk? Mastercard, Visa and American Express would go out of business very quickly. Why are retailers not subjected to the same rules?

It is time we woke up and realised exactly how unprotected we as consumers are when we buy gift cards. If you feel the need to buy a gift card for someone else, do what Asians do instead and put cash in a red packet.

In Asia, giving a red packet to someone implies you are wishing them good fortune. Giving someone a gift card however, means you couldn’t be bothered. You may also have just gifted them a worthless piece of plastic which they will resent you for when they try to use it.

No comments: