If you're like most Americans, you have a few gift cards in your wallet right now. I have two, one has a snowman on it. In 2015, the average holiday shopper purchased two gift cards, and the total volume of gift card value is expected to reach $160 billion by 2018, according to Gift Card Granny.
Despite being great presents for many, prepaid gift cards can be a bullseye for fraud and money laundering. With tighter post-financial crisis regulation on larger amounts of money, and safer chip-enabled debit and credit cards, fraud has "shifted to the less valuable avenues -- or at least previously less valuable," says Stephen Ufford, CEO of Trulioo. "Any thinking person would ask where do I go next? One door closes, another opens. It's trickled down."
One way to get money from gift cards is to steal balances. An individual hacker, says Omri Iluz, founder and CEO of PerimeterX, could use "a large number of bots to bring a wave of checkers to a website." The bots would try millions of gift card numbers until it finds ones with balances. Then the hacker knows it has found a valid gift card number.
Another form of attack involves using stolen credit cards to buy gift cards. "It's much harder to buy an actual item because you need to handle shipping and reselling the item," he says. Gift cards are easy because they can be sold online.
That's what makes these kinds of frauds so easy. Whether it's someone else's gift card with a balance or buying a fresh card with a stolen credit card number, hackers can digitally sell those cards on gift card resale websites, and take the balance in cash.
Vehicles for money laundering
Gift cards are also a popular way to launder money, says Ufford. Buy small increment gift cards in the U.S., and then resell them on card marketplaces for cash.
"Buying $10,000,000 in Starbucks cards across the U.S. isn't that hard," says Ufford. A gift card reseller website may take a 5 percent fee, but "it's a check coming from a U.S. marketplace -- very legitimate." It's also low friction, and he says that 5 percent isn't a big price to pay to launder funds.
"It's not a brilliant plan. It's just low hanging fruit," he says.
Stopping gift card fraud
Any retailer that lets someone check their gift card balance online is a target, says Iluz. "The simpler the page, the better. If the page doesn't have a captcha on it or any other security measure on it, the attacker can send an unlimited amount of bots."
This is a retailer's first line of defense, he says -- anything that forces a bot to prove its human because the kind of large scale checking of gift card numbers "cannot happen with a human being. It's simply ineffective," he says.
This is especially important for small and midsized merchants, Ufford says. "Fraudsters are targeting less sophisticated merchants," he says. "Our answer is to make enterprise class tools that were previously only available to banks and retailers."
Another layer would help against fraud and money laundering: knowing who is selling the card and who is buying it, says Ufford. "There is a very prescriptive formula for knowing who the people are in the transaction, wherever they are in the world," he said. Things like name, address, date of birth, passport ID could all be used â of all users in the transaction. That needs to be done "online taking place in real time."
Consumers should also report if their gift card balance is stolen -- even if only a few dollars were left. That will help merchants know they've been targeted.
Regulators could step in too, at least when it comes to big balance gift cards. In 2011, the U.S. Treasury Department's Financial Crimes Enforcement Network proposed subjecting gift cards worth more than $10,000 to the same reporting requirements as other types of cash in that amount moving across borders, but it was tabled under pressure from the prepaid card industry.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.