11 Nov 2022 • 10 min read
Gift card cracking is a kind of brute force attack in which cybercriminals use automated programs to enumerate millions of gift card number combinations and find valid ones that carry a balance.
A gift card, also known as a gift voucher or gift token, is part of retail stores' promotion strategy, and its origin can be traced back to the early 1990s.
Issued by a retailer or a bank as a prepaid stored-value money card, a gift card is often treated as a cash card and given out by employers or organizations as a reward or gift. The invention of gift cards is great. But there is a dark side. As more and more retail stores move their businesses online, the cyber environment breeds massive fraud targeting gift cards. This type of fraud is called gift card cracking (a.k.a. token cracking, gift card fraud, enumeration attack).
Gift card cracking is a type of brute force attack in which cybercriminals use automated programs to enumerate millions of gift card number combinations and find valid ones that carry a balance. Once the cybercriminals identify valid gift card number/code combinations, they use them to make purchases or resell the gift cards on the dark web.
According to AARP and statista.com, gift card sales were around $160 billion in 2018, of which $78 million were reported as lost in scams involving gift cards and reload cards.
Then came 2020, with the outbreak of COVID-19 and lockdowns around the world. Many shoppers were pushed to make their purchases online as brick-and-mortar stores either closed or followed social distancing rules. By their nature, gift cards require no bank account or ID and the fund transfer cannot be traced, which makes purchasing more convenient but at the same time leaves e-commerce merchants vulnerable to financial losses and damages customers' trust.
The first step of gift card cracking is to get a list of gift card number and activation code combinations. The attacker may go to a physical store of the targeted e-commerce merchant or retailer and pick up a gift card. Gift card numbers from the same merchant usually follow sequential numbering patterns, so the attacker only needs to attempt different combinations based on the card purchased in the physical store.
Instead of attempting different gift card variations, attackers can steal card numbers and activation codes by hacking into the company gift card database via brute force hacking, malware, or phishing attacks against employees.
Attackers write a script (automated scripts, bots) to test all the stolen gift card details on the website until every record has been tested and the valid pairs are found.
The attackers may:
A. Use the stolen gift card to make purchases
B. Cash out certain types of gift cards on some platforms
C. Sell the gift card number/activation code on the dark web
Attackers usually use brute force methods to attempt thousands or millions of gift card records on the merchant's website in a short time. If you find that:
then you should be on alert. Gift card cracking won't cause immediate financial losses to your business. But as more customers find themselves hit by gift card scams, they will doubt the security of the whole website. What's worse, they will lose trust in the entire business.
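A defender can look for this pattern in gift card balance-check logs. The following is an added example, not GeeTest's or the original article's code: it flags clients that fail lookups on many distinct card numbers inside a short window, and separately labels the sequential-number walk described above. The event format, thresholds, card numbers and client addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed look-back window
MAX_FAILURES = 5      # assumed: more distinct failed cards than this is suspicious
SEQUENTIAL_GAP = 10   # assumed: guesses this close together count as sequential

def detect_enumeration(events, window=WINDOW_SECONDS,
                       max_failures=MAX_FAILURES, gap=SEQUENTIAL_GAP):
    """events: iterable of (epoch_seconds, client, card_number, lookup_ok).
    Returns {client: "sequential" | "volume"} for suspected enumeration."""
    recent = defaultdict(deque)   # client -> failed (ts, card) pairs in window
    flagged = {}
    for ts, client, card, ok in sorted(events):
        if ok or client in flagged:
            continue
        q = recent[client]
        q.append((ts, int(card)))
        while ts - q[0][0] > window:      # expire failures outside the window
            q.popleft()
        distinct = sorted({c for _, c in q})
        if len(distinct) <= max_failures:
            continue
        # Share of neighbouring guesses that sit numerically close together
        close = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a <= gap)
        ratio = close / (len(distinct) - 1)
        flagged[client] = "sequential" if ratio >= 0.8 else "volume"
    return flagged

def sample_events():
    """Constructed log data; addresses are documentation ranges."""
    base = 9000000000000000
    events = []
    for i in range(8):   # bot walking a sequential range, one guess per 2 s
        events.append((1000 + 2 * i, "192.0.2.10", str(base + 1200 + i), False))
    # Shopper who mistypes a code twice and then succeeds
    events += [(1005, "198.51.100.7", str(base + 555123), False),
               (1020, "198.51.100.7", str(base + 555132), False),
               (1040, "198.51.100.7", str(base + 555213), True)]
    # Client testing a list of unrelated numbers, one every 5 s
    for i, n in enumerate([11, 90452, 377, 5120033, 81, 660019, 2400]):
        events.append((1100 + 5 * i, "203.0.113.4", str(base + n * 1000), False))
    return events

if __name__ == "__main__":
    for client, reason in detect_enumeration(sample_events()).items():
        print(client, reason)
```

A client that spaces its guesses further apart than the window stays under this check, so the per-client count is best combined with a site-wide view of failed lookups.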
Don't worry, GeeTest has introduced an effective bot management solution that prevents fraud and threats like gift card cracking, web scraping, credential stuffing, and more. GeeTest Captcha offers the following advantages in protecting against gift card cracking.
Powered by machine learning analysis and the AI back-end engine, the 4th generation GeeTest Adaptive CAPTCHA is enhanced by active and dynamic security strategies. It offers 7-layer dynamic security protection with up to 4374 security strategies per cycle, which raises the cost to cybercriminals by 3.714 times.
GeeTest offers an advanced management system that can identify traffic anomalies in real time, set up customizable bot detection, and even configure tailored security strategies.
For example, through the GeeTest Traffic Analysis Dashboard, customers can configure limits on unsuccessful login attempts to stop both automated and user-based password-guessing attacks, which can be an effective method to prevent gift card cracking.
As an advanced Captcha solution, GeeTest Captcha can be the superior alternative to traditional captchas. It ensures both ease of use and security in every interaction.
The CAPTCHA style, types, difficulty, and verification pictures can all be customized. For example, there are up to 9 types of fun Captcha tests, which optimize the user experience and reduce friction.
With over 10 years of industry experience, serving 360,000+ enterprises worldwide & processing 1,000,000,000+ requests per day, GeeTest offers a world-leading enterprise-grade bot management solution.
If you are looking for an effective and easy-to-use tool to prevent fraud and threats, come and try the Demo of GeeTest Adaptive CAPTCHA, or register for a free 30-day trial now!
Hayley Hong
Content Marketing @ GeeTest