Gift card cracking is a kind of brute-force attack in which cybercriminals use automated programs to enumerate millions of gift card number combinations in order to find valid ones that still carry a balance.

A gift card, also known as a gift voucher or gift token, is part of retail stores' promotion strategy, and its origin can be traced back to the early 1990s.

Issued by a retailer or a bank as a prepaid stored-value card, a gift card is often treated like a cash card and handed out by employers or organizations as a reward or gift. The invention of the gift card is a great one, but it has a dark side. As more and more retail stores move their business online, the online environment breeds massive fraud targeting gift cards, and this type of fraud is called gift card cracking (a.k.a. token cracking, gift card fraud, or an enumeration attack).

What is Gift Card Cracking?

Gift card cracking is a type of brute-force attack in which cybercriminals use automated programs to enumerate millions of gift card number combinations in order to find valid ones that still carry a balance. Once the cybercriminals identify a valid gift card number/code combination, they use it to make purchases or resell the gift card on the dark web.

According to AARP, gift card sales were around $160 billion in 2018, of which $78 million was reported lost in scams involving gift cards and reload cards.

Then came 2020, with the outbreak of COVID-19 and lockdowns around the world. Many shoppers were pushed to make their purchases online, as brick-and-mortar stores were either closed or required to keep social distancing. Gift cards need no bank account or ID, and the fund transfer cannot be traced, which makes purchasing more convenient but at the same time leaves e-commerce merchants vulnerable to financial losses and damages customers' trust.

How does Gift Card Cracking Work?

  • Acquiring a list of gift card numbers/codes

The first step of gift card cracking is to obtain a list of gift card number and activation code combinations. The attacker may go to a physical store and buy a gift card from the targeted e-commerce store or retailer. Gift card numbers from the same merchant usually follow a sequential numbering pattern, so the attacker only needs to try combinations derived from the one they bought in the physical store.

Instead of trying different gift card variations, attackers can also steal card numbers and activation codes by breaking into the company's gift card database through brute-force attacks, malware, or phishing attacks against employees.

  • Using an automated script to test all the gift card numbers

Attackers write a script (automated scripts, bots) to test all the stolen gift card details on the website until every record has been tested and the valid pairs are found.

  • Earning a profit from stolen e-gift cards

The attackers may:

A. Use the stolen gift card to make purchases

B. Cash out certain types of gift cards on some platforms

C. Sell the gift card number/activation code on the dark web
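The weakness behind the first step above is that the card number alone is predictable. The usual mitigation is to treat the printed number as a public identifier and put all of the secrecy into a random activation code that is stored only as a keyed hash and checked with a uniform failure response. The following Python is an added illustration written for this page, not code from the original article or from GeeTest; the `GiftCardStore` class, the in-memory storage and the pepper value are constructed assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Activation-code alphabet: upper-case letters and digits minus the
# easily confused 0/O and 1/I, leaving 32 symbols (5 bits each).
CODE_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "01IO")
CODE_LENGTH = 16


def generate_activation_code(length=CODE_LENGTH):
    """Draw the code from the OS CSPRNG; never derive it from the card number."""
    return "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))


def search_space_bits(alphabet_size, length):
    """Bits of entropy an enumerating attacker has to cover for a random code."""
    return length * math.log2(alphabet_size)


def code_hash(card_number, code, pepper):
    """Keyed hash of the code bound to its card number; only this is stored."""
    msg = f"{card_number}:{code}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


class GiftCardStore:
    """Hypothetical in-memory issuer (constructed for this example). Sequential
    printable numbers are acceptable because the secret is the random code."""

    def __init__(self, pepper):
        self._pepper = pepper                  # server-side secret, kept out of the database
        self._cards = {}                       # card_number -> {"code_hash": str, "balance": int}
        self._next_number = 6000000000000001   # constructed starting number

    def issue(self, balance_cents):
        card_number = str(self._next_number)
        self._next_number += 1
        code = generate_activation_code()
        self._cards[card_number] = {
            "code_hash": code_hash(card_number, code, self._pepper),
            "balance": balance_cents,
        }
        return card_number, code               # shown to the buyer once, never stored in clear

    def redeem(self, card_number, code, amount_cents):
        """Debit the card only if number, code and balance all check out.
        Every failure is reported identically, so the response does not reveal
        whether the number exists or only the code was wrong."""
        card = self._cards.get(card_number)
        # Hash even for unknown numbers so the work done does not depend on existence.
        stored = card["code_hash"] if card else code_hash(card_number, "", self._pepper)
        presented = code_hash(card_number, code, self._pepper)
        if not hmac.compare_digest(presented, stored) or card is None:
            return False
        if card["balance"] < amount_cents:
            return False
        card["balance"] -= amount_cents
        return True


if __name__ == "__main__":
    store = GiftCardStore(pepper=b"constructed-server-secret")
    number, code = store.issue(5000)
    print(number, code, store.redeem(number, code, 2000))
    print(f"4-digit PIN: {search_space_bits(10, 4):.1f} bits; "
          f"{CODE_LENGTH}-char code: {search_space_bits(len(CODE_ALPHABET), CODE_LENGTH):.0f} bits")
```

The entropy comparison is the design argument: a 4-digit PIN gives an enumerating bot roughly 13 bits to cover, while a 16-character code over this alphabet gives 80 bits, which no rate of automated guessing against the checkout page can exhaust. Storing only the peppered HMAC also means a stolen database copy, the second acquisition route described above, does not hand out usable codes.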

How to detect gift card cracking?

Attackers usually use brute-force methods to try thousands or millions of gift card records on the merchant's website in a short time. If you find that:

  1. There is a spike in traffic visiting your sites, especially the checkout page;
  2. Chargebacks have increased in your payment system;
  3. There are multiple failed payments from the same user account, IP address, browser user agent, or device ID;

then you must be on alert. Gift card cracking won't cause immediate financial losses to your business, but as more customers find themselves hit by gift card scams, they will doubt the security of the whole website. What's worse, they will lose trust in the entire business.
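Signals 1 and 3 above can be checked directly against web server logs. The Python below is an added example written for this page, not code from the original article or from GeeTest: it parses a constructed request log, keeps a five-minute sliding window of failed gift card redemptions per IP address, account, user agent and device ID, and separately flags minutes in which checkout traffic runs well above a baseline rate. The log format, the `/checkout/giftcard` path, the thresholds and the sample addresses are all assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one request per line:
# timestamp  client_ip  account  user_agent  device_id  path  result
LEGIT_LINES = [
    "2020-11-03T10:00:01Z 203.0.113.7 acct_1001 UA-A dev-1 /checkout/giftcard fail",
    "2020-11-03T10:00:20Z 203.0.113.7 acct_1001 UA-A dev-1 /checkout/giftcard ok",
    "2020-11-03T10:03:15Z 198.51.100.4 acct_1002 UA-A dev-2 /checkout/giftcard ok",
    "2020-11-03T10:04:02Z 198.51.100.4 acct_1002 UA-A dev-2 /product/42 ok",
]
# 25 failed redemptions inside one minute from a single address and device (constructed)
BURST_LINES = [
    f"2020-11-03T10:01:{i:02d}Z 203.0.113.9 guest UA-B dev-9 /checkout/giftcard fail"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(LEGIT_LINES + BURST_LINES)

GIFTCARD_PATH = "/checkout/giftcard"   # assumed redemption endpoint
FAIL_THRESHOLD = 10                    # failed redemptions per key inside the window
WINDOW = timedelta(minutes=5)
KEY_FIELDS = ("ip", "account", "ua", "device")


def parse_line(line):
    ts, ip, account, ua, device, path, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "account": account,
            "ua": ua, "device": device, "path": path, "result": result}


def load_events(text):
    """Parse the log and order events by time so the sliding window is monotonic."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def failed_redemption_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window count of failed gift card redemptions per IP, account,
    user agent and device id. Returns {(field, value): peak count} for every
    key whose count reached the threshold inside the window."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["path"] != GIFTCARD_PATH or ev["result"] != "fail":
            continue
        for field in KEY_FIELDS:
            if field == "account" and ev["account"] == "guest":
                continue   # unauthenticated traffic is tracked by ip/ua/device instead
            key = (field, ev[field])
            q = recent[key]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def checkout_spikes(events, baseline_per_minute, factor=5):
    """Minutes in which checkout requests reach `factor` times the normal rate."""
    per_minute = Counter(ev["ts"].strftime("%Y-%m-%dT%H:%M")
                         for ev in events if ev["path"].startswith("/checkout"))
    return {minute: n for minute, n in per_minute.items()
            if n >= factor * baseline_per_minute}


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for key, n in failed_redemption_bursts(events).items():
        print(f"burst: {key[0]}={key[1]} had {n} failed redemptions within {WINDOW}")
    for minute, n in checkout_spikes(events, baseline_per_minute=2).items():
        print(f"spike: {n} checkout requests at {minute}")
```

On the constructed log the single legitimate failure from `acct_1001` stays below the threshold, while the address, user agent and device behind the burst are each reported with a peak of 25 failures, and minute 10:01 is flagged as a checkout spike against a baseline of two requests per minute. Keying on several attributes at once matters because a bot that rotates IP addresses may still share a device ID or user agent string; the thresholds should be tuned to the merchant's own traffic before alerting on them.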


Hayley Hong

Content Marketing @ GeeTest