Gift cards have caused quite a headache for retailers in the last month, exposing another way that fraudulent activity can eat into razor-thin profit margins. Gift card fraud can range from physical theft to cloning to exploiting programming errors on the merchant side.
The methods of attack are very similar to what is seen with credit card fraud, but gift card fraud is less widely reported in the news. The reason is that, unlike data breaches that involve credit cards, personally identifiable information (PII) is rarely disclosed. Regardless, it is important for both merchants and customers to know how gift card fraud occurs, so they can recognize the behavior and protect themselves.
Jun 28, 2018 Vanilla Visa Gift Card Hacked November 2019. Got a Visa Gift Card for my birthday for $300.00. I made ONE purchase for $27.50 and the REST was STOLEN out of the account. Varian aas manual. NEVER buy one of these for a friend or family member. When I called Visa to get a refund. They said it would take 90 days to recover the funds. Make sure you have a unique gift card number. As a rule, it is indicated on the front side. Go to the store website and enter it in the field. You can check your gift card balance directly at the store. You can check the address of the nearest store on the company’s website. - I think my prepaid card was hacked. This review is from a real person who provided valid contact information and hasn't been caught misusing, spamming or abusing our website. I dont think my vanilla gc was hacked, I know it was hacked! I tried to use it the same day to purchase some items online.
On June 1st, Australian retailer Woolworth’s experienced a data breach that led to AUS $1.3 million worth of gift card numbers being leaked online. Several weeks prior, Starbucks had two high-profile gift card incidents – one involved a security researcher that discovered a race condition that allowed him to transfer card balances between cards without deducting any value, and the other involved the auto-load feature on cards that allowed fraudsters to quickly drain attached bank accounts. According to reporting by Brian Krebs, Starbucks itself was not hacked – the customers were.
The article goes on to explain that customers often use the same username/password combination across multiple sites and when a website is hacked, cyber criminals will often take the password dumps and try them on multiple sites. This is what most likely happened to the Starbucks customers; it’s very inconvenient and costly to the victim but avoidable, if good password habits are used.
There are many ways to commit fraud using gift cards and they are very alluring, for many reasons. First, and foremost, there’s a low chance of being prosecuted. The dollar amounts on each individual transaction are relatively small and not enough to garner the attention of large law enforcement agencies that have the ability to catch the perpetrators. Second, it’s very easy to commit fraud. Lastly, it’s easy to convert gift card value into money or merchandise.
How is gift card fraud commonly committed? There are three primary categories of fraud:
Hacking accounts
As described earlier with the Starbucks story, thieves can hack into gift card accounts and quickly drain them of money. If the auto-load feature is turned on, within seconds, a cybercriminal can quickly rack up charges and start the process of moving money off the compromised gift card account.
Another common route is using gift cards to quickly monetize the value in other hacked accounts, such as credit card rewards programs or hotel points.
This is how it works:
- A cybercriminal will obtain the username and password to a person’s credit card rewards program, usually through reused credentials or malware.
- They will log in and check the value of the account. For example, let’s say it’s $5,000.
- Credit card redemption programs offer many different items they can redeem in exchange for points. Several problems exist for the fraudster. They can’t exactly redeem for golf clubs – where would they ship them? Cash back is either redeemed as statement credit or sent as a check to the cardholder – also no good. Gift cards, however, are a perfect way to quickly monetize the hack.
- The redeemer instantly gets an e-gift card number that can be spent immediately, meaning the fraudster can exchange $5,000 worth of points for $5,000 worth of value on an e-gift card. The site will give the fraudster a gift card number on the spot, which can be printed out and used in-store or online.
- The fraudster will then use a service that converts gift cards into cash, such as cardcash.com or cardhub.com. One can usually get 60% of the face value of typical gift cards on sites like this. There are also physical kiosks in malls that offer the same service.
- The fraudster can now effectively convert a point or rewards on a hacked account into real cash.
Stealing numbers and cloning cards
Another very common method of gift card fraud is committed is through stealing numbers off physical gift cards. Gift cards work essentially the same as credit cards with a mag stripe—the gift card number is printed on the card for manual key entry and is also encoded on a mag stripe on the back of the card.
The mag stripe number is plain text and can be read with a mag stripe reader purchased for $15 from eBay or an electronics store. Gift cards may or may not have an additional level of security, a PIN number covered with a coating, similar to a lottery ticket, that needs to be scratched off.
Some merchants, such as Starbucks, do not require the customer to enter in a PIN number when using the card. The customer simply swipes the card and they’re good to go. Sirocco streamline 2 gas fire manual. Other merchants do use PIN numbers, which offers an additional layer of protection – the redeemer needs to have the physical card in possession in order to use it.
Gift cards are not usable until they are activated at the cash register. In many stores, gift cards are sitting out in an accessible place. People have been known to steal a stack of cards, bring them home, write down the numbers (or script it out using a mag stripe reader) and then sneak them back into the store and place them on the shelf.
Brazen criminals can write down or take pictures of the numbers down right in the store. From there, it’s a waiting game. Most merchants offer a way to check gift card balances online – the fraudsters will repeatedly check balances on the merchant’s website and wait until they are activated by a legitimate purchase. When they are, transferring balances to another card or converting into cash by using a third-party redeemer drains the balances out.
There are no reported incidents of POS skimmers used to grab gift card numbers, but this attack would work as well.
The addition of a PIN number can delay a fraudster, but not deter them entirely. Arma 3 star wars opposition mod. They can scratch off the coating, revealing the PIN and replace it with a new sticker easily purchased from eBay.
This type of fraud is fairly low-level and does not result in a huge loss to the merchant, but is quite a shock to the customer when the recipient of a gift card tries to redeem it and finds that the balance is zero. Some retailers will reimburse the customer with the face value of the gift card, but this ends up being a reputational hit for the retailer, as well as a headache for the consumer.
Acquiring numbers in bulk
Slightly more difficult, but much more rewarding, is to acquire gift card numbers in bulk from the issuers, merchant, reward redemption program, etc. This can be done through a multitude of methods, including phishing, SQL injection, social engineering and accidental disclosure.
Accidental disclosure is exactly what happened at Woolworth’s, where an employee at the company had a spreadsheet with 8,000 gift card numbers, totaling AUS $1.3 million. The employee accidentally sent the email to more than 1,000 people. Anyone who received the email could immediately go shopping or start to convert the gift card numbers into cash.
Advice for retailers
Vanilla Visa Gift Card Hacked Today
In-store security is important. Store gift cards behind the counter or locked in a cabinet. It’s not advisable to leave them out in an area that is publicly accessible because of the high probability someone will perpetrate one of the scams described above.
It’s even more important to have good policies and procedures in place for the central handling of gift cards numbers. First, require a PIN for the use of a gift card. Next, on a corporate policy level, never store the gift card PINs with the gift card numbers – keep the two separate. Last, limit online balance look-ups to several per hour, maximum.
Advice for customers
The best advice for customers buying gift cards is to only buy gift cards from reputable merchants. Always look at the physical card and look for signs of tampering, such as a scratched off and/or replaced PIN number. Most importantly – keep your receipt. If you get the card home and find it drained of funds, you may be able to recoup your losses by going to the merchant that sold the card or the store where the gift card is redeemable.
Gift card fraud is pretty unsexy when compared with the latest nation-state threat actors exploiting multiple 0-day vulnerabilities, but it is a significant problem that drains money from retailers and consumers alike. By being aware of how this fraud is committed, we can spot the scams and protect ourselves.
See how solutions like Tripwire equipped the Walgreens-Boots Alliance to continuously monitor and protect the business, while ensuring systems are reliable and secure.
About the Author:Tony Martin-Vegue is a 20-year Information Security veteran with expertise in network operations, cryptography and risk management. He’s worked for large global organizations, leading cyber-crime programs, enterprise risk management and security programs. He is a blogger and host of The Standard Deviant Security Podcast, a podcast that, with candor and cleverness, holds up a mirror to industry truths.Tony holds a Bachelor of Science in Business Economics from the University of San Francisco and has many certifications such as CISSP, CISM and CEH. He can be found on the web at www.thestandarddeviant.com and on Twitter @tdmv.
Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock
🏠 CreditCardGenerator.Money - CreditCard.RunA tool for creating fake credit card numbers & from BIN codes.
Datas updated at time.
Create MasterCard, Visa, American Express, Diners Club, Discover, JCB and Voyager credit cards & debit cards with $100,00 to $999,00 money amount balanced..
Vanilla Visa Gift Card Hacked
| Visa |
| 4625828834322878 |
| VALID THRU 06/25 |
| Shirley De mullerCCV: 626 |
Creating a fake credit card is one of the situations that raise questions in many people's minds. However, you don't have to worry. This does not endanger the security of your credit cards. A fake credit card number is just a number created with certain algorithms.
While fake credit card information and number seem like a scary situation, it's actually not something to worry about. If you may be saying why, this information is completely invalid and used to log into some websites. In other words, you can overcome this situation by giving invalid card information to a website where you do not want to share your card information on the internet. We may not be willing to provide our actual card information, as some websites contain highly questionable reliability. In such cases, instead of applying for false credit card information, you can try virtual card creation methods by contacting your bank.
If you are hesitant about credit card fraud, we do not recommend that you share your card information on websites. Although you can generate fake card numbers with some tools, it is worth remembering that this information is invalid. Even if you enter this information on their website, they will not accept it.
Is credit card generator illegal?
As a matter of fact, this situation cannot be considered legal. It can be considered a criminal offense to deceive systems while trying to shop online or providing fake information to places where you need to enter card information. For this, you should avoid such processes and tend to use virtual cards more.
Do Vanilla Visa Gift Cards Work Internationally
The virtual card can actually be called a fake credit card. In other words, you can produce a card completely independent of your original credit card information and use this card for all your internet purchases. Since the limit settings will be completely managed by you, you can use even without defining any limit if you wish. If you think that there will be legal problems with the use of fake cards, you should definitely try this method.
Do credit card generators really work?
No, such a thing is not possible. Credit card number alone is not enough to shop anyway. When you want to shop online with a credit card, you will be asked for a lot of information. If even a single letter of this information is wrong, it causes an error in the shopping. Since you cannot enter name and surname information, the credit card number cannot be verified and the fake card number you produced will not work.
Card information requested during shopping are as follows;- Card holder's name and surname
- Credit Card Number
- MM / YY (expiry date)
- CVV (security code)
Top 100 Random Fake Cards
| Credit Card Number | Holder | Expiry Date | CCV Number |
|---|---|---|---|
| 2281665397528866 | Betty Mcglasson | 06/22 | 194 |
| 5511146707919421 | Nicole Elston | 11/27 | 394 |
| 2720185075328389 | David Hillsbery | 04/22 | 431 |
| 2714501764180055 | Andrew Wetterstrom | 06/23 | 152 |
| 2349438282710068 | Kevin Hinde | 08/22 | 114 |
| 5180988160265804 | Kathleen Polk | 09/25 | 170 |
| 2712188952995577 | Barbara Mecatti | 08/26 | 204 |
| 2252557832208342 | Ryan Bolyai | 10/24 | 471 |
| 2229542144528991 | Jennifer Luce | 10/22 | 614 |
| 5358768313294596 | Anthony Hargraves | 12/22 | 280 |
| 2228219194789580 | Elizabeth Hargraves | 12/22 | 273 |
| 2273083995829282 | Kathleen Mccaffrey | 05/27 | 321 |
| 2223927289626153 | Susan Kortylewicz | 11/27 | 281 |
| 5501075447777058 | Jack Salmon | 05/22 | 459 |
| 2222677687906845 | Samuel Devegvar | 11/23 | 169 |
| 2224974801122872 | Rachel Severence | 04/27 | 167 |
| 2229870260934044 | Sharon Mcglasson | 02/24 | 363 |
| 2225827593908545 | Linda Macmillan | 04/26 | 129 |
| 2720395312058398 | Karen Ramon | 05/24 | 244 |
| 5572432469561346 | Jason Geltman | 07/26 | 473 |
| 2320299553581361 | Lisa Gold | 08/24 | 138 |
| 5252920739327891 | Virginia Chisom | 11/23 | 316 |
| 2226312799248573 | Christopher Starna | 12/25 | 271 |
| 2720008749822183 | Sharon Somers | 11/25 | 655 |
| 2275244913430706 | Donald Kortylewicz | 05/25 | 121 |
| 5497824715657732 | John Ramon | 02/24 | 487 |
| 2223314982881254 | Jason Riccio | 05/23 | 419 |
| 5566393255354379 | Elizabeth Lapierre | 01/22 | 510 |
| 5333340463504602 | Linda Mccoll | 06/27 | 560 |
| 2274660371223120 | Sharon Loescher | 05/24 | 194 |
| 2291949287779963 | Ronald Scheiber | 01/22 | 265 |
| 2446476282063015 | Gary Rozinov | 05/26 | 178 |
| 2227572351315834 | Jack Polk | 06/25 | 383 |
| 2265942947379425 | Gregory Wodtke | 04/26 | 214 |
| 2271238081052338 | Gregory Mill | 07/22 | 181 |
| 2720330339947166 | Kevin Crescenzi | 12/23 | 122 |
| 5565248922489530 | Paul Wodtke | 11/25 | 650 |
| 2227689717231008 | Emma Mccaffrey | 09/26 | 172 |
| 5584057255896253 | Samantha Meredith | 08/26 | 465 |
| 2249637635868926 | Rachel Chaudhuri | 11/22 | 462 |
| 5335138198238258 | Shirley Wardley | 07/26 | 114 |
| 2711213290965719 | Jennifer Too | 12/22 | 396 |
| 2225171233517303 | Donna Matloff | 01/22 | 636 |
| 2704979042141960 | Eric Dudash | 07/22 | 124 |
| 2281567416802712 | Thomas Chisom | 03/27 | 442 |
| 2715298133836520 | Joseph Omalley | 02/26 | 342 |
| 2229774570874884 | Christopher Vernon | 08/23 | 364 |
| 5132011626230533 | Brenda Bolyai | 10/23 | 293 |
| 5254775169346961 | Carol Nishimura | 02/24 | 124 |
| 2239158768502317 | Raymond Mcglasson | 02/24 | 462 |
| 2715539223666230 | David Mclachlan | 02/25 | 236 |
| 2228077233864586 | Samuel Smith | 02/24 | 251 |
| 2239827853882764 | Jeffrey Rozinov | 07/26 | 490 |
| 2720530238231550 | Dorothy Hargraves | 03/23 | 396 |
| 5462489681963455 | Gregory Taveras | 05/22 | 517 |
| 2226837921835772 | Catherine Devore | 05/24 | 653 |
| 2599655990735007 | Catherine Zao | 07/26 | 509 |
| 2720001809900742 | Rachel Lewington | 03/26 | 648 |
| 2283886921537391 | Melissa Wodtke | 12/27 | 658 |
| 2225625453453937 | Margaret Ramon | 02/22 | 259 |
| 2635903480582067 | Alexander Isabelle | 02/27 | 374 |
| 2229693689652421 | Debra Kuldell | 10/22 | 128 |
| 2223153498497373 | Dorothy Lewington | 08/26 | 185 |
| 2229037380697642 | Raymond Mccoll | 02/26 | 569 |
| 2244071799184018 | Kevin Mini | 08/23 | 498 |
| 2317130390000148 | Charles Cha | 08/27 | 618 |
| 5545991200906320 | Stephanie De muller | 11/25 | 570 |
| 2227860284527637 | Virginia Chaudhuri | 12/26 | 378 |
| 2237803833450529 | Brenda Bohyer | 02/22 | 612 |
| 2628928886306463 | Dennis Mill | 10/26 | 237 |
| 5104899616200787 | Janet Salmon | 08/27 | 404 |
| 2222945785886767 | Donald Kemp | 06/26 | 571 |
| 2277992344255666 | Christopher Mecatti | 07/27 | 406 |
| 2226825912170390 | Samuel Smith | 06/26 | 461 |
| 2720710501823529 | Michelle Radley | 12/23 | 549 |
| 5551260510583331 | Ryan Finley | 09/25 | 643 |
| 2277040190460160 | Samantha Rosovsky | 06/27 | 530 |
| 2268199227610840 | Barbara Leibniz | 09/25 | 119 |
| 2720704107708457 | Brian Zao | 10/26 | 273 |
| 2709158797568660 | Anthony Hinde | 03/23 | 411 |
| 2226022309526885 | Richard Ehrlich | 07/26 | 292 |
| 2647417016699705 | Daniel Hay | 08/23 | 491 |
| 5223621815621910 | Brenda Twiraga | 02/23 | 258 |
| 2226776267136660 | Carolyn Mcglasson | 06/23 | 370 |
| 2658848857334711 | Jack Gould | 12/24 | 541 |
| 2222588154802369 | Christine Wanzer | 08/23 | 166 |
| 5155457145489179 | Brenda Mclachlan | 04/22 | 277 |
| 2351106080791300 | Carol Taveras | 03/24 | 323 |
| 2267529301143113 | Edward Kuldell | 12/22 | 423 |
| 2237717728524612 | Dorothy Rosovsky | 04/27 | 175 |
| 2276775983262627 | Timothy Kierkegaard | 05/23 | 452 |
| 2717978169357768 | Jeffrey Leibniz | 03/23 | 298 |
| 2236145384778275 | Debra Hargraves | 04/25 | 510 |
| 2221805333358654 | Betty Bolyai | 07/25 | 222 |
| 2712160871126535 | Dorothy Marlowe | 02/25 | 201 |
| 2617866400485442 | Alexander Eichler | 10/27 | 252 |
| 2227881385434382 | Shirley Coontz | 10/27 | 491 |
| 2243095522025298 | Gregory Eichler | 02/23 | 600 |
| 5162815113256345 | Carolyn Lewington | 03/22 | 583 |
| 5393319628442582 | Jonathan De muller | 10/24 | 205 |