Gift Card Fraud

It’s becoming an organized crime tactic:

Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the cards back on a rack. When a customer unwittingly selects and loads money onto a tampered card, the criminal is able to access the card online and steal the balance.

[…]

In card draining, the runners assist with removing, tampering and restocking of gift cards, according to court documents and investigators.

A single runner driving from store to store can swipe or return thousands of tampered cards to racks in a short time. “What they do is they just fly into the city and they get a rental car and they just hit every big-box location that they can find along a corridor off an interstate,” said Parks.

Posted on December 31, 2024 at 7:02 AM • 14 Comments

Comments

Fazal Majid December 31, 2024 7:52 AM

The biggest crime in gift cards is the cards themselves. The whole business model is predicated on recipients forgetting them or not using up the whole balance. Always give cash instead.

Paul Sagi December 31, 2024 10:00 AM

Nearly everything else (deodorant, razor blades, toothpaste, etc.) is locked behind clear plexiglass doors, why not the same with gift cards?
Or have the cards kept behind the checkout counter.
Or have the cards tagged (as many items are) to trigger an alarm if removed from the store without payment.
Or make the cards more tamper-resistant.
There are so many cameras inside and outside stores that it might be possible to identify and track the thieves. AI might help to do it in real time (exiting a store without paying would send an alert to stores and police).

Andy December 31, 2024 2:22 PM

Article is from April. And

Police said they found 2,260 Visa, Apple and Mastercard gift cards in his car. Xue entered the U.S. illegally months before his arrest, according to a prosecution motion

and

Criminals use software to automatically check gift card balances so they can be alerted when a customer buys and loads money onto a tampered card.

No wonder the big stores had to settle the lawsuits…

Martin December 31, 2024 7:29 PM

An obvious fix would be for the point of sale software to display a newly generated PIN to the cashier who could then write that in marker pen on the packet or affix it as a sticker to the gift card (over the barcode in the window they uncover). This would replace the PIN on the card and prevent the remote software from checking the balance.

Carsten January 1, 2025 4:36 AM

Good new year Bruce!

I am unsure how this would work in Germany. The card is activated in stores by the cashier scanning it and the customer paying for it. If both conditions are met the point of sales terminal issues activation of the card code under the scratch and rub field.

If the card would be sold again the point of sales terminal would error and the tamper resistant scratch field would be damaged.

So unless you buy a card “too cheap” from an untrusted vendor, then it is nearly impossible to be scammed. I do believe it is people that may fall for the classic “too good to be true” kind of deal. Unless I missed something.

Cheers!

Carsten January 1, 2025 4:43 AM

Addendum
My bad, I just realized they wait for the card to be legitimately purchased. I still fail to see how the scratch field can be repaired, which you can already inspect in store and alert the cashier to tampering.

Other than that this raises new questions for me: How many API calls do these cyber criminals want to perform to activate the card faster than me? Unless I will wait weeks to use it as a gift for a special person or friend of mine?

It’s certainly an interesting scheme and devious! Thanks for the article. I just think people should always check in a store if the scratch field looks out of the ordinary.

I will not be so foolish myself and claim that criminals are not capable of peeling off the tamper resistant field altogether and replacing it with a new one bought from a large Asian ACME company that can manufacture these.

Are we going back to holograms?
Proposal:
I suppose a simple 2FA/second factor field on the printed receipt by the cashier which you can cut off and use with the card code.

I may be overthinking things.

foobar January 1, 2025 1:54 PM

@Carsten: People have been arrested for x-raying unsold lottery scratch-off tickets before, and keeping the winning tickets for themselves. It’s not hard for organized criminals to acquire gift-card-codes without scratching off. Difficult for you & me, but not for organized crime.

It’s kind of like how you & I go see a movie in a theater, and it’s like we’re entering a demilitarized zone. Person & possessions subject to search & seizure. Cell phones confiscated for duration of the film. Etc. They’re terrified we’re going to video-record their movie. Whereas organized crime simply bribes or intimidates the projectionist and records the movie with professional equipment. Don’t assume that criminals have the same limitations we do.

@Martin: Gamestop will let you buy Steam gift-card-codes on the receipt. It’s very helpful at Christmas. Especially as Steam gift-cards are almost impossible to scratch off without rendering the underlying code unreadable. Nowadays with theft, getting the code on the receipt is an even better idea.

Walmart claimed to offer the same service for Tracfone codes. Unfortunately, ever since being bought out by Verizon, Tracfone now has so many similar-sounding plans, Walmart staff refuse to sell receipt-codes since they can’t figure out which plan you’re trying to buy.

Nevertheless, this idea of printing the gift-card-codes on the receipt is an idea whose time has come, and people are starting to implement it.

MrDarcy January 3, 2025 12:28 AM

@Carsten: Perhaps it’s as simple as placing a sticker that has the same pattern as the scratch area on top of the scratched PIN. It just has to look good enough at a glance to trick the buyer. The recipient of the gift card probably won’t try to scratch the PIN until he’s using it, which is going to be days or weeks later, and by then it’s too late.

Make My Restaurant January 3, 2025 6:19 AM

The fundamental flaw with gift cards lies in their very existence. Their business model thrives not on the joy they bring, but on the likelihood that recipients will misplace them, forget to use them, or leave a few dollars unspent. This inefficiency benefits corporations far more than it does the people exchanging gifts. If you truly want to give someone a versatile, practical gift, skip the gift card entirely and opt for cash—it’s simple, direct, and ensures the recipient gets full value.

Dalin Owen January 3, 2025 4:03 PM

@Martin

Most gift card activation systems already print an authorization code onto the customer’s receipt.

The online stores should be able to, in theory, ask for that additional set of letters and numbers when redemption occurs.

Clive Robinson January 3, 2025 6:43 PM

@ ALL,

On the flip side of Gift Card Security…

Is when online versions allow your ID documentation (supposedly to prevent money laundering) to get out by not even using passwords,

https://techcrunch.com/2025/01/03/online-gift-card-store-exposed-hundreds-of-thousands-of-peoples-identity-documents/

The “Know Your Customer”(KYC) systems are often badly implemented and thus many people are put at risk.

We know how to build better systems that can provide both the required level of “customer” checking and user anonymity at the “merchant” so any badly secured data by the merchant can not be used against the customer.

Paul Sagi January 4, 2025 8:32 AM

Doesn’t printing gift card codes on the receipt remove the need to open the card to use it?
Is it then possible someone returns the untampered card after using it, requests a refund and the store sells the card again (presuming each sale generates a unique PIN, limited of course by the length of the PIN)?

kurker January 5, 2025 12:22 PM

@Paul Sagi

Stores round here have a prominent sign on the Gift Card stand saying:

No Refunds on Gift Cards.

chris January 18, 2025 12:48 PM

The card issuers should be able to detect the repeated balance checks. And either rig the check to always say zero or just block the checks. In either case it should be reported to the police.
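The issuer-side detection raised in the comments above, as an added example that is not part of the original post or any commenter's text: it flags clients that repeatedly check the balance of several cards that have not yet been activated, which is the polling pattern the quoted article describes. The log format, client identifiers and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client> <card id> <card state at check time>"
SAMPLE_LOG = """\
2025-01-02T10:00:00 client-A card-1001 inactive
2025-01-02T10:00:05 client-A card-1002 inactive
2025-01-02T10:00:10 client-A card-1003 inactive
2025-01-02T10:30:00 client-A card-1001 inactive
2025-01-02T10:30:05 client-A card-1002 inactive
2025-01-02T10:30:10 client-A card-1003 inactive
2025-01-02T11:00:00 client-A card-1001 inactive
2025-01-02T11:00:05 client-A card-1002 active
2025-01-02T11:00:10 client-A card-1003 inactive
2025-01-02T12:15:00 client-B card-2001 active
2025-01-02T18:40:00 client-B card-2001 active
"""

def parse(log):
    """Yield (time, client, card, state) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, client, card, state = line.split()
        yield datetime.fromisoformat(ts), client, card, state

def find_polling(log, min_inactive_checks=2, min_cards=3,
                 window=timedelta(hours=24)):
    """Return {client: [cards]} for clients re-checking many unactivated cards."""
    inactive = defaultdict(lambda: defaultdict(list))  # client -> card -> times
    for ts, client, card, state in parse(log):
        if state == "inactive":  # a buyer has no reason to query an unsold card
            inactive[client][card].append(ts)
    flagged = {}
    for client, cards in inactive.items():
        polled = sorted(
            card for card, times in cards.items()
            if len(times) >= min_inactive_checks
            and max(times) - min(times) <= window
        )
        if len(polled) >= min_cards:  # hypothetical threshold, tune per issuer
            flagged[client] = polled
    return flagged

def cards_to_hold(log, **thresholds):
    """Cards polled while inactive: candidates for a redemption hold or review."""
    hits = find_polling(log, **thresholds)
    return sorted({card for cards in hits.values() for card in cards})
```

A card that appears in `cards_to_hold` was being watched before it was sold, so the issuer can hold or review its first redemption even when the polling client is later blocked.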
