19
Dec 17

Buyers Beware of Tampered Gift Cards

Prepaid gift cards make popular presents and no-brainer stocking stuffers, but before you purchase one be on the lookout for signs that someone may have tampered with it. A perennial scam that picks up around the holidays involves thieves who pull back and then replace the decals that obscure the card’s redemption code, allowing them to redeem or transfer the card’s balance online after the card is purchased by an unwitting customer.

Last week KrebsOnSecurity heard from Colorado reader Flint Gatrell, who reached out after finding that a bunch of Sam’s Club gift cards he pulled off the display rack at Wal-Mart showed signs of compromise. The redemption code was obscured by a watermarked sticker that is supposed to make it obvious if it has been tampered with, and many of the cards he looked at clearly had stickers that had been peeled back and then replaced.

“I just identified five fraudulent gift cards on display at my local Wal-Mart,” Gatrell said. “They each had their stickers covering their codes peeled back and replaced. I can only guess that the thieves call the service number to monitor the balances, and try to consume them before the victims can.  I’m just glad I thought to check!”

In the picture below, Gatrell is holding up three of the Sam’s Club cards. The top two showed signs of tampering, but the one on the bottom appeared to be intact.

The top two gift cards show signs that someone previously peeled back the protective sticker covering the redemption code. Image: Flint Gatrell.

Kevin Morrison, a senior analyst on the retail banking and payments team at market analysis firm Aite Group, said the gift card scheme is not new but that it does tend to increase in frequency around the holidays, when demand for the cards is far higher.

“Store employees are instructed to look for abnormalities at the [register] but this happens [more] around the holiday season as attention spans tend to shorten,” he said. “While gift card packaging has improved and some safe-guards put in place, fraudsters look for the weakest link and hit hard when they find one.”

Gift cards make great last-minute gifts, but don’t let your guard down in your haste to wrap up your holiday shopping. There are so many variations on the above-described scheme that many stores have taken to keeping gift cards at or behind the register, where cashiers can more easily spot customers trying to tamper with the cards. As a result, stores that take this basic precaution may be the safest place to purchase gift cards.

Update, Dec. 20, 7:30 a.m. ET: Mr. Gatrell just shared a link to this story, which incredibly is about another man who was found to have bought tampered gift cards in the very same Wal-Mart where Gatrell found the above-pictured cards.

That story includes some other security tips when buying and/or giving gift cards:

When purchasing a gift card, pull from the middle of the pack because those are less likely to be tampered with. Also, get a receipt when buying the card so you have proof of the purchase. Include that receipt if you give the card as a gift. Finally, activate the card quickly and use it quickly and keep a close eye on the balance.

Tags: , , , , ,

36 comments

  1. Never mind the millions of dollars on gift cards that go unspent, and are service charged back to the seller.

    Just give cash.

  2. Why is it covered with a sticker that can be replaced? Why not a scratch-off material list instant lottery tickets? Or have they found a way to lift that and replace it?

    • The Peet’s coffee cards are scratchers. In addition, you can use their app to pay with a QR code. When you use the app, the redemption code is immediately verified. You can also see the remaining value on the card. Basically it makes the cards look like less of a black box.

      Needless to say, I am leery regarding cards and apps. (I wouldn’t be on the Krebs mailing list if I wasn’t a little paranoid.) The only thing that makes me accept this scheme is I get the cards at Costco. That provides a 20% to 25% discount, but more importantly Costco really stands behind what they sell. While I don’t like being tracked, Costco tracking has aided me with a warranty issue once.

      • Just an aside: by definition, paranoia involves *irrational* distrust of others.

        On the other hand, paying attention to the issues Brian brings to the table is a fine example of rational behavior.

    • Hey Bill – I got 10,000 scratch-off stickers in the appropriate size about a decade ago for $80 – you wouldn’t know if you saw them.

  3. Many open loop gift cards require online or phone activation before being used for ecommerce transactions, at which point the recipient provides their zip code. The criminal can only commit card-not-present fraud with this scheme (physical POS would require the mag stripe be counterfeited). Since they do not know the zip code that the user assigned, their attempts online would fail AVS (address verification service). Secure online merchants should use AVS, among other things.

    • But wait… in the story example, the criminal already knows the card number, the redemption code, and where the card was purchased, everything you needed to “online activate” the card as you suggest. Since the criminal is probably periodically checking to see if it is a valid card yet, when the card is valid the criminal just “online activates” the card with whatever AVS they want. It doesn’t matter what the card recipient’s AVS is, that information is not registered at the time of purchase (and probably can’t as it is a card purchase to give to a third party of unknown location). The criminal has already substituted their own AVS for the ecommerce purchases.

      • The card is activated at the cash register, where the OP says that the zip code is entered.

        I have never provided a zip code for a gift card nor have I had to register it online. All the criminal needs to do is monitor the card until it’s activated and then begin using it.

    • Having experience with a local gas station, easily 90% of credit cards are from local residents, almost all with the same zip/geographic code.

      I’d imagine that locals buying gift cards at the local Walmart or other retailer will use the same zip/geographic code when they set up whatever online scheme you describe.

      Locals buy things locally using local codes. Yeah, it really is that simple.

  4. This happened to me got a Walmart gift card at a charity auction. Was used when I tried to use it

    • Another possibility:
      The donor of the gift card had used up the funds in it, then donated it to the charity and took an income tax deduction for that amount.

  5. Very relevant article.

    Can i post your picture of the tampered gift cards on another website with a link to your article? They have a discussion going on the problem of gift cards that have been compromised.

  6. The problem is most people giving won’t open it.
    And most people receiving doesn’t know how it is supposed to look like in the first place.
    Most would feel uncomfortable to tell the gifter that the card is not working.

    Just give cash, less waste that way as well and gift cards make people overspend as they’ll tend to buy something more expensive so as to fully utilize the card.

  7. Alfonso C. Betancort

    The technology most widely used in prepaid cards (gift or not) used in the US is simply from the Stone Age.

    On the other hand, in Europe, what the purchaser receives is the equivalent of a chipped (secured) debit card, where its purchase, activation, transfer of funds, and assignation of PIN (signature number) will happen as a single concurrent transaction at the POS.

    The PIN can be changed at anytime by whom ever holds the card as long as he knows the active PIN number.

    It behaves like a debit card that has associated an account with fix amount where no new deposits can be made only withdrawals, usually thru purchases in the commerce who brands the card. As every debit card you can chose not support contactless transactions (unsigned) no matter the amount. Which is what most people actually do even with credit cards, they prefer to type the pin even for transactions below € 20, than risking fraudulent use in case of lost or otherwise.

    If you lose or deteriorate the card a new one will be reissued to the original purchaser or named beneficiary for a nominal fee.

    You only have to provide the Card Number and proof of ID of the original purchaser or of the named beneficiary.

    If you don’t remember the Card Number they will get it from the original ticket or they will trace back their e-copy of ticket from just the client’s credit card log of the original purchase.

    Upon reissuing the new plastic, the old one will be void. But the PIN will continue to be the same that was on the lost card until it’s changed by the customer.

    The US in payments security seems to be years away from Europe where it’s almost impossible to still find Cards that don’t require digital signature (PIN) for everything.

  8. beware of anything,watch out your credit cards,watch ,the ransom,watch out skimmer,watch out the,banking trojans,bewared,be careful !! lol:D so many dangerous things are out there all there to make you live in fair 24/7 days.
    seek protection asap !! lol

  9. “…(I wouldn’t be on the Krebs mailing list if I wasn’t a little paranoid)..” – made my day 🙂

  10. This happened to me with a pre-paid credit card (mastercard). I’m located in Canada, bought the card at a Metro grocery store. When I went to use the card it was maxed out. Called the number on the card and was told it had been used an hour after I purchased it.

  11. temp holiday workers at Walmart, Best Buy, etc… this is probably an inside job. I worked at best buy a decade ago and it was common for empoyees to rip off the customers.

    The main thing they would do is the promo’s if you back a $2200 TV you got a $200 gift card. If the customer wasnt aware the employee would pocket the gift card after directing the customer to a checkout line that the cashier was in on the scheme…. holiday temp workers are the worst.

  12. Oh how I hate Walmart !

    This article is even more proof that the big box store can care less about the people who shop there on a daily basis.

  13. Walmart Investigators claim they have software with the ability to monitor balance checks on non-activated gift cards. Supposedly, if a balance inquiry occurs and the card is not activated then it will flag the gift card number, and then make it where it cannot be activated. FWIW

  14. A year ago I won a $250 AMEX gift card. Didnt check the balance until I activated it but guess what? Thieves at the Best Buy store got to the GC number before me and already drain the funds

  15. i have just one question? why USA goverment dont stop FRAUD?
    as we see UK stopped,uk Soca was very succsful to fighitng against cyber crooks and fraudsters. and Europe there is no fraud too.
    So why USA dont just stop it like other countries do it and they do it very well ? anyone have answer ?

    • >i have just one question? why USA goverment dont stop FRAUD?

      Fraud against companies => high priority for law enforcement. Fraud against consumers: not important.

  16. “that cited the man’s youth at the time of the attacks and a diagnosis of autism.”

    Jared is taking notes. That’s the ticket!

  17. Bah, these days store gift cards are just used to anonymously buy crypto-currency and VPN/NNTP accounts.

  18. Why not just steal the card?

    • Because, until someone “buys” it at the register (with cash or debit or credit), there is absolutely no value associated with the card.

      Stealing it before it’s purchased is like stealing a piece of worthless plastic.

  19. I rec’d a Macy’s gift card for my BD 4 yrs ago. It was purchased at CVS. By the time I went to use it, it had already been used at Macy’s in CA. I’m in IL. CVS had no interest in the theft. Macy’s made good on it but I had to jump thru hoops with their security investigations. Having the receipt helped.

    Since then, I buy gift cards only at the store for that store and I pull the card from the middle of the rack. I always include the receipt. I once bought an Amazon gift card at the post office because I thought the rack was in a safe location.

  20. In reply to the Walmart system supposedly being able to deactivate a card based on balance inquiry, that did not seem to be the case for the $1,200 worth of cards that my wife and I purchased as gifts for family. These cards were cards purchased from a local store, four in total two for $500 and two for $100 mailed to their intended recipients and upon attempted use they discovered that the cards had a zero balance. Once I received the physical cards back (returned by mail), I took them to the local store where they were swiped, and each showed activity for a store number 9115 (varying dates with each card, some were used the day of activation), each card had been drained even though the last four digits and pin number were still covered by the scratch off material. Walmart has been very evasive with their response, sending us in a perpetual circle of calling this number, multiple visits back to the store of purchase, and then back around again. I filed a fraudulent claim with my bank as a debit card was used for the purchases, and then visited the CPFB to file a claim with them as well, since I was getting nowhere with Walmart. A valuable lesson learned, no more gift cards for our future gift giving from here forward.

    • Any luck getting your money back? I’m in an almost identical situation visited the store who told me to call the number on back of card which is useless and now back to store to talk to store manager I suppose.

    • Same thing occured to me..bought walmart gift card for my daughter..when she went to use it she couldnt because it said zero balance..i had receipt showing activation..walmart not doing anything about it..states its an online fraud thing…horrible no solution..

  21. I did a presentation at BSidesLV on gift card hacking. This looks like one of the methods I went over.
    https://www.peerlyst.com/posts/bsideslv-2017-cash-in-the-aisles-how-gift-cards-are-easily-exploited-will-caput