SHAPE is now part of F5,  Learn More
See why we are better together
Virtual Summit 2020 | App Security and Fraud Summit  Learn More
Watch On-demandSee why we are better together

GIFT CARD CRACKING

AKA Gift Card Theft, Gift Card Checking, Gift Card Fraud, Gift Card Bot, Token Cracking, Enumeration Attack

Gift card cracking is often both offline and online fraud

Gift card cracking is a type of brute force attack in which attackers check millions of gift card number variations on a gift card application to identify card numbers that hold value. Once the attacker identifies card numbers with positive balances, he uses or sells the gift card before the legitimate customer has had a chance to use it.

Shape prevents attackers from enumerating valid gift cards

Shape Enterprise Defense protects online gift card applications from automated requests. No real customers use automation on the application and, without bots, gift card cracking becomes an unattractive option for financially-motivated attackers.

Luxury Brand Combats Gift Card Fraud:

  • Both “balance lookup” on the homepage and “apply balance” during the checkout flow were under attack
  • Attackers were using the gift card balance lookup application 100x as often as real customers
  • Attackers stopped targeting the company after the retailer introduced Shape Enterprise Defense
98.5%
OF ALL TRAFFIC ON
THE LUXURY RETAILER’S GIFT CARD BALANCE WEB APPLICATION WAS AUTOMATED.

The 3 Steps to Gift Card Cracking

1. Narrow Down Possibilities

The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. This is not a required step, but it increases the attacker’s efficiency; for example, it may be that only the middle eight digits of a 16-digit serial number need to be cracked, as opposed to all 16.

Sometimes a web or mobile application will inadvertently help the attacker narrow the field of possibilities by providing feedback when an invalid number is entered, e.g., “all egift card numbers start with the digit 2.”
2. Launch Attack

The attacker writes a script to test all possible gift card number variations based on the sample acquired in Step 1, until a sufficient number of matches are found. Attackers may incorporate tools like Burp Suite into their tactics.

Shape has observed an increase in gift card cracking during the holiday season, as that’s when the majority of gift cards are purchased and activated.
3. Cash Out

Attackers will either use the cards themselves to purchase goods for resale or sell them online via a marketplace like Raise.com.

The Advantage of Monetizing Offline
Hear how and why attackers cash out a cracked egift card in brick-and-mortar locations.
Watch the Video

Latest Research

New Attack Trends in Retail
Webinar
See data from gift card cracking attacks across the Shape network and learn about monetization schemes.
Watch Webinar
CAPTCHA
Tough on Humans
Easy on Bots
Blog
Learn how attackers defeat Google’s Invisible CAPTCHA via an API.
View Blog
eBook
The Open Web Application Security Project (OWASP) Threat Handbook addresses the Top 20 most critical automated threats to web applications, including fake account creation (OAT-019).
Read eBook

Crack Down on Gift Card Cracking

Fill out the form to start trying Shape.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Policy.