Gift Card Cracking

AKA Gift Card Theft, Gift Card Checking, Gift Card Fraud, Gift Card Bot, Token Cracking, Enumeration Attack


Gift card cracking is often both offline and online fraud

Gift card cracking is a type of brute force attack in which attackers check millions of gift card number variations on a gift card application to identify card numbers that hold value. Once the attacker identifies card numbers with positive balances, he uses or sells the gift card before the legitimate customer has had a chance to use it.

Shape prevents attackers from enumerating valid gift cards

Shape Enterprise Defense protects online gift card applications from automated requests. No real customers use automation on the application and, without bots, gift card cracking becomes an unattractive option for financially-motivated attackers.

Luxury Brand Combats Gift Card Fraud:

  1. Both “balance lookup” on the homepage and “apply balance” during the checkout flow were under attack
  2. Attackers were using the gift card balance lookup application 100x as often as real customers
  3. Attackers stopped targeting the company after the retailer introduced Shape Enterprise Defense

98.5%
Of all traffic on
the luxury retailer’s gift card balance web application was automated.

The 3 Steps to Gift Card Cracking

1. Narrow Down Possibilities

The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. This is not a required step, but it increases the attacker’s efficiency; for example, it may be that only the middle eight digits of a 16-digit serial number need to be cracked, as opposed to all 16.

Sometimes a web or mobile application will inadvertently help the attacker narrow the field of possibilities by providing feedback when an invalid number is entered, e.g., “all egift card numbers start with the digit 2.”

2. Launch Attack

The attacker writes a script to test all possible gift card number variations based on the sample acquired in Step 1, until a sufficient number of matches are found. Attackers may incorporate tools like Burp Suite into their tactics.

Shape has observed an increase in gift card cracking during the holiday season, as that’s when the majority of gift cards are purchased and activated.

3. Cash Out

Attackers will either use the cards themselves to purchase goods for resale or sell them online via a marketplace like Raise.com.

 

The Advantage of Monetizing Offline

Hear how and why attackers cash out a cracked egift card in brick-and-mortar locations.

Watch the Video

Latest Research

New
Attack
Trends
in Retail

Webinar

See data from gift card cracking attacks across the Shape network and learn about monetization schemes.

CAPTCHA
Tough on Humans
Easy on Bots

Blog

Learn how attackers defeat Google’s Invisible CAPTCHA via an API.

eBook

OWASP outlines how to identify if your organization is suffering from token cracking attacks and how to prevent them.

Crack Down on Gift Card Cracking

Fill out the form to start trying Shape.

 

May 9th: Join a live webinar to learn how Starbucks partners with Shape Sign Up

NEW: 2018 Credential Spill Report Download