EDITOR’S NOTE: I’m on an annual blogging vacation for the last two weeks of the year. To make sure you still have content, some of the smartest members of the community have stepped up with guest posts in my absence. Special thanks to today’s author, my good friend Nathan, for writing this post while I’m on vacation. I’ll see you on January 1!
Spend any decent amount of time purchasing physical VISA/MasterCard prepaid or third-party gift cards and you’re bound to come across at least one that has been compromised. Purchasing a tampered gift card (GC) and dealing with the fallout is a seeming rite of passage into the physical world of manufactured spend.
The same traits that make GCs useful to manufactured spenders, namely that they are available in high denominations and easy to liquidate, make them particularly attractive to scammers. They also provide the added benefit of anonymity, because all that is needed for redemption is the card details themselves.
The process of compromising a GC will generally involve the scammer obtaining unactivated cards, bringing the cards to a location where they can record and/or remove essential card details, then placing the cards back on the shelves at retailers. A fraudster’s window of opportunity opens the moment the GCs are loaded and closes once you or the recipient is able to use the funds or report the card as compromised to the card issuer.
Depending on the extent of the tampering, it may be physically impossible for you to redeem / use the card because the magnetic stripe itself was tampered with or the pertinent information was defaced. Other times, the scammers only record the information; you still have the ability to access the funds, but they are hoping to drain them before you do.
Retailers and card issuers usually add hurdles to replace compromised cards and recover stolen funds. The best thing you can do is catch anomalies in the pre-activation phase, as sorting it out after can be a huge headache.
Common Card Features / Attack Vectors
- Activation Barcode
- Card Number / Redemption Code
- PIN (for some brands, synonymous with the redemption code)
Pre-Activation Inspection
Familiarize yourself carefully with the GC you are purchasing, its packaging, and card features. Try to find a safe source for cards (i.e. freshly stocked cards or shrink-wrapped bundles behind the gift card case).
If possible, open and inspect the packaging and/or card before activating. In general:
- Inspect the area over and surrounding the activation barcode carefully. Make sure the activation barcode is the original, nothing foreign is covering it, and if it was covered with a reveal tab or security sticker, it was not previously uncovered and re-applied.
- Check the card number and PIN to make sure they were not tampered with. Tampering includes details being scratched off altogether or security stickers removed and re-applied.
- Warped packaging could suggest that the package was opened and resealed.
- Most manufacturers use a type of one-time-use glue. Glue that is too sticky or too hard is usually a giveaway that the package has been tampered with.
- If the activation barcode is separate from the card number itself (common with popular brands such as Apple and Best Buy), there will often be an identification number on both pieces. Make sure these numbers match, which indicates the card wasn’t swapped.
- Apple uses the prefixes GCA or PBH. Best Buy uses a window number (https://imgur.com/qoSVcoV).
- Check sequence numbers of the card batch.
- If the brand utilizes sequence numbers, a card out of sequence could indicate that cards were planted.
- When scaling, examining each card carefully can slow you down. If you determine one card from a batch is fine, the rest of the cards from that batch are more likely to be safe.
- Generally the register will show the last 4 of the serial number of the GC that will be activated. Make sure this matches with the serial number printed on the packaging as they are scanned in.
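When scaling, the three comparisons in the list above (matching identification numbers on both pieces, sequence order within a batch, and the register's last 4 against the printed serial) can be run over notes taken for each card. The following is an added example, not part of the original post; the field names, the sample values, and the assumption that sequence numbers within a batch increase by 1 are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Card:
    package_id: str      # ID printed on the barcode/packaging piece
    card_id: str         # ID printed on the card piece
    serial: str          # serial number printed on the packaging
    sequence: int        # batch sequence number, if the brand prints one
    register_last4: str  # last 4 digits the register showed at scan time

def out_of_sequence(seqs, max_gap=1):
    """Sequence numbers outside the largest contiguous run (assumed step of 1)."""
    ordered = sorted(seqs)
    runs, run = [], ordered[:1]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur - prev <= max_gap:
            run.append(cur)
        else:
            runs.append(run)
            run = [cur]
    runs.append(run)
    main = max(runs, key=len)
    return [s for r in runs if r is not main for s in r]

def audit_batch(cards):
    """Map serial -> list of failed checks; cards that pass are omitted."""
    findings = {}
    strays = set(out_of_sequence([c.sequence for c in cards]))
    for c in cards:
        reasons = []
        if c.package_id != c.card_id:
            reasons.append("id_mismatch")          # pieces may have been swapped
        if c.serial[-4:] != c.register_last4:
            reasons.append("register_mismatch")    # register activated another card
        if c.sequence in strays:
            reasons.append("out_of_sequence")      # card may have been planted
        if reasons:
            findings[c.serial] = reasons
    return findings

# Constructed sample batch; every value below is made up for illustration.
BATCH = [
    Card("A0001", "A0001", "6000111122223301", 1041, "3301"),
    Card("A0002", "A0002", "6000111122223302", 1042, "3302"),
    Card("A0003", "A0917", "6000111122223303", 1043, "3303"),
    Card("A0004", "A0004", "6000111122223304", 1044, "8125"),
    Card("A0005", "A0005", "6000111122229950", 2210, "9950"),
]
```

Calling `audit_batch(BATCH)` returns only the cards that failed a check, so a clean batch yields an empty result; raise `max_gap` if cards from the same batch have already been sold from the peg.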
Activation Issues
If you discover you have a compromised GC after purchasing, act immediately. If you have access to the card details and/or the mag stripe hasn’t been tampered with, make it a priority to spend or use the funds as soon as you can. If you don’t have a quick liquidation plan in mind, contact the card issuer or the retailer as soon as possible. Usually the retailer will defer to the card issuer, but depending on the retailer and manager, they may be able to help you replace the card.
If a GC was purchased with a swapped barcode, you can use a barcode scanner (in a pinch there’s a free online version at https://online-barcode-reader.inliteresearch.com) to help determine which card the funds were routed to.
If you had activation issues and multiple cards were involved, make sure you leave the store with the correct cards as they can easily be confused.
– Nathan
Not all scam gift cards are easy to spot, watch out for this one before it bites you in the, err, foot.