Prevent Gift Card Cracking: Brute Force Enumeration


Thank you! 

A Distributed Cloud Bot Defense expert will contact you as soon as possible.

Gift card cracking is often both offline and online fraud

Gift card cracking is a type of brute force attack in which attackers check millions of gift card number variations on a gift card application to identify card numbers that hold value. Once the attacker identifies card numbers with positive balances, he uses or sells the gift card before the legitimate customer has had a chance to use it.

F5 prevents attackers from enumerating valid gift cards

F5 Distributed Cloud Bot Defense protects online gift card applications from automated requests. No real customers use automation on the application and, without bots, gift card cracking becomes an unattractive option for financially-motivated attackers.

Luxury Brand Combats Gift Card Fraud:

  • Both “balance lookup” on the homepage and “apply balance” during the checkout flow were under attack
  • Attackers were using the gift card balance lookup application 100x as often as real customers
  • Attackers stopped targeting the company after the retailer introduced Distributed Cloud Bot Defense



The 3 Steps to Gift Card Cracking

1. Narrow Down Possibilities

The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. This is not a required step, but it increases the attacker’s efficiency; for example, it may be that only the middle 8 digits of a 16-digit serial number need to be cracked, as opposed to all 16.

Sometimes a web or mobile application will inadvertently help the attacker narrow the field of possibilities by providing feedback when an invalid number is entered, for example, “all egift card numbers start with the digit 2.”

2. Launch Attack

The attacker writes a script to test all possible gift card number variations based on the sample acquired in Step 1, until a sufficient number of matches are found. Attackers may incorporate tools like Burp Suite into their tactics.

F5 has observed an increase in gift card cracking during the holiday season, as that’s when the majority of gift cards are purchased and activated.

3. Cash Out

Attackers will either use the cards themselves to purchase goods for resale or sell them online via a marketplace like