Gift card cracking is a type of brute force attack in which attackers check millions of gift card number variations on a gift card application to identify card numbers that hold value. Once the attacker identifies card numbers with positive balances, he uses or sells the gift card before the legitimate customer has had a chance to use it.
F5 Distributed Cloud Bot Defense protects online gift card applications from automated requests. No real customers use automation on the application and, without bots, gift card cracking becomes an unattractive option for financially-motivated attackers.
Case Study: Automated Gift Card Fraud
OF ALL TRAFFIC ON THE LUXURY RETAILER’S GIFT CARD BALANCE WEB APPLICATION WAS AUTOMATED.
The attacker may grab a few unloaded physical gift cards from a physical store to see if the gift card issuer relied on sequential numbering patterns. This is not a required step, but it increases the attacker’s efficiency; for example, it may be that only the middle 8 digits of a 16-digit serial number need to be cracked, as opposed to all 16.
Sometimes a web or mobile application will inadvertently help the attacker narrow the field of possibilities by providing feedback when an invalid number is entered, for example, “all egift card numbers start with the digit 2.”
The attacker writes a script to test all possible gift card number variations based on the sample acquired in Step 1, until a sufficient number of matches are found. Attackers may incorporate tools like Burp Suite into their tactics.
F5 has observed an increase in gift card cracking during the holiday season, as that’s when the majority of gift cards are purchased and activated.
Attackers will either use the cards themselves to purchase goods for resale or sell them online via a marketplace like Raise.com.