What is Gift Card and Loyalty Program Abuse?

August 29, 2024 | 5 MIN READ

by Jeff Harrell

Gift cards and loyalty programs are used by retailers to increase customer traffic, build brand awareness, and gain new customers. However, they also attract the attention of fraudsters who exploit these systems, causing substantial financial losses and undermining customer trust. This blog explores the nature of gift card and loyalty program abuse and how proper cybersecurity measures – specifically API security and bot management – can mitigate these risks.

What is Gift Card and Loyalty Program Abuse and Fraud?

Gift card and loyalty program (or reward program) abuse and fraud typically involves unauthorized access to card numbers, account takeover, and/or balance theft. Attackers employ various techniques against the relevant applications and their APIs (login, card processing, balance check, etc.) to perform carding attacks (testing stolen card details), account takeover, and balance theft. They use business logic abuse to get applications and APIs to do things they weren’t designed for, or simply brute force attacks that flood web applications and APIs with traffic. These attacks are often multi-faceted, involving several tactics and techniques, which makes identifying and preventing them difficult.

Impacts of Gift Card and Loyalty Program Abuse and Fraud

Gift card and loyalty program abuse and fraud are high priorities because they can directly cost businesses money while at the same time eroding customer confidence. If a customer attempts to make a purchase with a gift card only to find that their gift card, perhaps received as a gift for their birthday or other holiday, is empty, they would be understandably frustrated. The impact of these kinds of fraud can include:

  • Loss of customer confidence due to stolen gift card funds or loyalty points
  • Loss of revenue from goods obtained through fraudulent gift cards or loyalty points
  • Increased infrastructure costs sustained from bot attack traffic volume
  • Increased customer service costs from fielding customer requests about the fraud
  • Increased cybersecurity personnel costs to track, mitigate, and monitor the attacks
  • Potential fines for non-compliance with PCI DSS or other relevant regulations

Preventing Gift Card and Loyalty Program Abuse and Fraud Attacks

As with most types of cyberattacks and online fraud, a multi-faceted strategy is best employed to protect the business and its customers. Using Cequence’s Discover, Comply, and Protect framework provides a holistic protection plan:

Discover

In order to protect your applications and their APIs, you need to uncover what APIs exist and where they are located. Utilizing both an outside-in and inside-out approach, Cequence discovers internal, external, and third-party APIs, ensuring that organizations know where all of their APIs are and that they’re alerted when new APIs are deployed. Cequence provides a free assessment to show the attacker’s view of your network, and you can try it here.

Comply

Once you have a proper catalog of your APIs, you want to ensure that they are documented, tested, and assessed for risk. Cequence inventories all APIs, highlighting those without documentation. Cequence also provides API security testing to identify and remediate vulnerabilities either in the CI/CD pipeline or at runtime.

Protect

There are two critical parts to protecting against these kinds of attacks – detection and prevention. Identifying and monitoring the attacks is difficult due to the highly varied and frequent evolution of the attacker’s tactics. Cequence’s behavioral fingerprinting goes far beyond simple IP addresses as an identifier and includes the tools, infrastructure, and credentials used by the attacker to identify them and monitor them even as they change tactics to avoid detection.

Once the attacks are identified, you need some way to stop them and prevent them in the future. Most solutions require some sort of CAPTCHA or other method to “prove you’re human,” but that method requires changes to application code, doesn’t cover APIs, which can be attacked directly, and perhaps most importantly, causes customer friction. Cequence takes a network-based approach that provides native mitigation without any application changes, and offers mitigation options including logging, rate limiting, deception, and blocking.
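As an added illustration of the detection-then-mitigation approach described above (example code written for this post, not Cequence’s product logic), the following keys balance-check requests on a client fingerprint rather than the source IP, so an enumerator that rotates IPs still collapses into one profile, and maps each profile to allow, rate-limit or block. The fingerprint values, thresholds and request records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Detection thresholds (assumed for this example; tune to real traffic).
WINDOW_SECONDS = 60       # look-back window per client
MAX_DISTINCT_CARDS = 5    # a real shopper rarely checks more than a few cards
MAX_FAILURE_RATIO = 0.8   # enumeration mostly hits non-existent cards

@dataclass
class ClientStats:
    """Balance-check activity aggregated per behavioral fingerprint."""
    cards: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    requests: int = 0
    failures: int = 0   # HTTP 404 "card not found" responses

def aggregate(events, now, window=WINDOW_SECONDS):
    """Group events by fingerprint rather than source IP, so a client that
    rotates IPs still collapses into one profile. Each event is a tuple
    (timestamp, fingerprint, source_ip, card_number, http_status)."""
    stats = defaultdict(ClientStats)
    for ts, fp, ip, card, status in events:
        if now - ts > window:
            continue  # too old for the look-back window
        s = stats[fp]
        s.cards.add(card)
        s.ips.add(ip)
        s.requests += 1
        s.failures += int(status == 404)
    return stats

def decide(s: ClientStats) -> str:
    """Map one client's profile to a mitigation action."""
    ratio = s.failures / s.requests if s.requests else 0.0
    if len(s.cards) > MAX_DISTINCT_CARDS and ratio >= MAX_FAILURE_RATIO:
        return "block"        # many cards, nearly all unknown: enumeration
    if len(s.cards) > MAX_DISTINCT_CARDS:
        return "rate_limit"   # unusual breadth, but not clearly guessing
    return "allow"

def evaluate(events, now):
    # Return {fingerprint: action} for every client seen in the window.
    return {fp: decide(s) for fp, s in aggregate(events, now).items()}

# Constructed sample traffic (not real data): fp-shopper checks two cards it
# owns; fp-enum probes 12 different numbers from 4 rotating IPs, one valid.
SAMPLE = [(100, "fp-shopper", "198.51.100.10", "GC-0001", 200),
          (105, "fp-shopper", "198.51.100.10", "GC-0002", 200),
          (110, "fp-shopper", "198.51.100.10", "GC-0001", 200)]
SAMPLE += [(100 + i, "fp-enum", f"203.0.113.{i % 4}", f"GC-{9000 + i}",
            200 if i == 7 else 404) for i in range(12)]
```

Running `evaluate(SAMPLE, now=120)` allows the shopper and blocks the enumerator even though its requests came from four different addresses.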

Case Study: Large Fashion Retailer Stops Gift Card Fraud

A U.S.-based fashion retailer came to Cequence with a significant bot and gift card fraud problem. Their existing Web Application Firewall (WAF) was not scaling to meet the attack volume. Attackers were using the retailer’s systems to validate stolen credit cards, purchase gift cards, and then purchase products with the fraudulent gift cards, directly costing the company money. They deployed Cequence, which accurately identified malicious traffic, ensured legitimate customer traffic would not be affected by any mitigation efforts, and blocked the fraudulent attacks – all without requiring application modification. Estimated cost savings were upward of $100 per customer account.

For additional perspective, read the “Testing Your Loyalty” article by Cequence’s Andy Mills in Retail Technology Magazine.

Cequence can help your business combat gift card and loyalty program abuse and fraud. Contact us to discuss your situation and how Cequence can help.

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequence and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.