That gift card may not be so giving

Don’t let it steal your PII

By Robert E. Holtfreter, Ph.D., CFE, CICA
Taking Back the ID: Identity theft prevention analysis

Duke Winston was relieved to get past the holidays and use the gift cards he received as Christmas gifts. He’d been promoted and wanted to upgrade his wardrobe. Winston decided he wanted to buy a new suit and blazer for about $450 with a $500 gift card. The cashier scanned the card and told him he only had $100 left. Winston said the gift card had a $500 value and this was the first time that he had used it. He paid the balance due with a credit card and went home to call the gift card company. A customer service operator told him that other recent charges on the card totaled $400. Duke said he hadn’t made any purchases with the card except for the suit and blazer. He then realized he was a victim of gift card fraud.


Although this case is fictional, it’s representative of fraud that thrives on these ubiquitous cards, which are often the perfect gift for giver and recipient. According to a recent industry survey, gift card sales were projected to reach $29.8 billion in 2013, which provides plenty of opportunities for fraudsters to drain cards before they can be used. 

The key to pulling off an identity-robbing gift card scam is the unique barcode and/or magnetic strip on the back of each card, which tracks transactions and outstanding balances.

Because barcode information is stored at the point of sale, consumers won’t lose remaining balances if cards are lost or stolen. (However, they’ll have to remember the cards’ barcode serial numbers, which most won’t do, to retrieve any monetary value.) 

The barcode numbers, similar to credit card or checking account numbers, represent consumers’ personally identifiable information (PII). The Duracard website explains how this unique gift card barcode works:

Each gift card is printed with a unique serial number barcode with or without human readable characters. When a customer purchases a gift card, the barcode (on the packaging) is scanned or its human readable characters are keyed into a point of sale (POS) system. The point of sale system recognizes the gift card’s unique serial number and prompts the cashier for a value to be assigned to it. For this example, the customer wishes to put $50.00 on the gift card. The cashier takes the customer’s $50.00 and keys in this amount. The point of sale system then assigns this value to the gift card’s serial number. The value of the gift card is not stored on the card but within the point of sale system.

When the customer returns with the card, the barcode is scanned or the human readable characters are entered. The point-of-sale system then displays the stored value assigned to its serial number. The customer may add additional funds to the card or use its value to make a purchase. The history of the transaction and remaining balance amount is stored within the point-of-sale system for reference and future transactions.

The following two “Card Not Present” scams were reported in the article, “Gift Card Fraud,” on the Fraud Guides website. 

In the first scam, a fraudster — often a store clerk — grabs a few unsold gift cards off a rack, writes down the unique numbers on each of the cards (or records them with a strip reader) and then puts them back. 

Shoppers purchase those compromised gift cards and store clerks activate them by scanning the barcodes and charging them with monetary amounts. The fraudster visits the cards’ websites, enters the numbers he copied off the cards and makes online fraudulent purchases using the PII (barcode information) on cards that have remaining balances. The gift cards’ owners don’t realize they’ve been scammed until they try to use them. 

In the second scam, the fraudster grabs a gift card off the rack, slits open the packaging or peels it off the cardboard holder, steals the unsold card and replaces it with a used gift card whose funds have been drained. The new stolen card is activated when a customer purchases the “new” gift card and the clerk scans the bar code on the packaging and loads it with a monetary amount. The consumer is left with a worthless card while the fraudster uses the balance on the new stolen card to make fraudulent purchases. 
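The sketch below is an added example, not code from the article, Duracard or any real POS product. It models the issuer-side ledger described above, where value and history are keyed by serial number, and flags the pattern from the opening case for manual review: an in-store redemption is declined after all earlier successful spending was card-not-present. The class, channel names, serials and the review rule itself are assumptions made for illustration.

```python
from decimal import Decimal
class GiftCardLedger:
    """Issuer-side store: balance and history are keyed by serial number."""
    def __init__(self):
        self.balance = {}   # serial -> Decimal
        self.history = {}   # serial -> [(event, channel, amount), ...]

    def load(self, serial, amount):
        amount = Decimal(amount)
        self.balance[serial] = self.balance.get(serial, Decimal("0")) + amount
        self.history.setdefault(serial, []).append(("load", "in_store", amount))

    def redeem(self, serial, amount, channel):
        """channel: 'in_store' (card scanned) or 'online' (number typed in)."""
        amount = Decimal(amount)
        ok = amount <= self.balance[serial]
        if ok:
            self.balance[serial] -= amount
        self.history[serial].append(("redeem" if ok else "declined", channel, amount))
        return ok

    def review_queue(self):
        """Serials with a declined in-store redemption where all earlier
        successful spending was online. A heuristic for review, not proof."""
        flagged = []
        for serial, events in self.history.items():
            online = in_store = False
            for event, channel, _ in events:
                if event == "redeem":
                    online = online or channel == "online"
                    in_store = in_store or channel == "in_store"
                elif event == "declined" and channel == "in_store":
                    if online and not in_store:
                        flagged.append(serial)
                    break
        return flagged

def demo():
    """Constructed sample data; the serials are made up."""
    ledger = GiftCardLedger()
    ledger.load("GC-0001", "500.00")
    ledger.load("GC-0002", "50.00")
    for serial, amount, channel in [
        ("GC-0001", "250.00", "online"), ("GC-0001", "150.00", "online"),
        ("GC-0001", "450.00", "in_store"),   # declined: only 100.00 left
        ("GC-0002", "20.00", "in_store"), ("GC-0002", "40.00", "in_store"),
    ]:
        ledger.redeem(serial, amount, channel)
    return ledger
```

Because the ledger accepts any redemption that presents a valid serial, the online channel cannot tell the cardholder from someone who copied the number off the rack; the review rule only surfaces the mismatch once the holder tries to use the card.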

