Gift Cards May Not Be Your Safest Choice This Christmas

Last updated September 28, 2021
Written by: Bill Toulas, Infosec Writer

Thinking of gift cards for Christmas? Hackers are thinking the same, so if you want to enjoy your holiday season, you may want to avoid them altogether. Cybersecurity firm “PerimeterX” is already recording spikes in gift card scams, and it’s only going to get worse in the upcoming weeks.

This year, the e-gift cards sector has exploded, mainly due to the COVID-19 pandemic. People buy everything online, and these gift cards are a great way to pass something useful to a loved one immediately, whereas physical items take time to arrive.

Gift cards are amazing targets for hackers because if they find a way to compromise and steal money from them, the victims are unlikely to notice. They’re simply not as closely monitored as regular credit and debit cards are. Moreover, the card purchaser usually sets up a weak password, so they’re easier to break.

Apart from using the cards directly, the actors can resell them on the dark web, convert them into cash by using platforms like “cardcash.com,” or use the account to buy more e-gift cards. Due to the lax policies that underpin this field, the anonymity of these hackers is never really threatened, and hiding their traces is fairly easy.

Source: PerimeterX blog

“Verified” e-gift cards are sold on the dark web for about 35% of their purchasing value, or even less. The payment methods involve cryptos like Bitcoin and Ethereum, so again, no trace is left behind.

If you’re thinking that you can save money by grabbing one of these “special offers,” remember that there are no guarantees you’re getting what you’re paying for on the dark web, so you’ll most likely get scammed and lose your $35 for nothing.

Source: PerimeterX blog

If you are an e-gift card issuer and you want to ensure that your customers will enjoy the service as it was meant to be enjoyed, there are several things you can do. First, generate random card numbers from a space of combinations large enough that they are hard to guess. Second, monitor application traffic patterns and try to identify and stop potentially malicious activity. Third, do not rely on CAPTCHA, but adopt newer challenge types instead. And finally, implement machine learning systems that can distinguish bots from real persons.
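The first two issuer recommendations, sketched as an added example that is not from the original article or from PerimeterX: card codes drawn from a cryptographic random source, with the odds of guessing one worked out, and a sliding-window check on failed card lookups. The alphabet, code length, thresholds, class and function names, and sample events are all assumptions constructed for illustration.

```python
import math
import secrets
from collections import defaultdict, deque

# Assumed alphabet: 32 symbols with look-alikes (0/O, 1/I) removed.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"

def new_card_code(length=16):
    """Draw every symbol from the OS CSPRNG, never from a counter or clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def guess_success_probability(length, active_cards, guesses):
    """Chance that at least one of `guesses` random codes hits an active card."""
    space = len(ALPHABET) ** length
    return -math.expm1(guesses * math.log1p(-active_cards / space))

class EnumerationDetector:
    """Flags a client with too many failed card lookups in a sliding window."""

    def __init__(self, max_failures=5, window_seconds=60):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # client id -> failure timestamps

    def record(self, client_id, timestamp, card_found):
        """Return True when the client should be throttled or challenged."""
        recent = self.failures[client_id]
        if not card_found:
            recent.append(timestamp)
        while recent and timestamp - recent[0] > self.window:
            recent.popleft()
        return len(recent) > self.max_failures

# Constructed sample traffic: (client, seconds, lookup hit a real card?).
SAMPLE_EVENTS = [("203.0.113.10", 0, False), ("203.0.113.10", 20, True)]
SAMPLE_EVENTS += [("198.51.100.7", t, False) for t in range(10)]

def flagged_clients(events):
    detector = EnumerationDetector()
    return {c for c, ts, found in events if detector.record(c, ts, found)}

if __name__ == "__main__":
    print("sample code:", new_card_code())
    print("6-symbol codes, 1e4 guesses:", guess_success_probability(6, 10**6, 10**4))
    print("16-symbol codes, 1e9 guesses:", guess_success_probability(16, 10**6, 10**9))
    print("flagged:", flagged_clients(SAMPLE_EVENTS))
```

With one million active cards, a 6-symbol code is all but certain to be hit within ten thousand guesses, while a 16-symbol code stays below a one-in-a-billion chance after a billion guesses.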

If you stand on the consumer side, the only thing you can do is trust larger entities that are more likely to invest in proper protection systems that can keep the bots out of their site.


