A Fraud Story

A Featured Article from a Community Banker

Written by Mike Wade

Director of IT/ISO, CISSP

First Federal Savings of Lorain

We live in a world that is becoming more digital each day, which leaves us open to risk. Financial instruments are a frequent target, and fraud against them is something we as security professionals can stop from occurring. A recent issue that I experienced involved a gift card that was purchased, approved, and activated at the cash register when it was obtained. While at a security convention, I received a cash gift card as the door prize. I got home and opened the gift card, excited to go buy something on Amazon.

I registered the card and ordered my gift (the kids insisted I buy something for myself, so I bought myself an NCC-1701 Enterprise), and the gift card was declined. I had kind of noticed when I opened the card that the little safety seal didn’t seem to be particularly sticky, and it just felt weird as I opened it. I started looking at it and the first thing I thought was, “Well, wow! This kind of stinks. I’m at a security conference and we’re talking about security and everything, then I get a card that’s already spent.” So, I called the gift card company and asked them about the gift card. I gave them the information and they looked up the card and it said there was a $100 transaction on it yesterday. The day before I got it!

They said, “Yes, it was spent at Target in Long Beach, CA.”

I said, “Well, I’m in Columbus, OH and I wasn’t in Long Beach yesterday, nor did I have the card in my possession.”

So, I submitted all the paperwork, and they sent me a new card.


Being a security professional, this really started me thinking. Why don’t we make more of an effort to secure gift cards? As I was looking at the gift card that I had received, I saw that it had the purchase amount approved and activated, which means the moment it was purchased it was activated. That means I could literally take it out of the package, scan it, and buy something else.

From a security standpoint, why don’t we add a step to authenticate the potential user and the card and merge the identity? All you would need is some type of web portal where you enter the number, or at least a portion of the number. Actually, you already enter the account number and expiration date to check the balance, so why not just add an email address or cellphone number to receive a link to activate the card? Then you have married the identity of the card to the potential user, and you have eliminated a great amount of fraud because you don’t have an automatically activated financial instrument. In the fraud that happened to me, the data on the gift card I received as a door prize was stolen before I ever received the card, before the card was ever purchased. The data was lifted by the perpetrator and stored, and they just waited until the card was activated. If you put in a process to validate the potential user, you serve yourself in several ways. Not only are you reducing fraud, but anyone who is lifting the numbers must use some type of e-mail address, so it generates a breadcrumb for investigation.
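The activation step proposed above, sketched as an added example (it is not from the original article or from any card issuer's system). The class and method names, the in-memory storage, the HMAC-signed link token, the 15-minute expiry and the sample card values used with it are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # assumption: issuer-held secret that signs links
TOKEN_TTL = 15 * 60                   # assumption: activation links expire after 15 minutes

class CardRegistry:
    """Cards are sold inactive and become spendable only after the holder
    confirms a link sent to the email address or phone number they supplied."""

    def __init__(self):
        self.cards = {}    # card_number -> {"expiry", "active", "contact"}
        self.pending = {}  # nonce -> (card_number, contact, issued_at)
        self.audit = []    # every activation request: the investigation breadcrumb

    def sell(self, card_number, expiry):
        # Purchase at the register no longer activates the card.
        self.cards[card_number] = {"expiry": expiry, "active": False, "contact": None}

    def _sign(self, nonce):
        return hmac.new(SERVER_KEY, nonce.encode(), hashlib.sha256).hexdigest()

    def request_activation(self, card_number, expiry, contact, now=None):
        now = time.time() if now is None else now
        self.audit.append((now, card_number[-4:], contact))  # logged even on failure
        card = self.cards.get(card_number)
        if card is None or card["expiry"] != expiry or card["active"]:
            return None
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = (card_number, contact, now)
        return f"{nonce}.{self._sign(nonce)}"  # token embedded in the emailed/texted link

    def confirm(self, token, now=None):
        now = time.time() if now is None else now
        nonce, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(nonce).encode()):
            return False                        # forged or altered link
        entry = self.pending.pop(nonce, None)   # single use: a replayed link finds nothing
        if entry is None or now - entry[2] > TOKEN_TTL:
            return False
        card_number, contact, _ = entry
        if self.cards[card_number]["active"]:
            return False
        self.cards[card_number].update(active=True, contact=contact)  # identity married to card
        return True

    def authorize_purchase(self, card_number):
        card = self.cards.get(card_number)
        return bool(card and card["active"])
```

With this flow, a number lifted from the package before the sale is declined until someone completes activation, and whoever does so leaves a contact address in the audit log.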

Additionally, you’re creating a database of potential customers as well. I know it’s the “evil corporate thing,” but you’re able to generate a flow of income by selling that information, of course with permissions of the agreement and everything (which no one ever reads), and then you can sell that to other card companies or advertisers. I mean you’ve got all the data from the card, so you know what they bought, you know where they bought it, and now you’ve got their e-mail address from the gift card. That means you can now target your marketing even further.

Why are we not doing something like this? There are so many upsides, and the only downside is what? We get less fraud?
