Gift card scamming has become a problem at the scale of hundreds of millions of dollars per year, but it’s not just something for consumers to worry about. As Black Friday weekend and the start of the holiday shopping season approaches, security teams are hard at work to implement fraud mitigation strategies to prevent disruption over a high-impact weekend. One form of gift card fraud targets online retail and ecommerce, causing reputational damage and eroding consumer trust in major retail brands.
While it may be possible to apply some of these defense strategies in legacy web application firewalls (WAFs), the complexity of working in regular expression rules and ensuring the new policies get applied properly across the site would not be as easy.
In this blog, we will walk through how a Fastly customer was able to detect and mitigate gift card fraud and how you can utilize these same techniques ahead of the holiday shopping season.
How the Attack Works
Many types of illegal data can be purchased off the dark web. This can include personal information like email addresses, phone numbers, and Social Security numbers, but it can also include other valuable information like leaked databases of retailer gift card numbers.
One of Fastly’s customers (who we’ll nickname “Retailer”) started to notice attackers exploiting their gift card payment option by hitting it with tons of purchase requests using leaked gift card numbers. Many of these leaked numbers were already used legitimately and had no balance remaining, while others had small or large amounts of value remaining.
The attackers worked through their list of card numbers on the Retailer’s site, often needing to retry the same number at lower and lower prices in an attempt to hit the gift card’s available balance. As the attackers were looking to maximize every gift card value, this heavily-computational activity generated a high volume of requests per second (far faster than normal human behavior) and became a red flag for fraudulent activity.
Detection and Mitigation
The Retailer’s security team noticed the high volume of gift card attempts and reached out to Fastly’s technical account management team (TAM) for help. We helped them put an easy stop to it by leveraging the Templated Rules in our NGWAF. You can easily create custom rules in the NGWAF using any identifier you want, but we have a bunch already built for you and ready to go. We thought we should make sure everybody knew how easy it was to do, but you can always call us if you want a hand!
Results
Once the excessive attempts were identified, they were added to the blocklist as known attackers. This stopped them from being able to make any more gift card attempts, but being on that blocklist means they are also blocked from accessing the site overall and attempting any other type of malicious activity.
The quick and easy application of new rules in the NGWAF helps ecommerce sites and etailers respond quickly to new attacks in really effective ways. In this case, some simple rules applied intelligently at the application layer were able to put a stop to a relatively sophisticated attack and delivered benefits in a few important ways, mainly in savings, site performance, customer satisfaction, and visibility.
Savings
- Stopping fraudulent charges. Stopping the malicious attacks saved the retailer from having to fulfill orders that were fraudulent
- Stopping attacks without requiring significantly more security checks. This solution is able to identify and stop attackers after a handful of security checks, and then block them based on IP so that the rest of the requests don’t even need to be checked. This keeps our customers from having to perform more security checks per second just to keep up with each new attack, and it means they don’t have to upgrade to a new plan to stay safe.
- Reducing processing costs. This approach also eliminates the costs associated with attempting to process all of the malicious transactions, keeping costs down with their payment processing vendors, and ensuring they’re only paying to process legitimate attempts.
Performance
- Origin servers stay healthy. The retailer’s system doesn’t get bogged down by malicious transaction attempts and keeps its capacity clear for legitimate purchases. It also means that the team doesn’t have to begin to plan for capacity at origin to keep up with fraudulent traffic in order to stay reliable for valid attempts.
- Offloading security to the edge. The NGWAF can handle all of this at the edge using the power of Fastly’s network, which means you can offload even more work from your origin, and know that Fastly’s speedy network won’t slow you down while providing improved security.
Customer experience
The last thing any retailer wants is a bad experience for their customers, and if a customer tries to use a gift card only to find the balance has been drained through no fault of their own, then there’s no good way out of it. Either the retailer gives the customer a new gift card to make it right, in which case their margins on that card’s value go negative, or the customer is out of luck and leaves with a bad perception of the retailer.
Utilizing the NGWAF’s templated rules to prevent gift card fraud helps ensure that customers have a good experience and leave happy, and prevent issues that erode brand value and customer trust.
Visibility
Fastly’s NGWAF provides easier and better visibility than legacy solutions. In the example of this particular retailer, their security team was able to have the NGWAF report the gift card numbers used in malicious attempts in real time so it could be checked against a known list of invalid and blocked card numbers. These attempts could be blocked immediately without any additional information and added an extra layer of protection.
Conclusion
More consumers than ever are shopping online throughout the holiday season, which is why it's never been more important to modernize your WAF. Compared to legacy WAFs where this kind of response might be difficult and take a long time to get right, this solution is easy to implement safely and site-wide using the NGWAF, and this is just the beginning of what can be done with Templated Rules and custom rule building.
