Gift card scamming has become a problem at the scale of hundreds of millions of dollars per year, but it’s not just something for consumers to worry about. As Black Friday weekend and the start of the holiday shopping season approach, security teams are hard at work implementing fraud mitigation strategies to prevent disruption over a high-impact weekend. One form of gift card fraud targets online retail and ecommerce, causing reputational damage and eroding consumer trust in major retail brands.
- Stopping fraudulent charges. Stopping the malicious attacks saved the Retailer from having to fulfill orders that were fraudulent.

- Stopping attacks without requiring significantly more security checks. This solution is able to identify and stop attackers after a handful of security checks, and then block them based on IP so that the rest of the requests don’t even need to be checked. This keeps our customers from having to perform more security checks per second just to keep up with each new attack, and it means they don’t have to upgrade to a new plan to stay safe.

- Reducing processing costs. This approach also eliminates the costs associated with attempting to process all of the malicious transactions, keeping costs down with their payment processing vendors and ensuring they’re only paying to process legitimate attempts.

- Origin servers stay healthy. The Retailer’s system doesn’t get bogged down by malicious transaction attempts and keeps its capacity clear for legitimate purchases. It also means that the team doesn’t have to plan origin capacity around fraudulent traffic in order to stay reliable for valid attempts.

- Offloading security to the edge. The NGWAF can handle all of this at the edge using the power of Fastly’s network, which means you can offload even more work from your origin and know that Fastly’s speedy network won’t slow you down while providing improved security.

While it may be possible to apply some of these defense strategies in legacy web application firewalls (WAFs), working in regular expression rules and ensuring the new policies get applied properly across the site would not be as easy. In this blog, we will walk through how a Fastly customer was able to detect and mitigate gift card fraud and how you can utilize these same techniques ahead of the holiday shopping season.
How the Attack Works
Many types of illegal data can be purchased off the dark web. This can include personal information like email addresses, phone numbers, and Social Security numbers, but it can also include other valuable information like leaked databases of retailer gift card numbers.

One of Fastly’s customers (who we’ll nickname “Retailer”) started to notice attackers exploiting their gift card payment option by hitting it with tons of purchase requests using leaked gift card numbers. Many of these leaked numbers were already used legitimately and had no balance remaining, while others had small or large amounts of value remaining.
The attackers worked through their list of card numbers on the Retailer’s site, often retrying the same number at lower and lower prices in an attempt to hit the gift card’s available balance. Because the attackers were trying to extract every gift card’s remaining value, this automated activity generated a high volume of requests per second (far faster than normal human behavior) and became a red flag for fraudulent activity.
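The two signals described above (the same card retried at falling amounts, and a burst of declined attempts from one client) can be turned into a small edge-style detector that flags a client after a handful of checks and then short-circuits every later request from that IP without running the checks again, which is the approach the benefits list describes. The code below is an added example written for this post, not Fastly’s or the NGWAF’s own rule logic: the log format, the thresholds (10-second window, 5 declines, 3 consecutive lower retries), the card tokens and the IP addresses are all constructed for illustration.

```python
"""Edge-style gift card abuse detector run over a constructed log of checkout attempts."""
from collections import defaultdict, deque, namedtuple

# Result of evaluating one request: was it forwarded to origin, and why was it flagged (if at all).
Decision = namedtuple("Decision", ["forwarded", "reason"])


class GiftCardAbuseDetector:
    """Flags gift card balance probing and blocks the source IP for all later requests."""

    def __init__(self, window_s=10.0, max_declines=5, max_descending=3):
        self.window_s = window_s            # sliding window for the decline-rate check (assumed value)
        self.max_declines = max_declines    # declines inside the window before blocking (assumed value)
        self.max_descending = max_descending  # consecutive lower retries of one card before blocking
        self.blocked_ips = set()
        self.declines = defaultdict(deque)  # ip -> timestamps of declined attempts in the window
        self.last_amount = {}               # (ip, card) -> amount tried last time
        self.descending = defaultdict(int)  # (ip, card) -> consecutive strictly-lower retries
        self.checks_skipped = 0             # requests short-circuited because the IP was already blocked

    def decide(self, ts, ip, card, amount, origin_result):
        # 1. Already-blocked clients are refused without any further checks.
        if ip in self.blocked_ips:
            self.checks_skipped += 1
            return Decision(False, "already-blocked")

        # 2. Balance probing: the same card retried at a strictly lower amount, several times in a row.
        key = (ip, card)
        prev = self.last_amount.get(key)
        self.descending[key] = self.descending[key] + 1 if prev is not None and amount < prev else 0
        self.last_amount[key] = amount
        if self.descending[key] >= self.max_descending:
            self.blocked_ips.add(ip)
            return Decision(False, "descending-retry")   # denied before it reaches origin

        # 3. Otherwise forward; origin_result stands in for the payment response that comes back.
        if origin_result == "declined":
            q = self.declines[ip]
            q.append(ts)
            while q and ts - q[0] > self.window_s:
                q.popleft()
            if len(q) >= self.max_declines:
                self.blocked_ips.add(ip)                  # this request went through; later ones will not
                return Decision(True, "decline-rate")
        return Decision(True, None)


# Constructed sample log (not real traffic): (timestamp_s, client_ip, card_token, amount_cents, origin_result)
SAMPLE_LOG = [
    # Attacker A: one leaked card retried at falling amounts to find its remaining balance
    (0.0, "203.0.113.10", "card_a1", 5000, "declined"),
    (0.2, "203.0.113.10", "card_a1", 4000, "declined"),
    (0.4, "203.0.113.10", "card_a1", 2500, "declined"),
    (0.6, "203.0.113.10", "card_a1", 1000, "approved"),   # would have drained the card if forwarded
    (0.8, "203.0.113.10", "card_b2", 5000, "declined"),
    (1.0, "203.0.113.10", "card_c3", 5000, "declined"),
    # Attacker B: sweeps many leaked cards at one price; most are already empty
    (2.0, "203.0.113.20", "card_d4", 5000, "declined"),
    (2.1, "203.0.113.20", "card_e5", 5000, "declined"),
    (2.2, "203.0.113.20", "card_f6", 5000, "declined"),
    (2.3, "203.0.113.20", "card_g7", 5000, "declined"),
    (2.4, "203.0.113.20", "card_h8", 5000, "declined"),
    (2.5, "203.0.113.20", "card_i9", 5000, "declined"),
    # Legitimate shopper: one purchase, then one lower retry much later (not a pattern)
    (5.0, "198.51.100.7", "card_z9", 2599, "approved"),
    (40.0, "198.51.100.7", "card_z9", 1200, "declined"),
]


def run(log, **thresholds):
    """Replay a log through a fresh detector; returns the detector and one Decision per entry."""
    det = GiftCardAbuseDetector(**thresholds)
    return det, [det.decide(*entry) for entry in log]


if __name__ == "__main__":
    det, decisions = run(SAMPLE_LOG)
    for entry, d in zip(SAMPLE_LOG, decisions):
        print(f"{entry[0]:5.1f}s {entry[1]:<14} {entry[2]} {entry[3]:>5}  forwarded={d.forwarded!s:<5} {d.reason or ''}")
    print("blocked:", sorted(det.blocked_ips), "checks skipped:", det.checks_skipped)
```

On the sample log, attacker A is denied on the fourth retry of the same card, so the request that would have drained the balance never reaches origin, and attacker B is blocked after five declines inside the window; every later request from either IP is refused without re-running the checks, which is what keeps the per-second check load flat. The legitimate shopper’s single lower retry never accumulates enough signal to trip either rule. In production the block would carry a TTL and be combined with session or device signals, since a bare IP block can catch other users behind the same NAT.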