While effective in driving sales, gift cards have also caused fraud headaches for retailers for years. Gift card fraud can range from physical theft to gift card cloning to exploiting errors on the merchant side. One newer gift card scam involves gift card cloning.
To clone a gift card, thieves steal information from unactivated cards on store shelves, duplicate the cards using a magnetic card reader/writer, and wait for the cards to be activated. Once activated, they spend the cloned gift cards before the purchaser tries to use their legitimate card. One of the biggest mistakes retailers make is the open display of unactivated gift cards, making them physically accessible to thieves.
A good description of how gift card cloning works comes out of a 2009 case from Beaverton, OR. At the time, this was the first gift card cloning case local police had dealt with, but not the last. Sealtiel Chacon Zepeda was standing at a Fred Meyer sales register spending a gift card when curiosity struck. He wondered how gift cards worked, how the little magnetic stripe on the back of them turned cards into store credit and how easily he could reproduce the information stored on the card. Twenty hours of Internet searching sparked an idea that led to Zepeda stealing $6,000 from local stores and leaving numerous customers holding useless gift cards they had legitimately purchased or received as gifts.
This story shows how potentially easy it is for anyone, not necessarily someone who sets out to commit a crime, to become an expert in gift card cloning. Zepeda simply cloned gift cards that others had purchased using software he found online. He used a card swipe device containing a magnetic reader that was capable of rewriting a card’s information. The case came to light when local Fred Meyer stores started receiving complaints from customers attempting to redeem their gift cards, only to find out that their cards had a zero balance.
Many stores, including Fred Meyer, offer a service for customers to check the balance on their gift cards online or over the phone by entering the gift card’s number. When backtracking the rash of customer complaints, Fred Meyer’s fraud investigators detected that the cards had been tampered with when they saw that each card in question had racked up many balance inquiries per day.
Since most legitimate customers check their gift card balance only periodically, the huge number of inquiries per card suggested the work of a non-human inquirer. The culprit was a computer program that Zepeda downloaded to electronically check each card’s balance hundreds of times a day. Police were able to link Zepeda to the crime through his computer’s internet protocol address combined with in-store video surveillance. They finally caught him using a cloned Fred Meyer gift card.
After being caught, Zepeda agreed to give the police a full description of his gift card cloning activities. After researching how gift cards work, he purchased a magnetic stripe reader online. He then began stealing blank gift cards on open display at numerous retailers and scanning them through his reader. He would return some of the scanned cards to the stores and wait for the computer program to alert him to when the cards were activated and loaded with money. Using a magnetic card writer, Zepeda then rewrote a leftover stolen card’s magnetic stripe with the activated card’s information, a classic example of gift card cloning.
After his arrest, police found about 1,000 stolen gift cards from many retailers at Zepeda’s residence. Remarkably, Fred Meyer was the only retailer to work with authorities in this case. Zepeda pled guilty to five counts of computer fraud but only received 18 months of formal probation and no jail time.
Gift card cloning continues to increase in popularity, although it’s still not as popular as straight credit card fraud or debit card fraud. The reason is that gift cards are often issued for relatively small amounts, and this type of crime requires a lot of logistical effort on the part of the thief.
When executed at a sophisticated level, credit and debit card fraud can yield far greater profits for a thief. But that’s another story.
Nevertheless, all merchants need to take basic precautions to prevent gift card cloning. Cards should be secured so they are only accessible to store employees. Requiring a PIN also offers an additional layer of protection, as the redeemer needs to have the physical card in their possession in order to use it. Retailers should also implement programs and procedures to identify automated gift card balance checking, thus signaling potential criminal activity.
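One way to implement the automated balance-check detection recommended above, shown as an added example that is not from the original article or from any retailer's system. The log format, card identifiers, IP addresses and the threshold of 10 inquiries per card per day are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed threshold: legitimate holders check a balance only occasionally.
MAX_DAILY_INQUIRIES = 10

def build_sample_log():
    """Constructed balance-inquiry log (the line format is an assumption)."""
    lines = []
    # One card polled every 5 minutes for 10 hours from a single address,
    # both before and after the card is activated at the register.
    for i in range(120):
        hour, minute = 8 + i // 12, (i % 12) * 5
        status = "inactive" if i < 90 else "active"
        lines.append(f"2009-03-02T{hour:02d}:{minute:02d}:00 "
                     f"card=GC-1001 ip=203.0.113.7 status={status}")
    # Ordinary customer: two checks on an active card.
    lines.append("2009-03-02T12:15:00 card=GC-2002 ip=198.51.100.23 status=active")
    lines.append("2009-03-02T18:40:00 card=GC-2002 ip=198.51.100.23 status=active")
    # A single check on an unactivated card, e.g. a mistyped number.
    lines.append("2009-03-02T09:05:00 card=GC-3003 ip=198.51.100.50 status=inactive")
    return lines

def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with the calendar day added."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["day"] = datetime.fromisoformat(ts).date().isoformat()
    return rec

def find_suspicious_cards(lines, max_daily=MAX_DAILY_INQUIRIES):
    """Return {(card, day): summary} for cards queried more than max_daily times in a day."""
    stats = defaultdict(lambda: {"count": 0, "pre_activation": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        s = stats[(rec["card"], rec["day"])]
        s["count"] += 1
        s["ips"].add(rec["ip"])          # source addresses help investigators
        if rec["status"] == "inactive":  # polling before activation is a strong signal
            s["pre_activation"] += 1
    return {k: v for k, v in stats.items() if v["count"] > max_daily}

if __name__ == "__main__":
    for (card, day), s in sorted(find_suspicious_cards(build_sample_log()).items()):
        print(f"{day} {card}: {s['count']} inquiries, "
              f"{s['pre_activation']} before activation, sources={sorted(s['ips'])}")
```

Cards flagged this way can be frozen or reissued before the cloned copy is spent, and the collected source addresses give investigators a starting point.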
This article was originally published in 2016 and was updated October 4, 2017.