Gift Card Grinches: Stopping Bots From Stealing the Holiday Spirit

The holidays have come and gone, so it's time to analyze what transpired last November and December. No one wants to ask for more “things,” but the holidays is the time for giving — which is why gift cards were the most requested present, showing up on 60 percent of wish lists, according to a survey by the National Retail Federation (NRF). However, nothing is more upsetting for consumers who go to use their gift card only to find out that it has been fraudulently drained by hackers before it can be used.

Analysis of online traffic patterns during the 2017 holiday season by Akamai showed that retail sites experienced the most web attacks compared to other industries. And as the holiday season ramped up last year, we saw those same threats come back like the Grinch to steal the holiday spirit.

On Black Friday 2017, Akamai observed a spike in bot traffic — i.e., website requests from automated online programs not driven by human users — that was more than double the usual volume. It’s easy to panic at numbers like that, but it's important to remember that most bots are fairly benign and even beneficial. One example of this is the web crawlers used by search engines to categorize internet content and set search rankings. Retailers would be lost without these kinds of bots. Others are not necessarily malicious, but simply unwanted, such as price scraper bots from competitive stores.

Then there are the actively bad bots, which are one of the major vectors of gift card fraud. Hackers have recently started using large networks of compromised computers to act as bots that can test millions of account number and PIN combinations at a time. This is an evolution of the “brute force” method of hacking that leverages its access to thousands of devices to prevent detection from traditional methods.

The plague of bad bots is more than just a security risk; it's also detrimental to user experience. Each additional bot request increases the load on a website, consuming resources or reducing performance. During peak human traffic times like the holidays, additional spikes in bot traffic will cut into slim profit margins by raising hosting costs or slowing shopping experiences to reduce conversions.

To deal with the plague of bots and prepare for 2019 holidays, retailers need to rethink the way they look at bot traffic. The old way of managing bad bots is to block all bots or take the hit. With the rising trend of malicious bot activity and the increased competition in e-commerce, a more nuanced approach is important. This should start by acquiring a global landscape of bot activity. Since a given bot may only visit a website for an attack a few times, it's hard to establish a pattern of malicious behavior. However, looking at the bot's behavior on a global scale may reveal more.

If consumers have the ability to check their gift card balances online, retailers need to protect that page from fraudulent bots that automate the process of going through millions of account numbers and PIN combinations to find accounts with positive balances, then drain them. To protect consumers from this theft, retailers need to consider an advanced bot management solution that identifies bot traffic and takes the appropriate actions against the bot to keep the retailer secure.

It’s also important to make sure that accounts are hard to crack. The more complicated the PIN linked to a gift card account, the more time it takes for a hacker to break into it. Using long alphanumeric PINs can stop less sophisticated attacks or at the very least give the legitimate user more time to use their card before a hacker gets to it.

Another thing consumers can do to protect themselves is check that the physical card hasn't been compromised before it leaves the store. Fraudsters aren’t always hiding behind a computer — sometimes they’re about compromising physical cards in person. By training cashiers and shoppers to check on the integrity of the gift card before activating it for a sale, they can identify if a card looks tampered with and lock down the account and change the PIN before making it available again.

Boosting customers’ holiday spirit is core to retailers success in 2019. Therefore, it's critical for retailers to keep a close eye on gift cards and how they're being used to make sure they aren't stolen away by a digital Grinch.

Renny Shen is director of product marketing at Akamai Technologies, a globally distributed intelligent edge platform and internet security provider.