I recently received a Visa gift card from work at a sum of $500. The card was from "Universal Gift Cards", who provide corporate gift cards for companies to hand out as bonuses etc.
I activated the card in Jan and used it once in Feb for a $140 item.
I went to use it today for an $80 item and the card kept being denied.
I logged in to check the balance, and find that it only has $6.40 on it?!
Checked through the transaction history and it turns out that there have been fraudulent charges being made on the card from the very first day it was activated. Multiple purchases from the USA until the card was drained and many attempts after.
I did a quick review search online and found that this is not isolated at all and almost everyone who has received one of these has experienced the same issue.
Given that the card information was stolen and used on the same day as activation, and not likely stolen from an online phishing scam or similar, it would suggest that an employee of some form has access to all the card information and is using it or selling it to people to make several attempts to make purchases. Probably to fake companies who don't actually sell anything.
Anyway, I've lodged a complaint and expect nothing from it, given their reviews.
But if anyone receives a gift card from these people, use it straight away. Or if you are someone in charge of giving out corporate gifts, stay well away from these people as they clearly cannot be trusted.
Firstly, I’m sorry to hear you lost funds on your Universal Gift Card, and I hope you’re able to dispute the transactions with the gift card issuer and can hopefully get your money back.
Unfortunately, you’ll find this is not an issue merely restricted to Universal Gift Cards.
Any card that supports card-not-present transactions (e.g. Visa, Mastercard, American Express) is susceptible to BIN attacks, where someone will attempt to guess and check multiple combinations of card numbers and expiry dates (and in some cases, CVC2/CVV2 values) until they find a combination that works. Having said that, prepaid gift cards (such as your Universal Gift Card) are particularly susceptible for a few reasons:
They do not have the fraud detection or prevention features a regular bank (e.g. CommBank) may employ to try and prevent suspicious transactions. Basically, if a merchant agrees to request payment from a prepaid gift card and there are enough funds on the prepaid gift card, the gift card issuer will approve the transaction every time.
Prepaid gift cards cannot support 3D Secure, so there is no way for the merchant to request the person attempting to pay to verify they are the authorised cardholder.
Prepaid gift cards are generally made in batches with pre-determined expiry dates, so there are relatively few expiry dates around for a given prepaid gift card, which means there are fewer expiry dates an attacker needs to test when guessing and checking potential card details.
Prepaid gift cards only have six or seven numbers in the card number unique to that card for a given denomination, which means there are not many numbers for an attacker to guess!
Some merchants will only require a card number and an expiry date to process a transaction. (Yep, the CVC2/CVV2 is still not required for all transactions!)
Coles Gift Mastercards have a generally bad reputation on this site, because there was a large wave of fraudulent transactions last year, plus the gift card issuer has not made clear in their terms and conditions whether they will refund anyone who reports a fraudulent transaction.
Of course, BIN attacks are only one explanation. As you pointed out, it may be an insider attack or someone who has gained access to a database with details of activated Universal Gift Cards. It could even be someone who has compromised your email systems or your company’s email systems, but considering how fast the card was drained, I am doubtful of that…
My rule of thumb is that if you get your hands on a prepaid Visa or Mastercard gift card, use it ASAP. Don’t hold onto it for too long, otherwise you’re increasing the chances of falling victim to a BIN attack.
On the other hand, EFTPOS gift cards are not susceptible to BIN attacks, as they cannot support card-not-present transactions. There are other ways someone can fraudulently redeem funds from an EFTPOS gift card (e.g. card skimming, a business having their EFTPOS machine swapped out without them knowing, someone breaking into a database that contains details on the information embedded on the EFTPOS gift card’s magstripe), but they’re far more sophisticated than BIN attacks. I guess if you ever want to give a corporate gift, an EFTPOS gift card is not the worst idea.
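The reply above says prepaid issuers often lack the fraud checks a bank would run. As an added example (not part of the thread, and not any issuer's actual system), the Python below flags the two guess-and-check patterns it describes in an authorization log: one merchant sweeping many card numbers under a single BIN, and many expiry dates tried against one card. The log format, merchant names, masked card numbers and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real traffic.
WINDOW = timedelta(minutes=10)
MAX_PANS = 5       # distinct cards one merchant may try per BIN per window
MAX_EXPIRIES = 3   # distinct expiry dates submitted against one card

# Constructed log: time, merchant, masked card number, expiry sent, result.
SAMPLE_LOG = """\
2024-01-10T09:00:01 M-UNKNOWN 400000******0011 01/26 DECLINED
2024-01-10T09:00:03 M-UNKNOWN 400000******0029 01/26 DECLINED
2024-01-10T09:00:05 M-UNKNOWN 400000******0037 01/26 DECLINED
2024-01-10T09:00:07 M-UNKNOWN 400000******0045 01/26 DECLINED
2024-01-10T09:00:09 M-UNKNOWN 400000******0052 01/26 DECLINED
2024-01-10T09:00:11 M-UNKNOWN 400000******0060 01/26 DECLINED
2024-01-10T09:00:13 M-UNKNOWN 400000******0078 01/26 APPROVED
2024-01-10T09:05:00 M-OTHER 400000******0086 01/26 DECLINED
2024-01-10T09:05:02 M-OTHER 400000******0086 02/26 DECLINED
2024-01-10T09:05:04 M-OTHER 400000******0086 03/26 DECLINED
2024-01-10T09:05:06 M-OTHER 400000******0086 04/26 APPROVED
2024-01-10T10:30:00 M-GROCER 400000******0094 01/26 APPROVED
2024-01-10T14:10:00 M-GROCER 400000******0102 01/26 APPROVED
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, merchant, pan, expiry, result = line.split()
        yield datetime.fromisoformat(ts), merchant, pan, expiry, result

def detect(log):
    """Return (merchant, BIN) pairs sweeping card numbers, and cards hit by expiry guessing."""
    by_source, expiries = defaultdict(list), defaultdict(set)
    for ts, merchant, pan, expiry, result in parse(log):
        by_source[(merchant, pan[:6])].append((ts, pan, result))
        expiries[pan].add(expiry)
    sources = set()
    for key, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:  # slide the time window
                start += 1
            window = events[start:end + 1]
            declined = sum(r == "DECLINED" for _, _, r in window)
            if len({p for _, p, _ in window}) > MAX_PANS and declined >= 0.8 * len(window):
                sources.add(key)
    cards = {pan for pan, seen in expiries.items() if len(seen) > MAX_EXPIRIES}
    return sources, cards
```

Calling `detect(SAMPLE_LOG)` flags the merchant that swept many cards in seconds and the single card that received four different expiry dates, while the two ordinary purchases pass untouched.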