: Online gift certificates: Systems to avoid fraud What good methods are there out there for avoiding fraud with electronic gift certificates (ones which are created and the information distributed
What good methods are there out there for avoiding fraud with electronic gift certificates (ones which are created and the information distributed electronically via website)?
I'm looking to audit/redesign an existing system, and want to get a good overview of the parts of the system that would be good to put in place to decrease fraud.
A few parts that I can think of that I am interested in to start with:
Rejection criteria
Flagging criteria (e.g. if the date range between purchase and use is huge, different countries of origin, etc)
Theft indications
Prevention of oracle attacks on a gift card system (e.g. randomly trying gift cert authentications until one works)
Data to include as part of the gift certificate for later authentication.
Authentication systems for verifying that the gift certificates actually match.
etc
I don't think it matters too much for the topic (unless there are libraries to check into?), but I'm running a site with a php backend.
More posts by @Alves908
2 Comments
Sorted by latest first Latest Oldest Best
Some good practises to consider:
Create unique, hard to guess certificate keys
Keys should be hard to guess even if that means that they're also harder to type. You may wish to consider random.org to generate true random alphanumeric keys using their HTTP api. The site seeds the pseudo-random string generation algorithms that programming languages use with atmospheric noise, which is said to generate less guessable 'random' numbers.
There are other ways to generate truly random codes using hardware random number generators.
Secure the gift card claims process
Do all you can to prevent brute force attacks against the forms that process your gift card codes.
You don't want to give attackers an easy method to test generated keys, so limit the number of gift code claim attempts by time, IP address, and user account, and force users to be registered and logged in to attempt a claim. It's easier to block access by user account than it is by IP band.
Consider linking certificate codes to an email address or account
When your user buys a gift card and you ask them for their friend's email address, check to see if their friend's already registered with you. If they are, link the gift code to the friend's account so that they it can only be claimed by that user.
Alternatively, credit the friend's account directly rather than generating a key code and send them an email to confirm that their account's been credited (without requiring them to sign in and input a gift code). It's hard to crack gift codes when they don't exist. If the friend doesn't have an account, invite them to sign up with a registration link that pre-fills their email address, then credit their account with the gift amount when they've completed sign up. Again, the idea is to remove the dependence on gift codes.
Consider expiring gift cards after a fixed period
Flickr does this with their gift accounts; if the gifted account code is not used within 24 months, the gift amount is credited back to the purchaser. It prevents hundreds of dormant codes lying around on the system that could get matched against a guessed code.
Use an activation process for physical gift certificates
Codes will be preprinted (and masked using a foil), but they should remain inactive until after the point of sale. iTunes gift voucher cards are activated at the tills, for example, which makes them far less attractive to shoplifters.
Secure the email delivery system
Send transactional email containing voucher codes through mailservers that only you use, and only you can access. Consider deleting all copies of outgoing mail that may be stored on that server by default.
Track claimed codes and render them unusable
Naturally, track claimed codes and mark them as so to ensure they're not reused.
Lock down your servers, then create and follow a security policy
Use good passwords, patch your server software, issue and claim codes only over HTTPS, and write and adhere to a sensible security policy. Making your gift card system bulletproof is a waste of time if the systems it depends on are vulnerable.
Have each gift certificate also have a PIN number associated with it. The PIN number should not be displayed together with the gift certificate (i.e. never appear on the same page or same email). This will prevent snoopers from getting both pieces of information. They would have to intercept the webpage and the email to successfully steal an online gift certificate. This is commonly done with gift cards issued by brick and mortar retailers who also sell goods online.
If you really want to clamp down on fraud you can try to create your gift certificate numbers to pass algorithm checks like the Luhn Algorithm. This would prevent users from generating or entering random numbers and PINs in an attempt to brute force a gift certificate number. You can find out more about the Luhn Algorithm and see code samples for creating and validating multiple languages at Wikipedia. There is also a PHP library freely available to use as well.
I wouldn't see delayed usage of a gift certificate as being a potential red flag or reason to reject one as it is very normal for users to wait a while for using it. They may forget they have it or simply not want to use it when it is first presented to them. The only reason you would want to eventually cancel a gift certificate is because you want to encourage its use within a specified timeframe. If this is the case I recommend waiting at least six months before deactivating a gift certificate as doing it sooner then that leaves you wide open for a chargeback (disclaimer, I wrote that article).
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.