Truth 21 Gift card or gift horse?

When I was growing up, my parents would tell me the old adage, “If it seems too good to be true, it probably is.” Generally, these words of wisdom would be offered after I just got done telling them how I was going to make a million dollars by getting involved in one pyramid scheme or another that one of my friends had already fallen for. Of course, my parents were always right, and my friends always lost their money. As I have grown older and hopefully slightly wiser, I find myself using these same words when I speak to others about identity theft. “If it seems too good to be true, it probably is.”

The setup

As with many forms of identity theft, it all starts in a seemingly familiar way. You check your mailbox, and among the numerous bills and junk mail, you come across a letter that piques your interest. On the outside, it is labeled “Sweepstakes winner! Prize enclosed!” You open the envelope to find a $50 gift card for a popular home improvement store inside. Included with the gift card is a letter explaining how you won.

Congratulations!

[Real store name here] has selected you to win this $50 gift card valid at all [store name] locations. This special gift is yours to keep with no obligation. Over the past 20 years, communities throughout the United States have helped build [store name] into the best do-it-yourself hardware store in the world, and this is our special way of saying thank you to all our valued customers.

For security purposes, this gift card has not yet been activated. To activate, simply call this toll-free number, 800-XXX-XXXX, and follow the automated attendant.

We thank you again for your support over the past 20 years and look forward to working with you and your community for years to come.

Signed …

So you call the 800 number included in the letter. When the line is answered, you hear a woman’s prerecorded voice congratulating you again on receiving the free gift card. She then asks you to use the keypad on your phone to enter the number located on the gift card below the barcode. You look at the gift card and type the digits into the phone. When you are done, the automated system spells out your last name and asks you to press 1 if that is your name or 2 if it is not. You press 1. The automated voice now explains that, for security purposes, you need to verify your Social Security number (SSN) by typing it into the keypad. This is required, it says, to verify that the person attempting to activate the card is truly the intended recipient. You type in your SSN and, upon completion, the automated attendant congratulates you again, explains that your card is now active, and wishes you a great day.

What happened?

So, what really happened behind the scenes? Well, the first time I performed this attack, I wanted to make sure I made it as convincing as possible. Of course, the scam could just as easily have used any other well-known store chain in place of the home improvement store. The trick was to make sure that whatever I chose would be well received and worth the recipient’s effort to activate.

The 800 phone number was purchased online and was set to forward to another phone number I had purchased for the attack. The auto attendant I used was simply software I found online and modified for my needs. One of the most important aspects of the attack was the validation of the victim’s last name. By spelling this out to the victim, the auto attendant was given a level of legitimacy. In reality, I simply had a database of the cards I was sending out, and I assigned each card to a specific person, so that when the victim typed in the card number, my database had a corresponding last name. The card number is nothing more than a lookup key into the attacker’s own mailing list, so a “matching” name proves only that the caller is holding the card that was mailed to that address; it verifies nothing about the caller, and it is the victim, not the system, who does the confirming. For my tests, friends and coworkers let me use their names and addresses. However, a real identity thief could simply buy this type of mailing list online. Hundreds of Web sites sell complete mailing lists including name, address, and in some cases, even household income level.
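To make the mechanism concrete, here is a small simulation of the auto-attendant flow just described. It is an added example, not the author’s software and not connected to any telephony; keypad input is passed in as strings, and the card numbers, names and address in MAILING_LIST are constructed. The point it shows is that the only “check” the attendant performs is a dictionary lookup keyed on a card the attacker mailed, and that the SSN prompt accepts any digits at all:

```python
"""Toy simulation of a gift-card "activation" attendant (constructed example).

Nothing here talks to a phone line. run_attendant() takes the keypad entries
a caller would make, in order, and returns the prompts played plus whatever
the attacker's side ends up storing.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed records, keyed by the number printed under each card's barcode.
# In the real attack this is the attacker's mailing list, one row per card sent.
MAILING_LIST: dict[str, dict[str, str]] = {
    "6011223344556677": {"last_name": "Doe", "address": "1 Main St, Anytown"},
    "6011223344556688": {"last_name": "Roe", "address": "2 Oak Ave, Anytown"},
}


@dataclass
class CallLog:
    """What the caller heard, and what the attacker kept."""

    prompts: list[str] = field(default_factory=list)
    harvested: dict[str, str] = field(default_factory=dict)


def spell(name: str) -> str:
    """Spell a name letter by letter, as an automated attendant would read it."""
    return " ".join(name.upper())


def run_attendant(keypad_inputs: list[str],
                  records: dict[str, dict[str, str]] = MAILING_LIST) -> CallLog:
    """Drive the attendant with keypad entries: [card number, '1'/'2', SSN]."""
    log = CallLog()
    entries = iter(keypad_inputs)

    log.prompts.append("Congratulations! Enter the number below the barcode.")
    card = next(entries, "")
    record = records.get(card)
    if record is None:
        # Not a card the attacker mailed, so there is no name to "verify".
        log.prompts.append("We did not recognize that card. Goodbye.")
        return log

    # The name comes from the attacker's own list, not from the caller.
    log.prompts.append(
        f"Is your last name {spell(record['last_name'])}? "
        "Press 1 if yes, 2 if no."
    )
    if next(entries, "") != "1":
        log.prompts.append("Thank you. Goodbye.")
        return log

    log.prompts.append("For security purposes, enter your Social Security number.")
    ssn = next(entries, "")
    # No validation of any kind: whatever digits arrive are stored and the
    # caller is told the card is active.
    log.harvested = {**record, "card": card, "ssn": ssn}
    log.prompts.append("Your card is now active. Have a great day.")
    return log


if __name__ == "__main__":
    # Constructed caller: enters the mailed card, confirms the name, enters an SSN.
    call = run_attendant(["6011223344556677", "1", "123456789"])
    print("\n".join(call.prompts))
    print("attacker now holds:", call.harvested)
```

Note that the branch that spells the name never consults anything the caller supplied except the card number, and the branch that takes the SSN never rejects a value; the flow cannot fail for a caller holding a mailed card, which is exactly why a real activation line that asks for a full SSN should be treated as a warning sign.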

As for the gift cards, they really had no value. In my case, I simply used gift cards that I had already cashed in. Had I been a real identity thief, it would have been just as simple to steal them from the store: they are not activated until the time of purchase, so they have no value and are not kept secured.

I have heard of other ways of performing this type of attack. In some cases, the letter is from a bank, charity, or research firm. The letter explains that the recipient must take a survey first, and the gift card is provided as a thank-you. Often, the message tells the victim that the IRS considers the gift card to be the same as cash; therefore, the victim’s SSN needs to be verified for the gift to be reported. I found that this additional explanation was not needed. This attack can also be done with an online Web site instead of an 800 number. The only difference is that the victim is required to go online to activate the card. No matter what the spin, the ultimate goal remains the same: to get the victim’s SSN. Since the identity thief already has the victim’s name and address, once he has the SSN, he has everything he needs to become that person.

I found this type of attack to be very successful and, more importantly, of the people who actually took the time to call in, 100% of them gave me their SSN.

Because this type of attack is so easy to avoid, there is only one major rule that you need to follow. Never give your SSN over the phone. Period. I have yet to find one legitimate reason that any organization should require such information. In some cases they may require the last four digits, but never anything more. Keep in mind, too, that the toll-free number printed on the letter belongs to whoever sent the letter, so calling it verifies nothing; if a prize is genuine, the store can confirm it through the number published on its own Web site or printed on the back of a card bought in the store.
