Gift card fraud exploits security gaps in authorization processes. If your employer or client issues gift cards, do you know the kinds of scams fraudsters might attempt?A young man walked into a Sony retail store in Central Valley, New York not long ago. With the help of a salesperson, he selected a wide-screen television, a sound system and a laptop. The total cost of these items was nearly five figures.
"And what payment method will you use today?" the salesperson asked as they approached the counter.
"A couple of gift cards," the customer said, presenting them.
The salesperson, who happened to be the store manager, looked at him for a moment. "Let's see how much is on them," she said. Running the first card through a special reader, she squinted at the display, and passed the card through again. After double-checking the second card as well, she told the customer, "Each of these is supposedly worth $5,000." She laid both cards on the counter and wrote their serial numbers on a scrap of paper.
"Yup," the man said. "Everything alright?"
"These are extraordinarily large denomination cards. So I have to ask you for some identification," the manager replied.
"Absolutely," the customer said, patting his pockets as he snatched up both cards. "But I think I left my wallet in the car."
"I see," the manager answered. "I'll be back in a moment."
Inside a black glass dome on the ceiling above the service counter, one of the store's digital video recorders took in the entire scene. It captured no sound, but was placed to view both sides of the counter. Nearby, other cameras took side-profile footage of that area and the entire store.
These devices recorded how, when the manager turned away, the customer quickly left the store and blended into the crowd of passing shoppers. A moment later, the manager was on the phone to Sony's corporate office in New Jersey. Soon she was reading the serial number of each card to Lynn Schiess, CFE, LPQ, LPC, who at that time was a fraud specialist in Sony's loss prevention unit. (Schiess now is a loss prevention auditor with apparel manufacturer Lacoste.)
Schiess discovered that the cards had been purchased recently in a nearby store that had been closed for more than a year. That just didn't add up. Clearly, someone — perhaps an employee in another store — had coded the cards in an unorthodox manner, which cast doubt on whether Sony had ever received payment for them. As Schiess would eventually learn, Sony's internal controls at the time didn't provide for post-transaction assessments of how customers had paid for gift cards. And that turned out to be a major unmitigated fraud risk.
Schiess didn't have much to go on in attempting to track down the culprit(s). She watched the video footage of the young man in the store and realized that by itself the recording was useless for identification purposes. So, Schiess and her supervisor began reviewing exactly how store employees loaded cash values on gift cards in the amounts that individual customers requested and how they initially configured the cash-loading devices.
She knew that each store had one or more machines for activating and adding cash value to cards. But she couldn't figure out how someone could have used an activation machine for a closed store to create two gift cards whose cash value had probably been falsified. The answer to this puzzle became clear, however, when a co-worker Schiess didn't know all that well became unusually chatty with her.
THE CURIOSITY FACTOR
Schiess and her colleagues in the corporate office relied on an IT technician for help with their PCs or applications. This bright employee knew that Schiess' team investigated fraud in Sony stores.
The IT technician, after five years on the job, had mastered the help desk and had been given additional responsibilities. However, unbeknownst to Schiess, the technician's recently expanded role included maintaining a supply of — and initially configuring — the devices that stores used to activate gift cards and add cash value to them.
Part of that preparatory process included assigning to a machine a unique store identification code and running a test transaction on a gift card to confirm the machine would operate properly in the store. After the technician had determined that a card machine was working and had sent it off to a store, standard operating procedure called for him to remove the cash value from the card he had used, which remained in his possession. And therein lay another fraud risk: At that time Sony internal controls didn't require tracking the serial numbers of the cards on which the technician had performed these test transactions.
Soon after the unidentified customer tried to use the bogus cards, the help desk technician began to frequently stop by the loss prevention unit "just to chat," which he had never done before. Schiess thought this was odd but not necessarily suspicious. Regardless, she mentioned it to her supervisor, who had worked in loss prevention for decades.
"[My supervisor] immediately interpreted our help desk guy's behavior as a red flag," Schiess recalled. "In his experience, some fraudsters had drawn attention to themselves by trying to find out whether investigators knew about their fraud."
So Schiess and her supervisor visited the IT department head on the chance that the technician's behavior might be related to the falsified gift cards. When they told him about the case, he immediately brought up the technician's new and pivotal role in the gift card process and agreed to keep an eye on the technician while Schiess pursued her investigation.
Schiess' next priority was to confirm the identity of everyone involved in the attempted fraudulent redemption. She now had a credible fraud theory — one that focused on an employee in the corporate office, not in a store — and she set out to find evidence supporting or disproving that theory.
FAMILIAR FACE
Schiess' investigation continued with a background check on the IT technician, including an online search for information about him and people with whom he associated. When she discovered he had a Facebook account with a public profile and photos, she immediately recognized a face she had seen in the video of the attempt to use the $5,000 gift cards. The bogus customer and the IT technician were friends. Next step: perform an admission-seeking interview.
Schiess and her supervisor confronted the technician with this evidence. He promptly confessed and vented his pent-up resentment against the company, which he felt had denied him a raise and bonus that his hard work more than justified.
Not long after he began working with gift cards, he said, he had come across the unique identification code of the closed store.
Soon thereafter, an operational store needed a gift card activation machine. At that point, the fraud triangle's three components (pressure, rationalization, opportunity) coalesced in the IT technician's mind. He already was motivated to seek revenge and had fully rationalized his moral entitlement to it. Now, with a tempting opportunity to commit lucrative fraud in what he perceived as a low-risk situation, the technician launched his rash, short-lived plan.
This is how he did it. Just before legitimately configuring the activation machine, the technician temporarily assigned the closed store's code to it and fraudulently issued himself two unfunded $5,000 cards. He then changed the store code to that of the operational store and sent the machine off to it. There was no audit trail to follow; only he knew he had "borrowed" the activation machine to give himself a $10,000 gift. Feeling confident, he then recruited his friend to convert the cards into assets they could keep for their own use or sell for a tidy, illegitimate profit.
Schiess' supervisor obtained a signed confession from the IT technician, and then Sony pressed charges and terminated him. Ultimately, he received probation. Sony had suffered no loss, but Schiess was acutely aware that serendipity had played much too large a role in solving the case.
"It was pure luck that this fraudster was nervous enough to draw attention to himself and careless enough to use as an accomplice someone whose photo was on the technician's public Facebook page," she said. "I knew we needed better controls and risk assessment reports to help us keep tabs on these exposures. Otherwise, frauds like this would continue to occur."
DÉJÀ VU WITH A TWIST
A year after the above case, business appeared to proceed normally in another Sony store. Anyone looking at soundless footage from its security camera over the sales counter would have seen the store manager, in plain view, using a gift card activation machine connected to a point-of-sale (POS) register. And he wasn't alone; other employees also were visible nearby, interacting with the manager. It seemed as if nothing out of the ordinary was happening — even though the manager was in the process of stealing $280,000 worth of gift cards.
He didn't know it, but Sony had taken the previous gift card fraud seriously and had greatly improved internal controls. Schiess and her colleagues in the finance and IT departments had created reports to identify indications of potential gift card fraud whenever they appeared.
Sony expected the reports to cover an important security flaw in the company's gift card activation and POS systems. Management had decided that the cost of a hardware upgrade to eliminate the flaw was greater than any losses the exposure would allow. They reasoned that the reports would alert Schiess to any such frauds. And indeed the reports detected and flagged the manager's fraud — but not immediately.
Although the company knew of the security flaw, the manager had discovered it by accident. One day, about a week before his fraud began, the manager was legitimately activating a gift card for a customer. The customer presented a credit card to cover the funding for the gift card, but the customer's credit card issuer denied the transaction. Because the customer didn't have enough cash to pay for the gift card, the manager cancelled the gift card transaction, returned the gift card to the usual storage cabinet and gave it no further thought.
However, a few days later, another customer asked to buy a gift card, and the manager used the same card he had cancelled earlier. When he began to add cash value to it he discovered that the value he thought he had erased was still on the card — even though Sony had received no funding for it. The stunned manager put the card aside and activated another for the current customer. Then the manager began planning a fraud in which he would intentionally initiate and cancel gift card activations after adding large amounts of cash value to the cards. His fatal flaw was to assume that the company was unaware of the security flaw he had discovered by accident.
At first, the manager fraudulently added relatively small amounts to gift cards. No one inquired about these transactions, so he plunged ahead. In just one week, he issued himself $280,000 in illegitimate, unfunded gift cards. Well before he finished his spree, however, a report tipped Schiess off to the high number of gift card cancellations in the manager's store. She reviewed the store's security video and saw the manager processing stacks of gift cards with nary a customer in sight.
"He just went wild and fraudulently activated more than 100 cards," Schiess said.
Other employees, who were arranging displays and performing similar routine tasks, had no idea the boss was stealing. But Schiess combined intelligence from reports and video and knew exactly what the manager was doing. She alerted the finance department, which deactivated the falsified cards before anyone could use them. The manager confessed, and Sony reported the fraud to law enforcement, who arrested him.
"We learned from our experience," Schiess said. "Improving internal controls saved us from incurring a huge loss. And our discovery and prosecution of these frauds might have deterred other employees from committing similar abuses."
No comments:
Post a Comment