by Pyramids 4693 days ago
Contrary to what the article states, this is almost definitely not due to skimming of any kind. It is most likely related to a database leak or breach, whether it is documented or not is another question.

Also, typically these are not "actual" (card-present, pin entered) debit transactions. Starbucks, much like Amazon, authorizes some online purchases as pinless debit card transactions, due to the lower processing rate incurred by the merchant. This can all be done completely online, for example, via Starbucks Online Reload system.[1]

This is truly nothing new; gift card fraud has been booming since 2006-2007, when companies (starting with Starbucks, followed by Subway, Walmart[2], Whole Foods, etc.) began offering reloads to existing cards. Unfortunately, most of these companies have laughably bad fraud detection.

For example, Whole Foods uses a platform formerly known as "Giftango", which was rebranded as "InComm" in the last couple weeks. They quite literally will let a credit card thief reload hundreds of dollars from an IP anywhere in the world, to any gift card powered by their platform. No fraud scoring, velocity checks, geolocation, etc. You can imagine how easy this would be just by taking a look at their default gift card management portal, used by Whole Foods.[3]

Conveniently for credit card thieves, Walmart even offers an option to reload a spreadsheet, or a CSV list of cards, off a single credit card. Easy, right?[4]

Overall, I think this problem is only going to grow, especially with Cardpool acquired by Safeway, and now offering instant cash for gift cards in stores. This is an extremely easy method to cash out these fraudulently created gift cards, conveniently located at your local grocery store.

[1] https://www.starbucks.com/card/reload/one-time

[2] http://www.walmart.com/cp/Reload-Gift-Card/1097444

[3] https://app.giftango.com/GiftCardPortal/WholeFoods/GiftCardP...

[4] http://www.walmart.com/cp/Reload-Gift-Cards/416242

5 comments
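The first comment faults these platforms for having no fraud scoring, velocity checks or geolocation. As an added illustration that is not from the thread or from any of the companies it names, here is a small Python screen that applies those three kinds of check to constructed reload requests. The thresholds, field names and sample requests are all assumptions made for the example; real platforms tune such rules against their own loss data.

```python
"""Toy velocity / geolocation screen for gift-card reload requests.

Hypothetical example: every reload request is scored against the recent
history of the funding (payment) card and of the source IP address.
Thresholds below are illustrative assumptions, not any real platform's rules.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)            # sliding window for all velocity rules
MAX_RELOADS_PER_FUNDING_CARD = 3       # attempts per payment card per window
MAX_DISTINCT_GIFT_CARDS = 2            # gift cards one payment card may feed
MAX_AMOUNT_PER_FUNDING_CARD = 300.0    # approved dollars per payment card per window
MAX_FUNDING_CARDS_PER_IP = 2           # payment cards one IP may use per window


class ReloadScreen:
    def __init__(self):
        # funding token -> deque of (timestamp, gift_card, approved_amount)
        self.by_funding = defaultdict(deque)
        # source ip -> deque of (timestamp, funding_token)
        self.by_ip = defaultdict(deque)

    @staticmethod
    def _prune(history, now):
        """Drop entries older than WINDOW (deques are appended in time order)."""
        while history and now - history[0][0] > WINDOW:
            history.popleft()

    def check(self, req):
        """Return ("allow" | "decline", [reason, ...]) and record the attempt."""
        now = datetime.fromisoformat(req["ts"])
        fund = self.by_funding[req["funding_token"]]
        ip_hist = self.by_ip[req["ip"]]
        self._prune(fund, now)
        self._prune(ip_hist, now)

        reasons = []
        # 1. Velocity: too many reload attempts from one payment card.
        if len(fund) >= MAX_RELOADS_PER_FUNDING_CARD:
            reasons.append("reload_velocity")
        # 2. One payment card spraying many different gift cards (bulk-reload pattern).
        gift_cards = {g for _, g, _ in fund}
        if req["gift_card"] not in gift_cards and len(gift_cards) >= MAX_DISTINCT_GIFT_CARDS:
            reasons.append("many_gift_cards_one_funding_card")
        # 3. Dollar velocity: approved amount in the window plus this request.
        if sum(a for _, _, a in fund) + req["amount"] > MAX_AMOUNT_PER_FUNDING_CARD:
            reasons.append("amount_velocity")
        # 4. One IP cycling through many payment cards.
        funding_from_ip = {t for _, t in ip_hist}
        if req["funding_token"] not in funding_from_ip and len(funding_from_ip) >= MAX_FUNDING_CARDS_PER_IP:
            reasons.append("many_funding_cards_one_ip")
        # 5. Geolocation: IP country disagrees with the card's billing country.
        if req["ip_country"] != req["billing_country"]:
            reasons.append("geo_mismatch")

        decision = "decline" if reasons else "allow"
        # Declined attempts still count toward attempt velocity, but only
        # approved amounts count toward the dollar cap.
        fund.append((now, req["gift_card"], req["amount"] if decision == "allow" else 0.0))
        ip_hist.append((now, req["funding_token"]))
        return decision, reasons


# Constructed sample traffic (RFC 5737 documentation addresses, fake tokens).
SAMPLE_REQUESTS = [
    {"ts": "2013-05-01T10:00:00", "funding_token": "tok_A", "gift_card": "gc_1", "amount": 50.0, "ip": "198.51.100.7", "ip_country": "US", "billing_country": "US"},
    {"ts": "2013-05-01T10:05:00", "funding_token": "tok_B", "gift_card": "gc_2", "amount": 100.0, "ip": "203.0.113.9", "ip_country": "RO", "billing_country": "US"},
    {"ts": "2013-05-01T10:06:00", "funding_token": "tok_B", "gift_card": "gc_3", "amount": 100.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
    {"ts": "2013-05-01T10:07:00", "funding_token": "tok_B", "gift_card": "gc_4", "amount": 100.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
    {"ts": "2013-05-01T10:08:00", "funding_token": "tok_B", "gift_card": "gc_3", "amount": 250.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
    {"ts": "2013-05-01T10:09:00", "funding_token": "tok_C", "gift_card": "gc_5", "amount": 25.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
    {"ts": "2013-05-01T10:10:00", "funding_token": "tok_D", "gift_card": "gc_6", "amount": 25.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
    # Same funding card again, but after the window has slid past the earlier attempts.
    {"ts": "2013-05-01T11:30:00", "funding_token": "tok_B", "gift_card": "gc_7", "amount": 50.0, "ip": "203.0.113.9", "ip_country": "US", "billing_country": "US"},
]


def screen_all(requests=SAMPLE_REQUESTS):
    """Run every request through one screen instance, in order."""
    screen = ReloadScreen()
    return [screen.check(r) for r in requests]


if __name__ == "__main__":
    for req, (decision, reasons) in zip(SAMPLE_REQUESTS, screen_all()):
        print(req["ts"], req["funding_token"], req["gift_card"], decision, reasons)
```

Each rule is cheap to evaluate at authorization time and needs only a short-lived in-memory (or cache-backed) history keyed by payment token and IP; the last sample request shows the window sliding so that a card which was declined earlier is not blocked forever.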

You would think that pinless debit card transactions would carry higher fees since there is a higher risk of fraud. Any thoughts as to why it's the opposite?

I wouldn't say there is any higher potential for fraud, as they're essentially verifying the same amount of data. It may make it slightly more difficult to recover funds if your card is used without your permission, however.

The processing rate is typically lower because of agreements between issuing banks and debit processing networks, and is a somewhat hot topic at the moment, as technically pinless online debit transactions are only intended for when the customer's identity has been "confirmed", such as individuals with running accounts at a wireless carrier.

However, for whatever reason, some big companies are being allowed to use the MasterCard Debit/Maestro/Visa Debit/STAR/PULSE networks in this manner. In this case that company is Starbucks.

I'd estimate the rate paid by Amazon/Starbucks for processing pinless debit is 0.8% or less. Compare this with the 0.9 - 2.2% interchange fee (depending on card type) they'd incur if they processed these transactions as credit. It might not sound like a lot, but at that scale it probably ends up being millions per day saved.

It's not pinless debit versus regular debit, but rather pinless debit versus credit.

Do you know if InComm/Giftango take on any of the burdens of fraud?

There already seems to be a big moral hazard problem with credit card companies and merchants, where the merchants have to cover the entire loss if I understand correctly.

I'm hoping competition from startup payment processors might put pressure on credit card companies, as this ends up costing businesses and consumers a lot of money.

As far as Giftango goes, they simply provide the platform; Whole Foods (or whomever is the actual gift card merchant) is responsible for any fraud which occurs due to abuse of the platform. Assuming the fraud was successful, Whole Foods will lose both their product and their money.

While I agree that it is not due to skimming, I don't think it is a database leak or breach. If it was, thieves would probably go for smaller transactions (since they are harder to notice) on a large scale. My guess is that she either got phished or shopped on a compromised website. That could also explain the hosting purchase.

Phishing for credit card information alone is extremely rare, as it doesn't make any financial sense to people who are committing fraud; if someone were phishing, they'd be interested in login information and identity data instead.

In my experience, most database breaches result in data being sold, not used. It's more profitable and results in far less risk (Ex: 100k cards @ $2/ea via anonymous payment methods) vs attempting to use the cards.

As such, the people who end up actually creating the transactions are usually low-level individuals who are trying to figure out a way to "cash out".

Not to say there isn't a chance you're right, but card data is cheaply and readily available elsewhere, which is why I don't think this was related to a phishing attack. If there were other signs (ex: bank logins compromised, credit inquiries, etc.) then I'd be much more inclined to agree. Either way, it's hard to come to a certain conclusion based on the information provided in the article.

What makes you say it was from a database leak?

I had a fraud issue caught by a bank once. What's strange is they caught the test at a bar I had frequented. That made me assume that it was skimmed. (But perhaps they saw many others tested there?)

It's unlikely for a skimmed card to be used online in this fashion, because the thieves wouldn't typically have the CVV2, only the CVV1 which is included on the magnetic stripe track. Most merchants which offer gift card reloads will decline on an incorrect CVV2.

Additionally, cost-benefit-wise, card data sells for $2-3 max, while track data sells for much, much more ($25-50), and typically someone capable of acquiring this data themselves would not be wasting their time with Starbucks card reloads.

Interesting. Thanks!

Wow. I can't believe the banks aren't bending their pet Congresscritters' ears, demanding new laws to regulate these practices.

The last thing banks want is any regulators looking into how easily they can launder money.

Who cares about gift card fraud when they are laundering billions for criminals, cartels, etc.?

If you get too much oversight, they might accidentally find all the other crap banks are up to.

If there is any institution you can be assured of fraud from, it's banks.

But this particular fraud costs them money.