Gift cards and merchandise rewards form an industry that has been around for years, but it continues to surge in popularity, offering consumers flexibility and convenience while giving businesses opportunities to build customer loyalty and drive sales. However, as this sector grows, so do the security threats targeting gift card apps, platforms, and digital payment systems.
According to a recent PaymentsJournal article, consumers are increasingly drawn to digital gift cards due to the overall plethora of gift ideas online, the ease of mobile payments, and personalized gifting options. Yet, the same digital shift that makes gift cards so popular also introduces a range of potentially dangerous cyber threats and related fraud.
From account credential hijacking to man-in-the-middle attacks, businesses in this sector must prioritize cybersecurity to protect their customers from scammers and maintain their trust.
Gift card and rewards apps under attack
Account credential hijacking
One of the most common attacks in the gift card industry is account credential hijacking. Cybercriminals and scammers use phishing schemes, social engineering, or brute force methods to steal user login information, allowing them to gain access to gift card accounts.
Once they have access, hackers can deplete gift card balances or sell the stolen cards on black markets. To combat this challenge, gift card apps must implement strong multi-factor authentication (MFA) and monitor user activity for signs of suspicious behavior.
Application repackaging
In an application repackaging attack, cybercriminals modify a legitimate app by injecting malicious code and distributing that newly recreated “repackaged” malicious app through unofficial channels. Users then accidentally or unknowingly download these repackaged apps that can steal their personal information, including much-coveted gift card details.
Developers in the gift card sector need to invest in app hardening and code obfuscation technologies to make it difficult for attackers to reverse-engineer and modify their legitimate mobile apps.
Man-in-the-Middle (MitM) attacks
Gift card transactions, especially those involving digital wallets and mobile payments, are vulnerable to man-in-the-middle (MitM) attacks. In these attacks, cybercriminals intercept communications between the user and the platform to steal sensitive information such as account credentials or gift card codes.
Robust encryption protocols and secure API communications are proven tools for defending against such attacks.
Supply chain attacks
Another significant threat facing the industry surrounds the software supply chain itself. Hackers target third-party vendors or software providers to inject malicious code into gift card platforms or mobile apps.
These attacks can compromise entire systems, leading to data breaches or theft of gift card balances, making the implementation of secure software development practices and consistent software updating essential for mitigating this risk.
Must-have app shielding features for gift card and rewards developers
For gift card businesses, implementing robust app shielding solutions for both iOS and Android platforms is no longer optional; it should be a critical component of an overall cybersecurity strategy in order to help prevent fraud.
Here are some key features/benefits to look for in an app shielding vendor to prevent gift card scams:
- Android & iOS app hardening with code obfuscation
Some app protection vendors offer code obfuscation to make it much more difficult for attackers to reverse-engineer the app by essentially making the code itself unreadable. Many app security vendors provide basic app wrappers, which are the weakest form of security for apps.
Be sure to look for advanced, layered app protection, such as code obfuscation, if you’re looking for professional-grade app hardening used by banks, e-commerce, and healthcare organizations. There is no need to settle for less than you deserve when it comes to protecting your valuable apps.
- Anti-tampering measures
Tampering with apps is a common method attackers use to alter code, introduce malware, or bypass security features.
With anti-tampering measures, developers can safeguard their applications by embedding mechanisms that detect and respond to any attempt to modify the app during runtime. These measures can trigger responses such as shutting down the app, sending alerts, or even applying self-protection techniques, ensuring that any malicious activity is addressed immediately.
This layer of defense is vital for protecting sensitive data and maintaining the integrity of your app. Note: Frida is a popular tool used by attackers and scammers to manipulate apps. Professional-grade mobile app shielding solutions should prevent attackers from using popular tools like Frida to tamper with gift card apps, so be sure to look into this.
- Device integrity checks
In environments where mobile apps process sensitive information, such as gift cards and rewards, ensuring the integrity of the device is critical. Device integrity checks are essential for confirming that the app is operating on a secure, non-rooted, or non-jailbroken device.
If the app detects that it’s running on a compromised device, it can take preventative actions such as limiting app functionality or restricting access to certain features. This ensures that vulnerabilities introduced by altered operating systems do not put your app or users’ data at risk.
- Threat detection and response
Some in-app shielding vendors also provide real-time threat detection and response capabilities, enabling gift card companies to monitor and respond to suspicious app activity so that they can stop attacks before they cause damage. Not every vendor has this; be sure to request a product demo.
- Addresses OWASP Top 10 Mobile App Vulnerabilities
A professional mobile app shielding vendor can offer developers a security solution that helps address the OWASP Top 10 Mobile App Security Vulnerabilities, ensuring a robust defense against known attack vectors.
- CI/CD integration
Continuous Integration/Continuous Deployment (CI/CD) tools can automate security testing throughout the development process, ensuring that vulnerabilities are caught and fixed before release.
Ask your in-app shielding provider if their app protection is compatible with most browsers, frameworks, markup languages, and libraries across hybrid environments: Angular, EmberJS, Ionic, JavaScript, Meteor, NativeScript, Next.js, Node.js, Nuxt.js, React, React Native, Vue, Webpack, HTML5, Xamarin, and Swift for iOS, Kotlin/Java for Android.
If you’d like to dive deeper into those threats, you can check Issue #13 of our threat roundup, which takes a look at Storm-0539, a threat actor that targets US retail corporate employees with smishing messages on their personal and work mobile devices for gift and payment card fraud.
Can gift card fraud be tracked?
Yes, gift card fraud can be tracked through various sophisticated methods. Many retailers employ advanced analytics to monitor transaction patterns and flag suspicious activities.
For instance, sudden spikes in gift card purchases or redemptions from unusual locations may trigger alerts. Some companies use machine learning algorithms to detect anomalies in real-time.
Blockchain technology is emerging as a powerful tool for tracking gift cards. It creates an immutable record of each transaction, making it easier to trace the movement of funds.
Several retailers have implemented unique QR codes on gift cards, allowing customers to verify authenticity and balance. This also enables companies to track each card’s journey from activation to redemption.
Law enforcement agencies often collaborate with gift card issuers to investigate large-scale fraud operations, using data analysis to uncover criminal networks.
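As an added illustration of the two signals named above (redemption spikes and redemptions from unusual locations), here is a small detection routine written for this article rather than taken from any retailer's system. The redemption records and the per-account baseline of known countries are constructed sample data; thresholds such as a 10-minute window and three redemptions are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample redemption log (not real data). Each record is
# (timestamp, account_id, card_id, country, amount_usd).
REDEMPTIONS = [
    ("2024-05-01T10:00:00", "acct-1", "card-100", "US", 25.0),
    ("2024-05-01T10:02:00", "acct-1", "card-101", "US", 50.0),
    ("2024-05-01T10:03:00", "acct-1", "card-102", "US", 50.0),
    ("2024-05-01T10:04:00", "acct-1", "card-103", "US", 100.0),  # 4th in 10 min
    ("2024-05-01T11:00:00", "acct-2", "card-200", "GB", 20.0),
    ("2024-05-01T11:30:00", "acct-2", "card-201", "GB", 20.0),
    ("2024-05-01T12:00:00", "acct-2", "card-202", "BR", 20.0),  # never seen BR before
    ("2024-05-01T13:00:00", "acct-3", "card-300", "SG", 10.0),
]

# Constructed baseline: countries each account has redeemed from historically.
KNOWN_COUNTRIES = {"acct-1": {"US"}, "acct-2": {"GB"}, "acct-3": {"SG"}}


def parse(events):
    """Convert timestamps and return the events in chronological order."""
    return sorted(
        ((datetime.fromisoformat(ts), acct, card, country, amt)
         for ts, acct, card, country, amt in events),
        key=lambda e: e[0],
    )


def velocity_alerts(events, window=timedelta(minutes=10), max_redemptions=3):
    """Flag each redemption that pushes an account past max_redemptions in a sliding window."""
    recent = defaultdict(list)  # account -> timestamps still inside the window
    alerts = []
    for ts, acct, card, _country, _amt in parse(events):
        recent[acct] = [t for t in recent[acct] if ts - t <= window]
        recent[acct].append(ts)
        if len(recent[acct]) > max_redemptions:
            alerts.append(("velocity", acct, card))
    return alerts


def location_alerts(events, known=KNOWN_COUNTRIES):
    """Flag the first redemption from a country the account has not used before."""
    seen = {acct: set(countries) for acct, countries in known.items()}
    alerts = []
    for _ts, acct, card, country, _amt in parse(events):
        if country not in seen.setdefault(acct, set()):
            alerts.append(("new_country", acct, card))
            seen[acct].add(country)  # alert once, then treat the country as known
    return alerts


def all_alerts(events, known=KNOWN_COUNTRIES):
    return velocity_alerts(events) + location_alerts(events, known)
```

In practice the alerts would feed a case queue or a step-up verification flow rather than block the redemption outright, since a legitimate traveller also triggers the new-country rule.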
10 popular gift card and rewards companies
To illustrate the scale and popularity of the gift card and rewards industry, here are 10 popular gift card and rewards companies from around the world, ranked by estimated mobile app downloads:
- Ibotta
  - Users/Downloads: Over 40 million downloads
  - Country: United States
  - Description: Cashback app for groceries and other everyday purchases, both in-store and online.
- Rakuten (Ebates)
  - Users/Downloads: Over 20 million users
  - Country: Japan
  - Description: Offers cashback for online and in-store shopping with major retailers. Known for international reach and high cashback rates.
- Fetch Rewards
  - Users/Downloads: Over 20 million downloads
  - Country: United States
  - Description: Simple rewards app where users scan receipts from any store to earn points for gift cards.
- Swagbucks
  - Users/Downloads: Over 15 million users
  - Country: United States
  - Description: Rewards app offering points for completing surveys, shopping online, watching videos, and more.
- ShopBack
  - Users/Downloads: Over 10 million users
  - Country: Singapore
  - Description: Cashback platform popular in Southeast Asia and Australia that offers rewards for online purchases at major retailers.
- GoPay (Gojek)
  - Users/Downloads: Over 10 million users
  - Country: Indonesia
  - Description: Part of the Gojek super app, GoPay offers cashback and rewards for services like food delivery, transport, and online purchases.
- Quidco
  - Users/Downloads: Around 10 million users
  - Country: United Kingdom
  - Description: A UK-based cashback app offering rewards for shopping online and in-store with thousands of retailers.
- TopCashback
  - Users/Downloads: Over 9 million users
  - Country: United Kingdom
  - Description: Known for offering some of the highest cashback rates for online shopping.
- CashKaro
  - Users/Downloads: Over 5 million users
  - Country: India
  - Description: India’s largest cashback and coupon platform with a focus on local online retailers.
- Shopkick
  - Users/Downloads: Over 5 million downloads
  - Country: United States
  - Description: Rewards users for visiting stores, scanning items, and making purchases, with points (kicks) redeemable for gift cards.
Avoid gift card draining by implementing a strong app shielding system
The gift card and merchandise rewards industry continues to grow, but so do the security risks that threaten it. Unfortunately, mobile apps are often the weakest link in an organization’s security stack, but that doesn’t have to be the case.
From account credential hijacking to man-in-the-middle attacks, companies need to employ robust cybersecurity measures to safeguard their platforms, apps, APIs, and customers. By leveraging mobile app shielding, businesses can ensure that their apps are equipped with layered security that protects against ever-evolving cyber threats and fraud while addressing OWASP’s Top 10 Mobile App Vulnerabilities.
Verimatrix XTD is the #1 app shielding solution for a reason: we work with gift card organizations to safeguard their most important digital assets from a wide array of cyberattacks, ensuring their success in this highly competitive (and exciting) market.