PLEASE TAKE NOTE: The title is correct, this is how to scam users of garage sale groups. The intended audience, however, is victims and group administrators. The goal here is to convey how easy it is to defraud people into purchasing gift cards, and why they should not be allowed for sale in these groups.
You should never purchase used gift cards from anybody without the authorization of the selling store, and their support transferring your balance to a new gift card.
Short Version of the Scam
When you purchase a gift card from somebody on the Internet, you may find that paying $50 for $100 of merchandise credit is a fantastic tradeoff. The fact is, you will pay $50 and they will keep the $100. Leaving you out money.
How this scam works
This is nothing new, it is very similar to how credit card fraud has worked for years, however there are many site admins and potential consumers unaware of this tactic.
How Payment Cards Work
Your older credit cards, and the majority of gift cards in the world use a magnetic stripe (the black line on the back of your card). This mag stripe, from a fundamental level, operates exactly like old cassette tapes. When you swipe your card, the equipment reads the card and a special number comes up. This number does not include your balance, but does generally contain the card number, expiration, the name of the card holder, and a few other pieces of information.
This information does not ever change. This is the problem with credit cards, and why EMV “chip” cards were introduced, they reduce the attack surface and greatly increase the complexity of this issue.
The scammer’s shopping list…
The scammer will buy a valid gift card (let’s say it’s $100 worth), and a card reader / encoder. The latter device is roughly $30 from Amazon, and there are plenty of legitimate reasons to sell and own these devices. At this point, an attacker has all of the tools they need.
The scammer reads the card’s data into a computer, and encodes it (sort of like saving a file) onto an extra card that they picked up.
Selling the Gift Card
The card will be listed for sale in multiple areas, usually for some money off the face value, and with the caption “Got this for (insert holiday), don’t shop there” or similar. Sometimes this will be backed up with a picture of the register receipt.
A buyer is found through one of these garage-sale groups, and you meet up. You first call the store to verify the $100 balance, and sure enough — the card is loaded legitimately. You gladly pay your $50 for the card, and you both leave happy. You may head straight to the store, you may wait a few days, or you may be extra hilarious and gift this card to somebody.
Hook, Line and Sinker
As soon as you leave, the attacker has a duplicated gift card of yours and can call a friend at the store to purchase another gift card, food, clothes, or anything else with that card. By the time you get to the store, that card will have a $0 balance, and the Facebook / Craigslist / etc account will be long gone.
Buying Gift Cards Legitimately
The majority of stores expressly prohibit transferring cards between people, and for this reason. The best way to do this safely is that both you and the seller meet at the store in question, and you purchase a new gift card with the card they’re selling, you can then dispose of the depleted card, and your new card will not be vulnerable to this scam, as the seller will not posses a duplicate of your gift card.
There are also websites that may have additional mechanisms for exchanging gift cards, though you should always keep in mind how this works. Companies will often state directly on the cards “TREAT THIS CARD LIKE CASH”, claiming that losing the card or other conditions will prevent them from issuing a balance. Furthermore, as far as the store is concerned, you spent the balance, and store clerks will almost never check a gift card for validity. Even if they do, there’s embossers for that.