Ohio Wal-Mart Gift Card Thief Gets $11K Just For The Asking

Earlier this month, a man called a 24-hour Wal-Mart in Columbus, Ohio, at 1 AM and told an associate he was with Wal-Mart's IT department. The caller instructed the associate to activate gift cards, read him those card numbers and then scratch off the tape on the back of the cards so she could tell him the authorization codes, police said. And the associate obliged. Hours—and more than $11,000 in online fraud—later, the store realized it had been had.

This incident, which police are still investigating, raises the issue of associate training. Preliminary information given to police by Wal-Mart did not indicate that the caller gave the associate any reason to believe he really was from Wal-Mart IT. Nor was any reason offered as to why an IT person would make such a request. Was the thief assuming the 1 AM crew might be more accommodating and less suspicious?

How many chains have IT authentication procedures, including passwords or callback mechanisms? For that matter, why not have rules forbidding associates from divulging of sensitive information to anyone on the phone unless specifically instructed to do so by the store's general manager?

The irony is that IT spends millions on sophisticated encryption and protection techniques, all of which can be circumvented by a persistent thief doing rudimentary social-engineering scams. How many Wal-Mart stores did the thief have to call before finding a cooperative associate in Columbus?

The incident reportedly happened on September 5 at the Westpointe Plaza Wal-Mart near Columbus, said Columbus Police Detective Susan Collins, who added on Wednesday (Sept. 22) that Wal-Mart had yet to indicate how it arrived at the very specific fraud figure of $11,054.60. Nor did the retailer say how many—or the nature of—the transactions involved. A Wal-Mart spokesperson on Wednesday (Sept. 22) also said she had yet to hear back from store officials about the incident's particulars.