Wired is reporting a giant dark web scheme to sell counterfeit coupons costing the consumer packaged goods industry tens of millions of dollars. The scam is simple because no one thought that anyone would try it. So no one added any security into the coupon chain. Later, they bolted on a blacklist, but that is easily bypassed.
When I started to read about it, I thought “what’s the big deal – so someone is duplicating the coupons that manufacturers put in the paper”. That is not quite it. These guys make their own coupons where no coupons exist and since there is no security in the system, the retailer scans in the bogus coupon and the manufacturer eats the loss because they don’t want to retailers to stop accepting their coupons.
On Thursday the feds indicted Beauregard Wattigney of Louisiana on wire fraud and trademark counterfeiting. It seems like even the law hadn’t thought about this and counterfeiting coupons is not it’s own crime.
He is charged with making bogus coupons and selling them for everything you can imagine – alcohol, cigarettes, cleaning supplies, video games. The FBI accused him of doing $1 million of damage, but Jane Beauchamp, president of a firm that tracks brand fraud estimates the damage at “tens of millions”. In addition to selling packages of coupons, he is also accused of selling people classes to teach them how to do this themselves (and likely create their own, at home, business). He is even accused of launching a service where people could generate the own coupons on demand.
Here is the core problem:
GS1, the global standards organization that companies as diverse a Coke and Mattel support, defined a bar code standard without considering security. Likely the standard was developed years ago, when no one considered the possibility of bar code fraud and certainly before the Internet. In any case, according to Wired, the first 6 characters of the bar code are a company code, which you can copy from any coupon the company ever created, the next 6 digits are an offer code, which for the purposes of a fake coupon, can be a random number and the remaining digits are the discount in cents and the number of items you have to buy to get the discount.
Wattigney is accused of selling these on Silk Road and Silk Road 2 and the feds caught on to him when they took down Silk Road.
Apparently, the retailers do not have a way to check with the manufacturers at the time of coupon acceptance. I am sure that 50 years ago when couponing started and you could get 10 cents off a box of cereal, the cost of creating such an exchange was mind boggling. Now, it would not be a big deal. But that 10 cents off idea has morphed and Beauchamp said that these coupons were giving people $7 off one product, $9 off a different one and costing the manufacturers $2 million each on just those two coupons.
Wattigney is not the first guy to try this and now that Wired spilled the beans, it could become more common, forcing stores to do something about it. Two years ago, Lucas Henderson was sentenced to three years supervised release and forced to pay $900,000 in restitution. Henderson was a Lubbock, Texas college student.
According to expert Beauchamp, stores like Target and Walmart rely on a industry group, Coupon Information Center, which maintains a blacklist of known bogus coupons. If a fraudster creates a new coupon, it won’t be on the blacklist and as long as it looks OK to the cashier, the user gets their discount. If it is caught by the system, the customer just makes up some excuse like a friend gave it to me and walks off.
Coupon Information Center president Bud Miller says they have other security measures but wouldn’t say what they are. Given that Wattigney cost the brands millions, I would say that whatever those measures are, they are not working.
One interesting part of this is that the two prosecutions described above are Americans in America. What if bogus coupons become the next Chinese import. Miller says that prosecution is one of the measures, but prosecuting fraudsters from less than friendly countries is not likely.
And all because security was not baked in.