The Simple Trick Ashley Madison's Users Could Have Used to Protect Themselves

It might seem strange in the age of cryptocurrency and consumer-level VPN services, but it turns out that the easiest ways to remain anonymous while making purchases online might also be the simplest: just use a gift card.

Right now, there are a number of services that offer "anonymous" payments through gift cards. The cheating site Ashley Madison, for example, offers the option to purchase subscriptions with gift cards. "Trade a Major Brand Gift Card," the site encouraged on its payment page. "Walmart, Starbucks, Home Depot, Best Buy and more. 100% Anonymous. We accept any gift card balance of $49 or more."

Those who used this option were probably protected from the recent cyberattack on the site, which resulted in the theft and apparent publication of all its data on users, including real names, addresses, and credit card details.

So how is it that companies like Ashley Madison are able to accept Starbucks cards as cash?

One way is through a gift-card redemption services like Pay Garden. These companies have deals with some gift-card network companies that sell gift cards for brands like Starbucks and Best Buy, allowing them to basically buy back the unused balance on cards for a fee.

Neither Ashley Madison nor Pay Garden responded to requests for comment, but this type of service also appeals to companies like VPN service Private Internet Access, which also allows users to purchase their IP masking services with gift cards through Pay Garden.

The payment method, PIA president Jonathan Roudier assured me, preserves complete anonymity.

"Any anonymous payment will make sense with our business," Roudier said. "So that's why we accept gift cards. In terms of quantity, cryptocurrency accounts for about five percent and the gift card represents around one percent."

Roudier added that while this is only a small percentage of his company's business, it still accounts for 45,000 single-use gift cards in the last year alone. The question remains, however, whether or not this purchasing method is really "fully anonymous."

The theory is that gift cards and prepaid credit cards—those Visa or Mastercard-branded cards that can be used anywhere—have less stringent registration policies than real credit cards. Some don't require any registration until after a few uses and others ask for just a name and address, which retailers can do little to verify. And since merchants only check to see that the address info you providing as billing info matches with the card's registration, you could pass what's called an Address Verification Test conducted by that merchant with "123 Fake St., Anytown USA," as long as the two sets sync up.

If you go an extra step and register while logged onto a Tor browser or through a VPN, there'd also be no way to track the IP address that registered the card, which, as far as online smokescreens go, is pretty good.

People who go out of their way to do this, however, are quick to note that it's not likely to make someone completely untraceable.

Ryan Barrett, a 33-year-old software engineer from San Francisco who used either gift cards or cash almost exclusively for 12 years, said this method probably won't help you duck the FBI because of how convoluted the steps are to ensure your entire paper trail is covered.

"I think if your goal is preventing identity theft or committing a crime or something like that, I don't expect that this is strong protection against anything like that," Barrett said. "It's more just personal work and hobby; it's not practical."

Instead, he said this method probably works best for avoiding things like automated advertisements and credit-tracking software. Basically, if you want to avoid being targeted by corporations or software, then this is an OK way to do it, Barrett said.

"Computers don't know what a real address sounds like," Barrett added. "People do."

Madeline Aufseeser, an analyst with Aite Group who covers prepaid cards and payment systems, agreed and said cards being used for "nefarious purposes" is rare, if not impossible.

"It's the same as using cash to a certain extent—it could be assuming the card has not been registered," Aufseeser said. "I don't have a problem with people using these cards anonymously, what I have a problem with is the implication is that people are using them anonymously to make illegal purchases. Because that's not the norm."

Part of the reason this method might not be the norm for criminals are the extraordinary lengths one has to go to maintain privacy using it.

For 12 years, Barrett was about as off-the-grid as a software engineer can be. He didn't have a cell phone, he owned his car and property through an LLC, he used his credit card only to buy gas, and what he couldn't buy with cash—like online purchases—he bought with $50,000-worth of disposable, prepaid gift cards.

His preferred cards came from Simon, a large chain of malls that sells Visa, Mastercard, and American Express branded gift cards that can be used anywhere, including online stores. They can be bought in denominations of $500, which Barrett could pay in cash, and required only an address to be registered, which could be easily falsified, making them ideal for preserving anonymity.

For a while, the only downside was that the cards couldn't be reloaded, which meant he had to go to the mall and buy a new one every couple months. Barrett jokes that "finding a reloadable card that only asked for an address, that was the holy grail for me."

The other problem was the Patriot Act, which required some prepaid cards to be registered with a Social Security number in order to combat money laundering.

Barrett, who stopped using prepaid cards a couple years ago and started using his wife's information when purchasing items that require credit cards (she doesn't mind, he says). He never had any problems using Simon cards before he made the switch, he said.

When asked about the possibility that people might be providing false information to remain anonymous, a representative from Simon said "we would never discuss this level of detail in public," and would not confirm what information they ask for when registering a card online.

To find out, I used cash to buy a $20 American Express-brand Simon gift card at the Newport Centre mall in Jersey City. I then tested whether or not I'd need to register the card or give up any information to make a purchase. I didn't. Using a Tor browser, I created a new Gmail account, which I then used to create an Amazon.com account under the name Steve Brule—a man who claims to live at 350 Fifth Ave, the address of the Empire State Building. My single purchase was a 25-cent piece of L-shaped PVC pipe which I had sent to an Amazon Locker at a 7/11 on Broadway with free Amazon Prime shipping.

I then tested what, if any, information was needed to actually register the card. Unfortunately, Simon's American Express cards can only be registered by phone, meaning I had to give up my cell number. But once I was on with the Simon customer service rep, I only had to provide a name and address to fully register the card. I chose John Smith and 350 Fifth Ave again, pretending to be Steve's only roommate in the lonely Empire State Building.

While Simon now has my number, it stands to reason that some of Simon's other brands of gift cards could be registered online, since they do have an online registration portal. There are also a few ways I could've kept my number private, like buying a burner or using a payphone. So while it may be a little tricky to register anonymously, it's not exactly brain surgery.

More importantly, as a friendly robot voice clarified while I was on hold to register the card, "most merchants do not require that you register your American Express gift card before making an online purchase." Bottom line: I can buy all the L-bends I want and no one would be the wiser.