You’d have to do an awful lot of shopping at Kohl’s to earn nearly $600,000 in Kohl’s Cash. But a New Jersey couple has admitted to coming up with a more creative way to get their hands on such a huge amount – by devising a computer program to help them steal it.
Pavan Gurram and Vanaja Gattupalli pleaded guilty to wire fraud in federal court last week, in Kohl’s home state of Wisconsin. The two admitted to using custom-made software that generated working Kohl’s Cash bar code numbers and PINs, then using more than 7,000 of the codes to buy hundreds of thousands of dollars in Kohl’s merchandise.
Shoppers earn $10 in Kohl’s Cash for every $50 they spend. They can then use the Kohl’s Cash on a later purchase. Unless, that is, someone else uses it before they do.
In a criminal complaint filed in July, investigators say Kohl’s first became suspicious that something was up exactly one year ago. On November 2, 2014, Gurram allegedly used ten Kohl’s Cash certificates – the maximum number allowed in one transaction – to buy a $1,000 diamond bracelet on Kohls.com.
But later that day, a Kohl’s customer who tried to redeem $550 in accumulated Kohl’s Cash certificates was shocked to find that they only had a balance of $3. A few days later, a customer trying to use a $40 Kohl’s Cash certificate had their transaction denied, “because that particular certificate had already been redeemed.”
It seemed that duplicates of the Kohl’s Cash codes had been used before the rightful owners got a chance to use them. And investigators say all of the missing Kohl’s Cash was traced back to Gurram’s diamond bracelet order.
So the investigators started digging further. Over a yearlong period that began in June 2014, they said Gurram and Vanaja Gattupalli redeemed 7,113 stolen Kohl’s Cash certificates to place 1,083 orders on Kohls.com, for merchandise worth a total of $223,295.23.
They’re also accused of selling other Kohl’s Cash codes online for about 40% of their face value. Buyers “would request from Gurram a specific value in certificates, and Gurram would direct the third party how to pay,” investigators said.
As for all the stuff they bought online, some of it they’re accused of keeping, some was sold online, some was sent to relatives in their native India – and some was returned to their local Kohl’s store for gift cards – many of which the couple also allegedly then sold online.
And how did they pull it all off? Investigators say they exploited weaknesses in the way Kohl’s issues its Kohl’s Cash.
“Kohl’s uses a sequential numbering algorithm to generate rewards cash certificate bar code numbers,” the criminal complaint reads. So, “using his knowledge and skills as a computer programmer,” Gurram allegedly created “an automated computer process that located, identified and provided certificate bar code and PIN numbers for rewards cash certificates in a sequential manner.”
Kohl’s loss prevention tested this theory, investigators said, and “was able to create an automated process to generate Kohl’s certificate bar code numbers, conduct a balance inquiry on Kohls.com, and return both the certificate number and current balance for approximately 3,000 certificates in less than one hour.”
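As an added example (not from the complaint or from Kohl’s), here is one way a retailer could spot the kind of automated sweep described above in its balance-inquiry logs: a single client checking many distinct certificate numbers that sit next to each other. The log format, client identifiers and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against real traffic.
WINDOW_SECONDS = 600   # sliding window per client
MAX_DISTINCT = 20      # distinct certificates one client may check per window
MAX_GAP = 2            # numbers this close together count as sequential
SEQ_RATIO = 0.8        # share of sequential neighbours that marks a sweep

def sequential_ratio(numbers):
    """Share of neighbouring values (after sorting) that differ by <= MAX_GAP."""
    ordered = sorted(set(numbers))
    if len(ordered) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a <= MAX_GAP)
    return close / (len(ordered) - 1)

def find_enumeration(events):
    """events: (epoch_seconds, client_id, certificate_number) tuples.
    Returns {client_id: (distinct_count, ratio)} for clients that look like sweeps."""
    by_client = defaultdict(list)
    for ts, client, cert in sorted(events):
        by_client[client].append((ts, cert))
    flagged = {}
    for client, rows in by_client.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most WINDOW_SECONDS.
            while rows[end][0] - rows[start][0] > WINDOW_SECONDS:
                start += 1
            certs = [c for _, c in rows[start:end + 1]]
            distinct, ratio = len(set(certs)), sequential_ratio(certs)
            if distinct > MAX_DISTINCT and ratio >= SEQ_RATIO:
                flagged[client] = (distinct, ratio)
                break
    return flagged

# Constructed sample log (not real data): one sweep, one shopper, one busy kiosk.
SAMPLE = (
    [(1000 + i, "client-A", 500000 + i) for i in range(60)]           # sequential sweep
    + [(1000 + 90 * i, "client-B", n) for i, n in enumerate([812345, 102938, 557001])]
    + [(1000 + 5 * i, "kiosk-C", 13 + 7919 * i) for i in range(30)]  # many, unrelated
)

if __name__ == "__main__":
    for client, (count, ratio) in find_enumeration(SAMPLE).items():
        print(f"{client}: {count} distinct certificates, {ratio:.0%} sequential")
```

Volume alone does not trip the rule (the kiosk stays clean); it takes volume plus adjacency. A sweep spread across many clients would need the same check keyed on certificate-number range instead of client.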
It almost makes you wonder – if generating custom-made Kohl’s Cash is this easy, why don’t more people do it? And is your Kohl’s Cash balance at risk of vanishing before your eyes as well?
We may never know – Kohl’s representatives did not respond to a request for comment about whether they have any plans to make Kohl’s Cash certificates more secure, or whether your Kohl’s Cash is safe.
Gurram’s alleged methods are similar to those used by others who have managed to “hack” other retailers’ sequentially-numbered coupons. Some online communities share information about how to “crack the code” on retailer coupons with unique IDs, and generate their own working coupon codes. The problem is, some unsuspecting consumer is going to be issued an actual coupon with that code – and be dismayed to find that someone else has already used it.
But Gurram’s alleged offense was much more serious, since the codes that he’s accused of using are not mere percent-off coupons – they’re the equivalent of cash. And the way he’s accused of generating those codes was much more high-tech. Police executing a search warrant on the couple’s home reported that “seized computers were actively running programs used by the defendants to steal Kohl’s rewards cash certificate information.”
Gurram pleaded guilty to three counts of wire fraud; his wife pleaded guilty to one. Gurram faces a maximum penalty of ten years in prison, while Gattupalli faces about a year, though prosecutors are expected to recommend shorter sentences in exchange for the couple’s cooperation.
Meanwhile, they’re on the hook for almost a million dollars in forfeiture and restitution. As part of their plea deal, they’ve agreed to turn over $368,987.64 in cash and merchandise – including everything they bought online, and cash for the merchandise and coupon codes that they sold. They’ll also have to pay $587,526.86 in restitution to Kohl’s, representing the total value of the Kohl’s Cash they used or sold to others.
The two are set to be sentenced in January. And unfortunately for them, they can’t pay their penalties with Kohl’s Cash.