How 3 Billion+ Mobile Coupons Forced a Rethink of Single-Use Security at CodeBroker

When a Single Delivery Event Exposed Weaknesses in Coupon Security

In late 2023, CodeBroker completed a global campaign that delivered over 3 billion mobile coupons to customers via SMS and email links. At first glance the project looked like a scale problem: deliver a lot of offers, track redemptions, report ROI. The turning point came the moment operators saw duplicated redemptions at multiple retailers and a cascade of contested transactions. That single event changed everything about how CodeBroker thought about "single-use" coupons.

This case study explains the technical problem, the architectural strategy they adopted, the step-by-step implementation, measured outcomes, and practical lessons. The goal is practical: explain why a signalscv.com design that looks simple - issue a code, mark it used - fails at extreme scale and in the messy real world of mobile links, point-of-sale systems, and human behavior.

The Redemption Security Challenge: Why Simple Tokens Failed

On paper, a single-use coupon is trivial: generate a random code, mark it redeemed when used. In production with millions to billions of claims, a set of hidden problems appear:

Token copying and reuse: SMS and email links get forwarded, cached, or screenshot. Static codes issued to multiple recipients were reused across transactions. Race conditions at point of sale: two cashiers scanned the same code near-simultaneously; without atomic checks the system allowed both redemptions. Offline redemption paths: some retailers accept codes offline and later reconcile, creating windows where prevention must happen elsewhere. Scale of state: tracking 3 billion unique tokens in a database requires storage, indexing, and fast writes to avoid user-facing latency. Fraud and chargebacks: duplicated redemptions caused merchant disputes, increased refund rates, and damaged trust.

CodeBroker’s initial implementation used opaque alphanumeric codes stored in a central database. The database accepted the first write as redemption, then updated the token status. That worked at low volume but collapsed under concurrent scans, network partitions, and aggressive attackers who tried to redeem the same code simultaneously at different retailers.

A Cryptographic Single-Use Model: Reducing State Without Sacrificing Control

Rather than doubling down on the naive stateful approach, CodeBroker adopted a hybrid model that combined cryptographic token properties with a disciplined redemption ledger. The core ideas:

Make tokens tamper-resistant and self-validating using an HMAC signature so they cannot be forged. Embed minimal metadata in the token (offer ID, expiry, merchant whitelist) so basic validation can occur without database lookups. Keep a lightweight redemption ledger that records the single-use event and supports atomic checks for concurrent redemption attempts. Design for eventual connectivity: accept offline attempts but validate and reconcile using cryptographic proofs and time windows.

Think of the token as a sealed envelope with the offer printed inside and a tamper-evident tape. Anyone can look at the envelope and know what the offer is, but only the holder who can prove they have the envelope at the right time can redeem it. The ledger is the official stamp that says the envelope was claimed.

Implementing the Single-Use Security Model: A 6-Month Roadmap

Implementation fell into four workstreams: token design, redemption API and ledger, merchant integration, and monitoring + incident response. CodeBroker executed them in parallel over roughly six months.

Month 0-1: Token design and crypto choices

Selected HMAC-SHA256 with a 256-bit key stored in an HSM-like key vault service for signing tokens. Defined token payload fields: offer_id (32-bit), issued_ts (Unix seconds), expiry_ts (Unix seconds), merchant_id (16-bit), nonce (64-bit). Built a compact base32 encoding so tokens fit into SMS and QR payloads under typical carrier limits.

Month 1-2: Building a stateless validator

Developed a "stateless validator" library that could verify token signatures and check embedded metadata without any DB call. That reduced latency for routine validation. Implemented strict clock skew rules: validators accept tokens only if issued_ts <= now <= expiry_ts + grace_window. Added merchant whitelist checks embedded in token or queried from a small in-memory cache to guard against cross-merchant reuse. </ul> Month 2-4: Redemption ledger with atomic operations
Designed the redemption ledger as the single source of truth for consumption. Each ledger record is a mapping of token_id -> redemption_event. Used a Redis cluster with persistent backing for fast atomic compare-and-set (CAS) operations to reserve a token at redemption time. If CAS succeeded, the ledger wrote a durable record to a columnar DB asynchronously for reporting. Implemented idempotency keys and retry logic so POS retries wouldn’t cause duplicate ledger entries.
Month 4-5: Offline and asynchronous reconciliation
Defined an offline redemption protocol for merchants with limited connectivity: accept a cryptographic proof (signed transaction bundle), then submit to CodeBroker for verification and ledger claim within a 48-hour window. Created a reconciliation pipeline to process late submissions, detect duplicates, and settle disputes using timestamps and merchant-provided transaction IDs.
Month 5-6: Monitoring, alerting, and incident runbooks
Built dashboards tracking redemption velocity, CAS contention rates, failed signature checks, and late reconciliation counts. Created runbooks for high contention (e.g., sudden mass-scanning), key rotation events, and merchant dispute handling. Rolled out blue/green deployment for validators to test resilience without disruption.
From Fraud Spike to Sub-0.02% Abuse: Measured Results After Delivering 3B Coupons Results are measurable across three dimensions: security, performance, and operational cost. The campaign metrics after six months: Metric Before After Duplicated redemption rate 0.37% of redemptions 0.018% of redemptions Average token validation latency (ms) 120 ms (DB lookup) 28 ms (stateless + CAS) Successful offline reconciliations (within 48h) N/A (ad hoc) 98.6% success Chargebacks from duplicate redemptions $1.1M in 12 months $85K in 12 months Cost increase for infrastructure (annualized) Baseline ~12% higher Two numbers matter most: duplicated redemption rate and chargebacks. The change reduced duplicated redemptions by about 95%, and chargeback costs fell by roughly 92%. Latency improved because the stateless validation removed synchronous DB reads in the common path. The trade-off was modest infrastructure cost increase for the ledger and a small operational burden for key management. 3 Critical Security Lessons from High-Volume Coupon Distribution These lessons are practical and counterintuitive unless you've seen the failure modes firsthand. Stateless validation cuts latency but does not eliminate state. Making tokens self-validating avoids DB hits for common checks, yet you still need a ledger to record a single-use event. Treat the ledger as a small, fast, highly available system optimized for atomicity rather than a giant cold store. Design for real-world channels: SMS, screenshots, and forwarded links are the threat model. People forward coupons. They screenshot them. They save them in notes. Build tokens assuming they can be copied, then make redemption the moment of truth, not the token itself. Offline and reconciliation paths must be engineered up front. If merchants accept offline redemptions, fraud prevention must extend into the reconciliation phase. Cryptographic receipts, time windows, and merchant transaction IDs are essential to adjudicate disputes. Analogy: think of token issuance as printing tickets and the ledger as the turnstile at the gate. The ticket's watermark prevents counterfeits, but the turnstile must record entry before you let the person proceed. If the turnstile is slow, duplicates happen. If the turnstile is offline, you need reliable later reconciliation to avoid letting everyone through twice. How Your Promotions Team Can Adopt This Single-Use Model If you run large-scale digital promotions, here is a practical checklist and a short roadmap to adopt a robust single-use security model inspired by this case. Practical architecture checklist
Use an HMAC-signed token with minimal embedded metadata. Keep keys in a managed key store and rotate them on a schedule. Implement a fast redemption ledger with atomic operations (Redis CAS, strongly consistent KV store, or a transactional DB with optimistic locking). Build a stateless validator library for front-line systems to validate tokens without DB access. Design an offline redemption protocol with signed receipts and a defined reconciliation window. Instrument key metrics: contention rate (CAS failures per second), token signature failures, offline reconciliations, and chargebacks.
90-day implementation roadmap for an existing promotions platform Week 1-2: Define token schema and select crypto primitives. Prototype token encoding and verify SMS/QR payload sizes. Week 3-6: Build stateless validator and integrate it into web and POS endpoints. Add feature flags to route a subset of traffic to the new flow. Week 7-10: Deploy a small-scale redemption ledger supporting atomic reserve operations. Run load tests with synthetic concurrent redemptions. Week 11-12: Implement offline receipt format and reconciliation pipeline. Pilot with a handful of merchants. Week 13: Roll out to production gradually, monitor metrics, and be prepared to revert to legacy flow if CAS contention spikes unexpectedly. When evaluating vendors or building in-house, ask for specific SLAs on atomic redeem operations and proof that the vendor has handled offline reconciliation. Marketing claims about "single-use by design" are necessary but not sufficient; demand measured outcomes like CAS contention rates and reconciliation success percentages. Final Thoughts: Security Is a System, Not a Feature Delivering 3 billion coupons exposed the difference between a feature label and an operational guarantee. A "single-use" checkbox is cheap. Guaranteeing single-use in the real world requires a system that combines cryptography, fast atomic state, pragmatic offline handling, and disciplined monitoring. There is no free lunch. Expect modest infrastructure and operational cost increases. Expect to invest in merchant education and testing. The payoff is a predictable reduction in fraud, a clearer reconciliation path, and measurable cost savings from fewer chargebacks. In this case study, the moment duplicated redemptions spiked was the same moment the team stopped accepting "good enough" and built a system that could actually enforce single-use under real-world pressure. If your campaigns are moving into the millions or billions of coupons, treat single-use security as an engineering project that needs explicit architecture, testing, and measurement. Design tokens to be self-validating but rely on a small, fast ledger to assert uniqueness. Plan for offline merchants, rotate keys, and keep your eyes on the numbers. The real metric is not the feature checklist but the percentage of disputed redemptions and the cost of those disputes - that's where the business impact shows up.