Say someone put in a bunch of random letters and numbers hoping by chance to guess the code of an existing gift card that they don't actually have, and it turned out to be a valid code. Is anything stopping them from going ahead and using it for themselves?
For example if someone else buys it and then tries to redeem it, they wouldn't be able to, so what options would be at their disposal?
Who would investigate something like that, the bank or the company?
The likelihood of two randomly generated codes colliding is basically the same as a user guessing a valid code - and you cannot prevent users from guessing. So you must have a key space so much larger than the number of actually used codes that random collisions are extremely unlikely as well (though, thanks to the birthday paradox, probably not unlikely enough to ignore them completely, at least if you want your codes to be reasonably short), and checking against existing codes and re-generating in case of a collision is a perfectly viable strategy.
Use an N-bit serial number R, combined with an M-bit hash H of the concatenated pair (R, S) where S is some secret "salt" S which you do NOT publish. Then encode the pair (R,H) alphanumerically in any reversible way you like. If you like algorithms like MD5* or SHA, but the bit count is too high, then just take the M least significant bits of a standard hash algorithm.
You can verify easily: decode the alphanumeric encoding so you can see R and H. Then compute H' = hash(R+S) and verify that H = H'.
edit: R can be an incrementing serial number or random or whatever, just make sure you use each value not more than once.
*before someone says "MD5 is broken", let me remind you that the known weaknesses for MD5 are collision attacks, and not preimage attacks. Also, by using an unpublished, secret salt value, you deny an attacker the ability to test your security mechanism, unless he/she can guess the salt value. If you feel paranoid, pick two salt values Sprefix and Ssuffix, and calculate the hash of the concatenated triple (Sprefix,R,Ssuffix).
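The (R, H) scheme from the answer above, sketched in Python as an added example that is not part of the original answer or any vendor's code. Assumptions: HMAC-SHA256 is swapped in for the bare hash(R+S), N = M = 40 bits, Base32 is the alphanumeric encoding, and `SECRET`, `issue`, `verify`, `redeem` and `_redeemed` are hypothetical names.

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions, not from the page).
SECRET = b"demo-secret-S-keep-this-server-side"  # the unpublished salt S
R_BYTES = 5  # N = 40-bit serial number R
H_BYTES = 5  # M = 40-bit truncated tag H

def _tag(r: bytes) -> bytes:
    # HMAC-SHA256 is swapped in for the bare hash(R+S), truncated to M bits.
    return hmac.new(SECRET, r, hashlib.sha256).digest()[:H_BYTES]

def issue(serial: int) -> str:
    """Encode (R, H) as a 16-character Base32 code in groups of four."""
    r = serial.to_bytes(R_BYTES, "big")
    text = base64.b32encode(r + _tag(r)).decode("ascii")  # 10 bytes -> 16 chars
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def verify(code: str):
    """Return the serial number R if H matches, otherwise None."""
    text = code.replace("-", "").replace(" ", "").upper()
    if len(text) != 16:
        return None
    try:
        raw = base64.b32decode(text)
    except ValueError:  # characters outside the Base32 alphabet
        return None
    r, h = raw[:R_BYTES], raw[R_BYTES:]
    # Constant-time comparison so timing does not leak how much of H matched.
    if not hmac.compare_digest(h, _tag(r)):
        return None
    return int.from_bytes(r, "big")

_redeemed = set()  # hypothetical stand-in for the issuer's database

def redeem(code: str) -> bool:
    """Accept a code once: it must carry a valid H and an unused R."""
    serial = verify(code)
    if serial is None or serial in _redeemed:
        return False
    _redeemed.add(serial)
    return True

if __name__ == "__main__":
    card = issue(1001)
    print(card, verify(card))
```

With M = 40, a guessed code passes `verify` with probability about 2^-40 per attempt, and `redeem` still refuses a serial number that has already been used.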
How do I get the code for an Amazon gift card if the card was sent via email, and there is no link in the email, just an "apply to your amazon account balance"?
I'm sure I'm not the only one that tried to do this when I was younger. Why can't you put in a random code for something like iTunes? Isn't there bound to be a gift card with that code on it out there somewhere?