Warning! Coles Prepaid MasterCard Compromised (Multiple) CHECK Your Cards NOW!

Hi OZBargainers,

I just found 3 of my Coles Prepaid MasterCard have been compromised (I have checked 26 cards in total which were purchased before when there were promotions at Coles).
They were compromised since 25/09/2021 and were used to purchase Google Play credits in USD on 28/09/2021 through out the day, from 13:00 to 22:00 from my records.

Here are the screenshots for transaction histories.
https://imgur.com/a/EhY9rYN


The first card had a Google auth transaction on 25/09, and then was used to purchase several Google Play credits for US $5, $10 ,$10 and $10 on 28/09.
The second card had no auth transaction but directly paid for US $5 Google Play credits on 28/09.
The third card was only used to do an auth transaction on 28/09, as it only had around $2 balance left at that time.


Probable Cause
From the discussion below, this huge compromise should be a because of the brute force attack.
Merchants like Google/Amazon and potentially many more that does not check CVV on the cards.
All these Coles gift cards have got the same name and specific expiry dates eg. 08/25 06/26, 09/26.
The only thing the fraudster needs to guess is the 6 random digit numbers and once they get one right they'll just keep using it while there's still a balance on it.


Suggestions

  1. Do not stock these cards, only buy them when you gonna use them quickly after the purchase.
  2. If you still have a lot of balance, you can prepay your utility bills, convert to other types of cards, say Prepaid EFTPOS or buy other gift cards like Amazon and Prezzee Gift cards or other gift cards via ShopBack (this card is not accepted by CashRewards).

More than welcome for any other ideas and suggestions.
Thanks for reading!

Credit to:
@meowsers for bringing up the contact details.
@Eugklng, @cwongtech, @NoGiveJustTake for the explanation of this compromise.
@thekensai for providing updates.
And all other OzBargainers that spread this post, provide updates and make contributions here.


Update 1
A couple of OZBargainers have confirmed the same situation. So it’s nothing to do with how we used the card. This is a systematic issue.

Update 2
A friend of mine found an unused card got compromised as well. So no card is safe now. Make sure you check all you cards and spend them as soon as possible and report immediately if you have losses.

Update 3
From @thekensai: Coles Financial Services is calling back and asking for account details to provide refund.

Related Stores

Coles Prepaid Cards
Coles Prepaid Cards

Comments

  • +2

    mine got compromised as well. $100. all google play purchased and currency conversion fee on 28 Sept. brand new unused. update called the 1300 095 072 coles card hotline and was told they are looking into it.

  • +3

    Surely Coles will see that this is fraud and will refund all victims. Their reputation is at stake.

    • +1

      I wonder if it's Coles that'll be on the hook, or Mastercard, or whether the merchants (e.g. Google) who accepted transactions without CVV will be on the hook. Google have a good reputation for fraud refunds from their app store, which seems the source of many transactions here.

      • The refund will be from Google of course.

    • Hopefully. If they can’t handle this properly, no one is going to buy them anymore.

  • +1

    Thanks for the heads up OP!! Mine were safe but bought Prezzee gift cards using my coles mastercard gift cards.

  • Thank you for the notice!
    None of my cards ($100s and $250s purchased in June 2021) are compromised but not taking any chances.

    • Converting them to Prezzee.
    • Also trying to overpay each of my bill/utility account. I rather overpay my bills than have these mobs steal them.

    EDIT: Accounts I overpaid (in credit): Aussie Broadband (no fee), Origin Energy (0.73% fee), Energy Locals (1% fee)

  • +6

    You can also top up your health fund with no surcharge. I usually pre-pay a year in advance anyways before 31st March each year to lock in the lower rate.

    • +1

      Thanks for the tip!
      Just used my entire card stash on my PHI.

  • +1

    If this is a real issue - and from the look of it the problem is real - this is being kept very quiet.

  • Thankfully the ones I had left over didn't get compromised, but I have now used them on Amazon gift cards (some direct, some via Shopback for that sweet 2%)

  • +3

    Same thing appears to be happening to the crypto.com VISA cards. Got a $1 google charge today (no more fortunately) but others not so lucky.
    https://www.reddit.com/r/Crypto_com/comments/q0xoea/multiple...

  • My coles credit card got comprised last week.

    $729 went out to a furniture shop which i have never shopped and it was in another state.

    I made a claim , got sent a new card and funds got transferred back yesterday.

  • ithanks for the heads up,

    cleared out my remaining cards

    • -1

      What did you end up buying?

      • Converted to prezzee, Amazon and shopback GC

  • So it's maximum 3 x 1,000,000 possible combinations passed through Luhn algorithm and handful of valid until dates, no CVV required by Google or Amazon. Sounds doable.

    • +1

      they need a class action law suit to stop them accepting credit cards willy nilly. it can affect lots of innocent card holders, even if they are ultimately do not end up out of pocket

  • +3

    check your balances here : https://psc.colesprepaidcards.com.au/

  • Hey OP, what are you going to do with the 23 cards that are not compromised? Just curious as I have 5 cards and can't think of things to buy except for woolies gift card.

    • +4

      As suggested above you could prepay utility/NBN/health cover bills or buy Prezzee gift cards. Note buying several egift cards from Woolies over a short period will trigger a pause/block due to security checks.

      • Thanks.

  • +1

    spent all mine today. so 1 card x $100 got cleaned out. Hopefully, Cole will restitute the amount. not buying anymore of these until security is improved.

    • I don't think there's any way to improve security other than restrict transactions without CVV.

      • +3

        Since this card has a set of ID and code to login, it is possible to add an on/off switch in the account.

        • Of course there is the way. But the issuer already sold product to you and got the money, so there's no incentives for doing anything to solve your problem.

        • This is deffo the best idea

          • +1

            @King Tightarse: A better one is to set online shopping off as default. You need to login to turn it on after activation but it does not affect instore shopping.

      • They could at least randomise the cardholder name rather than fixed it at PREPAID CARDHOLDER.

        • +3

          Names don't do anything though for a transaction.

          The expiry should have been randomised.. 12 months in a year, it would at least increase the possibility 60 times per combination (assuming 5 year variation of expiry)

          Issue here is the CVV wasn't needed (secure parking and amazon are two merchants I know you can enter cards in without CVV)

        • +1

          It's not fixed to PREPAID CARDHOLDER, you can use literally anything you want there, it's simply ignored.

          • @DainB: If even names are ignored then there's totally 0 security with these cards and only CVV stands in between the hackers and your money and some merchants like Google/Amazon thinks the 3 digit CVV is rather inconvenient to ask for them

            • @Eugklng: Well, other than 1 in a million chance of someone guessing number of your card, yes, pretty much.

              • @DainB: It looks like there's many of these cards active though..

                807 Coles stores in Australia
                Let's say each store sold around 100 x $100 cards
                100 x 807 = 80700
                80700/1000000 = 8.07% of those numbers million numbers are active.

                So more like 8 in 100 chance guessing the number of a card.

                That's a pretty good chance of brute forcing a valid 16 card code, if you have 10 digits already. Especially if you have a computer code/program to automate brute forcing it, if you knew the expiry.

                • @cwongtech: Yes, from criminal's point of view it's a worthwhile operation, especially considering some people never opened package after activation and not aware their balances are being drained.

  • Does this also happen to sealed cards that haven't been opened? Mine are still sealed

    • +4

      If it's indeed brute force card number attack, and it looks very likely it is, then yes.

  • +3

    Does anyone know the consumer laws very well here with regards to such unauthorised transaction done on platforms that do not even bother to check the CVV? Where does the liability sit with such fradulent transactions?

    And can anyone figure out why Coles kept insisting on the receipt in order to start their investigation into this matter?

  • +4

    Sounds like something that should be on "A Current Affair".

  • +4

    Props @george668, really appreciate you bringing this to our attention. I can't even remember how I came across this post, but I'm really glad I did! I hope you and the other affected users in this thread are able to recover any fraudulent charges made on your cards.

    Luckily none of my cards were affected, so I've used up most of my remaining balances buying various discounted eGift cards. If anyone is looking to do the same, this wiki might be useful: https://www.ozbargain.com.au/wiki/discounted_egift_cards

    As a general comment, it's quite surprising and pretty poor form for any company in this day and age to not require CVC verification for purchases. Also, it seems to me that other prepaid credit cards could be susceptible to this kind of brute force attack, since I would assume many would share the same exploitable weaknesses such as having the same expiry date and card numbers sharing the same leading 8 digits.

    I guess the lesson out of this for me is to not buy prepaid credit cards unless I plan on using them relatively soon after purchase!

  • Surprised there is no option to have any transaction that dont have a CVC automatically declined.

    I'm down to my last card and a few dollars left on another, but no suspicious transactions.

  • +2

    Sounds so bad man, Coles definitely should consider taking some action.
    But as a general rule you also should not be hoarding on these and Only buy when you need them.

    • +1

      Cards are issued by Indue Ltd, Coles just allowed them to use their name for exclusive product sold only at Coles. That's a bad optics for Coles for sure but they not really have anything to do with them.

  • +1

    Just checked 14 of my 15x250 cards (1 was already all used up), the 3 that have been used already have not been compromised and the other 8 that have yet to be used have not been either.

    • +1

      Better check it frequently as the situation remains fluid

    • The ones that have been used, what are the transaction details?

      • what are the transaction details?

        all correct that I recognise.

  • This happens with regular credit cards as well, but to a lesser extent. I've had a new credit card that was never ever used before and sat in a locked cupboard used to buy an iPad in Brazil a year after activation.

    Just hassle Coles and Google and you will get your money back eventually under MasterCard participant rules. The amount lost will determine whether it is worth your time however…

  • +2

    Thanks gosh i saw this.

    Used all my cards to pay bills just now. 1 card compromised and in dispute with coles and google.

  • +1

    Thanks for the post.

    Luckily none of my remaining 5 $250 cards are compromised. Just used all of them to avoid headaches of disputing with Coles and Google.

  • Luckily I used 8 cards last week to pay bills. Just loaded up the remaining 7 cards on other bills etc. Luckily none were compromised, but wasn't interested in sticking around to see if they will later on.

  • +1

    i hope people are raising this with COles/Indue ?

    • i think the predicament for some people is that they haven't kept the receipts and coles is demanding proof of purchase

      • fair enough. i wonder if date stamped bank statement is enough

        • If they wanted to play hardball, my guess would be probably not, as the last three digits of the card ID are recorded on the receipt at activation.
          https://www.ozbargain.com.au/comment/11149275/redir

          Still worth a try if you're stuck. The other suggestion is if you have a FlyBuys card and scanned it at the time, then that might be another possible alternative

  • +4

    Thanks OP for making this post, 2 of my 12 Cards ($100 each) got comromised. Contacted Coles and the guy gave me a lot of time to understand the issue. Adviced me to email them the card ID and the disputed transactions. Cannot believe that this is happening. There is no way to temporary block the cards except to call them and give them the card id for each. Then when you want to unblock the card you have to call them again. I am so grateful that this post was created. I have kept all the receipts and scanned flybuys cards for each of those transactions though.

  • +1

    I did not use the two compromised cards anywhere. I also noted that the first 9 numbers of my $100 cards are the same, also same expiry. Therefore only 7 numbers to be guessed ramdomly by those who steal these card balances. This is so shit.

    • +2

      only 6 needed. last one is checksum

      • Ok cool. So there is no way to block these cards using app or online?

        • Nope. But all this wouldn’t even be possible if merchants like Google make use of the damn CVV when verifying the card since it is put there for such a reason.

          • @Eugklng: So true.

          • @Eugklng: Not really, it's just a checksum of the numbers, easy to generate from the numbers themselves …

            People keep saying that, but the only real checks on CC are Names and Postcodes (both missing on these types of cards - so easy to randomly generate)

            • +1

              @7ekn00: It is not a checksum. Google it. In fact the only way hackers can get the CVV is either through key logging or phishing attacks.

              • @Eugklng: Or, worse case, 1000 random guesses (which can be tested and verified in under 5 secs) … Google it …

                • @7ekn00: Guessing CVV by itself assumes you already know the credit card number. If that’s the case then yeah brute force will be 1000 tries and you will eventually nail it.

                  But for this situation, they’re guessing the credit card numbers and if you coupled it with the CVV, the number of possibilities has multiplied by 1000 times making it no longer that easy to simply brute force it

              • @Eugklng: They're referring to the last digit of the credit card number:
                https://en.wikipedia.org/wiki/Luhn_algorithm

                CVV is a different kettle of fish as you've suggested. But CVV isn't required for all Google transactions (for whatever reason).

    • The thing you need to keep in mind is that any card that can be used for online purchases is susceptible to BIN attacks (i.e. brute force), as they all have a 6-9 digit bank identifier card at the start of the card and a check digit at the end. There’s really nothing stopping your debit or credit cards from being hit as well.

      I guess EFTPOS gift cards will become more popular from now on…

      • +4

        I think the inability to correctly guess the expiry date of the card makes the brute force a lot harder to achieve. All these prepaid cards have pretty much the same expiry dates

  • Has anyone tried to add this prepaid MasterCard as payment method in ShopBack to buy gift cards with? Seems like ShopBack does not accept them for me, kept saying an error about “unusual card linking” activities.

    • you cannot. shopback only accept cards with verified ID

      • I have used a few before and worked but stopped working all of a sudden

        • +1

          it is just a switch which they can turn on and off

      • I have used them many times and also today.

    • +2

      I used 4 cards yesterday no problems. Just wouldnt let me buy more than 1 card at a time.

    • Accepted 2 yesterday, but the 3rd one didn't work.

      • Yeah I think they got a limit. I’ve added like 2 from memory and stopped working after that

  • Those with compromised card - what's the card expiry date?

    • +1

      It doesn’t matter. Mine’s are across 2024 to 2026

  • +1

    Thanks OP - mine wasn't compromised fortunately. Used it all up on a Prezzee gift card.

  • Just realised my council rates are overdue as their newly introduced e-notice did not reach me. Time to pay up and use these gift cards. Anyone knows if the City of Canning (WA) can accept multiple payments?

    • In my experience it depends on the payment processor

      Some councils can accept custom amounts, some can't

      If there's post @ billpay, normally it's the same surcharge as if you were to pay on the council's website but you can type whatever amount you want

      • Thanks. It appears they've used BPOINT and custom amounts are allowed and have waived all surcharges because of covid to encourage card payments.

        https://www.bpoint.com.au/pay/CityOfCanningRates

        So looks ok and time to drain out those dodgy gift cards here.

        • +2

          no surcharge. lucky you! if only my council was as generous

  • -2

    You can also purchase a Only 1 Visa Gift Cards with No Purchase Fee to mitigate risk from Coles

    • +1

      Note that these Only One Visa cards are category-restricted and can only be used at certain categories of merchants. See https://www.ozbargain.com.au/comment/11147427/redir and the pictures of the card in that thread's OP which show that the card can only be used at festivals, bars and concerts.

    • +3

      And mitigate risk of being able spend your own money too.

  • -1

    Why do so many people have 10+ of these cards in their possession? I mean, I know that there are promotions that can net $10-20 per card (I've partaken myself) but are people really that desperate to essentially prepay months worth of expenses and go through the hassle of using these cards daily, with added security risks.

    Just seems very strange to me. If you have access to $3k plus in up front funds then you are not on struggle street and should have more respect for your time and realise this is just not worth the hassle.

    I've partaken in these promotions myself, but I fully use the full values within 1-2 days, usually hours.

    • +3

      Why do so many people have 10+ of these cards in their possession? I mean, I know that there are promotions that can net $10-20 per card (I've partaken myself) but are people really that desperate to essentially prepay months worth of expenses and go through the hassle of using these cards daily, with added security risks.

      Well we didn't know there were security risks.

      It's essentially 5-7% off whatever expected expenditure you have..

      • You guys must have hit a lot of different Coles stores to stock up in the last good deal (10% or equivalent back in FB points). I recall the deal became so popular that the cards ran out really quickly on the first day itself (with people hiding before and whatnot).

Login or Join to leave a comment