Warning! Coles Prepaid MasterCard Compromised (Multiple) CHECK Your Cards NOW!

Hi OZBargainers,

I just found 3 of my Coles Prepaid MasterCards have been compromised (I have checked 26 cards in total, which were purchased earlier when there were promotions at Coles).
They have been compromised since 25/09/2021 and were used to purchase Google Play credits in USD on 28/09/2021 throughout the day, from 13:00 to 22:00 according to my records.

Here are the screenshots for transaction histories.
https://imgur.com/a/EhY9rYN


The first card had a Google auth transaction on 25/09, and then was used to purchase several Google Play credits for US $5, $10, $10 and $10 on 28/09.
The second card had no auth transaction but directly paid for US $5 Google Play credits on 28/09.
The third card was only used to do an auth transaction on 28/09, as it only had around $2 balance left at that time.


Probable Cause
From the discussion below, this huge compromise should be because of a brute force attack.
Merchants like Google/Amazon, and potentially many more, do not check the CVV on the cards.
All these Coles gift cards have the same name and specific expiry dates, e.g. 08/25, 06/26, 09/26.
The only thing the fraudster needs to guess is the 6 random digits, and once they get one right they'll just keep using it while there's still a balance on it.


Suggestions

  1. Do not stock these cards; only buy them when you're going to use them quickly after the purchase.
  2. If you still have a lot of balance, you can prepay your utility bills, convert to other types of cards, say Prepaid EFTPOS or buy other gift cards like Amazon and Prezzee Gift cards or other gift cards via ShopBack (this card is not accepted by CashRewards).

Any other ideas and suggestions are more than welcome.
Thanks for reading!

Credit to:
@meowsers for bringing up the contact details.
@Eugklng, @cwongtech, @NoGiveJustTake for the explanation of this compromise.
@thekensai for providing updates.
And all other OzBargainers that spread this post, provide updates and make contributions here.


Update 1
A couple of OZBargainers have confirmed the same situation. So it’s nothing to do with how we used the card. This is a systematic issue.

Update 2
A friend of mine found an unused card got compromised as well. So no card is safe now. Make sure you check all your cards and spend them as soon as possible, and report immediately if you have losses.

Update 3
From @thekensai: Coles Financial Services is calling back and asking for account details to provide refund.


Comments

        • +1

          I got them with the straight-up discount (you paid either $94.50 cash for a $100 card, $231.30 cash for a $250 card AND you earn your credit card points too)

          Drove around for the first day (the staff put strict 5 card limits per customer per store)

          I got lucky because as I was shopping in a Coles one day, the staff refilled its shelves so I was able to buy 5 x 250s more further into the promo

    • Panic buying plus no limit set by Coles. It was always limited to 1 bonus reward per flybuys BS.

  • +1

    Thanks for the post!

    I checked my cards and can see that one of them has been compromised, purchasing on-demand videos in USD back in June - probably wouldn't have checked it otherwise!

  • Thanks, converted all my remaining Coles Prepaid Gift Cards into Prezzee Smart eGift Card

  • fk, found 2 of the cards got compromised as well

    • -8

      I have XX+ cards used down to below $2 and the poor buggers would have wasted their time.
      Is there a need to say I'm not worried about checking them ?

      • +3

        Damn that's crazy bro but I don't remember asking?

  • I emailed Coles yesterday and this is what I got from them this morning:

    "Unfortunately, we are unable to cancel any unauthorised transactions that may occur on your cards as it is up to the cardholder to keep the card details secure once the card has been purchased. For more information regarding this, please refer to page 7 of the Coles Gift MasterCard Conditions of Use, which we have attached for your convenience.

    However, given the nature of your situation, we have referred your enquiry along with the details you have provided to our relevant support team to investigate further, we do apologise for any inconvenience this may have caused you.

    Please allow a response time of 5-10 business days."

    Anyone got a similar response?

    • +1

      Did not get any responses from Coles. Also did not get anything from Google where I’ve flagged out those unauthorised transactions. Will share it here when I do hear from them.

      Perhaps if we don't hear from them by next week we should all escalate this to a regulatory body instead to get this rectified

      • How did you complain to Google? Asking because those fraud transactions were not from your google account right? Or did you attach the card with Google?

        • +1

          It’s not. I don’t even own an Android phone but I do have a Google account. I raised it because I’m telling Google one of their account holders is fraudulently buying credits on a card that they do not own.

        • +3

          possibly this form https://payments.google.com/payments/unauthorizedtransaction…

          Use this form to report unrecognized charges:

          • Items that you don't recognize in your Google Account
          • That start with "GOOGLE *" in your billing or bank statement

          and there is an option "report without signing in" (since it is not associated with your google account)

    • +4

      it is up to the cardholder to keep the card details secure once the card has been purchased

      They do realise that this is happening to cards that have been sitting in a drawer unopened? Perhaps they could enlighten us on how else we can "keep the card details secure".

  • +5

    as it is up to the cardholder to keep the card details secure once the card has been purchased

    A bit rich for Coles to blame it on the cardholder with the crap security involved with the cards .

    • I heard using bold format can offset downvote effect.

      • +1

        I'd suggest you go to jv school to learn .

    • +2

      Firstly, it’s not Coles who operates the cards. Coles merely acts as an agent on behalf of Indue (the card issuer) to sell and promote these cards, and also lend their brand to these gift cards.

      Secondly, page 8 of the Conditions of Use states that Indue actually can and will investigate disputed transactions “in certain circumstances” (whatever they are):

      We have the ability in certain circumstances to investigate disputed transactions which occur on your Gift Card and attempt to obtain a refund for you.

      In accordance with the Mastercard scheme rules, our ability to investigate a disputed transaction on your behalf is limited to the time frames imposed pursuant to those rules.

      The maximum timeframes vary between 75 days and 120 days from the time of the transaction so it is important that you notify us as soon as you become aware of a disputed transaction.

      However, I agree these cards have crap security. Does Indue think it is reasonable for you as a card holder to call up the Customer Service Centre every time you want to block or unblock your card? You can only do that during their Customer Service Centre operating hours, you’ll be wasting your time calling them to block/unblock cards, and you’ll also waste their operators’ time too.

      My guess is that Indue only wants to do the bare minimum to support these gift cards, because going above and beyond the bare minimum would cost them time and money (but that’s my two cents).

      • I thought eBay was bad enough security with normally 3 digits easy to guess then 10 to get through to get to the compromise area.
        This card takes the cake with only 6-7 digits needed.

      • +3

        Agreed, surely an easy function to implement would be the ability to enable/disable cards online, and have 5 lockout attempts per 24 hour period if you incorrectly enter the card login details. Cards should come disabled by default until activated manually by the user.

        • +2

          Agreed. Other things they could do include:

          • Blocking cards by default after you purchase the card, so you have to go to their website (or call them) to unblock it before you use it for the first time.

          • Blocking international transactions by default.
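The OP's "Probable Cause" (a merchant that skips the CVV, a fixed name and expiry, only the 6-digit suffix left to guess) and the controls proposed in this sub-thread (cards blocked until the holder activates them, international transactions blocked by default, lockout after 5 failed attempts per 24 hours) can be put together on the issuer's side as a small authorization policy. The Python below is an added example written for this page; it is not code from Indue, Coles or anyone in the thread. The card numbers (a made-up all-zero prefix plus a 6-digit suffix), merchant names, balances and the enumeration thresholds are constructed assumptions, and the "one merchant declining across many numbers that share a batch prefix" detector is my own illustration of how an issuer could notice the guessing the OP describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy knobs. The 5-per-24h lockout is the figure suggested in the thread;
# the enumeration thresholds and the 10-digit batch prefix are assumptions.
MAX_FAILED_PER_CARD = 5
LOCKOUT_WINDOW = timedelta(hours=24)
ENUM_DISTINCT_PANS = 20
ENUM_WINDOW = timedelta(minutes=10)
PREFIX_LEN = 10  # digits shared by every card in a batch; only the last 6 vary


class CardState:
    """Issuer-side record for one prepaid card (constructed for this example)."""

    def __init__(self, balance, expiry, activated=False, intl_allowed=False):
        self.balance = balance
        self.expiry = expiry              # "MM/YY" printed on the card
        self.activated = activated        # blocked until the holder unblocks it
        self.intl_allowed = intl_allowed  # international use blocked by default


class IssuerAuthorizer:
    def __init__(self, cards):
        self.cards = cards                           # pan -> CardState
        self.failures = defaultdict(deque)           # pan -> timestamps of declines
        self.locked_until = {}                       # pan -> datetime
        self.merchant_declines = defaultdict(deque)  # merchant -> (ts, pan) of declines
        self.flagged_merchants = set()

    def authorize(self, ts, pan, expiry, cvv_ok, merchant, country, amount):
        """Return 'APPROVE' or 'DECLINE:<reason>' for one authorization attempt."""
        reason = self._check(ts, pan, expiry, cvv_ok, country, amount)
        if reason is None:
            self.cards[pan].balance -= amount
            return "APPROVE"
        self._record_decline(ts, pan, merchant)
        return "DECLINE:" + reason

    def _check(self, ts, pan, expiry, cvv_ok, country, amount):
        card = self.cards.get(pan)
        if card is None:
            return "no_such_card"  # a guessed number that was never issued
        if self.locked_until.get(pan, datetime.min) > ts:
            return "locked"
        if not card.activated:
            return "not_activated"
        if country != "AU" and not card.intl_allowed:
            return "intl_blocked"
        if expiry != card.expiry:
            return "bad_expiry"
        if not cvv_ok:
            return "cvv_mismatch"  # issuer insists on a CVV match whatever the merchant sends
        if amount > card.balance:
            return "insufficient_funds"
        return None

    def _record_decline(self, ts, pan, merchant):
        # Per-card lockout: 5 declines inside 24 hours freeze the card for 24 hours.
        if pan in self.cards:
            window = self.failures[pan]
            window.append(ts)
            while window and ts - window[0] > LOCKOUT_WINDOW:
                window.popleft()
            if len(window) >= MAX_FAILED_PER_CARD:
                self.locked_until[pan] = ts + LOCKOUT_WINDOW
        # Enumeration detection: one merchant collecting declines across many
        # distinct numbers that share the batch prefix within a short window.
        recent = self.merchant_declines[merchant]
        recent.append((ts, pan))
        while recent and ts - recent[0][0] > ENUM_WINDOW:
            recent.popleft()
        by_prefix = defaultdict(set)
        for _, p in recent:
            by_prefix[p[:PREFIX_LEN]].add(p)
        if any(len(pans) >= ENUM_DISTINCT_PANS for pans in by_prefix.values()):
            self.flagged_merchants.add(merchant)


def demo():
    """Replay constructed authorization attempts and return the decisions."""
    t0 = datetime(2021, 9, 28, 13, 0)
    cards = {  # constructed card numbers; a real PAN never starts with zeros
        "0000001234000001": CardState(100.0, "08/25", activated=True),
        "0000001234000002": CardState(250.0, "08/25"),  # still sealed, never activated
    }
    issuer = IssuerAuthorizer(cards)
    r = {}
    r["domestic_ok"] = issuer.authorize(t0, "0000001234000001", "08/25", True, "LOCAL SHOP", "AU", 20.0)
    r["intl_blocked"] = issuer.authorize(t0, "0000001234000001", "08/25", True, "GOOGLE *PLAY", "US", 5.0)
    r["sealed_card"] = issuer.authorize(t0, "0000001234000002", "08/25", True, "GOOGLE *PLAY", "US", 5.0)
    # Five wrong-expiry attempts on the live card lock it; a later valid attempt is refused.
    for i in range(MAX_FAILED_PER_CARD):
        issuer.authorize(t0 + timedelta(minutes=i), "0000001234000001", "06/26", True, "LOCAL SHOP", "AU", 1.0)
    r["after_lockout"] = issuer.authorize(t0 + timedelta(hours=1), "0000001234000001", "08/25", True, "LOCAL SHOP", "AU", 1.0)
    # One merchant sweeping the suffix space: 25 distinct never-issued numbers in two minutes.
    for i in range(25):
        issuer.authorize(t0 + timedelta(seconds=5 * i), f"0000001234{900000 + i:06d}", "08/25", False, "GOOGLE *PLAY", "US", 5.0)
    r["flagged"] = sorted(issuer.flagged_merchants)
    r["balance"] = issuer.cards["0000001234000001"].balance
    return r
```

Run `demo()` to see the decisions: the sealed card and the international attempt are declined before any balance is touched, the live card is frozen after the fifth failure even when the next attempt carries the right expiry, and the merchant that burns through many never-issued numbers from the same batch is flagged while the ordinary shop is not. The point of the per-merchant view is that a guessing campaign looks like noise per card but is obvious per merchant.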

  • +5

    A couple of months back one of our staff members lost their balance on a prepaid Visa card by checking the balance.
    When we started the investigation, the staff member had intended to go to https://www.universalgiftcard.com.au/ to check the balance but went to .com instead.

    Well, the scammers registered the .com domain and copied the entire .com.au site so it looked the same. The only difference was the .com site asked for the CVV number and auth number.

    When we rang to tell Universal Gift Cards they said it had been ongoing for a while and they had been unable to get the site shut down. Eventually, it got shut down, but I can now see the site's back up but redirects to a .net domain; it's still the same shitty copy paste job.

    So be careful when you check the remaining balance on cards.

    • I was a bit worried about checking my balance thinking that was part of a scam. Scammer goes to forums and makes everyone check their balances… sounds crafty.

      Felt better when the balance checking site didn't ask for the proper card number and PIN.

    • +1

      it got shut down but I can now see the site's back up but redirects to a .net domain, it's still the same shitty copy paste job.

      After I saw your post I filed a report with the registrar of that .net domain name. Now the universalgiftcard.com domain name is redirecting to a .org. I've also contacted the registrar of the new domain.

      I'm still pressing the registrar of record for universalgiftcard.com to actually cancel that domain name registration at the moment. But they are going to just continue to ignore it on that one given the schottie registrar, but in a couple more days I'll have enough to escalate it higher. This is all pretty basic stuff that the guys that own the actual original domain name could be doing.

      • I wonder who this Shalyn Gates is… looks like both the *.com and *.org are owned by the same person… plus 100+ other domains too!
        Domainbigdata-universalgiftcards

        • +1

          Given the history of that Whois data it's probably the previous owner who sold it on an aftermarket domain site.

          Given that Zenith Payments were stupid enough not to pay what I can imagine was a relatively small amount, or pick a different domain name when they were rolling this brand out, I'm sure it wasn't too long before some enterprising person realised the value of the .com.

      • Good work we have also done the same but it took a long time for them to respond.
        Originally the domain registrar was Tucows for the .com site.

        • +1

          Yeah, they probably moved it for protection as Tucows, once it had fully investigated, would've taken care of this domain.

          Later today I'll write out an email for Verisign and ICANN. But this process is going to take a bit longer considering it's coming from me instead of coming from Zenith Payments.

  • +4

    Firstly, it’s not Coles who operates the cards. Coles merely acts as an agent on behalf of Indue (the card issuer) to sell and promote these cards, and also lend their brand to these gift cards.

    Yes, but because Coles sells the cards under its own name (and goodwill) I think that Coles will come good, as it is clearly a card security issue and not due to the customer's fault or misuse in any way.
    Hopefully they will then request that Indue strengthen the cards' security somehow or perhaps stop selling the cards.
    Luckily Coles has a brand name to uphold.

    • +5

      Agreed, Coles will not be immune to any backlash, since their name is plastered all over the cards and the card packaging, so a lot of people will associate this mess with Coles, not Indue!

    • Agreed, the optics really aren't good. Hope this gains some traction and gets plastered on a crappy tabloid news website soon.

      • +3

        I’m wondering which would happen first:

        • a Daily Mail article
        • a Yahoo7 News article
        • an A Current Affair story

  • +2

    Of course it will be interesting to see how much trouble people will have to go through and how long it will take to get a refund.
    It could well be that even with 10% discount (less if one considers the $7 fee) these cards will no longer be worth the risk and the hassle.

    • -1

      If another one of Indue’s prepaid gift cards is any indication, it could take several months to get a refund.

      • Do you think it would be better pursuing it through Google then? Or it would just make it messier?
        Where would Google refund the charges? On the already compromised card?

        • That may work, but there’s also a chance Google will most likely tell you to go to your card provider.

          • +1

            @WookieMonster: Also Google's process is all online, possibly with less feedback.
            The Coles number allows people to talk to an operator and eventually keep ringing them back to speed up the process.

  • +2

    Idea - could consider raising a dispute with the bank you used to purchase the gift cards. This will fall under the 'goods not as described' category which is a perfectly legitimate reason to dispute a transaction.

    You may need to sign a stat dec and provide a fair bit of evidence though.

    • +1

      That would be very good if you purchased them with Coles Mastercard!

      • Hmm that would be pretty funny actually. Wonder if there's any conflict of interest there. Hopefully not.

        • Considering Citigroup issues Coles credit cards, there probably won’t be any “conflicts of interest”.

  • +2

    Anyone who just caught up with this, try this before you check your sealed card.

    For every card, shoot the following scenario in a continuous video:

    1. the sealed package from every direction, highlighting the seal
    2. take out the card from the package
    3. Google the current time
    4. check the card balance on https://psc.colesprepaidcards.com.au/
    5. dump the video if the card is intact, otherwise upload to YouTube/Facebook/Twitter

    I'm not sure whether this will prove helpful in case Google / Coles tries to play dumb and numb.

    • It's a `^ ing mess.
      Anyone can figure out what scammers spend their cards on.
      Set it up with a well known scamming country and chase your refund.
      I'd say right now the effort chasing credits is not worth the time.

  • +2

    The card was issued under licence from MasterCard. I think MasterCard have some clauses about chargebacks. We may explore that option.

  • Has anyone seen any unauthorised transactions occurring after 28/09/21?

    • Yes, 01/10 on one card.
      02/10 it was pending as auth charges, then it's recorded on 04/10 as its final entry.

    • +1

      Two of my cards got compromised. Both transacted on 3 Oct 2021. Only this post made me check the balance.

  • So they are still going at them.

    • Well I alerted them on 04/10 (Monday) via a phone call, tried to call them again (06/10) and they told me to email [email protected] with the issue and photos of the back of my cards.

      I checked my cards again two nights ago (after burning quite a bit up as fast as possible) and it seems no further cards affected.. but only time will tell.
      For now, if you have cards that still have balance, best to burn up the balance as fast as possible

      • +4

        UPDATE:

        I just got a call from the Coles prepaid team and they have asked for my BSB and ACC number over the phone to provide a refund!
        They say I will get a refund in 5 business days!

        Calling number came from (07) region which belongs to Queensland.

        So anyone who's reported the issue, get excited when you see a (07) number come up!

        • I just got a call from the Coles

          or was it the hackers, not content with just your cards, wanting to clean out your bank account?

          • @c64: Better use OSKO, ie phone number

            • @Neoika: anyone can do a reverse name lookup of an osko-registered phone number. wondering about a missed call? why not try looking it up using your online banking.

              • @c64: Caller has your number anyway. BSB & number can be easily messed up, but phone number with name is not for the purpose of deposit.

        • Don't give BSB and ACC number over the phone. They will pay it to the wrong account and dispute it with you. There will be no record of what you provided.

  • +1

    Well it is still money…you don't want to burn it up just for the sake of it.
    It would be good to transfer the balance to some safer card. One thing could be to buy Coles Myer Gift Cards or Woolworths Gift Cards, but that limits where you can use them. People have suggested buying Prezzee gift cards, but again it would be limiting the use.
    I am quite sure Coles will come good. They know that the problem is with their card's security because there are many people and cards affected in the same way. So they would be found at fault if they forced people to escalate the matter to AFCA and it would not be a very good PR outcome. Indue would just recover the amounts from Google anyway.

  • +2

    I used to buy them regularly until I read about this scam months ago. I won't be buying any more until they fix it. I emailed them about it actually, asking what they planned to do about it. Answer: Nothing. Just report it to us if you get ripped off. Sorry, not good enough Coles.

    • +3

      And when you do report them they will just say this: “Unfortunately, we are unable to cancel any unauthorised transactions that may occur on your cards as it is up to the cardholder to keep the card details secure once the card has been purchased.”

      As they have said to me.

      • Is this reply from the current issue?
        Did you hear again from them?

        • +1

          Yes that was their reply when I first contacted them. After I replied to them about making a formal complaint to ACCC, this is what they have replied to me today:

          "We have received an update from our support regarding your enquiry that we would like to update you on. Due to privacy and security protocols we will need to update you over the phone, and ask that you please call us on 1300 095 072 at your earliest convenience. Alternatively, we can call you if you provide us with a preferred time within the operating hours indicated below."

          • +3

            @io: I have spoken to them over the phone now and they asked me my bank details to initiate a refund. I emailed the bank information instead as I fear that if I give them the information over the phone and they send the money back to a wrong account.

  • +3

    I buy cards like this when I have extra so I can use them when I don't.

    Opened the ones discussed here and they are both fine, $250 & $100. I have used them now and purchased Prezzee cards today.

    Thanks for this post and this discussion. I am not very tech savvy and as I had the physical card would never have thought they could have been hacked. I have lots of gift cards here for different providers, grab them when they are on special for gifts etc… this will make me much more aware.

    Good luck to all of you that have money taken, I hope it works out for you

  • +5

    Just got a call from the Coles prepaid gift card team, asking for my bank account and apologising for the inconvenience. Looks like Coles is not going to dodge the responsibility after all?

    • That's really good news!

      I linked them to this post as the "social media post" that alerted me to the issue (which is the truth)

      Maybe they can see there is high visibility and that it affects A LOT of customers

    • Great! I thought it would be the case, but you never know…
      When did you first contact them and email them?

    • That's great to hear!
      Who did you call? Coles Financial (1300095072) or Coles?

      • (1300095072)

    • I contacted them on Monday as well and followed up with an email with the card and receipt. Still have not heard from them yet.

      I did however spend the remaining balance on amazon as a way to stop those fraudsters. I wonder if that complicates their process?

  • +1

    Shouldn't Coles and the major problem maker Mastercard take this crap off the shelves due to the security?

    A few refunds mean Jackshit until the recall is done .

  • +3

    Many had to make unplanned purchases to use up remaining cards/balances. Surely this is sufficient ground for complaints.

  • I suppose as a gesture of goodwill they should at least refund the $7 card activation fee as well.
    I guess people may think twice to buy them again in the next promotion.

    • Are you serious?
      The boys will buy as many as they can get their hands on and consolidate them in hrs.

      • Consolidate?

      • +2

        Not this boy at least! Not anymore; the administrative time to deal with these is not worth the few dollars saved (for me at least). I have learned my lesson.

        • -1

          We don't deal for a few bucks Bud hehe .

  • +4

    Coles called from a Queensland number and asked for my bank account details. They will refund the money that was fraudulently spent, so in my case it’s all those Google transactions and their associated overseas conversion fees. Expect about 5-7 working days for the refund. Was not given the amount they will refund, so be prepared to check it to ensure they are correct.

    • How many cards did you claim? I haven't received any calls.

      • +1

        Just 1. They did say they’re being overwhelmed with such calls and they did apologise for the delays. So it’s likely they’re just inundated with this issue and will eventually get to you.

        • Thanks for the update mate! All the best

        • Did they refund full remaining balance of the card plus disputed transactions and cancelled card or just amount that you were disputing?

  • +1

    Thanks to the OP for the alert. I had over 15 cards left totalling over $2500. Fortunately none of them had been compromised, and over 2-3 days, I used them all up by prepaying private health insurance, and buying GCs including $1700 worth of Coles Myer GCs.

    • and buying GCs including $1700 worth of Coles Myer GCs.

      Definitely a good option, however now you can only spend the money at Coles Myer and associated shops.

      • That's just ~ 2 months grocery shopping for us at Coles!

      • You can use them to buy more Coles Gift Mastercards (lol) or EFTPOS gift cards (or any other third-party gift card sold at Coles)…

        • Yes but all other ones have an activation fee.

    • How/where did you buy Coles Myer GCs ? Needing to clear mine too. Thanks

      • In-store: Coles, Kmart, Target, Myer, Liquorland, First Choice Liquor, Vintage Cellars, Coles Express, Officeworks(?)

        Online: www.giftcards.com.au (but I’m not sure if they accept Coles Gift Mastercards as a payment method online, plus it’ll need to be posted to you for a small fee)

        • Thanks. Converted all to Coles Myer GCs at Kmart !

  • Thanks for alerting us.
    Just checked my 20+ cards, everything is fine.

    • +1

      Only fine for now - you better convert them to another format

      • +1

        Well now that Coles know about the problem and have acknowledged by providing refunds, it is just a matter of checking the remaining cards every week or so and contact them for a refund again if required.
        Since they now know about the security problems it is up to them to fix it … or keep refunding.

        • +1

          They'll only refund the purchase price according to the comment below. If so, better to use them up.

  • Resolution I got is a refund of the purchase price into my bank account, which in my case is less than the value of the card. Complaint about the helpline giving wrong info about not being able to block uncompromised cards went nowhere. They in fact can do so according to their manager. Anyone think it's worthwhile to go through AFCA?

    • -1

      Woah that is huge!
      So you are saying that Coles only think they should pay back the card purchase fee IE $6.30 and as for the dollar balance, up to $250, we are shit out of luck?
      Seriously, they think the consumer wears the loss of the balance and that is all?
      This is very f-ed up if correct; we should all move all our remaining balances out ASAP

      • I think it makes sense. For easy illustration, I just pick $100 card as example. One person paid $94.5 for it during the sale, but CFS cancels the card and should only refund $94.5 to him, unless he can prove that he paid $105 for it.

        Just like someone missed out Klarna $100 rebate due to Kogan canceled purchase.

      • I have received a refund in the past and they refund the face value of the card eg. $100 or whatever was spent but not the fee $5 or $7.
