Warning! Coles Prepaid MasterCard Compromised (Multiple) CHECK Your Cards NOW!

george668 on 02/10/2021 - 21:43
Last edited 18/10/2021 - 09:56 by 1 other user

Hi OZBargainers,

I just found 3 of my Coles Prepaid MasterCard have been compromised (I have checked 26 cards in total which were purchased before when there were promotions at Coles).
They were compromised since 25/09/2021 and were used to purchase Google Play credits in USD on 28/09/2021 through out the day, from 13:00 to 22:00 from my records.

Here are the screenshots for transaction histories.
https://imgur.com/a/EhY9rYN

The first card had a Google auth transaction on 25/09, and then was used to purchase several Google Play credits for US $5, $10 ,$10 and $10 on 28/09.
The second card had no auth transaction but directly paid for US $5 Google Play credits on 28/09.
The third card was only used to do an auth transaction on 28/09, as it only had around $2 balance left at that time.

Probable Cause
From the discussion below, this huge compromise should be a because of the brute force attack.
Merchants like Google/Amazon and potentially many more that does not check CVV on the cards.
All these Coles gift cards have got the same name and specific expiry dates eg. 08/25 06/26, 09/26.
The only thing the fraudster needs to guess is the 6 random digit numbers and once they get one right they'll just keep using it while there's still a balance on it.

Suggestions

  1. Do not stock these cards, only buy them when you gonna use them quickly after the purchase.
  2. If you still have a lot of balance, you can prepay your utility bills, convert to other types of cards, say Prepaid EFTPOS or buy other gift cards like Amazon and Prezzee Gift cards or other gift cards via ShopBack (this card is not accepted by CashRewards).

More than welcome for any other ideas and suggestions.
Thanks for reading!

Credit to:
@meowsers for bringing up the contact details.
@Eugklng, @cwongtech, @NoGiveJustTake for the explanation of this compromise.
@thekensai for providing updates.
And all other OzBargainers that spread this post, provide updates and make contributions here.

Update 1
A couple of OZBargainers have confirmed the same situation. So it’s nothing to do with how we used the card. This is a systematic issue.

Update 2
A friend of mine found an unused card got compromised as well. So no card is safe now. Make sure you check all you cards and spend them as soon as possible and report immediately if you have losses.

Update 3
From @thekensai: Coles Financial Services is calling back and asking for account details to provide refund.

Financial Debit Card Gift Card MasterCard Prepaid Credit/Debit Card

Related Stores

Coles Prepaid Cards
Coles Prepaid Cards

Comments

        • asc on 09/10/2021 - 19:16

          Interesting. I argued with them over they should refund face value of the card but Coles stubbornly refused. So basically i got back $94.5.

          • Neoika on 09/10/2021 - 19:21

            @asc: Her exp is when the sale was for points rebate and she paid full face value of $105.

      • Coops1 on 22/10/2021 - 22:28

        How the heck did you come to that conclusion. He got back what he paid for the card. Issue solved. Inconvenient, but solved.

        • King Tightarse on 23/10/2021 - 08:45
          +1

          You replied to a comment from 12 days ago when the issue was just emerging and the parameters were unclear. We all understand it better now

    • demiurge on 09/10/2021 - 19:17

      You should not get a refund for more than your payment. You paid $X for an item, you get $X refund. How much the item is worth in your opinion is irrelevant.

      • truetypezk on 13/10/2021 - 14:17

        My previous experience with fraudulent cards was a full refund. I.e. face value + card fee, while I paid at a 10% discount. Maybe they have changed that if too many people need to be refunded. It even made me think I should just tell them all my cards are fake and get full price refunded to my bank account:)

      • Coops1 on 22/10/2021 - 22:28

        This.

      • USER DC on 08/11/2021 - 08:04

        How much the item is worth in your opinion is irrelevant

        Okay mate let me buy, everything you bought on sale @exact same price, including any bitcoin you bought last year or any earlier than 1 year.

        How about that ??? dhhhhhh.

        Soon you'll realize its always about

        How much the item is worth.

  • c64 on 09/10/2021 - 12:39
    +2

    surely coles gift mastercards would be a strong candidate for Choice's shonky awards 2021 https://www.choice.com.au/shonky-awards & https://choice.community/c/spot-a-shonky/77

    buy i gift card and then when you go to use it you find someone has spent it all for you

    • popsiee on 09/10/2021 - 13:27
      +4

      I think a better promotion point is : Once you buy a gift card the race is on who can spend it first .

      • Kyle-K on 12/10/2021 - 15:53

        You should pitch that to one of the TV networks it would make a great brand Thai in reality TV show.

        • Kyle-K on 12/10/2021 - 18:29

          Race to spend! Coming in 2022 to Channel X.

      • 42 on 13/10/2021 - 07:56
        +1

        Gift Card Hunger Games

  • pe arl on 10/10/2021 - 01:19
    +2

    No word from Coles yet. And from Google:

    After reviewing your claim, we were unable to confirm fraudulent activity in this case, so no refund will be provided by Google at this time. If you would like to pursue the matter further, you can reach out to your financial institution.

    Not surprised, but seriously? If repeated, unrecognised payments in a foreign currency by a dodgy unassociated account don't look fraudulent, what does? Classic response.
    Plus the decision is final, no avenue for comment. Awesome :)

  • Mad Max on 12/10/2021 - 11:22

    Did anybody get a refund yet?

    • Eugklng on 12/10/2021 - 12:13
      +1

      Got the call, gave them bank details but no money yet.

      • cloudy on 15/10/2021 - 11:45

        Been a week now since my call and no money yet.

        • Tsquared on 18/10/2021 - 16:25

          Same here. I called up a week ago, got a call today to say they are investigating but no refund yet.

          • io on 18/10/2021 - 22:39

            @Tsquared: Same here. Investigation going on, no refund yet.

            • Tsquared on 25/10/2021 - 20:52

              @io: I have received refund today after 2 weeks from initial phone call.

  • asc on 14/10/2021 - 20:09
    +2

    https://9now.nine.com.au/a-current-affair/scammers-fraudulen…

    Similar issues with Australia Post prepaid mastercard.

  • cloudy on 15/10/2021 - 11:45

    Still anyone got e refund yet?

  • Mad Max on 15/10/2021 - 12:39
    +5

    No refund yet. We should all call them and complain to keep the heat on. Will do now.

  • Eugklng on 16/10/2021 - 17:45

    Still no refund for me as well. Not sure what's happening there.

  • royalty on 18/10/2021 - 00:50

    I just found out about this and checked my unused cards (multiple $250 and $100), relieved to see that they still had the full balance on them, decided to use them up by paying off council rates etc. for peace of mind.

    All of my cards had expiry of 09/26 and last 8 digits were different on each of them, contrary to 6 mentioned by OP.

    • samehada on 18/10/2021 - 01:15
      +3

      your last 8 digit is in fact only 6, the first digit is the same for $100 or $250, the last digit is checksum digit.

      • royalty on 18/10/2021 - 09:31

        oh okay, thanks for clarifying!

  • jassssone on 18/10/2021 - 09:49

    I got 2 cards hacked as well. Do I need to call them or email them?
    Thanks

    • scrypton on 18/10/2021 - 15:46

      I think calling would be your best option.

    • cloudy on 18/10/2021 - 17:20

      After calling they just say email them with the back of your card and a contact number. Calling them was useless

      • jassssone on 18/10/2021 - 18:00

        Cheers, I did this way, called and emailed, they email back says they will investigate and let me know

      • io on 18/10/2021 - 22:41

        Right. Useless to call. They tell you to email the details.

  • el8 on 18/10/2021 - 10:02

    just spoke to them - they are processing the refunds today, so hopefully be in our bank accounts tomorrow.

    • Mad Max on 19/10/2021 - 09:14

      Did you get the refund today?

      • cloudy on 20/10/2021 - 10:28
        +1

        Not me, still zip

      • Eugklng on 20/10/2021 - 18:43

        Nothing for me. Somehow got this feeling like they’re backing out from this?

  • zuruhara on 18/10/2021 - 11:15

    Does this hacking only affect latest cards/batches? Or any cards?

    • King Tightarse on 18/10/2021 - 11:30

      Any

      • mrvaluepack on 18/10/2021 - 15:22

        But the new cards haven't been activated yet right? So its a race to spend it once activated?

        • scrypton on 18/10/2021 - 15:37

          In a nutshell, yes.

        • c64 on 18/10/2021 - 16:47
          +1

          the coles gift mastercards are activated when you buy them

  • jmc787 on 18/10/2021 - 21:13

    Thanks for the headsup I have a $250 Mastercard from universalgiftcard which was activated but unused.

    I've suspended it after checking balance was intact and no transactions. The unsuspend option is there for when I want to start using it.

    • mrvaluepack on 18/10/2021 - 21:21
      -1

      how did you do that?

      • jmc787 on 18/10/2021 - 21:25

        login to universalgiftcard.com.au, this one is a prepaid Mastercard gift card, but it is not Coles brand and was not purchased at Coles

  • madmo on 18/10/2021 - 21:49

    Damn I have 8x 50 cards. Can we use this cards at Woolies to buy a high value apple gift card?

    Or getting a Coles Myer gift card from Myer?

    • WookieMonster on 18/10/2021 - 22:21

      Can we use this cards at Woolies to buy a high value apple gift card?

      Yes. People did that in the last Apple gift card deal at Woolworths without any issues. The good thing about Woolworths is that their self-service checkouts allow for split payments when purchasing an Apple gift card.

      Coles Myer gift card from Myer?

      That will probably work, although you can also get a Coles Group & Myer gift card from Kmart or Target if that is more convenient for you. I would also mention First Choice Liquor and Liquorland, but I'm not 100% sure whether they can actually do split payments on gift card purchases.

  • CheapZeng on 20/10/2021 - 14:12
    +1

    I just found that a $250 Coles Prepaid Mastercard I got in June was used to pay a bill or something in the Philippines. Has this happened to anyone else?

    The card has been in my drawer and was never used, so it seems to been brute forced?

    I called Coles and emailed them. They replied that it wasn't Coles responsibility and referred to page 7 of their terms.

    Any advice for what I should do now? I've been scamed over $200!!

    • mysterytal on 20/10/2021 - 14:36

      Page 7 - You are responsible for all transactions made using
      your Gift Card. We are not responsible for any
      unauthorised or fraudulent transactions, which
      may occur using your Gift Card. We will not refund
      you the value of any unauthorised or fraudulent
      transactions that may occur.

      So they're denying all responsibility. Interesting…

    • Rodo on 20/10/2021 - 15:34
      +1

      Send them something in writing detailing exactly what has happened with a screenshot of the transaction list showing the fraudulent transaction and indicate that if they do not help then you will make a formal complaint to the ACCC (Australian Competition and Consumer Commission). Ensure you state in your email that if you do not receive a response within 1 week that you will then take further action. If they do not help/respond then contact the ACCC. Failing that, hopefully someone else here, maybe WookieMonster, can provide you with more advice.

      This seems to have happened to many people including io - see here. They all appear to be still waiting for their money back.

    • WookieMonster on 20/10/2021 - 15:57
      +5

      Please note I cannot weave magic!

      You could reply to the Coles Gift Mastercard team by stating that page 8 of the very same Conditions of Use states the following:

      We have the ability in certain circumstances to investigate disputed transactions which occur on your Gift Card and attempt to obtain a refund for you.

      In accordance with the Mastercard scheme rules, our ability to investigate a disputed transaction on your behalf is limited to the time frames imposed pursuant to those rules.

      The maximum timeframes vary between 75 days and 120 days from the time of the transaction so it is important that you notify us as soon as you become aware of a disputed transaction.

      So my suggestion is you reply stating that you would like to dispute the transaction, as per page 8 of the Conditions of Use. However, the problem is that you may have exceeded the maximum timeframe for disputed transactions as laid out by Mastercard.

      If you’re still getting nowhere with the Coles Gift Mastercard team, you could always complain to AFCA, as Indue (the gift card issuer) is actually a member of AFCA. If you go down this path, make sure you take note of when you call Indue and who you spoke to, as well as keeping copies of emails. However, you may not get very far if you are outside the disputed transaction window.

      • CheapZeng on 20/10/2021 - 16:12
        +5

        Thanks for the info. Ozbargain is such a wonderful community.

        I'm still within the 75 days for Mastercard, the transaction were on the 5 October.

        Seems like people were getting hacked between September and October.

        I'll call Mastercard and keep you guys posted.

  • winterr on 20/10/2021 - 20:37
    +5

    Called Coles Financial Services yesterday. Was told:

    • Google charges have been blocked
    • They are undecided on if will be refunding back onto Coles Prepaid MasterCard or into bank account (was asked for BSB and ACC number)
    • Refunding purchase fee is up in the air
    • mysterytal on 20/10/2021 - 21:47

      "Google charges have been blocked"

      When adding the card to Google play it now comes back with "Your card issuer has declined this request"

      Does that mean it's now safe (safer) to hold a balance on this card?

      • jmc787 on 20/10/2021 - 22:17
        +7

        Nope, the scammers will find just another way to drain them, it seems like there is a massive security problem with this product, blocking one vendor does not fix the underlying security issues

        • samehada on 22/10/2021 - 19:01

          What I can see is the massive security issue with Google Play payment system for processing transactions without CVV. They need to take responsibility for letting their payment system being abused by hackers.

  • Matt P on 20/10/2021 - 23:04

    Glad i saw this. Just dumped the $250 card i bought today onto my rates.

  • toobzy on 20/10/2021 - 23:20

    Just checked and 2 cards drained to google on the 29th and 4th oct. What email address do we email? Do we need to get a reference number or something from calling them first?

  • Mad Max on 21/10/2021 - 09:59

    Did anyone get a refund yet?
    Yesterday I was told that I was next on the spreadsheet to get a refund so I expected funds to be transferred overnight, but nothing yet.
    They first started saying 5 days. Then another 5 days. It is now 10 business days and still no refunds.
    Is it time to refer this to AFCA or should we just be patient and wait a bit longer?

    • Eugklng on 21/10/2021 - 15:03

      Still no refund.

      • el8 on 21/10/2021 - 19:05

        followed up with them again - and was told its in the queue to be processed! not sure how long this will take :(

  • cateyneow on 22/10/2021 - 10:47

    anyone else? i tried to pay the ATO and then it said declined due to insufficient funds, then i logged on and it says ato has taken a charge of $100 and Current balance$100.00 but available balance is 0?

    • cwongtech on 22/10/2021 - 11:06
      +1

      It'll show up in your ATO balance.
      You should be paying $99.80 for a $100 card btw, due to 0.20% surcharge.

      When mine declined on that, $99.80 went through but I had a residual 20c left on the card (i.e. surcharge wasn't taken on that payment by ATO)

      • cateyneow on 22/10/2021 - 11:11

        Yes the other 6 went through fine, ie 99.80 and 20c

        Auth-Crd 53149510 Mcht ATO PAY 99.80
        Auth-Crd 53149510 Mcht CARD PA 0.20

        but for the last one, perhaps I wasnt thinking and forgot to type 99.80

        Auth-Crd 53149510 Mcht ATO PAY $100

        Thank you for your assurance, I will wait a few days to see what happens.

        How many were you able to put through?

        • cwongtech on 22/10/2021 - 11:15
          +1

          How many were you able to put through?

          3 at a time before it keeps declining.

          • cateyneow on 22/10/2021 - 11:25

            @cwongtech: Did you try on different days to see if you were able to put more through again? or switch accounts ie BAS and income tax account?

            • cwongtech on 22/10/2021 - 11:50

              @cateyneow: Seems to reset in the morning and late at night, it works but you just got to wait a little bit.

              • cateyneow on 22/10/2021 - 14:44

                @cwongtech: Thanks heaps

                I was able to put through $500 last night

                and only another $100 for sure, with the other $100 making it to $700 a mystery

                Did you use the $100 or $250 gcs?

                • cwongtech on 22/10/2021 - 15:26
                  +1

                  @cateyneow: I used both.

                  My payment got stuck on 2 x 250s, they now both have 50c residual (Payment is $249.50, with 50c expected for surcharge), however I have manually calculated my outstanding, debt and it appears the 249.50s that got stuck have been reflected in my ATO balance.

                  • JIMB0 on 22/10/2021 - 17:05

                    @cwongtech: Looks like you just saved yourself 50c

                    • cwongtech on 22/10/2021 - 17:07

                      @JIMB0: Two cards failed, so $1.

                      Time to hit the loose change menu at McD!

                  • cateyneow on 22/10/2021 - 17:34

                    @cwongtech: Cool you mean stuck as in the declined transactions?

                    Maybe I’ll try again tonight

                    The ato is making me doing something as simple as paying my own tax look like some kind of unauthorised scheme

                    Have you tried other ways to use the cards effectively?

                    • cwongtech on 22/10/2021 - 18:15
                      +1

                      @cateyneow:

                      Cool you mean stuck as in the declined transactions?

                      So there appears to be a few scenarios for ATO:
                      - It hangs for 2 seconds then payment successful (normal)
                      - Instantly declines after 0.5 secs (too many cards, try again later, your card won't be charged)
                      - Hangs for 2 seconds then "Something went wrong" - this is when your card goes into auth, and only the payment amount gets charged (you evade surcharge!)
                      - Payment declined - insufficient funds [use another card]

  • rainex on 22/10/2021 - 17:19
    +1

    Keep calling coles (1300095072) and getting the same response: "We are not liable for fraudulent activities", and I was told I can't talk to the supervisor/lodge a complaint. The only thing I could do is to ring the merchant (which is 100% a dead end).

    Desperate and frustrated… what are our options now?

    • WookieMonster on 22/10/2021 - 18:01
      +1

      Have you asked the Coles Gift Mastercard staff to review the following content on page 8 of the Coles Gift Mastercard Conditions of Use?

      We have the ability in certain circumstances to investigate disputed transactions which occur on your Gift Card and attempt to obtain a refund for you.

      In accordance with the Mastercard scheme rules, our ability to investigate a disputed transaction on your behalf is limited to the time frames imposed pursuant to those rules.

      The maximum timeframes vary between 75 days and 120 days from the time of the transaction so it is important that you notify us as soon as you become aware of a disputed transaction.

      My suggestion is you call Coles Gift Mastercard again, stating that you would like to dispute the transaction, as per page 8 of the Conditions of Use. (I’m assuming you’re within Mastercard’s timeframes for disputed transactions?)

      If you’re still getting nowhere with the Coles Gift Mastercard team, you could always complain to AFCA, as Indue (the gift card issuer) is actually a member of AFCA and gift cards issued by members of AFCA can be the subject of AFCA complaints. If you go down this path, make sure you take note of when you call Indue and who you spoke to, as well as keeping copies of emails. However, you may not get very far if you are outside the disputed transaction timeframes.

      • rainex on 22/10/2021 - 18:08
        +2

        Tried. Called multiple times. Suspect they all stick to the scripted response from now on: "page 3 states we are not liable for any fraudulent transactions"… "you can't contact my supervisor about your request/dispute"…"there's nothing we can do. you are welcome to file your compliant with AFCA"…

        Emailed but hopeless…

        • Yola on 22/10/2021 - 18:20
          +1

          I for one am not buying anymore of these cards and have not done so during the current sale until this issue is resolved and everyone is refunded their money. If everyone does this and their sales drop they will have to do so.

        • Mad Max on 22/10/2021 - 18:27

          Are you disputing Google internet charges in US$? Did they tell you before that your card and name were on a spreadsheet for refund?

          • cwongtech on 22/10/2021 - 18:31

            @Mad Max:

            Are you disputing Google internet charges in US$?

            3 cards reported to google, all denied.

            • Mad Max on 22/10/2021 - 19:02

              @cwongtech: I believe Coles Gift Mastercards/Indue are investigating the issue and likely to refund the unauthorised transactions carried out online with transactions on Google in US$.

        • WookieMonster on 22/10/2021 - 18:35
          +1

          I’d go to AFCA in that situation. They’re a free service, but it will take up some of your time.

          I find it mind-blowing that some people on OzBargain can get a refund for fraudulent transactions, whereas others are having lots of problems.

          • Eugklng on 22/10/2021 - 18:36
            +2

            @WookieMonster: I still have not got my refund despite being asked for my bank account number and I think many here still have not got their refunds despite being told they will be. Are they having a change of mind?

            • WookieMonster on 22/10/2021 - 18:39
              +1

              @Eugklng: Possibly a change of mind, or possibly that their banking institution really sucks.

              I think the folks who have been promised a refund via bank transfer and have not received anything yet should submit complaints to AFCA (including you).

  • rainex on 22/10/2021 - 18:56
    +5

    Change of plan…instead of chasing down the coles rabbit hole, I am contacting the media to see if there is any interest from their side.

    • WookieMonster on 22/10/2021 - 19:07
      +3

      First stop, A Current Affair?

      • rainex on 22/10/2021 - 19:24
        +1

        Sent tips to 7, 9the age, afr, dailymail, but sure just added this to my list! Thanks for this and all the help you provide throughout this thread!

    • Mad Max on 22/10/2021 - 19:12
      +3

      That will work if you can get some traction with ACA or similar TV program. Then Coles and Indue will move quick 🚀
      Make sure you mention that, after creating all the inconvenience and loss to their customers due to the lack of security of their cards, now Coles and Indue are running another promotion on the same cards showing a deliberate and complete lack of care for their customers.

      • Eugklng on 24/10/2021 - 09:44

        Can you really 100% blame Coles/Indue? These cards do have the CVV as an added security feature that’s there specifically to fight against such brute force attacks but it’s merchants like google and amazon that have opted not to ask for it.

        • kelasen on 24/10/2021 - 09:55

          It’s the static expiry date which is the main culprit.

          • Eugklng on 24/10/2021 - 10:10
            +2

            @kelasen: There’s probably not many ways to randomise the due dates since it’s only a month and a year and the year can’t be too far off such that the card has a longer validity nor too near causing premature expiry.

            It is just a bad product period and if they really want to continue selling it should put in other measures like the ability to easily disable/enable the card or even a 2 factor authentication.

  • cwongtech on 22/10/2021 - 19:54
    +1

    Indue refund received.
    94.50
    94.50
    42.96

    My bank is CBA

    • cloudy on 22/10/2021 - 19:56

      So lucky, I just checked nothing for me yet

    • io on 25/10/2021 - 00:51

      For the $42.96 refund, was the refund equal to (lost amount in that card - 5.5% discount) = $ 42.96? For me, they only partially refunded $50 whereas I have lost $75 in that card.

  • el8 on 22/10/2021 - 20:05
    +1

    received my refund as well!

  • Eugklng on 22/10/2021 - 22:30
    +1

    My refund is in as well.

  • io on 24/10/2021 - 00:19
    +2

    Received $94.50 for 1 card. But only $50 for another card of which exactly $75 was compromised. Now will chase up why $75 less discounts were not refunded. Oh such a pain! Did not participate in the current promo.

  • cloudy on 24/10/2021 - 19:22
    +2

    Got my refund

    • 1000060 on 25/10/2021 - 11:41

      Congrats! When did you report this and when did you receive the refund? Also the refund amont is discounted? Say 5.5% off for $100 cards and 7.48% for $250 cards?
      Thanks!

  • Iwantthatbargain on 24/10/2021 - 22:38

    Have they blocked all cards? I tried to use my cards to buy Woolworths gift cards, but I am not able to use them now.

Login or Join to leave a comment
Login Join