A Woolworths Rewards card was hacked, points used at a servo

virhlpool on 29/10/2022 - 22:47
Last edited 30/10/2022 - 14:08

My Woolies Rewards card was hacked today and the points worth $100 were used at a servo in NSW in a single transaction (from my activity statement, I can't say if it was only fuel or some other purchases too, though it's irrelevant). Usually I don't accumulate $$ in my Rewards card but I had received these recently as a promo bonus from a Woolies Insurance deal and I was yet to use them.

This is the first time I have experienced anything like this - upon Google and OzBargain forums search, I found a few posts about such events/ experiences from the past. I would like to know if this has happened to any OzBargainer recently.

It's still beyond my understanding as to how can one know the $$ balance in a Reward card so randomly. I understand that stealing barcodes or numbers from various sources isn't impossible but stealing the cards based on the exact balance on them isn't possible without access to a systematic database (which only employees would have access to or probably not even them). Leaked username and password of the Rewards account could be a possibility but I suspect it's something beyond it because so many people losing their Rewards account's login details every year doesn't sound very realistic. I will appreciate if someone can share info if they have faced such an event in the recent past.

Be careful with your Rewards cards, folks! It doesn't seem to be a rare crime.

Update: EDR customer care weren't even surprised to know about this when I reported this. They tackled it as if it's normal. I doubt if they are putting any effort to stop this either unless they are working on some better technology behind the scene.

Financial

Related Stores

Everyday Rewards
Everyday Rewards
Marketplace

Comments

  • Muzeeb on 29/10/2022 - 22:56
    +3

    An interesting recent article

    I have never heard of gridware until 30 seconds ago. But anyway….

    • virhlpool on 29/10/2022 - 23:02
      +2

      A vulnerability exists in an app functionality that allows anyone to enter a random card number and find a card’s point balance. After entering the number in a rewards card app, the barcode can be produced, which can then be scanned at Woolies checkouts to claim a discount.

      Interesting.. I don't understand this part. Which app functionality are they referring to and if it's true, wouldn't Woolworths know about it?

      • Muzeeb on 29/10/2022 - 23:03

        As I said I don't know the source but the article mentions ozbargain so it has to be legit IMHO.

        And the author seems qualified…

        An emerging thought leader in cybersecurity

    • Stopback on 29/10/2022 - 23:05

      Make your passwords stronger by including numbers and special characters like ILOVE2ReadB00ks! and 2beornot2B?

      It's very rare for someone to brute force your password. As long as it's different and at not password you should be fine

      • knobbs on 31/10/2022 - 10:04
        +2

        They don't need passwords, all they need is your everyday number/barcode, scan it at checkout and click redeem on points

  • dcep on 29/10/2022 - 23:20
    +1

    I thought only mydeal got leaked , not woolies rewards ?

    ohh, found it .. https://au.news.yahoo.com/woolworths-shuts-down-hacking-clai…

      • DoctorCalculon on 02/11/2022 - 19:36

        You assume they actually care. They have known about this issue for a long time.

    • Neoika on 30/10/2022 - 08:12
      +1

      "Red tape and bureaucracy often get in the way of developers writing good, secure code," he explained. "It's a huge industry-wide problem."

      This is the key problem.

  • Iwantthebestprice on 29/10/2022 - 23:31
    +4

    Call woolies and explain the situation they will give you the points back, it’s bad because woolies refuse to accept there terrible IT system is to blame and after a year of this going on they have not introduced 2FA… which would solve all of this!

    • virhlpool on 29/10/2022 - 23:59

      Agree. It's hard to introduce 2FA for scanning a card though.. I can't think of an easy workflow since the scan has to be quick at the point of checkout otherwise it will create another problem all together if a 2FA method took more time. Even Flybuys don't have 2FA but surprisingly this hack issue seems to be far more common with Rewards compared to Flybuys.

      • Iwantthebestprice on 30/10/2022 - 00:01
        +1

        Flybuys do it just fine. Take your points turn to $ and set a pin and when you set a pin it sends a message with a pin, wollies is being very lazy here

        • kerfuffle on 30/10/2022 - 03:02
          +4

          Flybuys also require you to have the physical card though unlike Woolies.

      • Neoika on 30/10/2022 - 08:04
        +2

        Two ways that are not complicated

        • EDR can ask for a PIN on the screen before redemption.

        • Redemption instore is only allowed via Everyday Pay.

  • Ms Bargainer on 29/10/2022 - 23:46
    +2

    Someone used my points last Saturday, at Ampol in another state. I rang EDR and they reinstated my voucher and issued a new card.

    • virhlpool on 30/10/2022 - 00:04

      Mine was used to an Ampol too.. Interestingly, they used my $100 EDR balance and also paid using their credit card (or maybe another stolen Rewards card) since the total expense was a tad above $100. Unfortunately, unlike a transaction in Woolies or BigW, you can't see the receipt of Ampol transactions within Rewards app so it's hard to know if they made that additional small payment through their own credit card - it will be stupid for them to do so if they did as it can easily reveal their identity if Woolworths investigated the case.

      • Neoika on 30/10/2022 - 08:07
        +2

        Ampol is not a EDR redemption location. It must be a Woolworths owned or EG location.

      • abr83 on 30/10/2022 - 16:22

        There are no Woolworths-owned Petrol stations, and Ampol-owned locations (Ampol Foodary and Ampol Woolworths MetroGo) are not EDR redemption locations as they use different Fujitsu POS as opposed to the POS that EG locations use.

        I suspect it would've likely been an EG/Ampol co-branded location owned by EG, although some may still have the Woolworths branding on the shop (but are being phased out by EG), so you may want to chase up EG if that's the case.

        • virhlpool on 30/10/2022 - 19:03

          EDR customer support also confirmed that my points/ balance were used at a petrol station which would accept EDR card - I am not sure what branding the petrol station has but it would be one of those which are partly owned by Woolies.

      • DoctorCalculon on 31/10/2022 - 00:07
        +2

        it will be stupid for them to do so if they did as it can easily reveal their identity if Woolworths investigated the case.

        You assuming that they are using credit cards under their own ID.
        Even if they did, WW is so f#$%ing lazy, nothing will be done about it.

        • Gervais fanboy on 31/10/2022 - 00:19
          +1

          I had my rewards dollars compromised too, the scammers paid for the deficit using cash.

  • Gervais fanboy on 30/10/2022 - 00:26
    +2

    This scam is getting quite common now..
    I’d recommend everyone to change their redemption settings to either - Savings for Christmas or Convert to Qantas Points.

    • DoctorCalculon on 31/10/2022 - 00:10
      +1

      Savings for Christmas

      This won't necessarily protect you, especially for the month of December.
      Folks have reported lost EDR $ as those nasty hackers were able to bypass this with ease.

      • Gervais fanboy on 31/10/2022 - 00:18

        Well, atleast the user’s rewards dollars would be safe until December.
        Also, I don’t think the scammers have yet been able to ‘bypass’ alternate redemption preferences yet.

    • modsec802 on 31/10/2022 - 14:42

      or just use them as soon as you get them

  • MeesusEff on 30/10/2022 - 05:35

    I had a weird one few years ago, I completed my shop and got $20 in Rewards dollars, the person who used the same self check out right after me redeemed it and I had no idea until I checked why my points didn't come through. I could see the receipt on my account, luckily live chat credited it back to me easily but they couldn't explain that one.

  • c64 on 30/10/2022 - 11:05
    +1

    the whole system is insecure. they should have a pin for redeeming points at the checkout.

    i scanned some groceries and my card at a woolworths checkout. i had a $10 reward balance. then i decided i wanted something else, so i asked the checkout attendant to clear all the items off the machine. she did so, but my card was still left active on the machine. someone else immediately comes along to the machine i just used and their purchase appeared on my card activity. luckily for me they did not notice the $10 balance or they could have spent that.

    • 76F on 30/10/2022 - 15:26

      Similar thing happened to me – the next person's transaction appeared in my account. Support couldn't explain it either.

    • DoctorCalculon on 31/10/2022 - 00:15

      luckily for me they did not notice the $10 balance or they could have spent that.

      Haha! This happened to me as well. I ended up getting all the points from this random person.
      A week or so later, all my favourites got mixed up. :(

  • JIMB0 on 30/10/2022 - 11:09

    There's several ways to find out the balance of an account. You'd think leaving it as save for Christmas would be safe but they seem to get around that as well. Either by entering your password or intercepting the text message.

    • Garrettau on 31/10/2022 - 22:35

      Can you share how to find out the balance?

      • JIMB0 on 01/11/2022 - 09:34

        The most obvious is it prints on the bottom of the receipt. They could brute force it by making a small purchase.

        • Garrettau on 01/11/2022 - 17:52

          But the card number is masked

          • Neoika on 01/11/2022 - 18:15

            @Garrettau: Still not masked at the 3rd party store like Ampol, not many though.

          • JIMB0 on 01/11/2022 - 21:40

            @Garrettau: You could theoretically sit at a checkout making small purchases on various generated rewards cards until you strike one that has dollars off next shop.

  • GourmetFoodie on 30/10/2022 - 13:22
    +1

    Basically the safest approach is just to redeem your points as soon as you get them. They seem to go after higher value balances.

  • Stuntdriver on 31/10/2022 - 08:10
    +1

    someone hacked my maccas rewards account, i stupidly had a saved credit card attached to the account and they went on a spending spree buying about $150 of maccas in a few hours (hopefully they get diabetes and die). Macdonalds couldnt give a (profanity) just told me to report to credit card which luckily they gave my money back. Haven't been back to maccas in 6 months since it happened due to their lack of care about this situation.

  • knobbs on 31/10/2022 - 10:02

    This has happened to me and lost almost $700 in points. Been a month and a half of "it team investigating" and that is all I get. Plus they can't get past 1yr history on their own system and are "investigating" because it should be more.
    Don't know what else I can do

Login or Join to leave a comment
Login Join