• expired

10% off $50 TCN Him Gift Cards (In-Store Only) @ Shell Reddy Express & Shell Coles Express

286

Saw this while fueling up at Shell Reddy Express in Wantirna South, VIC.

10% off HIM $50 gift cards purchased from 4/9/25 to 10/9/25 and subject to availability.

TCN Him Gift Cards are also 10% off at Woolworths for Everyday Rewards members this week.

Where is this gift card accepted?
99 Bikes, Academy Brand, adidas, Aquila, Archie Brothers, ASOS, Barbeques Galore, BCF, Bonds, Booktopia, Calibre, Calvin Klein, Champion, City Beach, Cotton On, Culture Kings, Decathlon, Dr. Martens, Drummond Golf, Dymocks, Edge Clothing, Elite Eleven, Factorie, Fine-Day, Foot Locker, Ghanda, Glue Store, H&M, Hallensteins, Holey Moley, Hype DC, INTERSPORT, Jay Jays, JB Hi-Fi, JD Sports, Just Jeans, Kingpin, Kogan, Macpac, Neverland, Nike, Platypus, PlayStation Store, rebel, Reebok, Scotch & Soda, Seed, Strike, Supercheap Auto, Surf Dive 'n Ski, The AFL Store, The Athlete's Foot, The Good Guys, Timberland, Timezone, TK Maxx, Tommy Hilfiger, Uber, Uber Eats, Unison, Universal Store, Van Heusen, Weber, Xbox, Zone Bowling.
This is part of Father's Day deals for 2025.

Related Stores

Shell Coles Express & Shell Reddy Express
The Card Network

Comments (closed)

  • +20
    • They patched it

      • +4

        The last thing I read, said they'd committed to fixing it but hadn't deployed the patch.

        • +4

          Check the comments of the video. Also I knew how it was done and checked that page today and it has a captcha.

          • +20

            @HaydosK: Oh, they patched it yesterday. It took it blowing up in the media after he made a video for the company to act. They ignored the guy reporting the issue for over a month.

            This isn't the response of a competent financial services business.

            If this can make it live, it makes me wonder what other security issues their systems have.

            • @skwashd: Yeah I'm going to be extremely careful when buying them in the future.

          • +3

            @HaydosK: Oh! Thank God! They put in a captcha, the state-of-the-art security. We're saved!!! So instead of taking 10 seconds to force the PIN it takes 10 minutes.

      • +9

        But if the card you buy today is already compromised, then the patch is worthless

        • Do you even know what the problem was?

          • +1

            @HaydosK: He's correct. If the hacker already redeemed the card, it would be a fcking headache to ask for a refund. Is it worth risking over a 10% discount? Your call then :)

          • +5

            @HaydosK: The problem was that they get the card number and then run a script to alert them as soon as there is a balance. This is why the guy on YouTube lost his money in the time it took him to get home from Woolworths and buy on the JB Hi-Fi website. If any of these cards were on the shelf before the security flaw was patched they are potentially compromised. I wouldn't buy any until they have confirmed a full recall.

            • -6

              @donga100: To be frank, I think Simon is the first person who has ever conducted that attack on TCN. It simply does not make sense for scammers to do it this way. Furthermore, if these attacks have been systematically carried out over a prolonged time, even crap companies like TCN should have noticed.

              I am a computer dev and a lockpicking enthusiast, so I would consider myself to have a more balanced view on physical security and digital security compared to most people in either profession. In this case it is certainly more sensible and even safer for the criminals to simply steal a bunch of cards, tamper with them and redeploy them. I think most of the gift card churning community would have come across quite a few tampered cards.

              Additionally, if you know TCN cards well, you would realise that their 50212510 cards are sequential and highly predictable. TCN only fixed this flaw with their newer 50212512 cards. Theoretically a knowledgeable hacker won't even need to go to the store to photograph the cards before they can come up with valid card numbers.

              While the purported "hacking" of the TCN cards certainly makes a sensational story, it is most likely irrelevant to the actual compromises we have seen. The bottom line is to realise even if they fix the flaw and replace the cards, you are still not safe.

      • +3

        Don't get too excited about the security flaw, because it doesn't matter at all in real life. Scammers don't actually use this exploit to brute-force the PIN when they can simply remove and replace the PIN stickers, probably all under 10 seconds.
        Most of the time they will remove some card numbers as well to increase their chance, so as long as those are intact you are pretty unlikely to get a targeted card.

        https://files.ozbargain.com.au/upload/187505/123832/1.jpg
        https://files.ozbargain.com.au/upload/187505/123833/2.jpg
        https://files.ozbargain.com.au/upload/187505/123834/3.jpg
        https://files.ozbargain.com.au/upload/187505/123835/4.jpg

        3 is the restored card btw.

        You can look for subtle horizontal lines near the PIN region by tilting the card at an angle against a light source. However, if the scratcher used a blade that closely matches the width of the PIN sticker, it would be extremely difficult to spot. Also look out for dirt traces under the clear part of the PIN stickers. With their volume I would say it is going to be very hard to keep their blades clean.

        • Ok. I don't buy TCN anyway, but Ultimate gift cards have better security and that's what I have been buying recently anyway.

          • +1

            @HaydosK: Actually they have the same problem. With the sealed packs (so do Apple GC, Coles Mastercard and Vanilla cards and TCN EFTPOS cards), it is pretty easy to open them nicely and reseal them if you are willing to sacrifice half of them. You would first need to preserve the bottom half of the pack, i.e. the card itself and the back of the pack, by cutting off the top carefully. You can then take another pack and preserve the top cover carefully while not bothering about the bottom. I find the best way to do this is to simply cut open the pack from the centre and tear your way radially outwards.

            In this way you can easily obtain 2 parts, both perfectly preserved, defeating any possible fancy holograms/anti-tear/tamper-evident features.

            Then you simply reseal the packs with some light cyanoacrylate glue for a neat finish.
            I found the most reliable way to identify cards tampered in this way is to take a few of them (say 7-8 pcs), pile them up and look at the sides. If you spot any irregularities in the cards, such as unevenness or misalignment or variation in thickness, it is likely to be a suspicious one. These cards are extremely difficult to spot on their own if repackaged carefully, so always take a few and spot the difference.

            I would encourage everyone to try it out yourself so you can get a better idea of what the finished product might look like. I certainly don't believe in security by obscurity, and knowing how criminals do it should help you not fall victim.

        • I was like that will never work you'll have to get… And I'm like Ah! Duh!

    • +4

      Yes this, it's IMPORTANT to highlight that although it's patched, unless they change all current cards in the market, there is still a risk someone had taken a photo and identified the PIN through the non-captcha page before they patched the system.

      Is there a way to know when the card was produced? Then we can get those that are produced after they have patched the system.

      • +2

        From my understanding the pins can only be cracked after the card is activated. The exposed API that was being called by a script would only respond that the guessed pin was correct if the card number was also valid and activated.

        So assuming it's been patched correctly, then any existing cards that are still in stores should be safe even if they've had the card numbers photographed.

        I'm not 100% convinced that it has been completely patched though, it still seems risky to buy the cards. It's not the page that needs the captcha but the API endpoint, so if they haven't put the captcha or protections in front of that then they haven't actually fixed anything.

        • +1

          I know how it was done and on the webpage it does have the captcha. I assume if it bypassed that using API the YouTube guy would have told them to fix it. There is enough spotlight on this. Hope they fix other issues while they are at it.

        • I think he was using browser automation to use the front-end forms, that’s why captchas would have stopped it. If he had access to the API it wouldn’t have even taken 10 minutes. Of course a rate limit on the API would help too, hopefully that’s part of their patch.

          • +3

            @alcadive: I tested before it was fixed and the website made a request to the API, so I grabbed the URL for the API endpoint and was able to call it myself easily enough with the card details he used in the video. All I needed was a customer ID that gets generated by the old form to send along with the request, and that customer ID was valid for at least a few days.

            After it had been patched on the site I checked what API endpoint was used and it's now different and requires a captcha token to be passed with the card details.

            In saying that though, the original API endpoint still exists and I'm able to call it with no captcha token, the only thing is now it responds with "invalid customer identifier" for the customer id I generated with their old form, and I've not bothered figuring out how to generate one without that form.

            So in the video he might have been using browser automation, but it was (and maybe still is?) possible to get straight to the API endpoint without going through the browser.

            • @subnebula: That’s wild. I wish I could have played around with it before it was fixed. Thanks for the info

      • Did you even look at the video and the vulnerability??? It needs to be activated first for them to crack it. If you buy now you aren't vulnerable to this anymore.

        • 10000 rotating proxies and captcha solver say you're wrong.

  • I'd be curious to know if anyone has successfully purchased these as I had someone tell me that their TCN Him gift cards failed to activate at two separate Reddy Express locations when purchased on Thursday and Friday.

    • -2

      Try paying cash

      Sounds dumb, but seriously.

      • +3

        I might be wrong, but I think it's a back-end issue activating a purchased card. I don't think the method of payment (cash or card) will make any difference?

        • -1

          I get what you're saying, but trust me

        • Paying with cash and if it fails to load you can walk away with your cash.
          Paying on card and you can come back tomorrow for the manager:) Well maybe you can lodge a dispute too.
          Paying by Shell GC? Good luck mate!

  • +2

    I would avoid as there could be activation issues as mentioned above.

    Please read the first comment here.

  • Use Shell GCs for extra 2% off

    • can buy GC using a GC!?

      • Has worked previously. I have done several times but not for a few months

      • Yeah Coles group has stopped all BIN based measures against card inception. Go Woolies!

  • +7

    Avoid TCN. A friend bought one today for $100, after the vulnerability was patched. She thinks it's already been stolen.

  • Seems smart to avoid TCN gift cards for the time being, until it's been confirmed that the patch they implemented actually fixes the exploit.

    • +2

      Problem is they fixed the exploit, but existing cards on the shelves are ALREADY compromised. So really they need to recall all cards… or find a new way of issuing the pin etc.

      • From my understanding the pins can only be cracked AFTER the card is activated. So existing card should be safe, assuming they completely fixed the exploit.

        • +1

          Still very much crackable.

          Similar to salting your passwords when finding a vulnerability in your database but not patching the vulnerability.

          And with the news coverage more skilled crackers now know the vulnerability exists.

        • +2

          Best practice is definitely to return a generic nondescriptive error for both unactivated cards and wrong PIN, but knowing TCN well I am not holding my breath on that:) But unfortunately they already know your PIN so it doesn't really matter.
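The thread above makes two defensive points: a balance-check API should return the same generic error whether the card is unactivated or the PIN is wrong (otherwise the response itself is an oracle), and the endpoint, not just the web page, needs rate limiting or a captcha. The following is an added illustration written for this page; it is not TCN's code and assumes nothing about their actual API. The card records, numbers and PINs are constructed sample data, and the attempt threshold is an assumed policy value.

```python
"""Added example (not TCN's code): a leaky card balance check beside a
hardened one that gives a single generic answer and caps failed attempts."""
import hmac
from dataclasses import dataclass


@dataclass
class Card:
    number: str
    pin: str
    activated: bool
    balance_cents: int
    failed_attempts: int = 0
    locked: bool = False


# Constructed sample data; the identifiers and PINs are made up for this example.
CARDS = {
    "CARD-A": Card("CARD-A", "1234", activated=True, balance_cents=5000),
    "CARD-B": Card("CARD-B", "5678", activated=False, balance_cents=5000),
}


def leaky_check(number: str, pin: str) -> dict:
    """Weak design: three distinguishable outcomes and no attempt limit.
    A caller can tell an unactivated card from a wrong PIN, and can tell
    a wrong PIN from the right one, as many times as it likes."""
    card = CARDS.get(number)
    if card is None:
        return {"ok": False, "error": "unknown card"}
    if not card.activated:
        return {"ok": False, "error": "card not activated"}
    if pin != card.pin:
        return {"ok": False, "error": "incorrect pin"}
    return {"ok": True, "balance_cents": card.balance_cents}


MAX_ATTEMPTS = 5  # assumed policy value, not TCN's
GENERIC = {"ok": False, "error": "card number or pin not recognised"}


def hardened_check(number: str, pin: str) -> dict:
    """Hardened design: one generic failure response for every bad case,
    constant-time PIN comparison, and a per-card lockout after repeated
    failures so the endpoint cannot be used as a PIN oracle."""
    card = CARDS.get(number)
    if card is None:
        # Compare against a dummy so an unknown card costs the same time.
        hmac.compare_digest(pin.encode(), b"0000")
        return dict(GENERIC)
    if card.locked:
        return dict(GENERIC)
    pin_ok = hmac.compare_digest(pin.encode(), card.pin.encode())
    if not card.activated or not pin_ok:
        card.failed_attempts += 1
        if card.failed_attempts >= MAX_ATTEMPTS:
            card.locked = True  # cleared only through an out-of-band reset
        return dict(GENERIC)
    card.failed_attempts = 0
    return {"ok": True, "balance_cents": card.balance_cents}


if __name__ == "__main__":
    print("leaky, unactivated:", leaky_check("CARD-B", "0000"))
    print("leaky, wrong pin:  ", leaky_check("CARD-A", "0000"))
    print("hardened, either:  ", hardened_check("CARD-B", "0000"),
          hardened_check("CARD-A", "0000"))
```

A per-card lockout on its own lets anyone who knows a card number lock the legitimate holder out, so in practice it is paired with per-source rate limiting (or the captcha token the thread mentions) on the API endpoint itself and a reset path for the cardholder; the point the example makes is that the response body must not vary with why the check failed.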

  • I bought some today from Woolies - other than taking a few hours to activate they worked fine for me - saved us $40 on the cards and then an additional $30 with the JB hifi perks voucher I used

  • +5

    You will have seen the video the guy posted about how easy it is to hack. The worst bit being how they treated him when he was trying to let them know of the hack. STAY AWAY FROM THIS!!

  • +1

    Even if the vulnerability being discussed here is fixed, look at how atrocious their customer service will be if/when something else goes wrong.

    I’m boycotting TCN since the QANTAS fiasco.

    Their whole IT system is obviously garbage. There needs to be tighter regulation on these pseudo finance companies.

    • Do you have a one liner TLDR on the Qantas one?

      • +2

        Multi-line TL;DR

        Nearly everyone got sent a duplicate card for each one they purchased and TCN decided to just block them all until they eventually sorted out the issue. From memory it happened on a Friday and wasn’t resolved until the middle of the next week.

        There was no official communication from TCN the whole time this was happening. All I got was a canned response to my support ticket after everything was over.

        • -1

          Well to be fair, although I don't like TCN, I have to say it has done us a huge favour and quite possibly intentionally backstabbed Qantas by not blocking the cards over the entire weekend when it could be easily done. What more could you ask for?
          Quite a number of us have advocated that the community just use up the cards first and worry about the very remote possibility of restitution later, because TCN will 100% IA all the cards, or at least the unspent cards.
          If you chose to wait it out, you should have reasonably expected TCN to take some time to sort it out. Actually they only took less than 1 week and it was well beyond my expectation.

        • +1

          Wow!! That's insane. Will avoid!!

  • +1

    Avoid TCN. They don't even do the basics well.

  • Bought 10 * 50

    Have to purchase one at a time

    Each person max 5 cards

    I had my partner with me

    • let me know if they work
