My New Woolworths Rewards Card Has Been Hacked, Points Already Used in Other State While I Only Received Today

Applied for the card last month with a 5000 points bonus; I received the card today, logged in, and found the points were used in another state two weeks ago.

Anyone in the same situation as me? Who could access the card number before me? The envelope received today was sealed, in an unopened condition.

Comments

  • +3

    Possibly someone ordered a bunch of Woolworths Rewards cards, noticed a pattern in how they are numbered, created barcodes for the next numbers in the sequence and used them to redeem your points.

    It's entirely possible that for Woolworths rewards they just increment each member number by 1, and because the membership number is also a barcode, the only security in it is knowing the last number is a check number.

    E.g. My card could be 9353000000008 and the next person would be 9353000000015

    • What do you mean by check number? Even if a reward number is found that way, why would someone use it unless there is a way to know that the card has reward money on it?

    • -1

      They definitely do this, or something very close to it. (Source: I may have signed up my goldfish and my neighbour's goldfish and so forth and noticed the numbers are close to sequential.) This is a pretty massive fail by itself. Allowing people to check the balance of points and offers available on a card with just the number and no password, email, or anything is another massive fail.

      Some of my poor pets had the points transferred to Qantas. Some had the balance spent before they could buy fish food.

      http://www.smartcompany.com.au/industries/retail/concerns-wo…
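The "check number" in the comment above is, assuming the cards use standard EAN-13 numbering as the two quoted values suggest, a check digit computed from the other twelve digits. The following added example (not from the thread or from Woolworths) computes and validates it and shows that the check digit detects typos only, which is why a card number by itself cannot act as a credential; the two card numbers are the ones quoted in the comment, the third is a constructed typo.

```python
# Added example: EAN-13 (GS1) check-digit arithmetic.  Card numbers below are
# the two quoted in the comment; the mistyped one is constructed for illustration.

def ean13_check_digit(payload12: str) -> int:
    """Compute the EAN-13 check digit for a 12-digit payload.

    Digits in odd positions (1st, 3rd, ...) are weighted 1, digits in even
    positions are weighted 3; the check digit is whatever makes the weighted
    sum a multiple of 10.
    """
    if len(payload12) != 12 or not payload12.isdigit():
        raise ValueError("payload must be exactly 12 digits")
    total = 0
    for idx, ch in enumerate(payload12):
        weight = 1 if idx % 2 == 0 else 3  # idx 0 is position 1 (odd)
        total += int(ch) * weight
    return (10 - total % 10) % 10


def is_valid_ean13(number: str) -> bool:
    """True if the 13-digit string ends in its correct check digit.

    This is an integrity check, not authentication: the last digit is a pure
    function of the first twelve, so anyone holding those can recompute it.
    """
    if len(number) != 13 or not number.isdigit():
        return False
    return ean13_check_digit(number[:12]) == int(number[12])


if __name__ == "__main__":
    for card in ("9353000000008", "9353000000015", "9353000000080"):
        print(card, "valid check digit:", is_valid_ean13(card))
```

The first two numbers validate and the constructed typo does not; a valid check digit therefore tells a terminal only that the number was scanned correctly, which is why the thread's calls for a PIN or a login before balances are shown are the actual mitigation.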

  • I'd say they got your email account/login from somewhere and printed off a temp card and used it that way. When you sign up you are immediately ready to earn points and can use a temp card until the real one arrives in the mail.

    Best speak with their support

  • +2

    Check in the deal itself: https://www.ozbargain.com.au/node/314663

    Others in the same boat

  • -3

    Maybe Woolies stuffed up and sent you the wrong card?

  • -6

    Why the heck can you see the amount on someone else's card before you shop on the Money App???

    At least give the scammers a hard time by making them have to give me free points before they can try to fail to cash out. This is another reason why as soon as I get $10 off, I spend it immediately. I know the system is flawed and everything about it. It was only a matter of time before some genius figured out some pattern in the card numbers.

    It isn't just Stocard which is to blame, the backend used to generate temporary cards can be accessed via a simple link.
    https://www.woolworthsrewards.com.au/#/print-temp-card?edr=[Insert Number Here Without Brackets]
    I sent this link in my email to them as well about half a year ago; you don't even need to be logged in to generate a card number.

    I think you still can, because I just typed my own in and got a new fresh print of my card. This has not been patched. They also need to block Stocard from generating barcodes if they plan not to implement some PIN system.

    This loophole needs to be (profanity) closed already; I sent them communications in the past which resulted in them blanking out some digits on their receipts, but apparently this wasn't enough to close this particular loophole because the points are on your card before the card reaches the client.

    They need to upgrade firmware on all their machines to allow some sort of PIN code to be entered after you scan your woolworths card. Much like how the Coles e-gift card works, you scan and then press your pin. This would allow them to not have to reissue all cards with a swipey strip.

    This is definitely a massive breach. I mean who the heck runs the IT department at Woolworths. Get your act together.

    I'm not going to shoot them an email again because they didn't implement all my fixes, but if you are reading this, make these changes ASAP.

    HALF A FREAKING YEAR AGO GUYS! WAKE UP!

    ALSO GO CHECK THE FACE OF THE PERSON WHO IS REDEEMING IT. YOU HAVE THE TIME & FOOTAGE AT KINGSGROVE!

  • Ah, you can print the temporary card(s lol) and spend them as soon as the points are added

  • The hackers will be found. If they were dumb enough to pay by CC or DR card they will be caught. CCTV as well.

    • +1

      Quick, mobilise the Points Squad to check the store CCTV for somebody who redeemed $10 worth of points. Lucky Peter Dutton has his super security department to cover these crimes.

      • +9

        Points Squad - "we've secured the 20megapixel CCTV footage, quick let's identify these point thieves. Okay, zoom in and enhance!!! THAT'S THEM!!! in the peaked caps, wearing sunglasses and with beards and long sleeve shirts…..hmmm sort of hard to identify them….wait a minute!!…let's do a trace on the CC or DC they used to pay for it……WE HAVE THEM NOW!!!!……they used cash……..wait a minute……one of them is wearing adidas sneakers….size 10 I believe…and made within the last 5 years….all we have to do is track down who has bought size 10 adidas sneakers in the last 5 years and we have our culprit….HAHAHAHAHA, FOOLS!! when will they learn they can't outwit the Points Squad….to the Points Squad helicopter!!!

        I am over-caffeinated.

        • I like altomic over-caffeinated

        • Um, no, from the pattern, I guess possibly hundreds in total were taken from various different people.

          I'm sure most people here create a dodgy account that was a new person, but still. It's controversial and some real people are going to be affected.

          Creating an account and redeeming yourself is a whole lot different from punching numbers into a bot and then vacuuming up "other" people's points. Especially since we don't know how many of those accounts were from legitimate people….

          HUGE DIFFERENCE MATE. I WONDER WHO IT WAS… LMAO

    • Yeah, not sure why you were downvoted.

      I'm not sure about my own post as well.

      I think someone on Ozbargain is running around scared and downvoting stuff to hide it from outside the community.

      He/She will be found and prosecuted.

      Everyone else who used fake names, well… I doubt that would be enforced, but the one person who seems to be vacuuming up a lot of the credits for accounts they didn't create is probably going to get screwed hard.

  • My points were hacked as well

  • +6

    What did Woolworths say when you called or did online chat with them?

    • +2

      I wonder if we will go into a recursive loop situation where newscom.au and Ozb continuously reference each other. Kinda like 2 out of office email accounts sending each other out of office emails. :)

      • and it says Numerous customers? I can only see two

        • Several, check the other thread. Possibly hundreds more that haven't come forward but will have a salty taste in their mouth about shopping at Woolworths because they didn't get their points.

    • It made the news. Woolworths IT department should be replaced for incompetence.

  • Hacked as well… Call 1300101234 (support number) and they will verify the DOB, address and name.

    Will send you another card with 4000 points - $20 worth. Cheers

    • Glad they are doing this but they still haven't fixed the hole in their system. It's going to keep happening into the future as I have described in my -5 voted post.

      It will probably spread to others with near 2000 point balances as well…

      I warned them, but they didn't do their due diligence.

      First thing they need to do is catch that con-artist that used several tens of thousands of points from various cards.

  • I love how brilliantly simple this is, just wish I had thought of it first!

    Actually, no I don't… I'd hate to have to deal with the charges when the one or two people get found.

  • Customer service cancelled my card after the theft, reapplied the missing points to a new card and sent it out to me. Once again the points were stolen before I received the card. I'm in SA and now have had my points stolen at Merrylands, Matraville and Chullora. WTF

  • Hacked as well, and I had more than 1 card.

    • Now it's also on The New Daily, The Register and even 1688.com.au. Did any member actually get interviewed by those news outlets?

      • No, all the quotes seem to be lifted from this and original deal

        Pretty funny that News quoted OzBargain user "RubertMurduck"

        In other unrelated news, a media pack has formed outside of the house of the guy who had his hubcaps stolen.

      • +1

        Given the job losses in media, it's highly unlikely they have any resources for investigation. It's just cut-and-paste "journalism". Stories which are click bait are favoured, to bring in banner ad revenue, which ironically is hastening their demise by growing the Internet giants.

  • My girlfriend's points are gone too, redeemed in Parramatta, she's never been to NSW in her life…

    But they seem to have upped their IT security considerably. Went to check the balance of a gift card and had to spend what felt like an eternity on their picture-captcha. From roads to store fronts to cars to street signs, the whole lot. Facepalm!

    • Those picture-captcha are useless. I seem to be able to by-pass those (on all/ most websites, not just Woolies') on my personal computer (which has pop-ups blocked) but not on my work computer (which probably doesn't have pop-ups blocked).

      They should seriously require people to log in before they can see their balances.

      • That's why the 'facepalm'. To spend the giftcard I need only card number and PIN, but to check the balance I need to get past the captchas in addition. Crazy!

  • Woolworths confirmed it was investigating the complaints, but denied there was a flaw in its app.

    That explains why they're not showing the balance in the app anymore.

  • Just came back from overseas to find that my Woolworths reward dollars were redeemed while I was away. Asked my partner to check and hers were gone as well.

  • I'm glad I found this thread and the updated comments on the original deal, as I've had the same problem. However when I emailed customer service they simply sent out a new card but did not refund the points. I assumed it was my word against theirs (saying I had never used the card and they would not believe me) but now I know this is a larger issue I'll be on to them tomorrow for my POINTS. What a joke, though.

  • Very common, heard this so many times (I work in IT). The Woolies cards are very insecure because they chose to use the barcode numbering scheme used on grocery items and they don't use a PIN to give some security to the card. Simple to generate those barcodes on-line, print them out and try your luck and see if you get a hit. And if the scammer has some info about you, such as a balance and card number then they own you.

    Picking up receipts was another common way of doing it. The full Woolies Rewards card number AND info about your points used to be on your receipt until very recently. Unbelievable it went so long at Woolies with such hopeless security. You may have noticed the changes in what is on the receipt over recent weeks. It first went to masking most of the number, but still giving points information, now it doesn't even show the points anymore, just tells you to go to the rewards website to see your balance. Improvements, but still not enough. Woolies outsource parts of their IT dept to India. Skill levels are very low there, so this kind of incompetence is common. But ultimately you have to blame Woolies management. Scams can originate in India too e.g. selling huge lists of rewards card customer details, such as barcode and balance, by the staff in India that work on the systems. I haven't heard of the latter happening for Woolies though, but you never know, that kind of stuff is kept very hush hush when it happens as it could collapse the entire Woolies scheme.

    Also be careful if you see random points on your account from places you didn't shop - this is where people are trying their luck in the hope that the barcode they have duplicated has bonus credit, but it hasn't, so the points from that shop just get added to the real account (yours). Be careful if you see this happening to you; it's a good idea to swap your card for a new one with a new number.

    Woolies will just give you points as compensation if you get scammed because it's significantly cheaper than the millions of dollars they would need to spend to secure the system.

  • 1 way to protect yourself is to change your redemption setting to "bank for Christmas" and only change it back to "automatic savings" when you want to use the points
