Got Scammed and lost $1500 on Gumtree -_-"

I thought I was being careful, but sadly not careful enough to account for the failures in loose implementation of JB Hifi's gift card policies.

  1. Had 3 x $500 gift cards from JB Hifi, from the promo in Dec last year
  2. Listed it here for a couple of weeks, no takers.
  3. So then I listed it on Gumtree.
  4. "James" contacts me, from ACT.
  5. Asks me "Do you have proof of balance picture? or receipts?"
  6. Not knowing any better, and assuming that a hidden "PIN" code is required to actually redeem these cards.
  7. I provided the card numbers, to allow him to check the balance on the cards.
  8. James says he'll pay at the end of the day.
  9. I get messaged here on Ozbargain, snowymatthew, so I decide to allow them to pay instead.
  10. I receive payment, via PayId.
  11. I send copies of the unscratched cards, and then again with the card numbers and PIN codes revealed.
  12. Following day, snowymatthew tells me there's issues with the card.
  13. Since the PIN codes are all revealed now, I confirm the balance on the cards.
  14. Discover they've been redeemed in ACT.
  15. Blah blah … I'm %^&*
  16. Returned the money back to snowymatthew.

So, it looks like James has been able to convince someone at JB HiFi to redeem the cards, with the PIN codes, and without the physical cards. I checked the terms and conditions: https://www.jbhifi.com.au/pages/how-do-i-use-a-gift-card-to-…. "Redeeming in-store at JB Hi-Fi … The actual gift card MUST be presented.". From responses from various stores, staff are not "meant to" accept anything but the physical cards … there lies the issue.

The presence of the PIN code in this instance gives a false sense of security.

Even retracing all the steps taken, I don't think I could have foreseen this - other than "don't use Gumtree". So, I guess this is a warning to others, that the card numbers only are enough to redeem a gift card. Meaning there's no real way for a buyer to validate available credit, or for sellers to have any form of security over the gift cards. This to me, is easier than counterfeiting money and JB accepting it, at another customer's expense.

Expensive lesson, and usually careful with these things. But, aw well, not expecting such a positive outcome. If anything, it just ruined my day.

Since then;

  1. Left my details with the store to follow up
  2. Filed a report with ACSC
  3. Emailed JB Hifi, asking how and why cards can be redeemed by the card number only, without the physical card which is contrary to their terms.
  4. Contacted Gumtree seeking assistance.
  5. I asked James to pay, as agreed and I would cease the police report.

So yeah, great first day back at work. -_-" And now have to deal with the missus.

And not that it means much, but this is the lovely guy that benefited from this all. https://www.gumtree.com.au/s-seller/1170622367193

I really didn't like the idea of having $1.5K in gift cards lying around, just didn't feel secure. And it really had to happen.

Update: So, it would seem kinda useless at this point. But because of the way that I shared the photo with James, it shows an account of his.

(Mod: removed personal information - please see commenting guideline)

Key updates:
* By RNDM on 07/01/2020 - 14:35
https://www.ozbargain.com.au/comment/8208345/redir
* By snowymatthew on 08/01/2020 - 16:47
https://www.ozbargain.com.au/comment/8213127/redir
* By RNDM on 14/01/2020 - 13:30
https://www.ozbargain.com.au/comment/8235494/redir
* By RNDM latest
https://www.ozbargain.com.au/comment/8239312/redir

Comments

  • Wow, what a story, and a great lesson for many to be learned here, hope things will turn out okay, please give us updates what is going to happen, can't wait!

  • LOL you can see he has already sold the gift cards to others.

    • +1

      I think he has done this multiple times, as he has sold a few JBHIFI cards, and it looks like he purchases nintendo switches and sells them.

  • Did you get the gift cards from redeeming the plans then cancelling them? If so good luck getting the money back if it’s linked to that as your proof of purchase…

  • +2

    I really do hope @RNDM keeps this thread alive for all of us. One of the few threads that makes it to the front page and I'm intrigued for the end outcome.

    With my magic online detective skills I can deduce Snowymatthew is innocent (sorry for the earlier accusation) and James from gumtree is a scumbag. Prove me wrong.

    So from what I gathered from this thread alone is that physical gift cards using the numbers can be loaded up on apps such as Stocard or other barcode generator tools to bypass the requirements of the pin as they are then deemed as a digital e-voucher by the system when scanned which are treated differently?

    YMMV as some users claim you don't need the pin and some users claim you need the pin. Also from this thread this is true for other stores besides Coles/Woolworths which do require the pin?

    Purely evil scenario. What is stopping someone camping a week before Christmas/boxing period and keeping track of the gift cards stacked on the shelf knowing that these gift cards most likely won't be received by their loved ones by that time. That window of opportunity would allow scammers to load up the card numbers and trying their luck?

    • +13

      I don’t have an update for today - just yet, but I do have a few thoughts on how to take this further if nothing progresses. So I’ll keep it alive.

      • Why did you give the card numbers to the Scumtree guy if you are like me and believe like me it can't be checked without a pin ?

  • So from what I gathered from this thread alone is that physical gift cards using the numbers can be loaded up on apps such as Stocard or other barcode generator tools to bypass the requirements of the pin as they are then deemed as a digital e-voucher by the system when scanned which are treated differently?

    If that is the case JB need to implement immediately an Amazon gift card system of scratching off the card number!

    Anyone can get some card numbers, wait for them to be activated and abuse it meantime.

  • Can u confirm whether the balance was redeemed before or after you gave the pin to snowy?

    • +5

      If this was the case then gift cards wouldn't be on shelves with their card numbers visible to everyone who looks at them. Literally every gift card you buy would potentially be compromised.

      This really comes down to terrible store policy of being able to bypass the use of pins.

      • +2

        Gift cards are only activated when you purchase them though?

        • +3

          That's not to stop someone storing them and using them after activation if it really was as simple as generating pin numbers based on the barcode.

          The Melbourne Cup ticket that was stolen only needed the barcode to be scanned to redeem it from the ATM. There was no need for a pin (based on a quick google of the story).

      • -2

        As far as I know, they aren't exposed. You have to grab them in order to see the numbers.
        Some stores leave the Gift Cards close to the security dude or the counter.
        I would buy only from these stores and prefer to grab one from the middle tho.

        Nowadays you cannot trust sh1t!

        I am from a third world country where your own family won't think twice to (profanity) you up if they have a chance. I have seen the same here, in some cases worse.
        I have been living here in Sydney for 6 years now, it is safer and so on but I don't trust my shadow.

        No matter what you are selling here in Australia, no matter the price, there is always someone trying to be smarter than you.

        Silly example, a dude lost his bike by allowing test drive and guess what? Since he gave the keys the insurance will not cover it!
        Basic rules: Take photo from the driver license that might be fake anyways, take at least 50% of the price as insurance, check the notes to make sure they are not fake, and so.

        It sucks but at least you won't have problems :)

        • +2

          PINs are most likely completely random and not based on the card number itself.

          I went to my local Woolies yesterday to have a look at a JB Gift Card out of interest (not sure what E-Gift Cards look like) and the card numbers are written on the back.

          • -5

            @Nebargains:

            Yep, they are in the back. You have to grab it in order to see the numbers.

            PINs are most likely completely random and not based on the card number itself.

            If you are sure about that, share your credit card number here and wait to see how many minutes until you receive the first notification from your bank :)

            It is not random. Even those business credit cards that have a device that generates random pin numbers to make hack activities more difficult, they are randomly generated taking your card numbers as base, otherwise, how do you think the bank knows it if it was in fact 100% random?
            The bank knows that the pin informed belongs to let's say 100 random possible pins generated by that device which is linked to your card and allows the transaction.

            The problem is bigger than you think.
            Basic rule: Never share it!

            • +6

              @ratoloko: Credit card's pin is personal, so it is definitely not related to credit card number.

              Also the difference is, you can actually buy stuff with credit card numbers, site like amazon does not even ask for cvc.

              Gift cards on the other hand rely on store's policy which dictates whether pins are required. JB doesn't, that's why we have this thread. Don't try to act like you are smarter than everyone in the room.

            • +2

              @ratoloko: Credit card numbers follow a pattern and have to comply with the Luhn Code which is a very simple preliminary check to see if they're valid. The CVC/CVV is random, and is stored by the bank/issuer to match your card. To check if the CVV is valid the processor has to talk to the bank and ask if the CVV matches the card number. There is no algorithm to crack the CVV. If there were, then it would be trivial to create a list of all credit card numbers and CVV's; literally no credit card number would ever be secure - whether you shared it or not.

              • @macrocephalic:

                To check if the CVV is valid the processor has to talk to the bank and ask if the CVV matches the card number

                And you only get so many 'checks' before the card is locked/blocked too!

    • +2

      If you follow the thread above, you do NOT need pin with JB Hifi cards and that is the whole commotion.

      • yeah, that sucks :(

      • From personal experience at JB Hi Fi, when you use a physical gift card you need a pin as you need to swipe it in the eftpos machine. When using a egift card you don't need the pin in store because they scan the bar code. When using either type of gift card on line you need the pin. If there's a way to store the physical gift card code in an app and bypass the pin I don't know it.

    • +1

      did you censor the word stupid?

  • +1

    Hopefully JB helps out the OP and fixes their system so it cannot happen again.

    Good thread - OP is realistic and not here just to whinge. Raising awareness that there may be a flaw in redeeming gift cards helps the whole OZB community.

    What's the best way of a large transaction? Guessing cash only and meet up in a JB store so things can be confirmed? And maybe for large purchases, both parties swap license information?

    I have heard of escrow type services, with trusted third parties, but have seen examples (albeit in online trading for digital game items) where fake escrow accounts have popped up (doing several small transactions honestly, to gain a good rating, then scam a large transaction).

    • +3

      This is more than JB's system and policy though. Anecdotally, the whole gift card system needs a rework as users are reporting similar NO pin needed for other stores and their gift cards. (So what's the point of the pins if you can just generate a barcode???)

      Any malicious individuals can in theory compromise a crap ton of gift cards across Australia wide by simply noting the card number at the back of the cards and waiting for them to be bought and activated.

      I believe this thread alone and as a community we should make enough noise to raise awareness to the flawed gift card system.

  • +1

    Was personally surprised on the weekend when i went to Supercheap to use my $300 gift card to only swipe it and the transaction was done.
    No need to even take the pin number sticker off the back of the card.

    • +1

      That is quite common with physical card when redeemed in store. The same thing with DJ's gift cards.

      The issue is when they allow redeeming gift card without the physical card and without PIN.

      • +1

        Not exactly hard though to make a fake card by printing to a blank, or putting a sticker over the back of an old gift card for example. So it is pretty slack that they aren't requiring the PIN….

        Personally OP's plight has made me hesitant to buy gift cards. Easier to just give cash in the future.

    • +2

      Bunnings giftcards have no pin at all lol

      • They also give you cash back for change if you have less than $10 remaining

      • I once did a refund at Bunnings without receipt so they said can only give credit on returns card. However, on using the returns card not in full, I got cash back on the change which I thought was strange. Had I known, would have brought $1 item instead.

  • +34

    Hey OP - if you don’t have an update soon, can you please make one up? I’m too invested in this for it to just fizzle.
    Cheers.

  • +1

    Does anyone know or have friends that work at news.com - they have journalists that can investigate this and shed light to scams with giftcards perhaps? Would be an interesting article for that type of website.

    • +23

      News.com.au has actual journalists?

      • +1

        That's what I mean, 'journalists' that will cover this story :D

        • if someone writes it for them and mentions a company willing to make a contribution…. yea of course.

      • +5

        Why not? This story is far more interesting than the sensationalist garbage they usually publish.

        • -2
          1. No proof
          2. Much more click worthy stuff going on in the world

          You need multiple examples of this, not just a possible rogue employee/gumtree scam.

          How would you put the story together? Guy makes mistake, blames JB, loses money?

          • @Pootie Tang: The story is lack of security with regards to gift card transactions. Not the OP and the Gumtree scammer.

          • @Pootie Tang: "Ozbargainer breaks the internet, and that's a good thing!".

  • +2

    Not sure if this article has been posted before but it mentions that JB has $253m in unclaimed giftcards

    https://www.smh.com.au/business/companies/gift-card-sales-so…

    • +3

      And that is why stores love selling gift cards and happy to give 5% discount on them.

      • That's right. A $253 million interest free loan. It is in their best interest (and all businesses who offer gift cards) for people to have confidence in their systems, policies and security.

        All they do is protect themselves from theft and fraud and not the gift card holders. Luckily I don't think this is a major issue just yet.

        Once JB and other stores start seeing a decline in interest free loans because of threads like this they might improve their processes for taking gift card payments.

      • To be fair sometimes you can buy e gift cards on the spot and use them. I actually do that with JB cards a fair bit through Suncorp app. The beauty with JB cards on this app is that you can buy them to the nearest dollar.

        I didn’t even realise the cards had a pin until this thread as JB staff just scan the barcode on my phone screen.

        • That's with egift cards. If you have a physical card you need to swipe it through the eftpos machine and enter a pin.

  • -4

    I am curious as to whether JB will reimburse the OP. I figure it will depend on whether they can catch 'James'.

    The JB's terms and conditions include that GC may not be exchanged wholly or in part for cash. Clearly this covers interactions with JB stores but it may preclude the on-sale of existing cards. JB would not want to encourage after market sales of discounted GC.

    Moreover, although the OP provided a nice explanation, it is also possible the OP gave the details of the cards to a mate in the ACT (with or without the pin code) and the rest is a good story/cover. Identifying the actual user of the card is important.

    It would be handy to know if JB does pay, as I 'need' more stuff and being able to share a GC with an interstate mate sounds nice.

    OP, did you get a report on what the cards were used to purchase and when it occurred? Some of my giftcards provide a log on their use - sometimes you have to call to get more information. It is something that the police may like to look at.

    • +1

      If and only if you had read the above thread!

  • -2

    Lucky I never bought on Scamtree

  • For my local JB even the serial number and PIN isn't enough. They request physical print out of the digital gift cards.

    • You can use it online with the pin.

      Also, making a physical copy is also very easy. The barcode is a standard one which is generated from the number. If you have the template (from an existing gift card), you can print as many as you want.

      • Yeah, I argued that with them and they still rejected. I should've placed the order with click and collect paid via gift cards lol.

  • +5

    The scammer clearly works at JB HIFI.

    • His scumtree history is selling a lot of JB HIFI giftcards so it's likely

      • It also explains how he manages to use the card without the pin.

    • Or he has a friend that works at JB.

    • +3

      The card would most likely be suspended. This guy tried it: https://www.ozbargain.com.au/comment/8206831/redir

    • +7

      You can redeem online and it takes just a few seconds to write a curl script that tests every pin

      Yeah nah, the back end blocks you after a few failed attempts.

      It's not like you're the first one to think of doing that.

      I have never actually done it

      and yet here you are telling us how easy it is to do….

      • -1

        Doesn't mean it isn't possible, just not obvious. There are usually multiple APIs to do the same thing. I have brute forced pins before where the frontend locks you out.

        If they suspend the card, I won't bother testing it though.

        It's obvious there is a flaw somewhere if the guy redeemed it without a pin (not necessarily online).
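
Added example (not part of the thread and not JB Hi-Fi's or any retailer's real system): a small model of the redemption rules commenters describe, where an in-store barcode scan skips the PIN while online use needs it, next to a hardened policy that requires the PIN on every channel and locks the card after repeated wrong PINs. The class, the channel names, the lockout threshold and the sample card are all assumptions made for illustration.

```python
"""Constructed model of gift-card redemption rules; not any retailer's real system."""
import hmac
from dataclasses import dataclass

MAX_PIN_FAILURES = 3  # assumed lockout threshold


class RedemptionError(Exception):
    pass


@dataclass
class GiftCard:
    number: str
    pin: str
    balance_cents: int
    failed_pins: int = 0
    locked: bool = False


class Ledger:
    """Server-side ledger; channel names ("online", "swipe", "barcode_scan") are assumed."""

    def __init__(self, cards, pin_exempt_channels=()):
        self.cards = {c.number: c for c in cards}
        self.pin_exempt = set(pin_exempt_channels)

    def redeem(self, number, amount_cents, channel, pin=None):
        card = self.cards.get(number)
        if card is None:
            raise RedemptionError("unknown card")
        if card.locked:
            raise RedemptionError("card locked")
        if channel not in self.pin_exempt:
            if pin is None:
                raise RedemptionError("PIN required")
            # Constant-time compare; the failure counter lives on the card record,
            # so it is shared by every channel and API that reaches this ledger.
            if not hmac.compare_digest(pin.encode(), card.pin.encode()):
                card.failed_pins += 1
                if card.failed_pins >= MAX_PIN_FAILURES:
                    card.locked = True
                raise RedemptionError("wrong PIN")
            card.failed_pins = 0
        if amount_cents <= 0 or amount_cents > card.balance_cents:
            raise RedemptionError("invalid amount")
        card.balance_cents -= amount_cents
        return card.balance_cents


def attempt(ledger, *args, **kwargs):
    """Return the remaining balance, or the rejection reason as a string."""
    try:
        return ledger.redeem(*args, **kwargs)
    except RedemptionError as exc:
        return str(exc)


def demo():
    number, pin = "CARD-0001", "4821"  # constructed sample card
    weak = Ledger([GiftCard(number, pin, 50_000)], pin_exempt_channels={"barcode_scan"})
    hard = Ledger([GiftCard(number, pin, 50_000)])
    return {
        "weak_scan_without_pin": attempt(weak, number, 50_000, "barcode_scan"),
        "hard_scan_without_pin": attempt(hard, number, 50_000, "barcode_scan"),
        "hard_wrong_pins": [attempt(hard, number, 50_000, "online", pin=g)
                            for g in ("0000", "1111", "2222")],
        "hard_right_pin_after_lock": attempt(hard, number, 50_000, "online", pin=pin),
        "hard_balance": hard.cards[number].balance_cents,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the PIN-exempt channel the card number alone drains the full balance; with the hardened ledger the same request is refused and the balance is untouched.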

  • +1

    This sounds like a JB hi-fi security issue. They can find out which staff member, and also would have camera vision of the customer. I wouldn't let this go.

  • +1
    1. I provided the card numbers, to allow him to check the balance on the cards.

    How could he check the balance without a PIN?
    You need a PIN to check balance on website

  • +1

    may have been mentioned already, but JB Hi fi will be able to track the transaction. The time of it and details of it.
    They will(should) have CCTV from the registers when it was paid, and surroundings of the store.

    • -1

      but this is a lot of work and back tracking, quoting privacy law and not being allowed to release this info will be much easier for the manager/IT guy

      • +1

        I don't know why people keep quoting privacy law. When you walk into a shop there is a reasonable expectation that your movements and your transaction will be recorded. The only way the cctv footage is private is the fact that it belongs to JB.

      • +1

        Why would JB HIFI want to incriminate themselves?

        If OP isn't lying, which I believe he isn't, this is a scam which involves an employee granting a new pin based off a photo alone which is incompetence or gross negligence.

        • an employee granting a new pin.

          No, JB Hi Fi in-store payment system doesn't require a PIN.

      • It won't take that long, they will know the time easily enough and should have access at office to all recordings and slept to the time frame

    • +3

      You've been watching too many CSI type shows.

      The local store manager might take the time to investigate if it was JB's own money that was lost, but since it was only the customer's money they will "make a note of it" and forget about it.

      15 years ago when I worked in a retail store, I remember a specific instance when a shoplifter went in, picked up a 5CD changer stereo box off the shelf and walked out the front door with it. I questioned him for a receipt but wasn't allowed to physically stop him. The centre security guards chased him, but managed to lose him (they lost a guy who was carrying a box three times the size of a carton of beer).

  • +3

    OP, what's the latest in this one? It's like a thriller episode that I can't wait to know the climax of.

  • I asked James to pay, as agreed and I would cease the police report.

    Police will have no interest in this unfortunately.

    JB is your best to follow up.

  • What if James was innocent the whole time ???

    • Then who is the real culprit?

      • +1

        Beyond the 2 current suspects, I only see 2 options in this alternate reality:

        Option 1: OPs partner
        "Honey, I took a trip down to Canberra and used those cards you had lying around. Surprise!"

        Option 2: OPs split personality, like in that Secret Window movie with Johnny Depp that I just ruined for everyone. But hopefully less stabby-stabby.

        • Or a 3rd party has access to the email accounts - sender or recipient. But what's the likelihood that they're just waiting for an email with gift card photos.

  • +2

    FWIW, I commonly put my gift cards onto an app such as stocard or Google pay and use it in store. I put the pin in the notes and take photos of the card, but all the cashier ever does is scan and it goes though "pin is only needed for online purchases"

    However, I remember when using ~$250 of gift cards in a purchase, the store required me to provide id.

    Probably already mentioned, but might be worth contacting the store it was used in, or even head office to ask about the Id of the person who used the card

    • Do the apps create a barcode for physical cards since there isn't a barcode on them and they need to be put through an eftpos machine which then requires a pin to be input?

      • +1

        It creates a barcode from the gift card number.

        I did the same with Bunnings GC - Bunnings don't even have pins on their physical cards.

  • What's a decent price to pay for a $500 gift card for JB Hi Fi taking into account the risks? There must be plenty of $400 or $500 gift cards out there from all the JB deals of late.

    • +1

      Easy sell at 92 - 93%. Last time I got some did some stacking at around 80%, left them around for 2 mths, traded out of them a week ago.

      Wouldn't advise not using them immediately though :)

    • ~5-10% discount seems to be the going rate. Not sure if the savings are worth the risk.

    • +4

      Would have to be well over 5% since you can get 5% off with no risk through membership with Entertainment Book, automobile clubs, some health insurance co etc.

  • Fascinating read and I agree that JB is ethically responsible to refund this. Whether they're legally liable is a different question - this is a loophole which should be closed by ACCC.

    I'm curious - is there any safe way for either a buyer or seller to do this transaction, if in different locations, without risk?

  • +3

    Apologies if someone else has already raised this but you quoted JBs policy:

    "Redeeming in-store at JB Hi-Fi … The actual gift card MUST be presented."

    So how is it that you expect Snowy to be able to claim the gift card without the physical card? (He alleged he tried and was only stopped because there was no value).

    It's a bit moot at this point but the reason why I raise it is because you're using failure to adhere to the policy as a defence but at the same time expecting it to work in your favour when onselling to someone else? (All due respect to your loss)

    • Online with the pin

    • The terms and conditions outlined are the terms in which JB will execute. These are terms which define what JB hifi can and will not do, these do not limit my actions. My criteria have already been met once I have either paid for the gift card, or in my case, simply signed up for a 12-month Telstra plan. Once these criteria have been met, then the gift card is due, and my actions following have no impact on this agreement.

    • I was stopped by the cashier at JB MQ because I couldn't present the physical cards not because there was no value on the cards

  • +21

    Thank you all for your support, and I can fully appreciate the amount of interest this story has built up. I haven't been providing updates, simply because there hasn't been much to tell.

    I too wanted to know the progress of JB's findings and reached out to them today. All I know is, "inquiry is in hand and has been handed over to the Woden and Chadstone store managers for investigation".

    For now, I can't expect much more. At least they haven't simply dismissed the matter.

    • -1

      If you call them at least once a day, or possibly more often if really dedicated, I imagine they'll get onto it more quickly.

    • Still sounds like you've exposed a known deficiency in the system. Maybe it's time to reach out to ACA?

      • "Maybe it's time to reach out to ACA?"

        I think this is a good story for ACA, because who would think that a PIN is just an option when making a purchase.

        • +1

          If Op needs a contact at ACA, I’ve got the details of one of their reporters handy. She reached out after the baby toddler town collapse.
