Stolen Woolworths Reward Dollars from Account

Ocker on 14/09/2021 - 19:36
Last edited 26/10/2021 - 09:36 by 1 other user

Happened to notice, just by accident, that the Reward Dollars on my Woolworths Reward Dollars account was almost zero, whereas it should be $60 plus.

Logged into my account and saw that someone in WA (I am in Victoria) had redeemed $60.00 from my account balance a few weeks ago

Weird part is that on checking the transaction the person bought $61.50 of groceries, redeemed $60.00 of my points and charged $1.50 to a Mastercard debit card.
Anomalies are (a) why would someone commit fraud and then charge to a debit card that can be traced (b) how did the person seemingly know the balance of my reward dollars so as to buy just enough goods to use them up and (c) to redeem points one needs a membership card to scan at the checkout.

Smacks of an inside job to me!

Contacted Woolworths by an online chat session, which took 35 minutes to be connected, which was better than a quoted 59 minutes for a person-on-person chat. Response was basically "OK we will look into the matter" - that was two weeks ago and heard nothing since.

Those with Woolies Reward accounts may be wise to keep tab on their account.

Mod Note: Thread was accidentally merged into the wrong thread, leading to comments being in the wrong order.

Food & Grocery Reward Points

Related Stores

Everyday Rewards
Everyday Rewards

Comments

  • drazman2000 on 25/10/2021 - 22:40
    Merged from Woolworths Everyday Rewards Card Hacked / Skimmed

    So I went and did my weekly woolies shop last night and this morning around 10am I get a SMS from EDRewards with a verification code. As I didn’t initiate the request I went to the app and saw that my whole balance of EDreward dollars was wiped clean and used to buy alcohol worth $305 at a BWS about 20km from me. (All those points accumulated from the Apple promo gone!). I had $300 in my account.
    I immediately called EDRewards and cancelled the card. They have raised an incident to investigate further and hopefully return my reward dollars to me.

    I have my rewards card stored on my iPhone and Apple Watch so I just tap it on the EFTPOS machine to add the card to my shop. I did notice a suspicious person hanging around the self service check out area who did not buy anything and I’m assuming he some how skimmed my card number from my phone. But this is a massive assumption.

    I am baffled as to how they got my number and balance as all my receipts are digital and I don’t have any emails saying a log in was attempted the only notification I got was the verification SMS.

    I have also reported this to the police who will investigate it as I have the receipt (from the app) of what the person purchased time and date and as the value was above $300 they had to top up $5 which they used a credit card for so hopefully they can trace back to someone unless the CC is stolen.

    Has anyone experienced this / know how they could have got my rewards number and balance?
    I also recommend switching to bank for Christmas and switch back when needed to safe guard your hard earned point building as there really is no security and anyone can use your dollars if they have your reward card number!

      • elgrande on 14/09/2021 - 19:38
        +2

        Thats not an acceptable response time, I'd email Brad.

      • MeesusEff on 14/09/2021 - 19:45
        +2

        I had something similar happen, I made my purchase and checked later that $20 was redeemed from my account. I could see the receipt on my account and it was the next person who used the self check out and got some fancy Japanese lunch. I went on live chat and they credited me back the $20.

      • coffeeinmyveins on 14/09/2021 - 19:46
        +1

        Smacks of an inside job to me!

        Yeah a lowly woolies employee is going to get themselves fired over $60

        • Matt P on 14/09/2021 - 20:42
          +1

          Hearing a few of these stories in the facebook groups.. If its an inside job they'd be getting alot more than 60 bucks one off

          Security is far too lax with ED. Flybuys is a lot better

          • coffeeinmyveins on 14/09/2021 - 20:56
            +1

            @Matt P: Lax how? If I checkout using my rewards card, are you saying an employee can just go and find the number and use it?

            That is a hilariously stupid thing to do because their employee card would be against the machine used to access my order and they would be instantly fired and up for fraud or something. I can't see anyone being that stupid, let alone enough people for it to be a number of stories circulating.

            Overall I've found FB to be absolute garbage:

            1) Points take up to 24 hours to appear on my account, sometimes more - EW is instant
            2) Using the actual points is a pain. I need to bring my physical flybuys card and enter a pin number. Woolies I can just use my digital card on my phone.

      • USER DC on 14/09/2021 - 20:35
        +2

        You can request a new card number from the rewards team claiming that it was unauthorized transaction. But I personally believe that Rewards team is not really going to compensate you fully, probably gonna tell you bs like you didn't secure your account good enough etc. Keep in mind Rewards team can easily track the user by cameras, and card used but they likely wont.

        The truth is that ANYONE who knows your Rewards Card Number, can ask a staff member (at a manned checkout) to enter the Rewards card number, and it will work in same way as someone scanning the rewards barcode. Hence the customer can claim your points simply by knowing your rewards card number. (With no questions asked). May be he told wrong number by mistake or may be staff member accidentally typed wrong rewards number. But it is also totally possible that may be you gave photo of your rewards card to someone you know (e.g. your friend, or family member) and they used that card again and got option to redeem ED Rewards Dollars

        • MrHyde on 14/09/2021 - 21:04
          +2

          If someone knows the number; they dont even need to ask a staff member to add it in. Can just generate your own bar code with that number using any of the 100s of online barcode generators. There is nothing special or hidden in a Woolies Rewards barcode.

          • kyle on 14/09/2021 - 23:35
            +1

            @MrHyde: Just enter into Samsung Pay. Easy.

          • Forfiet on 15/09/2021 - 00:18

            @MrHyde: my cards barcode is on my phone….

      • Neoika on 14/09/2021 - 20:43

        You can set it for Xmas and change to Auto Redeem in the APP quickly before checkout.

        • King Tightarse on 17/09/2021 - 13:53

          Yes, I did that but it actually takes up to 2 hours to change over

          • Neoika on 17/09/2021 - 14:32

            @King Tightarse: No, should be instant now.

            • King Tightarse on 17/09/2021 - 15:57

              @Neoika: I got in the habit of keeping my rewards 'banked for Christmas' as I got ripped off too a few years ago.
              A few times it hadn't changed to 'money off your shop' by the time I went to the supermarket, so I learned to do the two hour delay.
              Have they changed it?

      • screensaver on 14/09/2021 - 20:51
        +1

        This happened a few years ago so they set up a 2 step authentication. The same hackers must be back somehow,

        • virhlpool on 30/10/2022 - 00:24
          +1

          Which 2FA? There's none at the moment.

      • c64 on 14/09/2021 - 21:29
        +1

        might be a prepaid gift card

      • JIMB0 on 15/09/2021 - 08:01
        -1

        Anyone can find out the balance.

      • lakes_8 on 25/10/2021 - 22:27

        Happened to me today.. 180 redeemed and paid $5 on a visa card

      • drazman2000 on 25/10/2021 - 23:19

        This happened to me today redeemed $300 and paid $5 on VISA. I have reported to Police and EDR.

    • FLICKIT on 25/10/2021 - 22:58
      +1

      Sounds a bit like this:
      https://www.ozbargain.com.au/node/651164

    • drazman2000 on 25/10/2021 - 23:18

      Cool thanks. I didn’t see that when I searched. Must be a wide scaled scam that’s happening! I urge people to report to ED and Police! As it is fraud!

    • WookieMonster on 25/10/2021 - 23:40
      +3

      I actually thought about this scenario a while ago after seeing the forum topic @FLICKIT has linked to, and I think could be due to a number of reasons:

      • An insider attack or one of Everyday Rewards' systems being compromised.

      • One of your devices has been compromised, meaning that any time you access your Everyday Rewards account, they can see your Everyday Rewards number.

      • The email account associated with your Everyday Rewards account has been compromised. Unfortunately, emails from Everyday Rewards usually display your redemption option (and if it is Money Off Shopping or Bank for Christmas, your Everyday Rewards Dollars balance).

      • Someone looked over your shoulder as you got your wallet or phone out. You've indicated this could be a possibility, but unless your Everyday Rewards card number is visible when you tap your phone on the EFTPOS terminal, I'm not sure how likely it is.

      • Someone brute-forced your account number and got lucky. I've discussed the (rough) mathematics and mechanisms of brute-forcing your way to an active account here after someone asked me the likelihood of this very thing randomly happening to them.

      • Someone you know also uses your Everyday Rewards account (e.g. friend, housemate, partner, kid), and they accidentally somehow showed your Everyday Rewards number to someone lurking at a checkout area.

      • Someone you know also uses your Everyday Rewards account (e.g. friend, housemate, partner, kid), and they used your Everyday Rewards account without your permission.

      I find the fact that they used a card to settle the $5 rather interesting. For all we know, they could have used a Coles Gift Mastercard, so who knows how traceable that would be.

      Anyway, considering the odds of anybody randomly guessing your Everyday Rewards account number is approximately 1 in 199,000,000, plus the fraudulent redemption transaction happened not far from you, I don't think that person came across your account by just guessing and checking (especially since they coincidentally happened to spend all of the Everyday Rewards Dollars in one hit).

      I honestly think it was a targeted hit, but who knows how they managed to target you… I really doubt there was anything as sophisticated as your device being hacked or Everyday Rewards' systems being compromised.

      Also, I think it is time Everyday Rewards finally adds a way to authenticate who you are when redeeming Everyday Rewards Dollars (e.g. two-factor authentication to your mobile number or email or Everyday Rewards app, asking you to enter your PIN at the checkout). As much as I sometimes think that Flybuys Dollars is archaic in not letting you use a mobile phone to redeem your Flybuys Dollars, at least they require you to have your physical Flybuys card and ask you for a PIN to validate it is you.

    • thewinchester on 25/10/2021 - 23:54
      +1

      Someone looked over your shoulder as you got your wallet or phone out. You've indicated this could be a possibility, but unless your Everyday Rewards card number is visible when you tap your phone on the EFTPOS terminal, I'm not sure how likely it is.

      As he’s tapping from an Apple device, the Card ID isn’t displayed on the screen of their device - so it won’t be the vector of compromise here.

      • WookieMonster on 26/10/2021 - 00:00

        The plot thickens…

      • drazman2000 on 26/10/2021 - 07:56

        I believe the rewards card in Apple wallet is not encrypted and is always emitting the signal. So if the scammers have a device that requests the number they can easily skim just by walking past your phone.
        For future safety I have removed the card from my iPhone but kept it on my watch.

    • bdl on 26/10/2021 - 00:07
      +2

      This may be linked to the breach they had around Oct 14, the email they sent out is below. It seems the only thing that didn't leak was whether you preferred low fat milk or not. My account was locked out and I had to contact their call centre to have it unlocked, and received this email a few days later. As you can see the Rewards cards numbers were leaked. Maybe worth using the IDCARE services mentioned. I've just switched to the "Save for Christmas" option for the time being - thanks to the other posters for that heads up:

      "
      This email is to notify you that we have identified, through our routine security measures, an instance of potential unauthorised access to your Woolworths Online account. We also want to let you know the steps we have taken, and measures we suggest you take, to safeguard accessing your account and personal information.

      As a precautionary measure, and noting your Everyday Rewards account is linked to your Woolworths Online account, please reset your passwords by clicking the links below if you have not already done so.

      Woolworths Online
      Everyday Rewards

      We have robust security measures in place to safeguard your information and have no evidence to suggest that any of our systems have been compromised or breached. Your account was accessed with your correct username and password, so your details may have been compromised or stolen from another source.

      Through such access, the following types of your personal information may have been accessed:

      • First and last name
      • Preferred name (if provided)
      • Email
      • Mobile phone number
      • Secondary phone number (if provided)
      • Date of birth
      • Mailing/residential address
      • Everyday Rewards Card number
      • Rewards balance
      • Redemption preference (Qantas Points, Bank for Christmas or Automatic Savings)
      • eReceipts (card numbers are masked)

      Please be assured your payment details were not accessible.

      We want to support you in managing your privacy. We recommend you take the following steps to safeguard your information, including on other websites or accounts where you may have used the same or similar login details:

      • Change any passwords to your email and for any other accounts where you have used the same or a similar password to your Woolworths Online and Everyday Rewards accounts. Remember to log back in with your new credentials.
      • Keep an eye on your online accounts where you have used the same or similar login details, and let the relevant providers know if you suspect any unusual activity.
      • Use caution by not clicking on links or opening attachments to emails or social media messages if you are not sure that they are genuine.
      • Visit Stay Smart Online which provides simple, easy to understand advice on how to protect yourself online as well as up-to-date information on the latest online threats and how to respond.
      • Read the Office of the Australian Information Commissioner's helpful tips on protecting your identity online.

      • If you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia's national identity and cybersecurity community support service. Please engage an IDCARE Case Manager via IDCARE's Get Help Web Form at https://www.idcare.org/contact/get-help if you have broader identity security concerns or by calling them on 1800 595 160. Alternatively you may visit IDCARE's Learning Centre for further information and resources on protecting your personal information at https://www.idcare.org/learning-centre. IDCARE's services may be accessed by providing referral code WWG-IDC when completing its Get Help Web Form.

      For any questions, please call the Woolworths Online desk at 1800 000 610 or click here.

      Warm regards,
      Your Woolworths team "

      • kiitos on 26/10/2021 - 08:14
        +1

        Wow, what was the subject of the email and who was the sender?

        • bdl on 26/10/2021 - 11:00
          +2

          From:Woolworths <[email protected]>
          Subject:(my first name), an important update from Woolworths regarding your online account

          From memory I was locked out Tuesday Oct 12 or Wednesday Oct 13, this email came through 9am on Thursday Oct 14

      • Loopholio on 26/10/2021 - 09:48
        +1

        I'll keep an eye out for this email. Luckily I already have the save for Christmas enabled.

    • bigsaver on 26/10/2021 - 13:12

      sad to hear.. from a risk perspective or even financially why wouldn't you just use the $10 2000 points as they become available? If anything it's more likely points are going to lose value over time?

    • bamzero on 26/10/2021 - 14:59

      Does the phone also show the barcode or membership number when you tap?

      That's all they'd need to redeem, say if they were sneakily filming you at the checkout.
      Of course they wouldn't be able to check the balance but does it show that on the self-checkout screen?

      The two-factor authorisation is more of a PITA than anything since it doesn't actually stop you redeeming anything.
      It feels like every second time I open the Money app my card needs re-validation (and admittedly makes me use a weaker password than I normally would so it's easier to re-verify)

    • angelique008 on 22/03/2022 - 16:47

      I think it’s an employee working from Healthy Place. Remember those survey points we all got we had to type in our Woolies rewards numbers for that. They’ve kept record of these numbers and entered them in a barcode app and scanned them to spend the points. They know exactly who have been rewarded those $60 worth of points. Or it could be Woolies staff entering the numbers in barcode app?

      • kickling on 22/03/2022 - 16:50

        Unlikely. This issue was happening to me over three years ago.

        But, like I said in another post, it could be an inside job of some kind.

        For someone to repeatedly get new member numbers, passwords and/or phone numbers instantly is no coincidence.

        • angelique008 on 22/03/2022 - 16:52
          +1

          Oh I see. Yeah it’s so easy to make a barcode out of those numbers and the insider knows the members’ balances. They should be like flybuys and require PIN number for redemption!! So sad.

  • monkeyer on 26/10/2021 - 09:55

    I reckon it’s an issue with Woolworth’s back end. I’ve noticed for the last month or so I’ve been getting staff discount when I scan my everyday rewards card. When I look at the transactions in the app it appears my account has merged with a staff account interstate

    • WookieMonster on 26/10/2021 - 10:10
      +1

      I hope you’re not locked in a race with someone to see who can redeem Everyday Rewards Dollars first!

      • bdl on 26/10/2021 - 11:01
        +3

        "There can be… only one"

  • kickling on 27/10/2021 - 21:52
    +1

    Can't believe this is still an issue. No improvement on the security of WW dollars redemption. I got brute forced a few years ago, two years in a row both leading up to Xmas (the scammers know that ppl hoard their dollars to reduce the pressure on Xmas time).

    Now I just activate the "save for Xmas" feature and release/lock when I want to use… But it really shouldn't have to be like this.

  • drazman2000 on 10/11/2021 - 09:04

    OP did you manage to get your dollars back from WWs? I’m still trying and not getting anywhere other than “it’s under investigation”

    • oznerd on 15/11/2021 - 17:57

      Happened to me yesterday, im in NSW, someone used my $398 from Box Hill VIC, under investigation now. WWs reward is in mess, many other issues with account as well while I was chatting with them, what a joke.

      • Neoika on 15/11/2021 - 19:15

        How come not $390/$400? No one can redeem $8 EDR. As I mentioned above, you should set it for Xmas(especially for such a big balance) and change to Auto Redeem in the APP quickly before checkout. The first time switch needs verification, but after that it is no longer required. After switch, it is immediately ready to use, no waiting period. I set it up with several accounts and I think so long as you do not log out the App, it is that easy.

  • King Tightarse on 15/11/2021 - 19:40
    +1

    Hey a question for the experts: having selected "Save For Christmas" to protect our EDR points, they will all become automatically available on December the 1st, right?
    Are we all about to become vulnerable and hack-able on December 1?

    • Neoika on 15/11/2021 - 19:51
      +1

      I vaguely remember the EDR balance @ $30+ needed manual unlock in the App/via email link last year.

      In addition, if you switch to "Save For Christmas" between 1 Dec to 1 Jan, $EDR'll be locked again for the Xmas next year. You can do this to lock them again.

      • King Tightarse on 15/11/2021 - 20:33

        Ah I see. So it requires manual re-locking.
        Still I think the hackers may well be getting busy as many would not be aware or have forgot

        • Neoika on 01/12/2021 - 10:21

          It is the same as last year. I just switched to auto redeem and back for one account with $20. The rewards are locked again.

          • King Tightarse on 01/12/2021 - 10:30

            @Neoika: Ah so thats the process? I will give it a go now

            • Neoika on 01/12/2021 - 10:31
              +1

              @King Tightarse: For $30+ rewards, you do not need to do. Manual unlock required. Unless you'll split spend them later.

              • King Tightarse on 01/12/2021 - 10:45

                @Neoika: Ah I see. Yes, I have more than $30. I toggled it to 'money off shop' and back and the date still remained 'available from 1/12/21' but if it requires a validation step it should be safe.
                I will try it on another ac count that has less than $30 and see what happens

                • Neoika on 01/12/2021 - 10:45

                  @King Tightarse: One-off validation unless you log out.

                  The shoes with a lock icon indicates "rewards locked".

                  • King Tightarse on 01/12/2021 - 11:51

                    @Neoika: I cant see that on desktop- is it in the app?

                    • Neoika on 01/12/2021 - 11:54
                      +1

                      @King Tightarse: Yes, App.

                    • Neoika on 01/12/2021 - 12:11
                      +1

                      @King Tightarse: Use dual APP on your device. Xiaomi phone has it as inbulit function. You can download more similar APPs. I have 4 Rewards accounts stay logged in on one phone, three duplicated APPs.

                      Obviously, lots of hassle to manage the multiples on the desktop.

    • Grale on 07/12/2021 - 10:43

      I did the "Save For Christmas" and got an SMS verification code this morning (which I did not request) and upon checking, all my everyday rewards dollar has been redeemed at a Big W store in VIC (I'm in WA). So they are able to access it all the same…!

      • King Tightarse on 07/12/2021 - 10:53

        Someone somehow got into your account and changed it and then spent it. Did you have a complex or a simple password?
        These days they want a mix of cases and numbers and some random characters. Something basic like Johnno1975 is too easy

        • kickling on 07/12/2021 - 11:42

          Yeah but there is 2FA now.

          They should not be able to turn off the Xmas lock without that code.

          • King Tightarse on 07/12/2021 - 11:44

            @kickling: Must have hacked his email too? Seems a over the tops just to get at his rewards dollars

            • kickling on 07/12/2021 - 11:47

              @King Tightarse: He/she mentioned that the 2FA code was by phone SMS.

              So to me, there is a flaw in the system where 2FA is in reality not required to unlock the Xmas lock.

              • King Tightarse on 07/12/2021 - 11:53

                @kickling: Yes, but I think you ca also ask to be emailed a code - although this requires two hacked accounts. Email and EDR but I have no idea how they are actually doing it. Just guessing

                • Grale on 07/12/2021 - 11:55

                  @King Tightarse: I checked my email activity and there was nothing suspicious. As far as i know, i only got the sms verification code which should not have allowed said person to access it. Upon login, you do get a request to choose where the code is sent to.

                  • King Tightarse on 07/12/2021 - 12:05

                    @Grale: They could completely delete the code from the email but it seems too elaborate - they must have some other tricks up their sleeve

                    • Grale on 07/12/2021 - 12:15

                      @King Tightarse: I was looking through login activity. Regardless i have 2fa enabled so don't think this was the point of compromise.

                  • kickling on 07/12/2021 - 12:05

                    @Grale: Better raise this with the WW reward team.

                    I know that a few months ago, even with the Xmas lock, you could shop online at bws and redeem your points. So I'm guessing there are similar flaws still available.

                    • Grale on 07/12/2021 - 12:09

                      @kickling: Yes i have already raised this with WW. Plan is to report this to the police next. I need to double check but i swore they managed to switch my reward choice from "bank for christmas" to "automatic savings". Not sure if this triggered automatically from 1 dec, but if not then it's a concerning sign.

                      • Grale on 07/12/2021 - 12:12

                        @Grale: Ok can confirm that reward choice was changed around the same time i got my sms verification

                  • kickling on 07/12/2021 - 12:07

                    @Grale: Also, would you be using a 3rd party card/barcode storage app?

                    If yes, might have been another way they can get your membership

                    • Grale on 07/12/2021 - 12:09

                      @kickling: Good point. I do use stocard so they might have accessed it that way…. Zzz

                    • Grale on 07/12/2021 - 12:11

                      @kickling: Just checked and it looks like that app is only usable from my device. Could be wrong though.

                      • King Tightarse on 07/12/2021 - 12:18

                        @Grale: Oh wait - rewards under a certain value become spendable on 1st of December
                        Neoika was explaining it the other day - there is a threshold below which I think there is no 2FA code after Dec 1 until Jan. It's all above in this thread.
                        What they need is another 'completely locked' option that does not self-mature and become spendable

                        • Grale on 07/12/2021 - 13:11

                          @King Tightarse: Hmm not sure about this. But i am pretty sure he switched out of bank for xmas prior to using it.

  • Ocker on 20/11/2021 - 20:07

    Just received a (genuine) email there has again been multiple attempts to hack my (new) Everyday Rewards account.

  • Grale on 07/12/2021 - 10:21
    Merged from Everyday Rewards Account Got Hacked

    Hi guys,
    Got an SMS this morning with a verification code from Everyday Rewards which seems odd since I was still in bed.
    Anyway, decided to log into the app to check and true enough, someone had used my rewards to purchase something.
    Has this happened to anyone and any idea how it happened?

      • Grale on 07/12/2021 - 10:32

        thanks! i tried looking for it but must have used the wrong search words!

    • avoidfullprice on 07/12/2021 - 10:45

      Has your email been compromised?

      Potentially the person has requested the verification code by email then add your rewards barcode onto their phone.

      Can you access the e-receipt see they have used your rewards dollar recently?

      • Grale on 07/12/2021 - 11:57

        Yep i can see what he purchased as i had signed up for ereceipts. What do we report this as to the police? Cyber crime?

        No details were changed and email activity (which has 2fa) looked fine. So I'm really curious as to how it happened.

    • Ocker on 07/12/2021 - 10:51

      This hack seems to be happening all too often.
      Might be time to get A Current Affair onto the case to alert the wider community

  • kickling on 08/12/2021 - 15:57

    Anyone know if you can use your dollars at WW in-store to buy gift cards?

    Would be one solution to hard-lock your rewards.

    • Neoika on 08/12/2021 - 16:15

      No. There is one way if you shop online often: redeem rewards for online shopping and then cancel the order. Credits code for online shopping will be issued for it. Valid for one year and can stack with other promo codes and eGCs.

      • kickling on 08/12/2021 - 18:44

        Ah yeah. Hard way to go about it but at least works.

        I guess I'll try use them up to pay for petrol

        • Neoika on 08/12/2021 - 18:46

          You may be able to convert credits code to Wish eGC by contact CS, but my last exp was early this year.

  • Niko123456 on 14/12/2021 - 15:24
    +1
    Merged from Someone used my Woolworths Rewards card..

    I just got a notification that someone used my Woolworths Rewards card (I got an electronic notification). They purchased some baby formula at a store in Qld (I live in Wollongong). They used my 10% off offer…

    Frankly, it's lucky I cleaned out my $210 of banked for Xmas Woolies dollars..

    So there you go, a new bloody scam to worry about…

    • MS Paint on 14/12/2021 - 15:30

      Been around for ages. Nothing new here. You can call them but they won't give a sh!t. They will just give you a coupon or $10 to STFU.

      • Niko123456 on 14/12/2021 - 15:43

        So what happens to the rewards number/barcode? It seems like a major hassle having to get that changed!

        Makes you wonder why the inbound and the outbound number are the same..

  • Niko123456 on 14/12/2021 - 15:42

    Wow, amazing how many people have exactly the same experience.

    Quite frankly, what's amazing is that there is obviously a very big flaw with Woolworths 2FA. Like others, I also got hit by a request for a 2FA code..

    So HOW exactly is the 2FA being bypassed?

    • No Username on 14/12/2021 - 15:46

      I think you can request 2FA code via SMS and Email.

      So either one of them is hacked or you have a RAT installed on the computer or mobile phone.

      • Niko123456 on 14/12/2021 - 15:48

        Can you hack SMS?

        I still think the more likely scenario is that the 2FA system has been compromised.

        • No Username on 14/12/2021 - 15:52

          You can either request a new sim of the user if they have enough information or the phone could be infected which allows the attacker to view whatever they want.

          • Choc0 on 14/12/2021 - 17:32

            @No Username: THat's a lot of effort to go to in order to get into someone's loyalty card that may or may not have a balance…

            • kickling on 14/12/2021 - 22:58

              @Choc0: There used to be a way that you can preview the balance or scrape the balance data. That was over a year ago though. And I hope they closed that loop

  • BlueSkyHarvest on 26/12/2021 - 21:56
    +2

    $100 stolen from my EDRewards account 26Dec21 17:44.

    The thief knew to spend $100. They knew my EDRewards number had $100 credit.

    At 17:12, I got a verification text message from Woolworths EveryDay Rewards AND an email advising my Rewards choice had been updated to 'money off shopping'.

    The e-receipt showed the thief was in Top Ryde Woolworths and used checkout POS 087 paying the small excess with a $20 note and received change.

    I rang the store within the hour and suggested they look for someone going through the checkouts on 20 minute rotation draining multiple EDRewards credits. The store will have video of them but the staff advised me that only the manager can access video and only uses it for large thefts. I feel that collectively this crime syndicate does represent a large theft and video should be used.

    How they were able to switch the Rewards choice when the verification code came to my phone is puzzling. Seems like a flaw in the system such that 2FA in reality is not required to unlock the Reward choice.

    I understand the thieves can use an on-line barcode generator for scanning an EDRewards number at the checkout. But who sells the information of which EDRewards numbers have credits and how much the credits are? Is this an inside job? Or has the EDRewards database been hacked?

    • King Tightarse on 27/12/2021 - 09:05
      +1

      "Seems like a flaw in the system such that 2FA in reality is not required to unlock the Reward choice."
      First let me say sorry, that really sucks if you carefully saved it up and somebody just came a long and took it. Some people are just amoral bastards.
      I have no idea how they are doing this but I do know that changing to "Money Off Shop" definitely requires another confirmation once logged in to the account, although it can be via password or emailed code if receiving a code by phone has already been used to log in in the first place.
      I really don't know how they are doing it, I would love to understand it and I really do hope that you get your money back.

    • bluesky on 27/12/2021 - 14:35
      +1

      You have taken all steps to alert and inform them as soon as you are aware. Do push for EDR to compensate you the amount. And I hope everyone who loses money this way will too. Wish you all the best in recovering this money. Unless they are bearing the loss, I doubt they will ever fix the vulnerabilities. From Google, this problem and its variations have dated quite a while back. And is still happening.

    • cheapasschips on 27/12/2021 - 22:01
      +1

      "@BlueSkyHarvest" let me know how you go with customer service, I'm in the same situation and will be raising a ticket first thing in the morning.

      $100 stolen 27 Dec 21 20:18.

      E-receipt shows this thief was at Store 1105 Baulkham Hills (not too far from Top Ryde) and used checkout POS 001 paying the excess with a $20 note and received change.

      Items also included a fair few baby products and treats…way to be a great parent/role model…

      • BlueSkyHarvest on 10/01/2022 - 15:31
        +2

        Was told by customer service on 27Jan I would be getting my $100 back.
        Replacement EDR card turned up today. No $100 refund yet.
        Rang today (15 min wait) to ask about the $100 refund.
        - told "still in process to be investigated. Being escalated with back end team. They will refund the $100 and I should expect a message about it in the next few days."

        Agree with bluesky; EDR need bear the loss as increased incentive to fix their 2FA vulnerability. Been going on for many months.

Login or Join to leave a comment
Login Join