Stolen Woolworths Reward Dollars from Account

Happened to notice, just by accident, that the Reward Dollars on my Woolworths Reward Dollars account was almost zero, whereas it should be $60 plus.

Logged into my account and saw that someone in WA (I am in Victoria) had redeemed $60.00 from my account balance a few weeks ago.

Weird part is that on checking the transaction the person bought $61.50 of groceries, redeemed $60.00 of my points and charged $1.50 to a Mastercard debit card.
Anomalies are (a) why would someone commit fraud and then charge to a debit card that can be traced (b) how did the person seemingly know the balance of my reward dollars so as to buy just enough goods to use them up and (c) to redeem points one needs a membership card to scan at the checkout.

Smacks of an inside job to me!

Contacted Woolworths by an online chat session, which took 35 minutes to be connected, which was better than a quoted 59 minutes for a person-on-person chat. Response was basically "OK we will look into the matter" - that was two weeks ago and heard nothing since.

Those with Woolies Reward accounts may be wise to keep tabs on their account.


Mod Note: Thread was accidentally merged into the wrong thread, leading to comments being in the wrong order.


Comments

      • Here is what the Top Ryde thief bought:

        1339 Top Ryde PH: 02 9308 7343
        Cnr Devlin Street and Blaxland Road
        TAX INVOICE - ABN 88 000 014 675

        Description $
        The Cooks Cuts Beef Cheek $9.30
        Tomato Gourmet 1.197 kg NET @ $9.90/kg $11.85
        Peach White Flesh 1.162 kg NET @ $4.50/kg $5.23
        Cucumber Lebanese 0.727 kg NET @ $3.90/kg $2.84
        Grape Red Seedless 1.030 kg NET @ $9.90/kg $10.20
        Woolworths Free Range Eggs 700G 12Pk Qty 3 @ $4.50 each $13.50
        ^#Blackmores Fish oil 1000mg 200 Amb $14.80
        ^Appletiser Juice Sparklng Apple 750ml $3.15
        D/F Thick & Creamy Vanilla 4 X 110g Qty 2 @ $4.00 each $8.00
        ^#Coca Cola Cans 30x375ml 24.15
        Potato Brushed 2Kg $5.50
        ^Promotional Price
        14 SUBTOTAL $108.52
        ROUNDING -$0.02
        TOTAL $108.50
        REWARDS SAVINGS $100.00
        Cash $20.00
        Change $11.50

        Taxable Items

        TOTAL includes GST $3.54

        You saved $121.05
        YOU JUST SAVED $100 THANKS TO EVERYDAY REWARDS!

        Thank you for shopping with us
        POS 087 TRANS 225 17:44 26/12/2021
        WOOLWORTHS GROUP LIMITED

        • You saved $121.05

          Sucks to lose your EDR - but look at the savings!!

        • My $50 was stolen @ Top Ryde as well for A2 baby formula.

      • Got my $100 back 18Jan22 from theft 26Dec21 17:44, reported next day.
        Rang 10-Jan-22 to remind EDR staff - told "being escalated".

      • My $60 was spent in February 2022 on baby formula and a flat sheet :(

  • +2

    I had $40 stolen from my account last night, at Blackburn North (VIC) woolies (I am in TAS). I got a message at about 5:20 with a login code (which I didn't see at the time) and at 5:41 they went through the checkout (They just purchased fruit and Yakult Fermented Milk Drink)

    I've raised a ticket with the online team who will investigate.

    What I find interesting is that the password I use(d) for EDR is only used for that site. The guy on the phone was adamant they would have accessed my emails to get in, but I have 2FA on with Google and didn't get any login attempts; there are also no unknown devices/IPs in my login history.

    • +1

      Does your receipt say self serve or cashier?

      I do wonder if you can get by any security by going through a cashier service lane, as the operator asks you if you want to redeem your dollars. This is what happens at WW petrol.

    • they would have accessed my emails to get in but I have 2FA

      Best to setup 3FA.

  • +2

    Argh, I’ve been done as well.

    Got a verification code unsolicited. Logged into account and $110 gone. They’ve bought baby formula and used a gift card for remaining $1.50. Interstate. Done after hours so can’t contact them til tmrw.

    What’s the point of 2FA?

    Is there an email address to contact? Don’t have time to sit in chat or on phone for ages tomorrow. Can’t find one on website.

    • What’s the point of 2FA?

      I have set my redemption preference to Bank for Xmas as a workaround.
      If these bastards can bypass EDR's dodgy 2FA implementation, I guess there is no point anymore.

      In any case, it does smell like an inside job.

      • +1

        just a note of caution, my setting was set to "Bank for Xmas" and they managed to switch it even with 2FA enabled.

        • Were you compensated the amount that was stolen from your EDR card?

          • @DoctorCalculon: oops! missed this.
            I eventually got it back but it was pretty stressful and I had to keep following up to get any traction.

    • They’ve bought baby formula

      I wonder who would be buying that ???

      • Now I know why Daigou shop sells baby formula much cheaper than supermarket or pharmacy.

    • I don't think they are bypassing the 2FA. From what I've gathered if you've banked your reward $ they aren't spending it, and they would need to bypass the 2FA to access the setting to change it. However they always seem to be spending the right amount to use it up so they must be able to see the balance.

      I reckon it's a loophole in another of their brands app/website, BWS or Big W maybe, that is showing the balance without needing to complete the login process.

      • If you mean they are not bypassing 2FA in the sense that the 2FA doesn't work properly therefore there is no 2FA to actually bypass, then I'd say that's correct.

        • Yeh, it's a half assed 2FA.

    • Did you guys have any outcome of that? I just got done for $160 and they also purchased baby formulas and baby wipes.

      • Also I live in Canberra and shopping was done at Kellyville NSW

        • Kellyville, Baulkham Hills, and Top Ryde
          - these three are all in the same vicinity of Sydney
          - nice to match up the three self checkout face recordings
          - and look for number plate recognition matches on car park exit in the hour after the 3 checkouts

          • @BlueSkyHarvest: Also near Woolies head office in Bella Vista in the case of Kellyville and Baulkham Hills

  • Here are news articles from last year with similar stories to folks here:

    https://au.news.yahoo.com/disturbing-warning-for-woolworths-…
    https://au.news.yahoo.com/woolworths-shoppers-lose-hundreds-…

    Response from Woolworths:

    "We've found no evidence to suggest our IT systems have been breached or compromised in any way," the spokesperson continued.

    "This indicates fraudsters have likely obtained these members' login credentials and account details from online scams or other sources."

    I am just finding that hard to believe.

    • +1

      They are too confident in their system. I doubt very much that fraudsters have obtained passwords etc.
      They have some or other technique to discover the balance, get in and change to 'money off shop' and then generate the Woolies card and spend it.
      So many people are reporting the same thing: receiving an unsolicited notification that their settings were changed.
      There is some kind of loophole or technique and Woolies IT staff are missing it.

      • +3

        There is some kind of loophole or technique and Woolies IT staff are missing it

        Possibly a former Woolies IT staff member who would know about such things.

      • +1

        Yeah, my card only got hacked after I recently purchased Apple gift cards and had $210 something on it; the card always has $10-$20 on it and never got hacked. So something is definitely not right. I feel like it's an inside job with someone who has access to card numbers and balances.

        • +4

          I feel like it’s inside job with someone who has access to card numbers and balance.

          Woolies is claiming complete ignorance, and blaming users for having their accounts hacked.

          Furthermore, there are no preventative measures that you can take other than to spend your dollars as fast as you can before you get hacked.

          • +1

            @DoctorCalculon: Did anyone actually end up getting their money back on the card? As long as I get mine back I really wouldn't care too much and would just spend it as soon as I can.
            Reading the above posts, it looks like they can bypass the Christmas spending option or other forms of 2FA as well, so the system is definitely compromised.

            • +3

              @RobotWizard: Got my $100 back. Took 3 weeks (included early January holidays). I also did a reminder phone call after a couple of weeks.

  • +1

    They can use a bar code generator on their phone to scan your number at the checkout.
    They know how much to spend.
    They can override the 2FA, but it generates an SMS to your phone, then promptly an email comes advising that you have unlocked your "Bank for Xmas".
    Numbers with their balance are likely sold on the dark web with the 2FA override method included.
    Maybe there is a dark web hackers' collective who share the EDR vulnerability.
    A common purchase is baby formula - ?orphans in the making?

    • +1

      A common purchase is baby formula - ?orphans in the making?

      That is the pattern I am seeing in almost all of the comments here.
      Most likely a daigou syndicate operating in cahoots with an EDR employee.

  • My wife just realised that someone cleared out over $1000 from her EDR and bought some Chinese Baijiu.

    Hate to think that some Dude is enjoying the Baijiu during the Lunar new year while reading the post and laughing at us.

    • +1

      Wow why would you keep $1000 worth of points in EDR? I'd be redeeming it as part of my normal grocery shopping as they're not doing anything sitting in your account (unless you were banking points for a big redemption).

      • From a savvy person's perspective, it is not wise to bank EDRs. However, some people have to do it like this because they will be tempted to spend the $1000 cash in their bank on something unnecessary. It took me a few years to understand this behaviour.

        • +1

          My wife and I run two EDR accounts. Her account had a high amount in there for a while because our flybuys was being hammered with better deals, so we never got a chance to actually go shop at WW. That's one reason why someone might have a high balance at any point in time.

  • +1

    I also got done at Kellyville like Robotwizard. All $170 taken from my account with the few dollars balance being paid by cash. Receipt was mostly nappies, baby food, formula. Nothing on it would match any of my receipts with my regular shopping. Plus I live in Vic.

    Contacted EDR today via the online chat - entered "account compromised" to the digital assistant, then as soon as I was connected with a real person, they said "May I kindly ask are you referring to the following transaction? 14/01/2022 Kellyville 172.05"

    So I didn't even have to say anything…the support rep had clearly seen it straight away in my account and knew that's why I was contacting them…..interesting eh….I wonder if it's the same people who got Robotwizard (and possibly others?). The support rep then issued me a new EDR card no and said "an investigation will be raised to have the $170 credited back".

    One thing that I never noticed before until this mess is just how stupid their 2FA implementation is. I never regularly log in to my EDR account as I use the app but when I logged in to reset my password after discovering the dollars were gone, I realised you don't need the 2FA to log in at all. Just user/pw. 2FA is for changing stuff once you're in. By contrast, for Woolworths itself, the 2FA is needed to actually log in. On another note - why don't they make WW and EDR all one system with one set of accounts, using the same auth methods etc?

    • +1

      I realised you don't need the 2FA to log in at all

      It is genuinely hilarious how inconsistent their login system is.
      On the web, they just give you the option to log in either via an SMS code or a password. So, no 2FA there.

      On another note - why don't they make WW and EDR all one system with one set of accounts

      The former is a merchant / partner (who just happens to own EDR), and the latter is a rewards platform.
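The pattern the comments above describe (an unsolicited login code, a redemption-preference change minutes later, then an interstate checkout that uses up the whole balance, with the remainder paid by card or cash) can be written down as a detection rule that a loyalty operator could run over its own event stream. This is an added example, not code from the thread or from Woolworths/EDR; the event schema, member IDs, home states, timings and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event log (not real data): member M1 matches the reported
# pattern, member M2 is an ordinary partial redemption in the home state.


@dataclass
class Event:
    when: datetime
    member: str
    kind: str            # "login_code", "pref_change" or "redemption"
    state: str = ""      # store state, set for redemptions only
    amount: float = 0.0  # reward dollars redeemed at the checkout
    balance: float = 0.0  # reward-dollar balance just before the redemption


# Assumed member home states (constructed).
MEMBER_HOME = {"M1": "TAS", "M2": "VIC"}

EVENTS = [
    Event(datetime(2022, 1, 14, 17, 20), "M1", "login_code"),
    Event(datetime(2022, 1, 14, 17, 22), "M1", "pref_change"),
    Event(datetime(2022, 1, 14, 17, 41), "M1", "redemption", "VIC", 40.0, 40.0),
    Event(datetime(2022, 1, 15, 10, 5), "M2", "redemption", "VIC", 10.0, 63.2),
]

# How far back to look for account-control events before a redemption.
WINDOW = timedelta(minutes=60)
# A redemption that consumes this share of the balance counts as "drained".
DRAIN_RATIO = 0.95


def assess(events, home):
    """Return a list of (redemption_event, reasons) for every redemption that
    shows at least two of: interstate store, balance drained, preceded within
    WINDOW by a login code or a redemption-preference change."""
    by_member = {}
    for e in sorted(events, key=lambda e: e.when):
        by_member.setdefault(e.member, []).append(e)

    alerts = []
    for member, evs in by_member.items():
        for i, e in enumerate(evs):
            if e.kind != "redemption":
                continue
            reasons = []
            if e.state and e.state != home.get(member):
                reasons.append("interstate")
            if e.balance > 0 and e.amount >= DRAIN_RATIO * e.balance:
                reasons.append("balance_drained")
            recent = {
                p.kind
                for p in evs[:i]
                if e.when - p.when <= WINDOW
                and p.kind in ("login_code", "pref_change")
            }
            if recent:
                reasons.append("preceded_by:" + ",".join(sorted(recent)))
            # Require two independent signals so a single interstate trip
            # or a single full redemption at home does not page anyone.
            if len(reasons) >= 2:
                alerts.append((e, reasons))
    return alerts


if __name__ == "__main__":
    for ev, why in assess(EVENTS, MEMBER_HOME):
        print(ev.member, ev.when.isoformat(), ev.state, ev.amount, why)
```

A real deployment would also hold the redemption for manual review rather than only alerting, since the thread shows the money is gone within about twenty minutes of the login code arriving.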

  • It's not the first time "thread merging" has led to utterly confusing flow of comments. STOP DOING IT!

  • +1

    I've never even thought about letting my rewards go over $10; when the cashier asks me if I want to redeem, I redeem straight away. If I want to save up for something I put extra on my house loan redraw, so it works for me.

  • Just received the usual "here is the verification code for your login" on my phone when I wasn't accessing it,

    followed by a "thanks for changing your shopping to dollars off preference" email.

    I already had mine set to dollars off preference anyway, so I logged in and changed it to bank for Christmas so they wouldn't be able to use it.

    Called up Woolworths; they're going to raise an incident report and send me a new card.

    Scary thing is, the fact that the verification code was sent means that someone had successfully entered my password correctly.

    • But nothing stolen because you acted quickly?

      Imagine this happening on a weekend when you cannot call customer support to lock your account, or on hold for over an hour.

      • Well, that's the idea!

        Waiting to hear back from IT to see what they can tell me

        • Well, that's the idea!

          Just to confirm you were able to thwart the attempt by acting quickly and switching to Bank For Xmas, right?

          • +2

            @DoctorCalculon: They said they couldn't see any attempts in my account.
            But I was able to change it back to Bank for Xmas while I was on hold to them.

            I imagined that the thieves were probably at a woolworths, logged in, changed it to cash off, and were planning to use it straight away.
            The time from receiving the original msg to me changing was probably 3 mins

  • My $85 gone. Chatswood NSW shopping location.

  • +1

    Just got my money back yesterday (no notification or email whatsoever), randomly just went to the rewards app and it's already gone AGAIN, this time it's been used in Hilton SA and the remainder $1 paid from card.

    Go Woolworths Security

    • and it’s already gone AGAIN

      😲

    • +1

      Jebus christ! How has this nonsense not been picked up by the news..

      EDIT ahh it has, but no updates I could see during my seconds of thorough research.

      • +1

        Sad thing is they're still convinced that it's my email address that's hacked and nothing from their end. My email has 2FA and even if it got hacked I would have a lot bigger problems to worry about than my ER rewards smh.
        I ended up changing my email address, let's see what happens now. As soon as I get the money refunded this time I am going to spend it straight away.

        Edit: copied from reddit, except I have opted for digital receipts so not sure how they got their hands on my card number

        I used to work as a supervisor for a Woolies store; on quieter evenings we would key the rewards applications into the computer, which had the temporary card number on it. From memory they were sequential, or at least all our leaflets definitely started with the same 7 digits. And they print the last 4 digits along with your points balance on the receipt, so it wouldn't be too hard to fill in the blanks if someone got their hands on your receipt.

        • +1

          From what I can see, if you attempt to log into ED using your email and password, it bypasses the need for 2FA.
          I got done once a few weeks ago, had the card replaced and my account got locked 3 days ago for multiple attempts to log in.

          It looks like you have 3 ways to login via a combination of your email and:
          - code emailed to you
          - code SMS-ed to you
          - just your password

  • +1

    ^ I'm disappointed, I thought this would be a Pam thread.

  • Well, I got done today

    QV Big W

    $40 gone

    They bought cosmetics

    Will be contacting ww tomorrow

    Only realised when I got a notification of an e-receipt.

    • Called today
      They said will start investigation

      Checked this evening, $$$ back in the account and Transaction gone!

      • +1

        That's good! Maybe because you caught on quickly. I'm still waiting for mine. Best to spend the $40 ASAP.

        • +1

          Well just checked my account

          The $40 original stolen transaction has popped back on, so my balance is back to $0

          Looks like I'll have to call them again

          • +1

            @Samsungnote10: Damn! If you had spent the $40 RD when you got it back, I wonder if they would put your balance into negative.

            • @DoctorCalculon: man, I'm not having a good day.

              I called yesterday and they said it's still ongoing and no updates…

              Just then I got a transaction notification of a withdrawal of $200 at BIG W,

              so I'm on the phone to them again to hopefully sort it out.

              • +1

                @Samsungnote10:

                Just then I got a transaction notification of a withdrawal of $200 at BIG W

                Now this is getting outrageous! EDR should rebrand as Steal My Rewards (SMR).

                Was the transaction in a completely different state to where you live?

                • +1

                  @DoctorCalculon: the first transaction was in the same state, but I've never been there.

                  Today's one is at one I have been to before, but I've never used the card there.

                  So much hassle. I've lodged another incident.

  • +1

    I got done last week at Springvale, live nowhere close to it. Only noticed this week when I went to use the rewards. Purchase was mostly paid for by the rewards, then a gift card and cash. Called the team and they're launching an investigation that will take 3-6 weeks. Fun times.

    • Update, I've received the money back but there's already been 3 attempts to login to my account: Once on the day of the top up so much so my account was temporarily locked, two attempts yesterday to change my password. I'm not sure what else I can do.

      • +1

        i used mine up as soon as I got it returned.

      • Shop, cancel, convert

        How can I be refunded?
        Purchase refunds are often received via Credit Card, Woolworths Gift Card, or a Store Credit. Each refund type will depend on the payment method of the item.
        Credit Card purchases are either refunded back to the same Credit Card that made the purchase, or a Woolworths Gift Card is generated for the refund amount.
        Store credits are refunded back as a store credit. In some circumstances, store credits may be refunded as a Woolworths Gift card for purchases over $5.00.

  • +2

    Since I first started this thread about 5 months ago the number of posts of theft is staggering.
    The cases outlined on OzB are likely only the tip of the iceberg, so it is strange how the issue seems to be flying under the radar of the public at large.
    Moreover, not a peep from Woolies on the matter.

    • Nothing has changed since I got my points stolen 3 years ago

      • Nothing will change until Woolies IT get their sh*t together, and take a page out of FlyBuys' security model.

        • There's things I like about WW Rewards and things I like about Flybuys… but this is a pretty serious security issue. Surely there are enough cases now to warrant some remedial action.

  • I just had a random transaction come up in my app. $4.45 cash spent on bread, L&P and a WW bag in NSW. I'm in WA.

    I can only imagine the person has entered their number incorrectly into an app like Stocard. I've had $30 credit sitting on it for ages, until just this morning, a few hours before this random transaction.

    It's pretty poor that if they had spent more than $10, and I still had credit on it, they would have been able to redeem it.

    • Unless you've opted in for digital receipts, they could get a receipt which has your Woolworths dollar balance on it. I'd switch to 'Bank for Xmas' ASAP.

      • they could get a receipt which has your Woolworth dollar balance on it

        Neither receipts show the dollar balance.

        I'd switch to 'Bank for xmas' asap

        Please read the comments above. Bank for Xmas offers zero protection.

        The entire issue is how piss poor EDR's 2FA implementation is, and how easily it is being bypassed by these scammers / hackers.

      • I have digital receipts enabled; that's how I knew it happened. I imagine if they were dodgy, they would have spent more than $10, or tried another card number when they saw mine had no credit. How does that work in store btw, can you just scan another card to override a previously scanned one, call an attendant, or would you need to move to a different register and hope the attendant doesn't notice?

  • I am on board now, with $30 rewards toasted. I have been with this card for 9 years, thousands of rewards dollars redeemed, never had an issue. Only happened after a gift card purchase yesterday, the Eftpos deal - x10 points. Highly doubt it was taken from internal.

  • Lost $220 to some transaction in Victoria Harbour, Melbourne… a transaction for $267 carried out and the rest paid with a Mastercard. Never been to that store.

  • Just lost $30 used in a WW in NZ!! Needless to say I haven't been to NZ.

    • +1

      Didn't even know you could use Woolworths Rewards dollars in New Zealand

      • My bad. It is in WA. I Googled the wrong suburb.

  • Wow, I'm not having much luck with this at all!

    https://www.ozbargain.com.au/comment/11881735/redir

    I just got another notification that the credit that was applied on Friday for the original missing $$ has now been stolen, at a Woolworths in my state but one I've never been to.

    So in 3 weeks it's my 3rd stolen case; I've had the card replaced 3 times, and the last replacement card hasn't even arrived yet!
    I've changed my password, and even my email password at their request; today's transaction is the stealing of the previously replaced $$$!

    Surely it's some sort of hacking and not someone walking around with forged cards.

    • This must be an inside job.

      Have you changed your email?

      That may tell you something new…

      • I'll have to change that too!

        • Give it a shot. It might be the key they are using to access your new member number each time.

          • @kickling: Well, after changing my email 3 times, inc. a new email,

            I got another password request today.
            But no credit applied today.

            My redeem method is still Bank for Christmas, so let's see what happens now.

            Will they try and change it to redeem off shopping

    • +1

      It sounds like an 'inside job' to me…

  • +1

    How long does it take for points to automatically convert to dollars (I have that option set)? I want to spend mine before they're stolen, but I've already been waiting half an hour and the app still says "Hang tight. Your points are being processed."

    Edit: found the answer

    • Good finding!

  • +1

    https://www.ozbargain.com.au/comment/11903853/redir

    Another update

    I got a password reset request on this account just then

    Logged in and checked, to find that the 2nd missing $300 has been credited today.
    So it's as though someone knows when there are credits being applied and is checking.
    I'm also still missing the first stolen credits, that were re-stolen after being credited.

    Getting quite comical

    • I got a password reset request on this account just then

      Did this happen even after you changed your EDR account email address?

      Or, you haven't gotten around to it?

      • +1

        Yes, this is the new email address I created a few weeks ago just for the EDR account!

        • Are you sure no one is accessing your emails? Or accessing your computer?

          I notice that changing rewards claiming (eg change to/from Christmas banking) requires a code be sent to you by email.

          • @kickling: No one is accessing my laptop physically. If it's some gun hacker then maybe

            Email is a new one and also changed passwords a few weeks ago

            I also have another account with $$ on it which so far has had no security issues

            • @Samsungnote10: Does your new email have similarity to your old?

              • @kickling: Yes it actually is semi similar!

                • @Samsungnote10: See, I wonder if they are guessing your email again.

                  Not sure about how they are getting around passwords, but somehow they are getting your member number/ barcode by using your email..

                  • @kickling: Might change it to completely new and different one for kicks

                    • +1

                      @Samsungnote10: Yup - make it totally different, then wait and see…

                    • +1

                      @Samsungnote10: Don't forget to configure 2FA on your new email account.

                      • @DoctorCalculon: Well got 2 password requests today spread a few hours apart.

                        However there was no credits applied today.

                        I've still got my settings to "save until Christmas "

                        • @Samsungnote10: So it looks like login needs email or member number to try.

                          They issued you with new member number right?

                          • @kickling: Yes, a few times now.
                            The latest card hasn't even arrived in the mail yet.

                            Obviously it's some kind of security issue and not someone swiping/skimming my card.

                            Is there a solution?

                            • +1

                              @Samsungnote10: What they need to do is booby trap your card so that the POS stops the transaction and calls for the attendant haha.

                              Either someone is intercepting your emails or it is an inside job.
