Stolen Woolworths Reward Dollars from Account

Happened to notice, just by accident, that the Reward Dollars on my Woolworths Reward Dollars account was almost zero, whereas it should be $60 plus.

Logged into my account and saw that someone in WA (I am in Victoria) had redeemed $60.00 from my account balance a few weeks ago.

Weird part is that on checking the transaction the person bought $61.50 of groceries, redeemed $60.00 of my points and charged $1.50 to a Mastercard debit card.
Anomalies are (a) why would someone commit fraud and then charge to a debit card that can be traced (b) how did the person seemingly know the balance of my reward dollars so as to buy just enough goods to use them up and (c) to redeem points one needs a membership card to scan at the checkout.

Smacks of an inside job to me!

Contacted Woolworths by an online chat session, which took 35 minutes to be connected, which was better than a quoted 59 minutes for a person-on-person chat. Response was basically "OK we will look into the matter" - that was two weeks ago and heard nothing since.

Those with Woolies Reward accounts may be wise to keep tab on their account.


Mod Note: Thread was accidentally merged into the wrong thread, leading to comments being in the wrong order.

Related Stores

Everyday Rewards

Comments

    • Surely this time the cops and/or bank can actually do something. This is straight up theft and fraud. Real money, not 'points'. The bastards should at least be on camera. BTW what did they buy?

  • +2

    Yep I'm hoping they're on camera! The thing is, Everyday Pay never works at the Woolies I go to because you can't get decent phone reception in there but I thought I'd give it a go because they have a promotion where you get 5x points if you use Everyday Pay. But it didn't work this time either so didn't think much of it. I feel as though there must have been some kind of scanner on the eftpos machine or something that they were then able to use to pull my details? Similar to what they do on ATMs.

    It looked like a regular grocery haul. Cleaning products, fruit, soft drinks, ready made meals etc

  • +2

    My understanding is that the way ED Pay is implemented - scanning a QR code on the terminal with an app on your phone - there should be no data transfer from phone to terminal directly, only via servers. So there should be no way any scanner/skimmer attached to the POS would be able to steal any info. Also I don't think there is any Everyday Pay info in the ED website account that could be useful?

    Possible vectors of the attack then, I think, are:
    1. Malware in your phone. If it's not rooted android, chances are pretty low, though
    2. Credentials to ED account stolen, and app installed on another phone uses those credentials. Looks like there are 3 ways to login in ED - SMS, email confirmation, password - so additional vectors would be:
    2.1. Reused password
    2.2. Compromised email account
    2.3. Cloned SIM card (however I'm not sure that's possible in 2022 for low-level actors)
    3. Data stolen from ED data storage
    4. Internal unauthorised access by rogue employee

    If we are talking not about ED Pay, but ED rewards in general, then additionally
    5. Insufficient security controls allow some kind of automated brute-forcing. I remember several years ago either ED or Flybuys sent me an email with a link, which led to a page saying "Hello, <my first name>!…" and had the card number in the URL. I tried to change the number, and yes, every 10-20 consequential numbers I got someone's first name. Chances are there is somewhere the same kind of API endpoint that returns some data, maybe indirectly telling you the points balance, without authorisation and proper rate-limiting, and some smart students created a script to get data and then sell it for 10% of the balance in WeChat groups to some other students that either buy stupid shit or baby formula to send to China.

    If we do not take into account that last report about the ED Pay card being used, then it's most probably 5, maybe 4.

    Issue here is it's probably very low volume scam, so Woolies are better off by compensating stolen money and brushing off any allegations, as they are very easy to brush off.
    What you can do:
    1. Take care of your phone, do not install banking/money apps on a rooted android if you are not 200% sure what you are doing
    2.1. Check your ED and email credentials on haveibeenpwned.com
    2.2. Use the regular credentials hygiene - do not reuse passwords, use password manager etc
    3. Close ED account and open new one
    Not that it would help if it's 4 or 5.
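    A defensive counterpart to the unauthenticated, un-rate-limited lookup described in point 5 above: an added example (not from this thread, Woolworths or Everyday Rewards) that scans web access logs for a client stepping through neighbouring card numbers, which is what an authorisation gap plus missing rate limiting lets an enumeration script do. The endpoint path, parameter name, log format and sample traffic are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format (an assumption of this example):
#   <client_ip> <ISO-8601 time> "GET /lookup?card=<digits>" <HTTP status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "GET /lookup\?card=(?P<card>\d+)" (?P<status>\d{3})$'
)

# Constructed sample traffic. 203.0.113.7 walks through card numbers 11 apart
# in a few seconds; 198.51.100.5 looks up one card twice, as a member would.
SAMPLE_LOG = """\
203.0.113.7 2022-08-17T20:00:01 "GET /lookup?card=9355000000001000" 200
203.0.113.7 2022-08-17T20:00:03 "GET /lookup?card=9355000000001011" 404
203.0.113.7 2022-08-17T20:00:04 "GET /lookup?card=9355000000001022" 200
203.0.113.7 2022-08-17T20:00:06 "GET /lookup?card=9355000000001033" 404
203.0.113.7 2022-08-17T20:00:07 "GET /lookup?card=9355000000001044" 200
203.0.113.7 2022-08-17T20:00:09 "GET /lookup?card=9355000000001055" 404
203.0.113.7 2022-08-17T20:00:10 "GET /lookup?card=9355000000001066" 200
203.0.113.7 2022-08-17T20:00:12 "GET /lookup?card=9355000000001077" 404
198.51.100.5 2022-08-17T20:00:05 "GET /lookup?card=9355000000004242" 200
198.51.100.5 2022-08-17T20:11:30 "GET /lookup?card=9355000000004242" 200
"""


def parse_log(text):
    """Yield (ip, timestamp, card_number) for each line matching LOG_RE; skip junk."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m["ip"], datetime.fromisoformat(m["ts"]), int(m["card"])


def detect_enumeration(text, window=timedelta(minutes=5), min_distinct=5, max_gap=100):
    """Return one alert per client that, within any `window`, queried at least
    `min_distinct` different card numbers whose sorted neighbours all lie within
    `max_gap` of each other: the signature of stepping through identifiers.
    A member checking their own card never produces more than one distinct value."""
    by_ip = defaultdict(list)
    for ip, ts, card in parse_log(text):
        by_ip[ip].append((ts, card))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort by timestamp first
        best = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            cards = sorted({c for _, c in events[start:end + 1]})
            if len(cards) < min_distinct:
                continue
            gaps = [b - a for a, b in zip(cards, cards[1:])]
            if max(gaps) > max_gap:
                continue  # many lookups, but not neighbouring numbers
            if best is None or len(cards) > best["distinct_cards"]:
                best = {
                    "ip": ip,
                    "first": events[start][0].isoformat(),
                    "last": events[end][0].isoformat(),
                    "distinct_cards": len(cards),
                    "max_gap": max(gaps),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

    The same per-client counting is what a rate limit on the endpoint would key on; the detector only adds the "neighbouring numbers" test so that a busy but legitimate client is not flagged.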

  • every 10-20 consequential numbers I got someone's first name. Chances are there is somewhere same kind of API endpoint that returns some data, maybe indirectly telling you the points balance, without authorisation and proper rate-limiting

    How do you explain the fact these so called WeChat hackers are able to login to the account, and switch off Bank For Xmas? Refer to some of the earlier comments in this thread.

  • +1

    I've just realised that I've been bitten and I'd never heard of the issue, despite how long it appears this has been an issue. I'm in Melbourne and someone in Adelaide bought $20 worth of salad ingredients. I take it there is no point contacting Woolies? I was wondering why the $20 I had "earned" the week before was no longer available when I shopped on Saturday. I've changed my password to be safe.

    • +2

      Yes there is a point. People have been getting their points back eg.

      A short chat with the Woolworths online customer service team fixed the issue and I was emailed a $30 voucher to spend on a future order.

      Got the $50 back today. Pretty timely.

      Reported it on the 28th and they returned the dollars on Friday 6th May

      after some hassle and a change of card number Woolies rewards reimbursed that

      My wife had $80 taken too. Lucky Woolworths credited her account with the missing money

      These are just a few from the previous page.

      • Okay, excellent. Thanks very much. I will give it a go. It is pretty clear from my buying habits that it wasn't me that used them with the purchase location.

      • Just following up that I chatted online with Woolworths and it sounds like I'll get the credits restored eventually. A new card number has been issued.

        • +1

          If you do not ask you will not receive.

          • @Yola: Very true. Thanks

            • +1

              @shaneb: I shopped this morning and my stolen credits were available already, so I used them before they get pinched again.

  • My reward dollars were stolen as well!!! I signed up for an insurance policy with $100 cashback. The reward dollars landed on 07/08/2022, but they were used the next day from what it showed in the transaction history.

    • Bugger. Try and chat online to a real person on the woolworths site. I managed to get my credits returned quite quickly.

      • +1

        Thanks Mate. I will contact them tomorrow.

  • Today I tried to use my ED rewards dollars shopping at the supermarket, WA, it's gone, $250, I checked the activity in the app, I used my reward dollars at Caltex, WA for the first time $50 on Tuesday 16/08, then next day, Wednesday, 17/08, 3 transactions were redeemed in NSW (1 BigW and 1 return + 1 buy Woolies). Tried to contact ED reward support but they had already closed. I will call ED rewards team tomorrow.

    Return goods receipt

    1364 Beecroft PH: 02 9450 6727
    Cnr Hannah St and Beecroft Rd
    TAX INVOICE - ABN 88 000 014 675
    Description $
    Return Reason: Unwanted Goods
    Deli Leg Ham Shaved -5.25
    Return Reason: Unwanted Goods
    Kraft Singles Original 432g -6.30
    ^Kraft Singles Original 432g 7.00
    Deli Leg Ham Shaved 5.83
    2 Returned Item(s)
    ^Promotional Price
    2 SUBTOTAL $1.28

    TOTAL $1.28

    WOOLWORTHS 1364
    BEECROFT NSW
    MERCH ID:611000602001364
    Mastercard
    AID A0000000041010
    TVR 0000000001
    ARQC F5BA49D6B225DB33
    17/08/22 20:01 002477
    TERM ID: W1364010
    CARD:………….4949 T

    PURCHASE $1.28

    TOTAL $1.28

    APPROVED 00

    X-4949 $1.28
    Change $0.00

    Taxable Items

    TOTAL includes GST
    You saved $2.00
    62913640102477170822

    Thank

    Redeemed at Woolies

    1364 Beecroft PH: 02 9450 6727
    Cnr Hannah St and Beecroft Rd
    TAX INVOICE - ABN 88 000 014 675
    Description $
    ^Kraft Singles Original 432g 7.00
    Deli Leg Ham Shaved 5.83
    ^Promotional Price
    2 SUBTOTAL $12.83
    TOTAL $12.83

    REWARDS SAVINGS $10.00

    WOOLWORTHS 1364
    BEECROFT NSW
    MERCH ID:611000602001364
    Mastercard
    AID A0000000041010
    TVR 0000000001
    ARQC BA818F095C12605C
    17/08/22 20:09 001642
    TERM ID: W1364061
    CARD:………….4949 T

    PURCHASE $2.83

    TOTAL $2.83

    APPROVED 00

    X-4949 $2.83
    Change $0.00

    Taxable Items

    TOTAL includes GST

    You saved $12.00

    YOU JUST SAVED $10 THANKS TO EVERYDAY

    REWARDS!

    62913640611642170822
    Thank you for shopping with us
    POS 061 TRANS 1642 20:09 17/08/2022

    WOOLWORTHS GROUP LIMITED

    Redeemed at BigW

    www.bigw.com
    LIKE US ON FACEBOOK
    www.facebook.com/BIGW australia
    FOLLOW US ON INSTAGRAM
    @bigwaustralia
    101 BIG W Town Hall
    TAX INVOICE - ABN 88 000 014 675
    TAX INVOICE -
    Description $
    ^#182334 Apple AirPods Pro 329.00
    Serial/IMEI No: H1FHR5CL1059
    ^Promotional Price
    1 SUBTOTAL $329.00
    TOTAL $329.00

    REWARDS SAVINGS $240.00

    BIG W 0101
    SYDNEY NSW
    MERCH ID:611000602000101
    DEBIT MASTERCARD
    AID A0000000041010
    TVR 0000000001
    ARQC A2C2DDDDA717046B
    17/08/22 16:24 002916
    TERM ID: W0101004
    CARD:………….3656 T

    PURCHASE $89.00

    TOTAL $89.00

    APPROVED 00

    X-3656 $89.00
    Change $0.00

    Taxable Items

    TOTAL includes GST $29.91

    You saved $310.00

    Recycle your old toys today for a joyful future
    Every small change can make a big difference
    To find out more visit

    https://www.bigw.com.au/toys-for-joy

    YOU JUST SAVED $240 THANKS TO EVERYDAY

    REWARDS!

    Thank you for shopping at BIG W.
    If you change your mind, simply return the product
    within 90 days with a receipt
    and in its original condition.
    Exclusions apply.

    See bigw.com.au/returns for more details

    62901010042916170822
    POS 004 TRANS 2916 16:24 17/08/2022

    • +1

      Gee that is crap. Sorry to hear that. Hope it gets resolved for you quickly. They need to fix the issue urgently.

    • I have just called Everyday Rewards, she was very helpful. First thing she mentioned, my account is compromised, maybe my login credentials and my password, and she also mentioned their IT backend is functioning well and not compromised.

      But she will cancel the compromised card and will issue me a new card and she will get their back end to issue me the $250 credit to the new card, the credit will be back into my new account within 7 business working days.

      • +4

        This is the BS they have been telling for years. If you read this thread you will see many people proving that the problem is not with their account and often when all details are changed money is stolen again. If it's all your fault how come they are giving you the funds back?

        • +2

          Yes, agreed. From what I read it's possible to query barcodes to find accounts with available credit and then they just generate a barcode which they just scan at the checkout in store.

          • +2

            @shaneb: Yeah standard bs, at least at coles you need the physical flybuys card

            Just had $20 taken from Woolworths
            Woolworths is a pain, every time I want to log in I need to enter a code from mobile or email.


            At Everyday Rewards, we care about your privacy. We provide robust security measures to safeguard your information, and while we have no evidence to suggest that Woolworths' systems have been compromised or breached, it looks like your login details may have been compromised or stolen from another source by a fraudster. This fraudster appears to have then used those valid login details to access your Everyday Rewards account or benefits.

  • +2

    Okay something funny is going on here. I noticed my points had been stolen too, a couple of months ago.

    Originally completed a 4 week spend offer for 7000 points. Had to chase it up with Woolworths as it wasn't credited automatically, but they did it manually, all good. A few days later, got an Everyday Rewards notification on my phone for a purchase in a different state, points gone.
    Hadn't got around to contacting WW about my stolen points as I haven't been shopping there much lately and didn't want to fuss around with everything only to have them stolen again.
    So I'm now going through my transaction history and points activity on Everyday Rewards, and the transaction from interstate and the stolen points spent are nowhere to be found. Not only that, the credit of the 7000 bonus points as well as the original transactions I made to qualify for those points have also disappeared, although they still show up in my order history in my WW account???
    Is it just me or does it look like they're trying to be shady and hope I wouldn't notice that anything was missing?

  • -1

    geez….loyalty cards are even getting hacked/defrauded and they want to move us to a cashless society? secure my arse….

  • Anybody had e-mails saying that your account had been temporarily locked out due to too many incorrect logins? Haven't had this before. Not long after my credits were pinched and a new card re-issued.

    • +1

      Yes. Has happened to me a couple of times after my account was hacked.

      • Thanks. I'll keep an eye on it.

  • +2

    Same thing happened to me, pisses me right off, I got refund but not 100%, I will have to ring them again

  • Merged from [Scam Alert] Woolworths Rewards Scam

    Hi All,

    Almost a month back someone redeemed my Woolworths rewards dollars ($40 and $30) at two different Woolworths (Sunshine and Burwood in VIC). I called the service centre and they refunded my money and reissued a new card for the same account.

    I changed my rewards as Christmas bank so that no one can use them. But very recently I changed back to "immediate shopping option". But someone spent $80 and $50 at two different Woolworths stores in Tasmania. This time they used my new card number. I never shared my rewards number (both old and new one) with anybody. Customer service people forwarded my case to their IT team and they have not refunded this time (probably they will do in the future). I changed back to Christmas bank and they issued a new card number again.

    I changed my password both times, still this happened.

    Has anyone faced the same problem recently?

    • +1

      No.

      But I use Christmas bank and only switch back to "redeem" prior to making purchases, then switch it back to Christmas bank straight after

      • +2

        This scam has featured on the boards of OZB for over a year now

        • Yes - exactly why I use the Christmas banking toggle since I heard about it on ozb forums

    • +3

      Yes. I had $30 stolen and refunded. New card etc issued and adopted new difficult password. I have had my account temporarily suspended at least 5 times since due to multiple failed logins. Your ER details don’t seem at all secure, they’ll fob you off but definitely a weakness there.

    • Same thing happened to me just last week..
      Had $20 on mine and someone used it to buy something worth $20.80 (paid .80 by cash) in Queensland.

      I called ww a couple of days ago. They explained to me that the scammers generate rewards card numbers using an algorithm and target the ones that have some credit banked up on them.

      Anyways, they haven’t reimbursed my $20 but have since wiped that transaction off my transactions log. My boosters are gone, all existing promotions are gone…

    • +2

      Well known scam and far too easy to do, all they need is a card number and they can use the points.

      Woolworths would have to make using the card more difficult to prevent it (proof of identity or a PIN) so they seem to have no interest in doing so.

      Personally I've left my points going to qantas points until they fix it up. I know it's not the best reward but at least it's secure. This Christmas it's going to be a free-for-all on the credit on these cards.

    • Been happening for a few years now.

      Points being redeemed by other parties have been posted before on OZbargain.

    • +4

      Rewards should also implement pin like flybuys do.

      • But then people will complain they have to bring their physical card as it currently is with flybuys

        • Can't they do barcode and pin?

          • +3

            @kyle: Apparently not, otherwise they would have done it ages ago and this thread would be closed.

      • +1

        Agreed. Flybuys seems more secure and also convenient on some other fronts.
        Physical card needed - so security while shopping, for flybuy dollars on card
        Pin needed for shop - Card is literally like an EFTPOS

        Also other benefits like we don't necessarily have to use $10 in one go, can redeem partial amounts, can decide how much to leave as flybuy points / transfer to flybuy dollars, etc.

    • +6

      Always REDEEM them ASAP.

      • +3

        For those unaware, you can also redeem at WW branded Caltex if they are priced competitively in your area.

    • > Almost a month back someone redeemed my Woolworths rewards dollars ($40 and $30)

      and

      > …someone spent $80 and $50

      Slightly off topic, but how do you accrue $50 in reward points in "almost a month"? I'm by myself and spend about $200 each week at Woolies. Even with the boosters, etc, I'm lucky to even get $10/month in rewards! haha! It's barely worth the amount of time it takes to pull out my phone and navigate to the app each time!

      • +2

        I purchased $1900 of Ultimate gift cards recently to buy an iPhone. This added to my existing reward dollars..

        • +1

          ah, that makes sense!

    • Does this problem apply to gift cards stored in everyday pay too?

      • +1

        The platform might be compromised, so better not to use the Everyday Pay app. You can imagine, if so many people's Everyday Rewards dollars have been hacked or stolen, do you think they will take responsibility if your gift cards get stolen? I am saying that because they will not admit the problem we are facing; they are blaming our accounts for being compromised, not their platform. If they do not fix this loophole soon their entire system will be compromised. My suggestion: do not use their Everyday app and do not add any credit card, gift card or any payment method into their Everyday app.

    • As soon as I earn a $10 reward, I now make sure to spend it within a day or two.

      The scammers must be living the high life. Unlimited free groceries and petrol.

      • From consensus it is unlimited baby formula, not petrol

        • My scammer bought salad ingredients…

          • +2

            @shaneb: Hey, At least he’s being healthy and doing something good with your money.

            That’s some indirect good karma for you 👍🏻

    • +1

      Personally, I closed my everyday rewards account a few weeks ago, because there has been enough evidence floating around that I believe that they are actively being hacked and not aware of it.

      • +1

        I think they are afraid of the negative publicity. Look at Optus: the hack might eventually make them fail with all the payouts and lost customers

        • +1

          They must be aware of it, as there have been hundreds of people hacked on here alone and choose to compensate people than fix the system, which seems unbelievable. How much would it cost?

          • @Yola: If they copy Flybuys then they'll have to send every member in Australia a new swipe card. There's bound to be heaps of problems as people adjust to the new system.

  • Just saw a post from WookieMonster about not receiving a fuel voucher after spending over $30 at Woolies. Another issue they are not bothering to fix.

    I also only actually contacted Everyday Rewards to see whether they knew about the issue. They said they knew about the issue and credited me with a fuel voucher anyway.

  • I have noticed that they seem to have stopped including the points and saved dollars in the spammy emails. This is mildly annoying as it was the easiest way to keep an eye on the balance but I guess it means they are trying something.

    • Yes, I have noticed that as well.

    • But is not worth just downloading the app and keeping an eye on your savings through that ?

      • +1

        Yes that would work but I generally avoid shopping apps for privacy reasons

        • +1

          privacy reasons

          You are still being tracked (via analytics) when you interact with their eDMs spam.

    • Card number should be partially masked too.

  • The App shows "Money off Purchase" when "Save for Xmas" is selected as today. And the rewards can be used from 16 Nov instead of 1 Dec as shown in the App.

    • +1

      So they have brought forward the Christmas spend to Nov 16th. Let's see what kind of results happen this season

  • https://www.ozbargain.com.au/comment/11903853/redir

    soooooo. this account hasn't been hacked since for a while, my $10 remaining has been safe, I still get fortnightly on average password reset requests

    However, last week, my other account for the first time was hacked and the $$$ stolen at a VIC woolworths,

    Called up EDR, they went through the usual, "it's your fault, change your password" "it's your fault change your email"
    they offered to send out a new card with new numbers, I told them that I was waiting for a few promo bonus points to manually credit

    and they said "oh wait until those points have been credited and call us back, then we can transfer the transactions/credits etc to the new card"

    given that the promo was a month ago, and it's taking forever, going to be funny how long the time elapsed since the hack is going to be

    I think it will be put in the "too hard basket" and credit refunded

    • +1

      Nothing new, unless a PIN is required to redeem your points and they don't post the points and your full rewards number in your email.

    • +1

      Hopefully what's next is a much more secure system for using rewards points.

      • Don’t they already have SMS verification for login?

        • They don't need to log in. They just generate a valid barcode electronically, scan it at the register and the machine will ask if they want to use the rewards points.

          • -1

            @macfudd: so essentially using self checkout I could try 10 - 15 generated barcodes and no one would stop me and nothing would pop up telling staff I was trying to scam some freebies?

            • +1

              @wallet72: That's a brute force way but I suspect they either have a way into the woolworths rewards system that allows them to check balances without going into the store. Or back before 2FA was introduced a bunch of accounts were logged into and they made a list of people who let their balances accumulate.

      • +1

        Their Everyday Pay app actually provides an extra layer of authentication, where having just the reward barcodes won’t be enough to access the wallet. It will be nice if they use this in future to access the balance.

    • First time I've seen reports of anyone losing bank for Christmas balances…

      • they can first change it back to normal reward then can be spent.

        • 2fa required to change redemption…
          Maybe bank for Christmas is not a safe place to stockpile any more…

          • @randomusername2017:

            Maybe bank for Christmas is not a safe place to stockpile any more

            No, it never was. It has been mentioned many times in similar threads. Case in point.
            Whoever is doing this, they know the exact EDR balance, and change to normal spend without 2FA getting in the way.

      • It happened to my mum a few years back.

        It’s nothing new, it’s just happening a lot more now.

    • All this hacking is just getting out of hand!

      • -2

        It is how Putin is funding the war in the Ukraine.

    • +3

      Happened to my wife around this time last year. Someone used her christmas banked points (about $200 worth) to spend at a Woolworths about 20KMs away from us in another part of Sydney that we've never been to. After a bit of argy bargy on the chat she got a new card and the dollars back. 12 months on they haven't fixed their security.

    • Yes this has been happening for a while now

    • +4

      Hackers will probably start stealing 10% off Monthly shop from those who have it. Have to do my 10% off Monthly shop on the 1st of the Month to stop them.

    • +5

      Happened to me 2 years ago, the hackers actually stole the money when I was on the phone with Woolies support.

      Coles has a better system where you need the physical card swiped at the checkout.

      • Did Woolies support see that? Did they still say it's your fault?

        • When I was on the phone Support asked me if I just did a transaction in Box Hill in Victoria… I live in NSW.

          They cancelled the card, set up me with a new one and then credited all the points.
          I had been saving for Christmas so I had about $150.

          Nowadays, as soon as $10 appears I use it pretty much immediately.

          • @roguescholar: Surely, they know people are not doing this, yet the standard line is
            telling them to have strong passwords, including numbers, capital letters, and special characters etc. Basically gaslighting.

      • -2

        Coles has a better system where you need the physical card swiped at the checkout.

        ?
        Flybuys points are redeemed with just a barcode scan. Doesn't need a physical card.

        • +1

          You only have one membership with an additional financial service. People having multiples know it better than you.

          • @Neoika: Feel free to elaborate with more words, as I'm unsure what I'm missing in your response.

            Exactly what card is required to be swiped, as flybuys is purely barcode based

        • +4

          You only need a barcode to earn points.
          But you need a physical card and a pin to use points.

          • +2

            @zonra: Unless you have a Coles Financial Services product like @SBOB

            • +2

              @kerfuffle: Got ya.
              Perhaps when I had Coles home insurance or something

              I just scan the bar code on my phone and I'm sure I've redeemed the 2000pt offer multiple times, but perhaps not since we changed insurance.

              Wife's flybuys but I don't think she even knows the card has a pin number :/
              (Not a professional flybuys points accumulator :) )

              • +1

                @SBOB: whenever i redeem points in store i need to swipe it like a card and use a pin, I don't have the card linked to anything else, only used for points, no credit cards, the only points that can be redeemed from scanning is for promos like the kitchen shit

              • @SBOB: You set the PIN every time you redeem your points for dollars i.e. you can change it every time you redeem if you want

    • We lost all our points. What’s more the person paid using a combination of points redemption and their Mastercard. The fact that the Mastercard number is linked to the crime you would think woolies would pass on to the law enforcement but no they have not.

      • +1

        I wouldn't be surprised if they were using prepaid Mastercards.

        Also there should be CCTV of the thief using the checkouts.

        • +2

          Nothing will be done even if the thief redeemed the $EDR at a Woolies serve and had number plate captured.

    • I just use the $10 as they come up - however they could have a week or two to grab it if they were actively scanning for them.
