Warning! Coles Prepaid MasterCard Compromised (Multiple) CHECK Your Cards NOW!

Hi OZBargainers,

I just found 3 of my Coles Prepaid MasterCards have been compromised (I have checked 26 cards in total, which were purchased earlier when there were promotions at Coles).
They have been compromised since 25/09/2021 and were used to purchase Google Play credits in USD on 28/09/2021 throughout the day, from 13:00 to 22:00 according to my records.

Here are the screenshots for transaction histories.
https://imgur.com/a/EhY9rYN


The first card had a Google auth transaction on 25/09, and then was used to purchase several Google Play credits for US $5, $10, $10 and $10 on 28/09.
The second card had no auth transaction but directly paid for US $5 Google Play credits on 28/09.
The third card was only used to do an auth transaction on 28/09, as it only had around $2 balance left at that time.


Probable Cause
From the discussion below, this huge compromise should be because of a brute force attack.
Merchants like Google/Amazon, and potentially many more, do not check the CVV on the cards.
All these Coles gift cards have the same name and specific expiry dates, e.g. 08/25, 06/26, 09/26.
The only thing the fraudster needs to guess is the 6 random digits, and once they get one right they'll just keep using it while there's still a balance on it.


Suggestions

  1. Do not stock these cards; only buy them when you're going to use them quickly after the purchase.
  2. If you still have a lot of balance, you can prepay your utility bills, convert to other types of cards, say Prepaid EFTPOS or buy other gift cards like Amazon and Prezzee Gift cards or other gift cards via ShopBack (this card is not accepted by CashRewards).

More than welcome for any other ideas and suggestions.
Thanks for reading!

Credit to:
@meowsers for bringing up the contact details.
@Eugklng, @cwongtech, @NoGiveJustTake for the explanation of this compromise.
@thekensai for providing updates.
And all other OzBargainers that spread this post, provide updates and make contributions here.


Update 1
A couple of OZBargainers have confirmed the same situation. So it’s nothing to do with how we used the card. This is a systematic issue.

Update 2
A friend of mine found an unused card got compromised as well. So no card is safe now. Make sure you check all your cards and spend them as soon as possible, and report immediately if you have losses.

Update 3
From @thekensai: Coles Financial Services is calling back and asking for account details to provide refund.


Comments

  • +5

    ShopBack or their payment service provider were compromised.

    Lol there's your first mistake, buying something through SB and not using it straight away

    • +2

      Not SB. I have linked many of these cards to SB and they are all not compromised. Some of them have been months before full depletion.

  • +9

    All hope is not lost. Have you called them?

    Also, google is very helpful with disputes and will often give you a full refund. In fact, I would start with google as they tend to credit back very quickly.
    You can still get a new card number issued and the refunds will roll over to the new card.

    https://support.google.com/googleplay/answer/2851610?hl=en

    If you suspect an unauthorised transaction,
    immediately report this by calling the Customer Contact
    Centre on 1300 095 072. We may be able to investigate
    a disputed transaction on your behalf. Please refer to
    “Enquiries and Complaints” below.

    If you have any enquiries or complaints in relation to
    your Gift Card, please contact the Customer Support
    Centre on 1300 095 072.

    We have the ability in certain circumstances to
    investigate disputed transactions which occur on your
    Gift Card and attempt to obtain a refund for you.

    In accordance with the Mastercard scheme rules, our
    ability to investigate a disputed transaction on your
    behalf is limited to the time frames imposed pursuant
    to those rules.

    The maximum timeframes vary between 75 days
    and 120 days from the time of the transaction so it is
    important that you notify us as soon as you become
    aware of a disputed transaction.

    • Thanks for your reply mate, I’ll check with both Coles Financial and Google.

    • -6

      Hi mate, do you know what’s the best way to contact google or google play? Thanks!

      • +11

        I put a link in the comment above? Just click it and submit your claim there.

        • +5

          Hi mate, can you link me to the link above when you can, thanks mate!

  • +4

    That's interesting, this morning I woke up and noticed one of my cards had a $1.xx Google authorisation on it. I used up the remaining balance on the card, but I've still got a stack more of unused ones sitting in my drawer :)

    The only places I used the card were at Coles, Bunnings and a BPoint payment.

    I'm confident my Linux desktop computer is secure. I didn't use it on my mobile. I can only assume that someone is systematically trying card numbers in Google, but wouldn't they require a CVC, or doesn't Google require that?

    • Thanks for your reply mate. Is that card also a Coles prepaid MasterCard? And you’d better use all your remaining cards.

      Did you link it to Shopback?

    • Lel just now one more card. Spend all your unused cards ASAP mate

      • Are they new cards or used cards that are compromised?

        I just checked and the card I used today at the shops has also been used on Google.

        • Used cards but at different places. Where about you used that card?

          • @george668: a cafe in richmond and auspost in north melb

            • -1

              @el8: How much did they use to pay Google? In my case they used whatever was left on the card, and one card even had a negative balance because of the conversion fee.

              • @george668: all i can see now is various 6.95 transactions. not sure if there is any conversion fees, as it has not shown yet.

                • @el8: They will after the transactions become confirmed, I think.
                  What are you going to do, mate? I think we can report this to Coles Financial and Google. Any other ideas?

                  • +1

                    @george668: tried calling coles financial but was closed - will call them on Monday.

                    i am unable to find google's phone number.

                    • @el8: Would it be worth reporting it to Mastercard Global Emergency Contacts?
                      Australia 1800-120-113

  • +3

    Do the Coles prepaid MasterCards have the same first X digits? Could be the reason for the compromise.

    • I assume every bank has the same first x digits? But maybe not like coles one that has first 9 digits the same.

      • +2

        First 8 digits are the same. The 9th indicates the denomination of $50, $100 or $250.

        Card security issue is the reason why the $250 one was not released till much later. They may wind back to no $250 card.

  • +3

    Whoa… one of my cards was compromised too, on the exact same date. Four payments of "Google Play g.co/helppay# USD 5.00" (about $30 AUD total including currency conversion fees). Looks like they kept making small purchases until the balance was too low. What the heck???
    Did anyone experience this on a card they've never used? This is definitely not cool.

    • Where have you used the card prior to these transactions? Are you in Vic like the others? Definitely worrying.

      • My friend in NSW with an unused card got compromised as well. So this is widely affected.

    • +2

      I've had this happen on 2 cba debit cards that were locked via the app and stored away in a safe. They never saw the light of day and were never used once.

      I didn't lose any money since they were disabled but I did get a notification about the attempted use.

      No card is safe just be vigilant.

      • Exactly the same situation happened to me last week but with my ANZ debit Visa. Looks like they are attacking Visa debit as opposed to credit.

  • +6

    Concerning. This post should be pinned to the top of the topic.

    • I hope a Mod can do this. They are not working on weekends right?

  • -1

    There must be some kind of security flaw for this to be happening.

    Shopback has definitely been compromised

    ShopBack: In September 2020, the cashback reward program ShopBack suffered a data breach. The incident exposed over 20 million unique email addresses along with names, phone numbers, country of residence and passwords stored as salted SHA-1 hashes. The data was provided to HIBP by dehashed.com.

    Compromised data: Email addresses, Geographic locations, Names, Passwords, Phone numbers

    quoted from https://haveibeenpwned.com/

    • +2

      Actually this is not related to ShopBack as new cards can be compromised as well.
      But yeah that ShopBack compromise long time ago is still a pain:(

      • if people haven't changed their security details, then any compromise could be relevant, no matter how old

        • Yes, but as per my post below, I don't use shopback and I have never entered these card details any where

          • +1

            @cwongtech: Card details can be guessed, and they use services that do microtransactions all the time, esp. to do card verifications. Low value cards are still targeted, by the multitudes of uninitiated actors that don't know what kinds of cards they are attacking. At the end of the day, there is terrible security around cards, and the losses and the overall dollar value of it are rising in line with the revenue being made by the various services and FInstos running it.

            All incidental though; no consumer/commercial operation like Shopback, Coles, Rewards, and so on, has real or proper Operational Security. Wherever possible, they rely on their providers to do regulatory compliance, and then on-claim that as security of their own. 'We use industry standard encryption to secure your data every move… ' Even though their stock in trade is the data they keep on you, they do not secure it like Google would, as Google investors have always been told this data is their core competitive advantage and that everyone will want it, one day. These dodgy consumer marketing companies are barely more than scams, and exist more to sell and share consumer data than to care how they secure it, no matter what they claim publicly. This is why the noise their PR firms make when there is a breach is directly proportional to the damage they are suffering.

            The old adage that 'the cheaper something is, or the more compelling a service becomes, the more that you will end up 'the product' in some way' (or many) has never had more importance. Troy over at haveIbeenpwned.com is a consultant at MS btw, so no prizes for where your data, that Scott harvests like a greedy government, is stored (though he is probably doing the right thing, it doesn't mean he/it won't be breached too)

  • I think this might be quite widespread, I hope all those Ozbargainers who bought the cards get to see this.
    Apart from utility bills and egift cards, not sure what to spend on. Is it okay to pay council rates in multiple transactions of $250/$100 instead of the specified installments?

    • i pay my rates/water using multiple giftcard payments. they are due very soon for me so i will be able to offload more. 0.5% CC surcharge

  • Thanks for the heads up. I just spent the last card I had, that's $18.70 of my hard earned money these scammers won't be getting. I just can't stand people who want something for nothing.

  • google has a form for reporting unauthorised transactions from google on your card https://payments.google.com/payments/unauthorizedtransaction… . might be worth a try

  • +5

    I might have missed it - but had you actually tried contacting Coles to investigate?

  • +6

    Oh Fk!
    I have one unused $250 card compromised.
    It's showing $ -0.57 right now. It was compromised yesterday evening! Fk me! Hope I saw this post earlier…

    • How can it go into negative? I'm guessing the last transaction should have been declined as not enough funds on the card?

      But thanks for the PSA OP. I have finished up all my prepaid cards months ago, and will probably give it a miss if it goes on sale again… risk looks high for the savings.

      • Forex fees

      • Coz conversion fee only appears the next day or when the purchase settles. It is actually a trick to avoid paying int'l trxn fee if you empty the card before it kicks in.

        • +2

          Ah thanks guys, didn't know this was a loophole! Reminds me of the loophole of getting to Sydney airport by train for cheap with a negative card balance but I think they've since closed it.

  • +9

    I have one $100 card also compromised and it was never used before. Almost $60 spent on it and I immediately spent the remaining balance on Amazon gift cards to invalidate the card while I've submitted to google for all the unauthorised transactions

    This has nothing to do with your computer being compromised, nor does it have anything to do with Shopback.

    It is because merchants like Google/Amazon, and potentially many more, do not check the CVV on the cards. All they need is the card no, name and expiry. All these gift cards have got the same name and same expiry, no guesses there. The only thing the fraudster needs to guess is the last 8 digits, and once they get one right they'll just keep using it while there's still a balance on it.

    I'm sure Google is able to see where all these Google credits are being directed to, but whether or not they'll be able to trace it back to the actual perpetrator is probably not so easy if they cover their tracks well. Google may ban that account but nothing is stopping the fraudsters from starting another one and doing this again.

    The only safeguard against this is to start using the CVV damn it! Yeah you google/amazon.

    • +2

      I've always wondered why some sites prompt for CVV and others don't and all work for shopping. So I was thinking right that it's a load of pointless bollocks (ultimately) when stuff like this can happen.

  • +4

    The fastest move by CFS may be to temporarily block the merchant Google.

  • this is similar to the attack on MasterCard by AusPost

    • Yes, I found one of my gift cards had unauthorised transactions before I received it in December last year.

  • +1

    Holy cow, I have multiple cards compromised..

    3 x $100s compromised

    Rest of my cards are not compromised.. yet

  • +2

    What's the best use of the uncompromised balance? Convert it to an Amazon gift card?

    • +3

      Prepay council rates
      Prepay utility bills (sydney water for example) so your account is in credit (not sure how much until they flag)

    • that's what I just did

      bought $250 worth of Amazon Gift cards and sent it back to myself.

      Amazon I will 100% spend

  • +1

    Just used all my cards to prepay my council rates. Just realised my council doesn’t have a surcharge on credit cards (other than Amex), otherwise would have paid them earlier this way. None of my cards have been compromised, but didn’t want to risk it. Thanks OP for the warning. Hope the rest of you guys get your money back without too much trouble.

    • +3

      That was exactly what I was about to say magwri! Just paid 2k off the rates bill.
      Thanks for the heads up OP, hope you can get your money back.

  • There is nothing to worry about. Clearly the merchant did not verify CVV before processing the transactions, which means they will have to pay it back in the event of a dispute.

    As to why google/amazon do not like CVV verification, my guess is they can either invalidate fraudulently purchased gift cards easily and/or they are too rich to bother abt these fraud losses.

  • had a compromise on a giftcard through https://giftcardstore.com.au/ details were only entered into cash rewards…had $1 auth that I was waiting to clear before buying a $50 giftcard…card was used a week later…

    Googled this company and looked like a lot of people are getting hacked too

    • I have (well, had) $250 giftcard from this mob too (related to universalgiftcard.com.au) given by my ex employer several months back.

      Few days ago, I wanted to check balance and found out balance = 0, and Status = Closed. I was so surprised.
      I went to the transaction history and found so many dodgy transactions from US, GB and BEL, even before the card was loaded up by my ex employer in March this year. I wasn't sure how it was even possible.
      Those transactions were marked Declined though but there was one transaction in June which says Reversal $250. No idea why.

      Contacted the company via their dispute form which they said they would come back within 3 business days but nothing so far.

      How did you end up resolving your issue?
      Anyone else had the same or similar problems with this company's gift card?

      • They attempted to take hundreds and also thousands. Mainly from the Philippines. Had a Canadian transaction too. Looks like they just reuse card details if they're able to do such hack…

        I didn't want to contact the company directly after googling their dodgy business; I didn't trust them handling my details. Also you need to lodge a dispute 1 transaction at a time and the form was a pain to complete. I went direct with the event provider to lodge the dispute but I don't see much success. It was for $30 as well, so it wasn't worth my time and risk.

        Sadly the event provider always use them and I attend most of their events. I don't see them changing companies but I guess I'll learn to lock the card immediately, and have a cart as close to the giftcard value to process it straight away. So far I have only been able to use it at Bunnings. Other hardware tool shops don't accept these type of giftcards.

  • I had couple of corporate gift cards compromised but the company was good to replace the cards.

    we pay extra money for the gift cards and they are doing nothing to protect us.
    Keep away

    • Which company was this?

  • +1

    "I read the T&Cs for Coles Prepaid Mastercards, and they are not responsible or provide refunds for unauthorized transactions"

    Just because they say that doesn't mean they're free to not help you dispute any transactions. Part of the Mastercard agreement which they must follow is they are responsible for helping you dispute transactions, if the transactions occurred on the Mastercard network which they clearly did. If they don't play ball, then threaten to take it to Mastercard or AFCA.

    • +11

      While it's all fun and games to kick the dead horse (yes.. shopback has had a bad reputation) I can 100% confirm this would not have been shopback's fault because I don't use shopback

      Furthermore, these aren't cards that have been taken out of their packet in Coles and skimmed.

      I checked EVERY SINGLE CARD I bought to make sure the GLUE marks are consistent with every other package and I can tell you with 100% certainty my cards were not physically tampered with.

      The only explanation that does make sense, which is as above, is brute force with a payment portal that doesn't require CVV to be entered.

      First 8 digits are the same (9th digit is a 4 or 5 depending whether 100 or 250 card), so that leaves 7 digits to be guessed.
      Expiry are the same with almost every card.
      CVV is not relevant as per above

      • +2

        Last digit is a check digit, so it would really only be 6 digits.

        It wouldn't be hard at all without CVV check. Just put the 9 digits into https://namso-gen.com/

      • +1

        is brute force with a payment portal that doesn't require CVV to be entered.

        I've just been reading through this thread and, as dodgy as I think Shopback is personally, this sounds like an old-school BIN attack which exploits security holes in the design of the product rather than an issue with a particular vendor.
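The mechanism described in the OP's "Probable Cause" and in the comments above (a BIN attack: fixed 8-digit prefix, shared name and expiry, a check digit, and merchants that accept a card number without CVV, so only a handful of digits are unknown) leaves a distinctive footprint on the issuer or acquirer side: one merchant submitting many different card numbers from the same BIN in a short time, mostly declined, with no CVV in the request. The Python below is an added illustration of that detection logic, not code from OzBargain, Coles Financial Services or any card processor. The log format, the merchant names, the BIN `12345678` and the PAN tokens are all constructed for the example; a real issuer would feed it from its authorization stream.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthRecord:
    ts: datetime
    merchant: str
    pan: str           # tokenised/masked PAN; only its 8-digit prefix is used as the BIN
    amount: float
    cvv_present: bool  # did the merchant send a CVV with the request?
    approved: bool


# One authorization attempt per line (constructed format, not any issuer's real log):
# <iso-timestamp> <merchant> <pan-token> <amount> cvv=yes|no APPROVED|DECLINED
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<merchant>\S+)\s+(?P<pan>\d{8}\S*)\s+(?P<amount>\d+(?:\.\d+)?)"
    r"\s+cvv=(?P<cvv>yes|no)\s+(?P<result>APPROVED|DECLINED)$"
)

# Constructed sample: MERCHANT_X walks through card numbers on BIN 12345678 with
# zero-value auths and no CVV, hits one live card (tok004) and then charges it;
# GROCER_Y is ordinary card-present traffic on the same BIN. Nothing here is real.
SAMPLE_LOG = """\
2021-09-28T13:00:05 MERCHANT_X 12345678tok001 0.00 cvv=no DECLINED
2021-09-28T13:00:41 MERCHANT_X 12345678tok002 0.00 cvv=no DECLINED
2021-09-28T13:01:10 MERCHANT_X 12345678tok003 0.00 cvv=no DECLINED
2021-09-28T13:01:55 MERCHANT_X 12345678tok004 0.00 cvv=no APPROVED
2021-09-28T13:02:30 MERCHANT_X 12345678tok005 0.00 cvv=no DECLINED
2021-09-28T13:03:02 MERCHANT_X 12345678tok006 0.00 cvv=no DECLINED
2021-09-28T13:03:47 MERCHANT_X 12345678tok004 5.00 cvv=no APPROVED
2021-09-28T13:04:20 MERCHANT_X 12345678tok007 0.00 cvv=no DECLINED
2021-09-28T13:10:00 GROCER_Y   12345678tok101 42.10 cvv=yes APPROVED
2021-09-28T13:12:00 GROCER_Y   12345678tok102 18.70 cvv=yes APPROVED
"""


def parse_line(line: str):
    """Parse one log line into an AuthRecord, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthRecord(
        ts=datetime.fromisoformat(m["ts"]),
        merchant=m["merchant"],
        pan=m["pan"],
        amount=float(m["amount"]),
        cvv_present=(m["cvv"] == "yes"),
        approved=(m["result"] == "APPROVED"),
    )


def parse_log(text: str):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def detect_bin_enumeration(records, window=timedelta(minutes=10),
                           min_distinct_pans=5, max_approval_rate=0.5):
    """Per (merchant, 8-digit BIN): flag the pair once a sliding window holds
    many distinct PANs, mostly declined, with the CVV absent from nearly all
    requests. Returns one alert per flagged pair, listing the PANs that were
    approved (the cards the enumeration actually found) so they can be blocked."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_key[(r.merchant, r.pan[:8])].append(r)

    alerts = []
    for (merchant, bin8), recs in by_key.items():
        recent = deque()
        suspicious = False
        for r in recs:
            recent.append(r)
            while r.ts - recent[0].ts > window:   # drop attempts outside the window
                recent.popleft()
            distinct = len({x.pan for x in recent})
            if distinct < min_distinct_pans:
                continue
            approval_rate = sum(x.approved for x in recent) / len(recent)
            no_cvv_rate = sum(not x.cvv_present for x in recent) / len(recent)
            if approval_rate <= max_approval_rate and no_cvv_rate >= 0.9:
                suspicious = True
        if suspicious:
            alerts.append({
                "merchant": merchant,
                "bin8": bin8,
                "distinct_pans": len({x.pan for x in recs}),
                "approved_pans": sorted({x.pan for x in recs if x.approved}),
                "first_seen": recs[0].ts,
                "last_seen": recs[-1].ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bin_enumeration(parse_log(SAMPLE_LOG)):
        print(alert)
```

The rule keys on the merchant/BIN pair rather than on an individual card because, as the thread notes, the victim cards are new or unused: per-card velocity never fires. Thresholds are deliberately low for the toy log; on real traffic they would be tuned per BIN, and the `approved_pans` list is the actionable output (cards to block or re-issue, and a merchant to challenge for the missing CVV).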

  • +4

    These prepaid credit cards get hit every now and then. So easy to blame Shopback, but it's not them.
    I think they have low security and therefore very easy for cybercriminals to just scan through them and empty the balances of any that are activated already.

    Source: received several of these prepaid credit cards as gifts from my company. Myself and other colleagues had cards emptied before we had even opened the packaging. And no, HR didn't somehow steal them from us - the prepaid credit card company confirmed they had been breached and emptied.

    Company switched to using Prezzee instead.

  • +2

    Compromise appears to be at the card operator level.

  • -5

    Haha bit of karma for hiding the cards in the freezer there lads.

  • +5

    The Australia Post Prepaid Mastercard has the option of freezing/unfreezing the card in the web portal. I take it Coles PP Mastercard doesn't have this option (considering that some users are now panic spending their remaining credit).

  • +4

    I've called Coles and am still on the call now while writing this. They need proof of purchase before they can start an investigation. I've got so many of them and it doesn't look like there's an easy way to link a card to a receipt. I mean why does it even matter? I've got the card, it's in my physical possession, why are they wanting proof of purchase just to start an investigation? Sounds like they're just trying to avoid the entire matter. Not happy!

    • Might be a good idea to provide them a link to this discussion

      • not sure how I can do that speaking over the phone. But I'm sure more ozbargainers will be calling them today for sure.

    • Bank statement will work? If you don't have the original receipt, the Coles store can help if it's linked to flybuys.

    • +4

      I've called Coles and am still on the call now while writing this. They need proof of purchase before they can start an investigation. I've got so many of them and it doesn't look like there's an easy way to link a card to a receipt. I mean why does it even matter? I've got the card, it's in my physical possession, why are they wanting proof of purchase just to start an investigation? Sounds like they're just trying to avoid the entire matter. Not happy!

      On call at the moment, I just let them know there are unauthorised transactions and also the Coles deal
      Let them know I don't have proof of purchase anymore (because I bought so many), though I could show them my Amex statement I suppose

      The lady that I spoke to said they will need to go through an investigation and give me a call back (fair enough)

      If I get any further updates, I will update here.

      • +5

        The guy I got is still putting me on hold now as I'm writing this. Asked for receipt or else no investigation. So I said I had them but good luck finding them because nothing on the receipt can be linked to that card.

        I even asked him, what if the gift card was a gift. He said to go contact the person that gave you this gift and ask them for the receipt. The absurdity of this is so damn high!

        Good that more people call about this

        • If there is no way to link the cards to the receipts couldn't somebody just upload their receipt here and everyone use that?

        • +2

          Of course there is a way to link the card to the receipt. The last 3 digits on the receipt (the "activation successful" part) are the last 3 digits of the barcode, which are the last 3 digits of your Card ID.

          Of course there are some receipts that have the same last 3 digits, but as long as you can match it, it is fine. I don't think Coles even cares to go into detail to check this.

    • +1

      They can find the transactions if you scanned your flybuys card when you purchased it. Might be tricky of you purchased a lot of them but I have done this before.

    • +1

      https://www.ozbargain.com.au/node/630293?page=7#comment-1060…

      The last 3 digits from the card should be on the receipt.

      • It is not the last 3 digits of the card number, it is the last 3 digits of the Card ID.

  • +2

    Thanks OP for making this post. I just checked my $50 Coles prepaid gift card and found 2 unauthorised payments, one to Google and the other to LiveLoo.
    Both made on the 30/09/2021. Anyone have any idea what LiveLoo is?

  • +3

    Basically this is giftcard brute force attacking.. It's wise to spend the giftcard asap

    Steps

    • Does this mean no giftcards are safe? What about other cards, JB Hifi, Woolworths, etc.?

      • +2

        Does this mean no giftcards are safe? What about other cards, JB Hifi, Woolworths, etc.?

        Woolies eGift does have a fraud team in place by the way (I know someone that works in that department)

        I also had one random $500 eGift that was depleted (I have bought many…) and raised the issue with Woolies (I had bought a huge heap before Woolies started removing all their eGift partners like CashRewards for the 5% off offer)

        Woolies team investigated and provided a replacement card around 1-2 business days later (need to be patient while they check things)

        JB hifi - I'm not sure.

        Advice for gift cards is only buy when you're about to spend to minimise risk

        Coles MC card was an exception as I knew I could use them for bills..

      • +5

        EFTPOS cards are safe as physical cards must be presented in most cases, but you may have "lost risk".

        • EFTPOS cards requires a PIN for transactions and it has to be used in Australia, so it is much safer in comparison.

          • @truetypezk: I did not say absolutely safe, coz there are some exceptions out there. TCN HIM/HER are restricted EFTPOS cards, but they can be converted to other cards on TCN websites (online spend).

  • For those not affected, the best way to use them up is to prepay bills. Other ways are some upcoming deals: Ultimate cards, the Woolies deal to be known from 5pm, or conversion to EFTPOS cards / similar ones like Westfield cards.

  • +2

    Just as a counterpoint to others - had a physical $100 Coles Mastercard gift card purchased from a Coles store months ago but just by coincidence used it up a couple of hours before reading this thread.

    Anyone have any idea if this is a Coles screw-up or whether the issue arises at a higher level? Or whether the issue is limited to Coles cards only? Wonder what company might be on the hook for these costs.

  • +2

    Thanks for the heads up. All good with my ones (physical).

    • +4

      Don't feel lucky, as they might be hit in the next few days/weeks. I would take action sooner rather than later.

      • Yeah I will, but I only have one left and less than $20 on that. So not that much money left to lose.

  • -3

    Thanks, you helped me justify an impulse purchase with a $400 JB voucher :)

  • +1

    for anyone trying to match cards to receipts:

    in the card's transaction history, the date of the 'value loaded' transaction shows what day it was purchased. narrows down receipts to a particular day.

    then a receipt lists each card as it is activated

    there is a line 502125 nnn where nnn is the last 3 digits of the login number (and also the last 3 digits of the number on the barcode of the card packaging )

    • Why do they even insist on the receipt in order to kick off any investigation? These are gift cards, they’re given and like there won’t be a receipt.

      • Because of another well-known problem with these gift cards: tampered gift card packages.

        There have been a lot of cases where someone takes the gift card packaging off the shelf, carefully removes the inactivated card from the packaging, inserts a used card into the packaging, seals up the gift card packaging and then puts it back on the shelf. The barcode on the back of the gift card packaging is linked to the inactivated gift card, so when someone else scans that barcode and pays for the gift card, they’ll activate the inactivated gift card in the hands of the person who tampered with the packaging.

        The receipt requirement is to make sure you (or the person who gifted the gift card to you) actually bought it, and that you’re not one of these people tampering with gift cards.

        • Fair enough but this current situation is completely different. This time the cards are legit just the transactions on them aren’t.
