Warning! Coles Prepaid MasterCard Compromised (Multiple) CHECK Your Cards NOW!

Hi OZBargainers,

I just found 3 of my Coles Prepaid MasterCards have been compromised (I have checked 26 cards in total, which were purchased earlier when there were promotions at Coles).
They were compromised since 25/09/2021 and were used to purchase Google Play credits in USD on 28/09/2021 throughout the day, from 13:00 to 22:00 from my records.

Here are the screenshots for transaction histories.
https://imgur.com/a/EhY9rYN


The first card had a Google auth transaction on 25/09, and then was used to purchase several Google Play credits for US $5, $10, $10 and $10 on 28/09.
The second card had no auth transaction but directly paid for US $5 Google Play credits on 28/09.
The third card was only used to do an auth transaction on 28/09, as it only had around $2 balance left at that time.


Probable Cause
From the discussion below, this huge compromise is most likely because of a brute force attack.
Merchants like Google/Amazon, and potentially many more, do not check the CVV on the cards.
All these Coles gift cards have got the same name and specific expiry dates, e.g. 08/25, 06/26, 09/26.
The only thing the fraudster needs to guess is the 6 random digits, and once they get one right they'll just keep using it while there's still a balance on it.


Suggestions

  1. Do not stock these cards; only buy them when you are going to use them quickly after the purchase.
  2. If you still have a lot of balance, you can prepay your utility bills, convert to other types of cards, say Prepaid EFTPOS or buy other gift cards like Amazon and Prezzee Gift cards or other gift cards via ShopBack (this card is not accepted by CashRewards).

More than welcome for any other ideas and suggestions.
Thanks for reading!

Credit to:
@meowsers for bringing up the contact details.
@Eugklng, @cwongtech, @NoGiveJustTake for the explanation of this compromise.
@thekensai for providing updates.
And all other OzBargainers that spread this post, provide updates and make contributions here.


Update 1
A couple of OZBargainers have confirmed the same situation. So it’s nothing to do with how we used the card. This is a systematic issue.

Update 2
A friend of mine found an unused card got compromised as well. So no card is safe now. Make sure you check all your cards and spend them as soon as possible, and report immediately if you have losses.

Update 3
From @thekensai: Coles Financial Services is calling back and asking for account details to provide refund.
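The "Probable Cause" section above (and a later comment about the balance-check page that can be hammered without timing out) describes the issuer-side gaps that let guessed card details succeed. As an added example that is not code from Coles, Indue, InComm or any processor, here is a small simulation of the controls the thread asks for: decline CVV-less authorisations, lock a card after a run of failed attempts, and throttle balance lookups per source address. The thresholds, card numbers, CVVs and IP address are constructed sample values.

```python
"""Issuer-side controls against guessed prepaid-card details (added example)."""
from collections import defaultdict, deque

FAILED_AUTH_LIMIT = 3     # assumed policy: lock the card after 3 failed attempts
LOOKUP_WINDOW_SECS = 60   # assumed policy: balance lookups counted per minute...
LOOKUP_LIMIT = 5          # ...and at most 5 per source address in that window


class IssuerPolicy:
    def __init__(self, cards):
        # cards: {pan: {"cvv", "expiry", "balance"}} (constructed sample data)
        self.cards = cards
        self.failures = defaultdict(int)
        self.locked = set()
        self.lookups = defaultdict(deque)  # source ip -> recent lookup times

    def is_locked(self, pan):
        return pan in self.locked

    def authorise(self, pan, cvv, amount):
        """Decide one authorisation request; only 'APPROVED' moves money."""
        card = self.cards.get(pan)
        if card is None or pan in self.locked:
            return "DECLINED"            # unknown or frozen card: say nothing more
        if cvv is None:
            return "DECLINED_NO_CVV"     # never approve a request that skipped the CVV
        if cvv != card["cvv"]:
            self.failures[pan] += 1
            if self.failures[pan] >= FAILED_AUTH_LIMIT:
                self.locked.add(pan)     # guessing run: freeze until the owner calls in
            return "DECLINED"            # same generic code as an unknown card
        if amount > card["balance"]:
            return "DECLINED_INSUFFICIENT"
        card["balance"] -= amount
        self.failures[pan] = 0           # a genuine use resets the failure counter
        return "APPROVED"

    def balance_check(self, ip, now, pan, expiry, cvv):
        """Throttled lookup so the web page cannot serve as a guessing oracle."""
        q = self.lookups[ip]
        while q and now - q[0] > LOOKUP_WINDOW_SECS:
            q.popleft()                  # drop lookups that fell out of the window
        if len(q) >= LOOKUP_LIMIT:
            return "RATE_LIMITED"
        q.append(now)
        card = self.cards.get(pan)
        if card is None or pan in self.locked or (expiry, cvv) != (card["expiry"], card["cvv"]):
            return "NOT_FOUND"           # one answer for wrong CVV, wrong expiry, unknown card
        return card["balance"]


def sample_cards():
    """Constructed sample cards sharing one expiry, as the thread describes."""
    return {"5555000000001111": {"cvv": "123", "expiry": "08/25", "balance": 50.0},
            "5555000000002222": {"cvv": "456", "expiry": "08/25", "balance": 2.0}}
```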

Comments

  • +1

    If they had an online block/unblock feature when you log in, I would be buying these cards again. Too much of a hassle to do it over the phone whenever I need to use them and then block them again. I'm pretty sure I remember another gift card having this feature, think it was only1 gift cards

  • +1

    Just received the following crap from Coles:

    “Thank you for contacting Coles Prepaid Cards regarding the use of your Coles Gift MasterCard.

    We are sorry to hear that transactions have occurred on your card without your authorization.

    Unfortunately, we are unable to cancel a transaction that has already been authorized on your card. As per the Coles Gift MasterCard Conditions of Use, we are not responsible for any unauthorised or fraudulent transactions which may occur. These conditions are accepted upon purchasing and/or receiving a Coles Gift MasterCard. Therefore we cannot refund the value of any such transactions.

    For more information regarding this, please refer to page 7 of the Coles Gift MasterCard Conditions of Use, which we have attached for your convenience.

    In the case that you would like to dispute an unauthorised or fraudulent transaction, you will need to contact the merchant directly for further assistance. If you require further information regarding the transaction you may contact our Customer Support Centre on 1300 095 072 within the operating hours indicated below. Due to privacy and security protocol we are unable to discuss account specific information via email.

    The Customer Support Centre operates Monday to Friday, 8.00am to 8.00pm AEST and Saturday, 8.00am to 1.00pm. The Customer Support Centre does not operate on National Public Holidays or Sundays”

    Phone service is hopeless, as always.

    Time for joint media/afca action?

    • That is so terrible. I am sorry for you. Seems like they may have decided not to cover the loss which they have done up to now.

    • +1

      You should contact ACA, ABC and any other news service that will listen. Coles can get f-ed, they are actively promoting a product that they know can be easily hacked. Refunding some people and not others.
      They deserve negative publicity
      Perhaps tell them first in case they 'change their mind' in your case

    • +1

      I would recommend you start the lodging of a formal complaint with AFCA against Coles and Indue.

  • It seems strange that they are treating your case differently from all other unauthorised transactions that they refunded.
    Are your unauthorised transactions the same as others', i.e. Google Pay in US$‽

    • +1

      No, one is an unauthorised Australian parachute company, the other one is some Filipino billing company

      • +1

        I've had two transactions for the parachute company totalling $210. Rang the parachute company and they said they've had several calls about this and to dispute it through the banks. Which would be fine if it was a normal credit card and I could do a charge back. I rang Indue and was fed the same bull crap about there's nothing they can do. I even said there's a precedent for refunds but the dude said that was a different scenario. Guess he means the Google pay guys. So where to from here? Report to AFCA? Shame them on social media?

        • How did they use the card with an Australian business providing a service and most likely asking for CVV number? The business would have details of the customer and should be able to stop the transaction unless they have already provided the service/goods.

        • +3

          Just rang the parachute company as well. Was told they've checked and confirmed there's nothing they could do. The parachute company asked us to go back to Coles.

          Another day, another round of the pacman game.

          • +1

            @rainex: Unfortunately the parachute company really can't do anything in the circumstances; it needs to be reversed by the card issuer.

            And they have definitely had this information reinforced by their merchant services provider, as this payment is related to fraud, not a simple refund.

            @randompunter: yeah I would say it's time to escalate to AFCA.

            • @Kyle-K: Good luck and I hope that anyone else that cannot get a refund does the same to improve the chances it will be properly investigated.

      • +1

        Maybe you should look online to see if anyone is selling brand new parachutes.

      • How'd you go? Did Coles end up refunding? I just checked one of my cards and have similar transactions - parachute and Filipino billing…

      • I wonder what they buy from the parachute company?

      • I got the exact same unauthorised transactions on my card. One for a parachute company in Sydney and another for a Philippines billing company.

        I got the same response from Coles denying any responsibility.

        They are definitely in breach of Australian Consumer Law, specifically fitness for purpose of services or products sold. The Australian Consumer Law is legislation and should override any terms and conditions in the fine print.

        If you are in NSW, I suggest we make a complaint to NSW fair trading. They’ll put the company on a register if they receive more than 10 complaints in a month.

        https://www.fairtrading.nsw.gov.au/help-centre/online-tools/…

  • Called up, they said they were going to issue a refund, then changed it and said they can't refund my type of transaction - a video service rental from the US or Canada and to go through the provider…..

  • +5

    Given that a large number of customers still can't get their refund from Coles, here is a template for anyone who wishes to follow up with Coles. Feel free to change/adapt it, as it is clearly context-specific, but hopefully this can make the whole miserable experience slightly easier to navigate:

    "Thank you for your reply.

    I am writing to request a refund for the fraudulent transactions (please see attached transaction record). These transactions are unauthorised and are attributable to the systematic breach of the security of Coles Gift MasterCard.

    Second, Page 8 of the Coles Gift MasterCard Conditions of Use states that "In accordance with the Mastercard scheme rules, our ability to investigate a disputed transaction on your behalf is limited to the time frames imposed pursuant to those rules. The maximum timeframes vary between 75 days and 120 days from the time of the transaction so it is important that you notify us as soon as you become aware of a disputed transaction".

    Given that the time of the unauthorized transactions falls within the aforementioned timeframe, I am formally disputing the transactions as listed in the original attachment and requesting a full refund for these transactions.

    It is my hope that this issue can be resolved in an amicable manner. Please be advised that I demand the refund to be issued within seven (7) days of the date of this email. If the refund is not received within ten (10) days, I reserve the right to take further action to recover the money without further notice to you. I will also have to resort to media and social media as after creating the inconvenience and loss to your customers due to the compromised card, now Coles and Indue are currently running a new round of promotion on the same cards, demonstrating a deliberate and complete lack of due diligence or care for your customers.

    Yours sincerely"

    • +2

      It may be a little late for you, but I would suggest you (or others) also point out that you are aware of some people receiving refunds after disputing transactions. This means there is a precedent of the Coles Gift Mastercard team issuing refunds within the last month or two to some customers who were hit with unauthorised transactions, so it is interesting (for lack of a better word) that the Coles Gift Mastercard team seem to have an inconsistent approach to handling disputed transactions.

      That may add a little extra weight to your template… or you could save that point for if/when you or others start taking further action!

  • +3

    For anyone else that's fed up, it might be time to escalate to AFCA, and at this point I would strongly recommend that users consider lodging a complaint with the ACCC; there are definitely multiple breaches of consumer protections going on with this product.

  • +1

    I was just digging around for the terms and conditions of the Vanilla Visa gift card for an unrelated post, and I noticed Heritage Bank (the card issuer) published this notice on their website dated 05 October about disputing transactions. It seems as though the Coles Gift Mastercard is not the only Australian prepaid Visa/Mastercard gift card to be hit with fraudulent transactions lately…

    To be fair, I would question the security of that card, as you have to provide the card number, expiry date and the CVV2 value to be able to check your balance on their website!!!

    • +2

      They really need to block all transactions that don't pass through CVV, or else this will keep happening. Visa/MC should have got their shit right by not allowing merchants to process payments without CVV.

      • +1

        Requiring a CVC or CVV to process a Visa/MC transaction would cause a lot of problems for some MOTO transactions, but I think the increased security of always requiring a CVC/CVV outweighs the inconvenience of dropping support for some MOTO transactions (or forcing payment processors to update systems to accommodate a CVC/CVV).

        I mean, Mastercard recently announced they’re no longer requiring Mastercards to have a magstripe by 2024, and are completely dropping support for magstripes by 2033, so they are certainly capable of making bold decisions that shake up the payments industry. (Arguably, that decision has much bigger implications than always requiring a CVC or CVV before a payment can be authorised.)

        Maybe it’s time to lobby Mastercard to get their act together?

        • +1

          There is NO problem for MOTO, in fact you can input CVV into eftpos machine. There is NO excuse why CVV should not be used.

          Coles Financial, Indue, Heritage Bank don't need to rely on MC/Visa; they can just decline all payments without CVV.

  • +5

    Happy update: I received a call from Indue at 6pm last night saying they had processed a refund. I had emailed them on the 26th of October at the Coles prepaid card email address requesting this refund with photos of the card and a screenshot of the parachute company transactions. In the email I mentioned I was aware of many other customers who had compromised cards. I included my bank account details and they have apparently used that for the refund. I didn't mention AFCA and kept the tone of the email civil. Not sure I'd bother with these cards again, but if I did I'd convert them to Wish cards or similar straight away.

    • +1

      If another promo of 10% off, are you sure you won't bother?

  • So I've just checked all my Coles Mastercards after seeing this discussion.

    It is amazingly fortunate that none of the cards have been affected by this scam. Surely grateful… I haven't bought them for over a year, so our batches are older ones and that might just be the reason we are safe…

    Since Indue Ltd has already upgraded their measures on the parachute or Google Play scam, I might just keep steady on all cards now and will slowly get rid of them in the couple of months ahead. However, I definitely will not buy them again, at least for some time, even with a promotion.

    • +1

      I had cards bought in June 2020 and June 2021 that were hacked. There is no extra security or any difference no matter when you bought them

    • They'll just find another place to spend them unless they change it to require CVV.

    • I purchased some in the last 10% off offer and used many in the next couple of days. The rest I have locked by calling them, and have since unlocked and used some again. While I would rather be able to do this online, the process was quite painless.

    • Waiting to use any gift card is a bad idea even if there is no security issue.

      At the end of the day it is prepaid credit in someone else's control. It can’t be converted to cash in most cases. What if the issuer or store went out of business?

      Then there’s the risk of forgetting about the cards and losing them or being expired. Use prepaid credit ASAP. If you don’t intend to in the short term, it’s better to not buy them even for a discount IMO.

      • +2

        You may be correct about many GC and I would add that with some of the swap-type cards the company you are interested in may stop being part of that program. However, I do not think Coles will go out of business. I like to have them on hand to use for the SB GC deals as I do not want to give them my CC details. I keep track of them and keep them safe.

        • +2

          Fair enough. I use Revolut disposable virtual cards for that purpose now.

  • Have any others continued to experience issues with these cards? Have Indue/Coles Financial Services/MasterCard provided a solution to the problem?

    • +2

      Refunded the affected amount, there are refunds issued by Google and the cards that have been refunded to me have been "restricted" by Coles Financial Services

      No loss incurred to me, just a little inconvenient

      Good outcome, and I thank the OP of this post for alerting me

      • Did they also refund the money back onto the card as well as your bank account? Then restrict the cards?

        • +1

          CFS refunded the affected amount only to my bank account
          For the cards that were fully stolen, Coles Financial Services refunded the purchase amount I paid for the cards.

          Google appears to have issued refunds to the cards much later, so it's fair that CFS will keep those funds (and restrict the cards)

  • Hi all,
    TL;DR Happy New Year all, the system is still compromised - brand new sealed $50 Coles MC already has a charge on it.

    Received a brand new sealed "A Gift to Shop Everywhere!" branded card from Coles on Christmas Day, purchased and activated by my friend on the 8th of December (2022) and I have attempted to use it today, only to receive an insufficient balance reply from the merchant.

    I checked the balance at colesmastercardbalance.com.au which redirects to mybalancenow.com and saw a pending $25 transaction for TikTok dated 2 Jan 23 aka yesterday.

    The FAQ on mybalancenow says in case of unauthorised use to ring 0756606022, which after 20 minutes hold and a repeating queue announcement in an American voice, connected me to a nice American bloke.

    He said the transaction will "fall off" in 7 days and the balance will return to $50 (value of the card). He did keep stating I had made 11 failed attempts with TikTok and I reiterated several times I haven't done anything since even at the time of writing this, the card had only been unsealed from its packet for under two hours.

    Anyway, we will see in 7 days but I'm still lodging complaints with ACCC and OFO since if we don't, this kind of thing will not be addressed.

    I'm not sure how the cards are getting compromised. Before the guy said that there had been multiple attempts at use I suspected that they are using the balance check site to verify generated card details, since they know the expiry and a lot of the number. The site doesn't time out, it can just be hammered until a successful balance retrieval confirms the generated details.

    Stupid system either way. Serial number/pin combo is safer since this never divulges a working number and CVV.

    • Thanks for letting us know.

    • +1

      He said the transaction will "fall off" in 7 days and the balance will return to $50 (value of the card).

      They need to wait until it either goes through (then go through dispute process) or let the pending auth charge drop

      Either way, I recommend trying to reach InComm via [email protected]

      Another thread (that I made) here for Coles MC June 2022 promo
      https://www.ozbargain.com.au/node/724029

      • Thanks for that email address and the extra info in the other discussion, cwongtech.
        I am now in the InComm dispute process, so we'll see where it goes. It was a toss-up between that or calling Heritage.

        Far from the transaction "falling off", several more appeared and now the card is practically exhausted with me never using it.

        These Coles Visa and Mastercards are a highly flawed product ☹️

        • +1

          No worries

          I got replacement cards eventually

          Given the higher failure/compromised rate for me this time, I'm really hesitant on stocking up for future promos, will probably just get enough to prepay utilities for a year or so

    • Bought a bunch this week but haven't checked them yet! Thanks for the update, I have to be more diligent with not letting the cards sit there

    • I'd suggest spending the remaining $25 ASAP

      • +2

        After the report, the card is blocked and cannot be accessed online or used by anyone. It seems the compromised card that has no spend by the true owner gets solved much more quickly, as it does not involve the calculation for legit (or not) spend. This experience is based on one card dispute (solved in 3 weeks) when comparing with others.
