A Woolworths Rewards card was hacked, points used at a servo

My Woolies Rewards card was hacked today and the points worth $100 were used at a servo in NSW in a single transaction (from my activity statement, I can't say if it was only fuel or some other purchases too, though it's irrelevant). Usually I don't accumulate $$ in my Rewards card but I had received these recently as a promo bonus from a Woolies Insurance deal and I was yet to use them.

This is the first time I have experienced anything like this - upon Google and OzBargain forums search, I found a few posts about such events/ experiences from the past. I would like to know if this has happened to any OzBargainer recently.

It's still beyond my understanding as to how can one know the $$ balance in a Reward card so randomly. I understand that stealing barcodes or numbers from various sources isn't impossible but stealing the cards based on the exact balance on them isn't possible without access to a systematic database (which only employees would have access to or probably not even them). Leaked username and password of the Rewards account could be a possibility but I suspect it's something beyond it because so many people losing their Rewards account's login details every year doesn't sound very realistic. I will appreciate if someone can share info if they have faced such an event in the recent past.

Be careful with your Rewards cards, folks! It doesn't seem to be a rare crime.

Update: EDR customer care weren't even surprised to know about this when I reported this. They tackled it as if it's normal. I doubt if they are putting any effort to stop this either unless they are working on some better technology behind the scene.

Related Stores

Everyday Rewards
Everyday Rewards

Comments

  • +3

    An interesting recent article

    I have never heard of gridware until 30 seconds ago. But anyway….

    • +2

      A vulnerability exists in an app functionality that allows anyone to enter a random card number and find a card’s point balance. After entering the number in a rewards card app, the barcode can be produced, which can then be scanned at Woolies checkouts to claim a discount.

      Interesting.. I don't understand this part. Which app functionality are they referring to and if it's true, wouldn't Woolworths know about it?

      • As I said I don't know the source but the article mentions ozbargain so it has to be legit IMHO.

        And the author seems qualified…

        An emerging thought leader in cybersecurity

    • Make your passwords stronger by including numbers and special characters like ILOVE2ReadB00ks! and 2beornot2B?

      It's very rare for someone to brute force your password. As long as it's different and at not password you should be fine

      • +2

        They don't need passwords, all they need is your everyday number/barcode, scan it at checkout and click redeem on points

  • +1

    I thought only mydeal got leaked , not woolies rewards ?

    ohh, found it .. https://au.news.yahoo.com/woolworths-shuts-down-hacking-clai…

      • You assume they actually care. They have known about this issue for a long time.

    • +1

      "Red tape and bureaucracy often get in the way of developers writing good, secure code," he explained. "It's a huge industry-wide problem."

      This is the key problem.

  • +4

    Call woolies and explain the situation they will give you the points back, it’s bad because woolies refuse to accept there terrible IT system is to blame and after a year of this going on they have not introduced 2FA… which would solve all of this!

    • Agree. It's hard to introduce 2FA for scanning a card though.. I can't think of an easy workflow since the scan has to be quick at the point of checkout otherwise it will create another problem all together if a 2FA method took more time. Even Flybuys don't have 2FA but surprisingly this hack issue seems to be far more common with Rewards compared to Flybuys.

      • +1

        Flybuys do it just fine. Take your points turn to $ and set a pin and when you set a pin it sends a message with a pin, wollies is being very lazy here

        • +4

          Flybuys also require you to have the physical card though unlike Woolies.

      • +2

        Two ways that are not complicated

        • EDR can ask for a PIN on the screen before redemption.

        • Redemption instore is only allowed via Everyday Pay.

  • +2

    Someone used my points last Saturday, at Ampol in another state. I rang EDR and they reinstated my voucher and issued a new card.

    • Mine was used to an Ampol too.. Interestingly, they used my $100 EDR balance and also paid using their credit card (or maybe another stolen Rewards card) since the total expense was a tad above $100. Unfortunately, unlike a transaction in Woolies or BigW, you can't see the receipt of Ampol transactions within Rewards app so it's hard to know if they made that additional small payment through their own credit card - it will be stupid for them to do so if they did as it can easily reveal their identity if Woolworths investigated the case.

      • +2

        Ampol is not a EDR redemption location. It must be a Woolworths owned or EG location.

      • There are no Woolworths-owned Petrol stations, and Ampol-owned locations (Ampol Foodary and Ampol Woolworths MetroGo) are not EDR redemption locations as they use different Fujitsu POS as opposed to the POS that EG locations use.

        I suspect it would've likely been an EG/Ampol co-branded location owned by EG, although some may still have the Woolworths branding on the shop (but are being phased out by EG), so you may want to chase up EG if that's the case.

        • EDR customer support also confirmed that my points/ balance were used at a petrol station which would accept EDR card - I am not sure what branding the petrol station has but it would be one of those which are partly owned by Woolies.

      • +2

        it will be stupid for them to do so if they did as it can easily reveal their identity if Woolworths investigated the case.

        You assuming that they are using credit cards under their own ID.
        Even if they did, WW is so f#$%ing lazy, nothing will be done about it.

        • +1

          I had my rewards dollars compromised too, the scammers paid for the deficit using cash.

  • +2

    This scam is getting quite common now..
    I’d recommend everyone to change their redemption settings to either - Savings for Christmas or Convert to Qantas Points.

    • +1

      Savings for Christmas

      This won't necessarily protect you, especially for the month of December.
      Folks have reported lost EDR $ as those nasty hackers were able to bypass this with ease.

      • Well, atleast the user’s rewards dollars would be safe until December.
        Also, I don’t think the scammers have yet been able to ‘bypass’ alternate redemption preferences yet.

    • or just use them as soon as you get them

  • I had a weird one few years ago, I completed my shop and got $20 in Rewards dollars, the person who used the same self check out right after me redeemed it and I had no idea until I checked why my points didn't come through. I could see the receipt on my account, luckily live chat credited it back to me easily but they couldn't explain that one.

  • +1

    the whole system is insecure. they should have a pin for redeeming points at the checkout.

    i scanned some groceries and my card at a woolworths checkout. i had a $10 reward balance. then i decided i wanted something else, so i asked the checkout attendant to clear all the items off the machine. she did so, but my card was still left active on the machine. someone else immediately comes along to the machine i just used and their purchase appeared on my card activity. luckily for me they did not notice the $10 balance or they could have spent that.

    • Similar thing happened to me – the next person's transaction appeared in my account. Support couldn't explain it either.

    • luckily for me they did not notice the $10 balance or they could have spent that.

      Haha! This happened to me as well. I ended up getting all the points from this random person.
      A week or so later, all my favourites got mixed up. :(

  • There's several ways to find out the balance of an account. You'd think leaving it as save for Christmas would be safe but they seem to get around that as well. Either by entering your password or intercepting the text message.

    • Can you share how to find out the balance?

      • The most obvious is it prints on the bottom of the receipt. They could brute force it by making a small purchase.

        • But the card number is masked

          • @Garrettau: Still not masked at the 3rd party store like Ampol, not many though.

          • @Garrettau: You could theoretically sit at a checkout making small purchases on various generated rewards cards until you strike one that has dollars off next shop.

  • +1

    Basically the safest approach is just to redeem your points as soon as you get them. They seem to go after higher value balances.

  • +1

    someone hacked my maccas rewards account, i stupidly had a saved credit card attached to the account and they went on a spending spree buying about $150 of maccas in a few hours (hopefully they get diabetes and die). Macdonalds couldnt give a (profanity) just told me to report to credit card which luckily they gave my money back. Haven't been back to maccas in 6 months since it happened due to their lack of care about this situation.

  • This has happened to me and lost almost $700 in points. Been a month and a half of "it team investigating" and that is all I get. Plus they can't get past 1yr history on their own system and are "investigating" because it should be more.
    Don't know what else I can do

Login or Join to leave a comment