Feeds

back to article Tesco dials 999 after Clubcard vouchers are 'nicked' online

Tesco has called the cops after Clubcard vouchers were allegedly swiped from its customers' online accounts. It is feared the money-off coupons, which are earned by using the chain's loyalty card, were stolen after miscreants compromised victims' accounts. Tesco found out about the missing vouchers, thought to be worth hundreds …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Again...?

"Urgently check your online account and, if anything's awry, get onto Tesco to let it know, and tell us too to help us investigate further."

Sounds like closing the gate after the horse has bolted...

I'll get me coat.

3
0
N2
Bronze badge

Re: Again...?

Oh no, not more hackers

0
0
Silver badge
Coat

Re: Again...?

Closing the freezer door after the horse has bolted ...

8
0

Its a civil matter

I assume the Police responded just as they do for credit card fraud?

Oh its a big company with a big press following. Someone might get on telly.

5
0

We had ours nicked November last year, I did some background digging to see if I could replicate the fraud with login details etc, and as far as I can deduce it's an inside job re-printing online vouchers, or the printer is re-running the print job.

0
0

You can print "lost" vouchers yourself from the website

so if you get access to someone's online account you can print their vouchers and presumably spend them instore. Obviously the vouchers are tracked in an online system when you scan the barcode to avoid double-spend of reprinted vouchers.

0
0
Anonymous Coward

Don't you need your club card to use the vouchers?

0
0
Anonymous Coward

Don't you need your club card to use the vouchers

No - they are just like any other printed voucher from a newspaper or something. They do have your name on them though (a least the ones I have seen do), and I guess the shops are supposed to check the name. E.g. I used my Tesco vouchers to get 2 for 1 Jessops discount - the vouchers came with my name on them and Jessops checked the name matched the credit card I was using before allowing me to use them. I guess not all vouchers are the same, and not all are checked (assuming they can be).

0
0
Anonymous Coward

re: as far as I can deduce it's an inside job re-printing online vouchers

In one place where I worked, we provided prepaid telephony systems for telcos. Part of the system was a voucher database that was accessible to any telco staff that had access to the machine. The first time I had to install one of these I noticed that the vouchers were all stored in the clear, making it easy for people within the client's organisation to lift voucher numbers and sell them on. I pointed out to the development guys that they should really be storing hashes of the vouchers, but I don't think they ever implemented it. There were frequent enough support requests relating to vouchers not working for end users (ie, those buying the prepaid cards). I'm not sure how many of these were just because of programming/procedural errors, but I suspect that some people working in the telcos were skimming off a few numbers here and there.

At least with that system it would have been pretty easy to detect if the printers were copying their print runs and selling them twice because we could trace problems to particular batch numbers. At least if they got greedy and tried to skim off too many vouchers. Tough luck for people who bought a voucher and found that it had already been used.

0
0
Silver badge

Re: You can print "lost" vouchers yourself from the website

If this is the case then the accessing IP should be logged and therefore trackable. (Assuming non-onion-routing techniques being used - but the average crim isn't that smart)

0
0
WTF?

Our vouchers were spend instore, up near Burnley, and we never spend them instore and they were spent with a clubcard that wasn't ours! So the cashier didn't check vouchers matched the card, and nor did the computer system. I still have the mailed out vouchers in the In-Tray upstairs, so it wasn't Il Postino nicking them either.

There are reports also today that Pizza Express email voucher codes that have been converted from Clubcard Vouchers, have also been used in appropriately.

Suffice to say we've cashed ours in this time around before the mailout, as they appeared online a couple of weeks ago. Would hate to lose them again...and have the points rolled towards Mays mailing, we've got stuff to do!

0
0

It is a phishing scam that has been in operation since the latest vouchers were released, not a data breach or hack and I don't think they should get refunded to be honest as its not Tesco's fault.

2
1
Anonymous Coward

ooohh 200million clubcard vouchers stolen !

Good luck to the thieves, 200m vouchers buys you a plastic spoon.

5
0

Re: ooohh 200million clubcard vouchers stolen !

>>200m vouchers buys you a plastic spoon<<

Did you you check or did you just assume?

1 point is worth one penny; 200 million points would be worth £2 million. Add to that, if they were able to convert to the "Rewards" scheme it increases the value by 4 times. (not that 200 million points were taken; the article doesn't specify the amount.)

0
6
Facepalm

Re: ooohh 200million clubcard vouchers stolen !

"Did you you check or did you just assume?"

Satire is dead.

7
0

Re: ooohh 200million clubcard vouchers stolen !

yep, murdered by a plastic spoon...

4
0

Re: ooohh 200million clubcard vouchers stolen !

>>yep, murdered by a plastic spoon...<<

Now that IS funny

0
0
Anonymous Coward

Password mail, password fail

I'm sure they're using Industry Standard techniques now www.theregister.co.uk/2012/08/21/tesco_ico/

1
0

Sorry Dave, I disagree with you.

Ours were stolen from the November mailout, as was others, so its not just the Feb mailing impacted. the Register has an ICO article from November where Tesco is heavily criticised for its online security, the inference being that as forgotten passwords are emailed out in plain-text that there is two-way or n-way encryption on the password field in their database.

Online vouchers are available 2-3weeks before the voucher booklet arrives on your doorstep, I know mine arrived today, and we'd spent ours the day they went live online so as not to get stung again.

1
0
Silver badge

re. Tesco passwords

When I renewed my contract with TescoMobile (a simple matter), they sent me an email thanking me for renewing and 'helpfully' telling me what my e-mail address and TescoMobile user password were. As you say, stored in plain text on their servers.

However, the one capitalised letter in my password was shown as lower case. This might have been security by obscurity or it may be that they do case stripping when they accept the password.

1
0
Anonymous Coward

im not surprised, probably isnt theft tho...

i used to work for tesco, in the clubcard call centre many moons ago. Bloody aweful systems. It was all green screens and oodles of navigation numbers to remember. I know for a fact that a few employees didnt understand the systems enough and deleted numerous customers clubcard points. On the plus side the canteen was great, and cheap.

0
0
Anonymous Coward

Re: im not surprised, probably isnt theft tho...

Me too. I'm assuming you mean in the Dundee offices? And yes, the canteen was great. The screens were truly horrible when I last saw them but that was a very long time ago so I have to hope that they've been improved by now.

I did a process review on the operational processes within Clubcard customer services and to be honest it mostly focused on how bad the database was and its impact on CS as a result. It included a series of recommended changes to the UI which were submitted to IT. A detailed dossier came back a few weeks later costing the UI changes at tens of thousands and it was quietly forgotten and I moved to another part of the business. Subsequently a new process review was undertaken by someone different who was asked to leave aside the IT considerations.

0
0

There's another issue

If it is a hack/data breach then there is something else to consider. These thieves will also have your data. A database of Tesco shoppers names and addresses can be sold for a fair wedge too.

1
0
Silver badge

Re: There's another issue

>A database of Tesco shoppers names and addresses can be sold for a fair wedge too

Presumably though it's the "value line" of online databases

Now a list of Waitrose customers on the other hand

1
0
Anonymous Coward

Inside job

Check the MSE forum, people on there saying their vouchers were spent in-store and when they tell customer services they say it can't have been thieves because the Clubcard is needed. So either the people working on the tills are not doing their job, are in on the scam, or the fraudsters have copies of cards. All of them seem to be for big numbers of vouchers too so they seem to know who to go after for the most gain.

2
0

Re: Inside job

That's why we cashed our new ones in as soon as they became available online. We had £462 of vouchers because of a Tesco Bathroom/Kitchen deal on points.

Without knowing the "How" I was buggered if I was going to leave them another opportunity.

0
0
Anonymous Coward

Re: Inside job

I rarely shop in Tesco but did get some clubcard points when I bought a TV there + had a gas/electricity tariff that used by give clubcard points so a couple of years ago I had a small amount of vouchers which I spent in store. As I rarely shop in Tesco I don't carry a clubcard with me so I obviously managed to spend them without using a clubcard.

0
0
Happy

Every Little Helps

Just saying.

2
1
Anonymous Coward

Tesco

Are these the same people who save your passwords to their system.

They still deserve to be fed on SALTED corned beef(horse) HASH.

2
0
Facepalm

This allegedly covers Tesco's set up 6 months ago

Scary reading:

http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html

Now if true it probably partially explains why they are getting their botty smacked publicly.

0
0
This topic is closed for new posts.