Again...?
"Urgently check your online account and, if anything's awry, get onto Tesco to let it know, and tell us too to help us investigate further."
Sounds like closing the gate after the horse has bolted...
I'll get me coat.
Tesco has called the cops after Clubcard vouchers were allegedly swiped from its customers' online accounts. It is feared the money-off coupons, which are earned by using the chain's loyalty card, were stolen after miscreants compromised victims' accounts. Tesco found out about the missing vouchers, thought to be worth …
No - they are just like any other printed voucher from a newspaper or something. They do have your name on them though (at least the ones I have seen do), and I guess the shops are supposed to check the name. E.g. I used my Tesco vouchers to get 2 for 1 Jessops discount - the vouchers came with my name on them and Jessops checked the name matched the credit card I was using before allowing me to use them. I guess not all vouchers are the same, and not all are checked (assuming they can be).
re: as far as I can deduce it's an inside job re-printing online vouchers
In one place where I worked, we provided prepaid telephony systems for telcos. Part of the system was a voucher database that was accessible to any telco staff that had access to the machine. The first time I had to install one of these I noticed that the vouchers were all stored in the clear, making it easy for people within the client's organisation to lift voucher numbers and sell them on. I pointed out to the development guys that they should really be storing hashes of the vouchers, but I don't think they ever implemented it. There were frequent enough support requests relating to vouchers not working for end users (ie, those buying the prepaid cards). I'm not sure how many of these were just because of programming/procedural errors, but I suspect that some people working in the telcos were skimming off a few numbers here and there.
At least with that system it would have been pretty easy to detect if the printers were copying their print runs and selling them twice because we could trace problems to particular batch numbers. At least if they got greedy and tried to skim off too many vouchers. Tough luck for people who bought a voucher and found that it had already been used.
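Added example, not part of the original thread or of any system described in it: a minimal sketch of the hashed voucher storage the comment above suggests, with reuse attempts counted per batch in the spirit of the batch tracing it mentions. The class, method names and batch id are hypothetical, and the in-memory dict stands in for the voucher database.

```python
import hashlib
import hmac
import secrets
from collections import Counter


class VoucherStore:
    """Keeps only a keyed digest of each voucher code, never the code itself."""

    def __init__(self, key: bytes):
        # Assumption: the key is held outside the voucher database (e.g. in an HSM or
        # secrets manager). Voucher codes are short, so an unkeyed hash could be
        # brute-forced by anyone who can read the table.
        self._key = key
        self._rows = {}            # digest -> {"batch": str, "redeemed_by": str | None}
        self.disputes = Counter()  # batch -> attempts to reuse a spent voucher

    def _digest(self, code: str) -> str:
        normalized = code.replace("-", "").replace(" ", "").upper()
        return hmac.new(self._key, normalized.encode(), hashlib.sha256).hexdigest()

    def issue(self, batch: str) -> str:
        """Generate a code, store its digest, and hand the code to the printer once."""
        code = secrets.token_hex(8).upper()
        self._rows[self._digest(code)] = {"batch": batch, "redeemed_by": None}
        return code

    def redeem(self, code: str, account: str) -> str:
        row = self._rows.get(self._digest(code))
        if row is None:
            return "unknown"
        if row["redeemed_by"] is not None:
            self.disputes[row["batch"]] += 1   # trace repeats back to a print batch
            return "already-redeemed"
        row["redeemed_by"] = account
        return "ok"

    def stored_values(self) -> list:
        """What someone with read access to the table can see."""
        return list(self._rows)


if __name__ == "__main__":
    store = VoucherStore(secrets.token_bytes(32))
    code = store.issue("BATCH-0001")                 # constructed batch id
    print(store.redeem(code, "customer-a"))          # first use
    print(store.redeem(code, "customer-b"))          # same code presented again
    print(store.disputes)
```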
Our vouchers were spent instore, up near Burnley, and we never spend them instore and they were spent with a Clubcard that wasn't ours! So the cashier didn't check vouchers matched the card, and nor did the computer system. I still have the mailed out vouchers in the In-Tray upstairs, so it wasn't Il Postino nicking them either.
There are reports also today that Pizza Express email voucher codes that have been converted from Clubcard Vouchers have also been used inappropriately.
Suffice to say we've cashed ours in this time around before the mailout, as they appeared online a couple of weeks ago. Would hate to lose them again...and have the points rolled towards May's mailing, we've got stuff to do!
>>200m vouchers buys you a plastic spoon<<
Did you check or did you just assume?
1 point is worth one penny; 200 million points would be worth £2 million. Add to that, if they were able to convert to the "Rewards" scheme it increases the value by 4 times. (not that 200 million points were taken; the article doesn't specify the amount.)
Sorry Dave, I disagree with you.
Ours were stolen from the November mailout, as were others, so it's not just the Feb mailing impacted. The Register has an ICO article from November where Tesco is heavily criticised for its online security, the inference being that as forgotten passwords are emailed out in plain-text that there is two-way or n-way encryption on the password field in their database.
Online vouchers are available 2-3 weeks before the voucher booklet arrives on your doorstep, I know mine arrived today, and we'd spent ours the day they went live online so as not to get stung again.
When I renewed my contract with TescoMobile (a simple matter), they sent me an email thanking me for renewing and 'helpfully' telling me what my e-mail address and TescoMobile user password were. As you say, stored in plain text on their servers.
However, the one capitalised letter in my password was shown as lower case. This might have been security by obscurity or it may be that they do case stripping when they accept the password.
I used to work for Tesco, in the Clubcard call centre many moons ago. Bloody awful systems. It was all green screens and oodles of navigation numbers to remember. I know for a fact that a few employees didn't understand the systems enough and deleted numerous customers' Clubcard points. On the plus side the canteen was great, and cheap.
Me too. I'm assuming you mean in the Dundee offices? And yes, the canteen was great. The screens were truly horrible when I last saw them but that was a very long time ago so I have to hope that they've been improved by now.
I did a process review on the operational processes within Clubcard customer services and to be honest it mostly focused on how bad the database was and its impact on CS as a result. It included a series of recommended changes to the UI which were submitted to IT. A detailed dossier came back a few weeks later costing the UI changes at tens of thousands and it was quietly forgotten and I moved to another part of the business. Subsequently a new process review was undertaken by someone different who was asked to leave aside the IT considerations.
Check the MSE forum, people on there saying their vouchers were spent in-store and when they tell customer services they say it can't have been thieves because the Clubcard is needed. So either the people working on the tills are not doing their job, are in on the scam, or the fraudsters have copies of cards. All of them seem to be for big numbers of vouchers too so they seem to know who to go after for the most gain.
I rarely shop in Tesco but did get some Clubcard points when I bought a TV there + had a gas/electricity tariff that used to give Clubcard points so a couple of years ago I had a small amount of vouchers which I spent in store. As I rarely shop in Tesco I don't carry a Clubcard with me so I obviously managed to spend them without using a Clubcard.