
Tesco Clubcard fraud - online vouchers stolen


Comments

  • peachyprice
    peachyprice Posts: 22,346 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 9 February 2014 at 10:55AM
    Peops, we have no proof this really is a person working for Tesco, be careful what you tell them.

    The comments they have made regarding phishing emails etc. contradict the experience of people here who 100% know they haven't opened a phishing email and have used a unique address and password for Tesco but have still had their account hacked, more than once in some cases.


    EDIT
    OK, this post makes no sense now! But please be wary of people claiming to be working for Tesco who want to help.

    Thanks for the housekeeping BG's.
    Accept your past without regret, handle your present with confidence and face your future without fear
  • I'm not sure why my original post was deleted but like I said, not all of the fraud is done through phishing. Some is brute force, some is by interception of vouchers in the post. I can only go on information provided by people who were caught.

    I can't prove anything about who I am but Google "the mirror clubcard fraud" and you'll get information about one of the guys who was caught. I tried googling the names of some other people we stopped but there don't seem to be any articles.

    If you are having trouble call Clubcard and if the advisor is not helpful ask to speak with a team leader or the fraud team. You will get your vouchers back if they can see it was not you that used them.

    My original post was much more informative but I think it was deleted as I am a forum newbie.
  • peachyprice
    peachyprice Posts: 22,346 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    edited 9 February 2014 at 1:23PM
    No, it was deleted because you have to have permission from the forum to post as a company representative.

    I'm sure if you ask for permission and can verify you are who you say you are you can re-type your original post.
    Companies posting on the forum


    What's a company representative?
    We do not allow advertising of any type on the forum. This is against the forum rules (see Why was my post about my company/site/blog deleted?).

    If you see something written about your company and would like a right of reply, please see How do I get a right of reply on what's been said about my company?

    We also have a very limited number of 'company representatives'; these are checked out and verified spokespeople for specific firms. This status is granted entirely at our discretion, where we've identified it as being in forum users' interests.

    Which type of companies are allowed?

    We strictly limit it to household names with huge numbers of customers, companies that have been mentioned in the MSE guides, or non-profit agencies we have a relationship with.

    Why are company representatives allowed?

    The primary aim is to allow reps to help MoneySavers who have issues with the company - providing redress or instruction on how to work with it better. It is not, and must never be seen as, an avenue to sell or promote products.

    Company reps allow a company to answer questions on the forum about the company or its services.

    We limit the number of reps so we're not swamped, but also when dealing with household names, there is a critical mass of MSE users who are their customers and may want redress.

    What are they allowed to post about?

    It's a strictly reactive policy. Each company rep is allowed one thread to respond to. If reps are trying to promote their products (or it looks like they've had questions from others drafted to elicit such a response, which is illegal) then please report them to forumteam@moneysavingexpert.com and we may remove the 'company representative' privilege. An exception to this is the small number of consumer and debt help groups who help answer questions.

    How do I spot a company representative?

    If they've been given permission to post they'll have a standard username (xx Company Representative) and signature to clarify who they are. This doesn't mean MSE endorses their products or services. See the full list of Large companies with permission to post. Any posts by companies without permission will be removed when reported. Companies posting shouldn't tout for business.

    Company reps can't send private messages

    Company reps don't have the facility to send or receive PMs (it's switched off).

    If company reps need to ask site users for personal details, they can include a special customer service email address in their profile page and refer to the fact it's there in their posts. They're not permitted to post it on the open forum.

    This rule prevents companies touting for business through PMs and ensures forum members actively seek out a company’s contact details.

    Want to be a company representative?

    If you work for a qualifying company and are in a position to represent that firm (we'll require official confirmation) please email forumteam@moneysavingexpert.com in the first instance. If appropriate, you'll be forwarded to an internal email address to go through a verification process.

    Want to respond to what's written about your company but aren't a company rep?

    Please see the How do I get a right of reply on what's been said about my company?


    How do I get a right of reply on what's been said about my company?
    If you're from a company, have seen a post you feel is misleading or offensive, and would like the right of reply, please email the Forum Team at forumteam@moneysavingexpert.com.

    A member of the MSE Team will carry out checks to confirm you are authorised to represent the company in question.

    Provided you have the authority, you may either be asked to give a statement, which one of the MSE Team will post on your behalf, or be given permission to post directly on the specific thread.

    Where permission has been given for you to post directly on a thread, a note from the MSE Team will appear on the thread confirming this.

    If someone has posted claiming to be from a company but this has not been followed by a MSE Team note confirming we've authorised it, please use the warning triangle in the bottom right of the post to report it, or email the link to forumteam@moneysavingexpert.com.

    There's a single exception to this rule. If you're from a company and have a discount code you'd like to offer MoneySavers, this rule is waived in the Great Want to Offer MoneySavers a Discount? Hunt.

    You can post your discount once only, on that thread, but nowhere else on the forum. And you shouldn't post about your company anywhere else on the forum.
    Accept your past without regret, handle your present with confidence and face your future without fear
  • subsist
    subsist Posts: 2 Newbie
    edited 9 February 2014 at 3:46PM
    No, it was deleted because you have to have permission from the forum to post as a company representative.

    I'm sure if you ask for permission and can verify you are who you say you are you can re-type your original post.

    To be honest I'm not too concerned about becoming an official representative. I just stumbled upon this thread and figured I may as well try to help in a non-professional capacity. It was a long post and I don't think there is any way to recover it now.
  • I've had the same happen. Had over £250 taken from my account in Oct. Tesco agreed to refund amount in Feb statement. On 5th Feb, had it all taken again.


    I can assure all of you that this is not a hack of my PC. I use Norton 360 and keep it up to date. I never click on ads or phishing emails. As soon as I discovered the Oct fraud, I changed my password. I always use a 'strong' password. I also noticed that Tesco added a new level of security to their website.


    When I first contacted Tesco, and the police fraud dept, they said that Tesco had had their servers hacked.


    As I have now missed the hotel that I wanted to book, that I had been saving my points for, I will be looking for more than just a refund.


    This is completely unacceptable.
  • that is terrible news jnetleston must have been the same person to hack account twice
    just noticed a more recent report advising us all to check out February vouchers

    http://www.telegraph.co.uk/finance/personalfinance/consumertips/10609030/Tesco-Clubcard-check-your-February-vouchers.html
  • peachyprice
    peachyprice Posts: 22,346 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    http://www.bbc.co.uk/news/technology-26171130

    The poop has hit the fan.

    Tesco are still claiming it's still only a small number of customers.
    Accept your past without regret, handle your present with confidence and face your future without fear
  • Still trying to shift the blame off their own systems though and I think we have enough evidence on here to suggest otherwise or at least warrant a more detailed explanation
    Kev H
  • EtheAv8r
    EtheAv8r Posts: 13 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    edited 14 February 2014 at 6:38PM
    This is much bigger than the 2,239 accounts Tesco has admitted have been compromised.

    I checked the list of exposed accounts posted by hackers on pastebin dot com and neither my nor my wife's account is listed. Yet we had 9 vouchers totalling £214 'spent for us' last week on 04/02/2014 in-store in Edinburgh Leith, and 3 of these vouchers had only been issued in the February 2014 statement!

    This may be interesting to you: search for troyhunt dot com (I am not allowed to post links)

    We were affected by the 2013 ClubCard Voucher thefts when we had all our unused (6) vouchers totaling £158 (worth £632 to us as restaurant vouchers) stolen and spent. I changed my password. The points were re-credited but we had the inconvenience of not being able to redeem any until the next issue of vouchers in May. In the online listing of "Vouchers you have used" these 6 stolen vouchers stood out clearly, they were all redeemed on the same date, and all were blank in the "Where used" column. They were stolen on the 10/01/2013 but we did not discover this until my wife logged on in late March to 'spend' some of our vouchers and discovered that she could not because they had already been used.

    I wrote to Philip Clarke, the CEO of Customer Service, with full details and also that I was confident that my PC had not been compromised, and that I had been informed by Tesco Customer Services that Tesco investigations were ongoing and also that customers who do not have on-line accounts, who simply spend their vouchers in-store, had also been compromised. This meant that the problem was definitely not with compromised customers, but rather the compromise was within the Tesco internal system, either computer database or at the voucher printing location, as vouchers are clearly being replicated, duplicated or printed. I requested that once Tesco had completed their investigations that they fully disclose publicly how this fraud had been perpetrated, as well as implementing measures to prevent reoccurrence. I also confirmed that my wife and I had both changed our ClubCard logon passwords and that I was perplexed as to why Tesco does not allow the use of special characters as these can make passwords much stronger and more difficult to guess or crack.


    I received a prompt reply, with all the usual platitudes, confirming that a full investigation had been launched etc. They also claimed that this had happened to only “a small number of accounts”.

    Fast forward to last week and a new set of strange happenings and further voucher theft. On Monday evening at 23:30 I received an email confirmation from Tesco Direct for an order I did not place using one of our vouchers valued at £16.50. This was immediately followed by a second email confirming that they had cancelled the order. Clearly somehow one of our Tesco ClubCard vouchers had been compromised but the fraud had been spotted and stopped by Tesco. Well done, full marks to Tesco.

    I logged on to my ClubCard account and could see the voucher in question with a status of “Processing”, but the remaining 8 vouchers with a total value of £197.50 were still there and intact.

    The following morning (04/02/2014) I phoned Tesco to enquire what was going on, what had happened regarding the attempted fraudulent use on one of my vouchers, and were the rest of my vouchers safe. The person I spoke to was rather dismissive, somewhat condescending and bordering on the rude. I was told it was probably due to phishing (i.e. it was my fault), or that another website had been compromised and that I used the same username and password on that site as I did on Tesco (i.e. it was my fault). I explained that I am an IT Security professional, that I most definitely had not responded to any phishing emails or otherwise disclosed my credentials to any third party, and that I used different passwords on every website.

    I was told to change my email account and password. I explained that I was not going to change my email account, it is not a free web based email account and that I have my own domain and use an Enterprise class hosted Exchange service for my email. I was then told to change my password. I said that I would (again) and enquired why the Tesco password requirements were so weak as they could only be alpha numeric and could only be up to 10 characters long (I was on the Change Password web page at the time). I asked if I could indeed include special characters in the password, and was somewhat contemptuously asked “what does it say on the instructions?” and when I responded it said letters and numbers up to 10 characters, I was told “do that then”. When I asked how this would help, as in order to spend or print vouchers, as well as logging on using my user name and password, I would then be required to enter 3 random numbers from my 16 digit ClubCard number, I was told that this was not so and that I had clearly been hacked!!!!

    I assured her that I had not been hacked or otherwise compromised and suggested that she did not know the current correct security process utilised by the service she was supporting, and suggested she check with a supervisor. This she did, and discovered I was correct, however her tone was now quite defensive and rude. During this conversation I changed my password and logged on and the 8 remaining vouchers were all there and available. I made the password change from my Work PC.

    A couple of days later I logged on to my ClubCard account from my Home PC and discovered that all the remaining vouchers had been stolen and spent in-store in Edinburgh Leith on the very same day after I had called Tesco! I contacted Tesco to report the fraud, and also filed a report with Action Fraud.

    The password requirements for Tesco Vouchers are very weak. I believe I have discovered another weakness with them. Although the maximum password length is 10 characters you can actually create a longer password and it will be accepted. So if your password is J!!!9MyTCC56197z it would appear to accept it but only function on the first 10 characters. If you then change the password to J!!!9MyTCC92547M, you think the password has changed, but in fact it has not, and a lot of people have a core password and change the final ‘n’ characters, which is what I had been doing, but it was just an unlucky co-incidence that the core was 10 characters and so my past two passwords were in fact the same, even though the last 6 characters were changed.

    I keep all my passwords in a secure encrypted Password Manager called LastPass. I have now changed the entire password to a completely gobbledygook jumble of 10 alpha-numeric characters, but I would like to be able to include special characters and have them at least 16 characters long.

    And no I do not use a common core password for different online accounts.
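
The silent truncation described in the post above, modelled as an added example that is not part of the original thread and is not Tesco's code. The class and function names, the PBKDF2 parameters and the 12 to 128 character policy are assumptions chosen for illustration; the two sample passwords are the ones quoted in the post.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 10  # length limit the post reports for the password field


def _kdf(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TruncatingStore:
    """Models the reported behaviour: input past 10 characters is silently dropped."""

    def __init__(self):
        self._salt, self._digest = b"", b""

    def set_password(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._digest = _kdf(password[:LEGACY_MAX], self._salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, _kdf(password[:LEGACY_MAX], self._salt))


class FullLengthStore(TruncatingStore):
    """Hardened variant: hashes every character and rejects out-of-policy input
    with an error instead of quietly shortening it."""

    MIN_LEN, MAX_LEN = 12, 128

    def set_password(self, password: str) -> None:
        if not self.MIN_LEN <= len(password) <= self.MAX_LEN:
            raise ValueError("password length outside policy")
        self._salt = os.urandom(16)
        self._digest = _kdf(password, self._salt)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self._digest, _kdf(password, self._salt))


def effective_length(store, probe: str):
    """Regression check for your own service's test account: return the shortest
    prefix of probe that still authenticates, or None if only the full string does."""
    store.set_password(probe)
    for n in range(1, len(probe)):
        if store.verify(probe[:n]):
            return n
    return None


# The two passwords quoted in the post; they share their first 10 characters.
OLD, NEW = "J!!!9MyTCC56197z", "J!!!9MyTCC92547M"
```

With the truncating store, a "rotation" from `OLD` to `NEW` leaves the stored credential unchanged, which is the situation the poster describes; the hardened store treats them as different passwords.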
  • I found out the other week that £320 worth of my vouchers had been used fraudulently over the last few months. As I didn't know other people had been having problems, it was a bit of a shock as I thought I wouldn't get them back. However, the lady I spoke to at tesco's couldn't have been more helpful, all my points have been refunded, and although I won't get new vouchers until May, I can ring up tesco if I want to use my points on anything. I was advised to contact the action fraud people, which I did. The guy there (who was also very helpful and very reassuring), told me they had had thousands and thousands of cases reported to them.
    So there must be a huge gang behind this, and as it must be costing tesco a lot of money, hopefully it will get sorted out soon.........
This discussion has been closed.