Tesco Clubcard fraud - online vouchers stolen

jatinmistry_uk

Just logged in to Tesco Clubcard site to check something and found that someone has used £100 worth of vouchers that were replced to me following onto previous scam. I did change my login password details and do not understand how this has happend yet again?

Have spoke to Customer Service who will replace it to the account but won't get my voucher until end of May or June sometime. Can't convert for days out until then :mad:

ktk

I have just checked my account and have also been targeted for the second time! £200 of vouchers stolen. I too changed both my password and email to ones that are not used anywhere else. The fact that nothing is ever taken from any of my other online accounts makes me even more suspicious!

It also occurred to me that I have not been getting any statements.

TheSaint_2

Ok, so this is interesting.


A fraudulent order was placed on Tesco direct at 10am today. The scum had added a new delivery address to my account and ordered for delivery there.


At 3pm I got an email telling me the order was cancelled due to fraud checks.


So, well done goes to Tesco for auto cancelling and recrediting my vouchers.


I called customer services asking if I should report it to the police, she said not necessary as they do pass detail on.


I asked if Tesco had had a data breach as I had not logged in to Tesco for a long time, and have had no spear phishing mails. She said that whoever is doing it is NOT using the username and password to get in. In other words my password has not been breached (I changed it anyway).


So this is one of three things:


1) inside job
2) data breach leading to loss of passwords (unlikely as others have stated that their vouchers have been stolen just after they changed their passwords repeatedly)
3) their is a vulnerability in one of their sites which allows credentials to be stolen or accounts to be logged in to without authentication.


In the last two cases examining their web server logs should allow them to spot the breach and fix it very easily, so they have a big inside job problem or massive incompetence in their web security team.

Fella

TheSaint wrote: »

1) inside job
2) data breach leading to loss of passwords (unlikely as others have stated that their vouchers have been stolen just after they changed their passwords repeatedly)
3) their is a vulnerability in one of their sites which allows credentials to be stolen or accounts to be logged in to without authentication.


In the last two cases examining their web server logs should allow them to spot the breach and fix it very easily, so they have a big inside job problem or massive incompetence in their web security team.

3) in my opinion.


Just logged into Clubcard this morning to see that my voucher balance has been cleared out too. My Clubcard password is only used for that account.

strontium

Got two emails last night saying my details had been changed.

Rang tesco this morning and it turns out someone had got it, changed my email address, bought loads of stuff worth the points and then changed stuff back again.

However, they left their name ( or their "best mate") on the account.

Tesco have promised to recredit the missing points.

However, they were at pains to explain that they didn't know how they were getting in, but as soon add they close one door the hackers find another.

They also said if I changed the password it would not happen again.

So, in my professional opinion, they have lost the password file which had been decoded, hence why they are having so many break ins.

Colin2511

Fella wrote: »

3) in my opinion.


Just logged into Clubcard this morning to see that my voucher balance has been cleared out too. My Clubcard password is only used for that account.

Yep me to ...again... I changed the password etc after the last time - so they are now saying perhaps the scammers were still holding one of the vouchers from last time and trying to resue again


This means that since Feb I have had this account online hacked twice, and another one that OH has that was paper vouchers only.. we had never logged online with that account..


Both accounts are now back in points waiting until August mailing..- what is annoying is I had been saving them up, since last year, so nearly £500 between the two accounts

Colin2511

I even had them asking


1. if anyone I know like a child could have logged into the account !!! (given that my eldest is only 12 and the vouchers were used instore over 200 miles away I think that was a no) -


2. then they asked / stated I must have left my clubard somewhere... no we don't have the fobs and just have them on the 2 Tesco credit cards we use to pay with - and finally...


3. They said I should report to the police and action watch (I think that was the name) the latest fraud - I had no idea what the latest one was, it was an email from them that said they had noticed something and cancelled all my vouchers - I asked them for more details so I can report - they cannto give that for security - I asked so what am I reporting -that I think I have had a fraud, I don't know how, don't know when, don't know what was taken...lol -


I said surely this was reported originally in Feb when they confirmed they had called the police in on that last breach when the accounts were all printed on the website - and that as they said it was the same vouchers they can just update THEIR case with the police?

thepearce

Well, I read about security problems ages ago over at "The Register". Having a lot of points I decided to change my password.

At the time the maximum length was 10 characters. Upper and lower case were treated the same and only numbers or letters could be used. Nonetheless I changed the password to a randomly generated one utilising upper/lower & numbers. (Thanks lastpass).

This password is *unique* to my tesco account. My clubcard is a clubcard plus so I don't give that number out readily.

I use lastpass to store & fill in my password. I run kaspersky Internet Security 2014. I work in IT (Finance) so would hope I am somewhat clued up....

Despite this after me doing a genuine redemption online (restaurant voucher) two fraudulent ones quickly followed.

A couple of days later I receive a letter from Tesco on this, the bulk of which details how I should use a stronger password [now that your systems allow it eh] and how to improve *my* online security.

Funny how my banking sites are not affected.

I tried to set a 20 character password but this failed. 15 characters was OK.

Not a lot of information from Tesco - with a lot of vouchers / points I now need to try and cross check that everything is refunded which is not easy given they have wiped all the voucher info.

hjd

My account has just been hacked - for the THIRD time.
Email from tesco to say they are cancelling all my vouchers and re-issuing.
I get the same patronising email to tell me about a strong password. Since I had a strong password, containing all the elements they suggest, that's obviously a lot of use. The password is unique to my Tesco account.
Are they still trying to maintain it's not an inside job??
Trouble is, there's not really anything I want to use the vouchers for - nothing appeals on the deals!

Odenplan

I've just found out that I've lost vouchers to the value of £600…been saving for a long time! What angers me is that the guy I spoke with at Tesco told me that it was probably my email account that had been compromised and suggested I change my password to all accounts I have…I did and it took forever! Anyway, I checked all my accounts and found that everything was as it should be with the exception of my Tesco Clubcard account. I'm angry because at no point did he tell me that Tesco accounts had been compromised in February this year and instead indicated that the problem was to do with my email address. I really think that Tesco could have been a little more honest with me and owned up to the fact that they have been having problems with fraud instead of trying to pass the buck. Also, they will not give me my points back until November even though it's not my fault. I used to be a big fan of Tesco, but right now I don't think I want to spend money there in the future. I've been using Ocado of late and will use them more frequently now. Still can't understand why Tesco didn't send letters out to people back in February if they knew accounts were being compromised….after all, they spend a fortune sending junk mail out to customers all the time.