Nectar point issue

Jami74

I know this is the wrong forum, but I don't know where to post this.

I have just just checked my nectar app and all my points of have been spent somewhere a long way from where I am. Nectar help is closed, and I know I am unlikely to get them back 

But I am most concerned with how and what this might means for my bank accounts.. My plastic card is still in my possession as is my phone. 

Please help me with what steps do I need to take immediately to protect myself from further losses (eg bank/credit card/savings etc).

MattMattMattUK

Jami74 said:

I know this is the wrong forum, but I don't know where to post this.

I have just just checked my nectar app and all my points of have been spent somewhere a long way from where I am. Nectar help is closed, and I know I am unlikely to get them back 

But I am most concerned with how and what this might means for my bank accounts.. My plastic card is still in my possession as is my phone. 

Please help me with what steps do I need to take immediately to protect myself from further losses (eg bank/credit card/savings etc).

It is actually not as big a deal as it first appears. There is a known flaw in the security of Nectar that means that it requires relatively little information to spend someone else's nectar points, a number and a baroda generator is pretty much all it takes. Put in a complaint on Monday, they will issue you with a new Nectar number and reimburse your points. Below is a very basic explanation from 2018, but the security hole is still there. Essentially if you can guess/find a valid Nectar card number then you can spend the points on that card with minimal effort.

https://www.bbc.co.uk/programmes/articles/1gJz1n3J50ZHYP1NcFHVYBY/nectar-fraud

It means nothing for your bank accounts, savings etc. they are not connected to your Nectar card.

Jami74

MattMattMattUK said:

It means nothing for your bank accounts, savings etc. they are not connected to your Nectar card.

Thanks, for being calm and reassuring. Was worried that my computer or phone might have been compromised. I check all my accounts every day. Will change all my passwords anyway. I've started getting sextortion junk recently, which of course is totally unrelated. They've spent twice the number of nectar points I had. So I now have -16000 nectar points.

WillPS

I've had this happen to me, twice. Both times Nectar reimbursed and reissued a new Nectar card.

MDMD

MattMattMattUK said:

Jami74 said:

I know this is the wrong forum, but I don't know where to post this.

I have just just checked my nectar app and all my points of have been spent somewhere a long way from where I am. Nectar help is closed, and I know I am unlikely to get them back 

But I am most concerned with how and what this might means for my bank accounts.. My plastic card is still in my possession as is my phone. 

Please help me with what steps do I need to take immediately to protect myself from further losses (eg bank/credit card/savings etc).

It is actually not as big a deal as it first appears. There is a known flaw in the security of Nectar that means that it requires relatively little information to spend someone else's nectar points, a number and a baroda generator is pretty much all it takes. Put in a complaint on Monday, they will issue you with a new Nectar number and reimburse your points. Below is a very basic explanation from 2018, but the security hole is still there. Essentially if you can guess/find a valid Nectar card number then you can spend the points on that card with minimal effort.

https://www.bbc.co.uk/programmes/articles/1gJz1n3J50ZHYP1NcFHVYBY/nectar-fraud

It means nothing for your bank accounts, savings etc. they are not connected to your Nectar card.

They can be linked to bank accounts through nectar connect., although appears to be one way only 

https://www.nectar.com/brands/nectar-connect

balsingh

Mimic what others have said. Had Nectar points stolen from me on 3 occasions. For some reason, on two of them, they were somehow used at Argos. 

Whilst you can call customer service and get them to investigate and reimburse, it is very frustrating that it keeps happening and they don't seem that bothered about sorting the underlying problems. Seems that it is easier to just reimburse!

MattMattMattUK

balsingh said:

Mimic what others have said. Had Nectar points stolen from me on 3 occasions. For some reason, on two of them, they were somehow used at Argos. 

Whilst you can call customer service and get them to investigate and reimburse, it is very frustrating that it keeps happening and they don't seem that bothered about sorting the underlying problems. Seems that it is easier to just reimburse!

The underlying problem is that there is no inherent security to the Nectar system, if you have a valid card number all one needs to do is generate a barcode for that number, then the points on that account can be spent. The issue for Nectar is that adding security would require them to start from scratch with a new system, one built from the ground up with security in mind. They will have run the numbers and realised that the cost of that, versus the cost of reimbursing misappropriated points means that it is easier to keep the existing system. I am sure that sure some point when they transition the scheme to a new system that will include proper security, but for the moment it is nor worth it.

Wheres_My_Cashback

As others have said its been a well known problem for years now. 
The only way to prevent spending by others on your account is to manually request a freeze on spending if you're saving the points.
But of course you have to request an unfreeze before being able to spend again.

claire07

I have also just had 28000 nectar points stolen.    Foolishly I was saving them up for a large purchase but had an email from Nectar Saturday to thank me for my purchase at an Argos in London (I am in the Midlands) using 28000 points leaving me with £3 in my account.  I reported it on their online chat and they've cancelled the card and will send out another.  However, as I only use it on the Sainsburys weekly shop I am concerned how they accessed my number and when I am eventually compensated I will make sure I keep running down the amount or get a gift card to protect the points.  I have also deleted the Nectar app.

I telephoned Nectar today to double check their fraud prevention team were dealing with it and they confirmed that they were sending out a replacement card and would reimburse the points.  They also said not to worry about my Sainsburys Credit Card or the app being vulnerable.

molerat

I am concerned how they accessed my number

Generating a viable account number is pretty simple.  Of more concern is how they know how many points are available to spend.  Nectar use 2FA to access account details so how can they know without some sort of inside help either within Nectar or the stores where they are spent.

WillPS

molerat said:

I am concerned how they accessed my number

Generating a viable account number is pretty simple.  Of more concern is how they know how many points are available to spend.  Nectar use 2FA to access account details so how can they know without some sort of inside help either within Nectar or the stores where they are spent.

Not in store they don't. Show them a barcode and they'll scan it and tell you how many points are available to spend.