Nectar points stolen in spite of locking it

jkcool

A couple of days back around 6:30 PM,  got an email saying that significant amout of Nectar points were  redeemed at a store in London. The Nectar contact centre phone line closes are 5:30 PM which was conviniently mentioned in the email. The "Spending Lock" on my account was still active. No idea, how they managed to steal from my account. I contacted Nectar via Twitter and got the points back. They said they will investigate but I don't think they will ever disclose how those people managed to pull it. 

The points were redeemed at a Sainsburys store. Usually there is a condition that you need to shop at least once in that store before you redeem from the store. 10 minutes before the "big redemption", those people bought some bananas to get around that. It is still a mystery how Nectar systems allowed this while the spending was locked. 

There are 18 million nectar cards and there will be only a few hundreds of those will have larger number of points.  Without an inside help how will those thieves know which accounts to target ? 
Possibly some security vulnerability is there in their APIs. I guess, I will never know. 

Under consumer rights, will I be able to ask Nectar about the investigation report ?  

user1977

No, your consumer rights are to get the points back. They're not going to chat to you about what they're doing internally.

sheramber

They are not going to reveal how it was done. That would allow others to do it.

flaneurs_lobster

I think it's telling that Sainsburys/Nectar are still reinstating points with little investigation or argument.

Seems they know that the "Spending Lock" isn't.

Ergates

flaneurs_lobster said:

I think it's telling that Sainsburys/Nectar are still reinstating points with little investigation or argument.

Seems they know that the "Spending Lock" isn't.

Or that it's cheaper to just reinstate the points than to perform the investigations.

Grumpy_chap

jkcool said:

There are 18 million nectar cards and there will be only a few hundreds of those will have larger number of points.  Without an inside help how will those thieves know which accounts to target ? 

Maybe the thieves do not know which accounts to target.

Maybe they get a load of Nectar cards access somehow, buy a banana with each card and the purchase of the banana allows then to see how many points are on the account.  They can then spend to the available amount.

Alternatively, and I really do not know whether this is possible, do the thieves need to know how many points are available?  If they have a load of cards and purchased a load of bananas, can they then take the TV (or whatever big purchase) up to the self-serve till and pay by Nectar from multiple cards in succession?  If the first card only has £1 on it, so be it, then use the 2nd card and the 3rd card and so on until one of the cards clears the remaining cost?  Does the system allow multiple Nectar cards to be used for one purchase?

jkcool

Ergates said:

flaneurs_lobster said:

I think it's telling that Sainsburys/Nectar are still reinstating points with little investigation or argument.

Seems they know that the "Spending Lock" isn't.

Or that it's cheaper to just reinstate the points than to perform the investigations.

Or the cost of fixing is significantly more than occasional points re-instating. 

SiliconChip

When it happened to me it appeared that the thieves made a small purchase first, the receipt from that then tells them how many points are on the Nectar card and they can then decide to make bigger purchases using up those points. I now spend my points before they get to £10 so that if they are stolen again it's not so much of a concern (I had over £100 stolen and reinstated).

jkcool

Grumpy_chap said:

jkcool said:

There are 18 million nectar cards and there will be only a few hundreds of those will have larger number of points.  Without an inside help how will those thieves know which accounts to target ? 

Maybe the thieves do not know which accounts to target.

Maybe they get a load of Nectar cards access somehow, buy a banana with each card and the purchase of the banana allows then to see how many points are on the account.  

Statistically the odds are pretty poor to do this. Finding hundreds from millions is quite hard. 

Also, you can't use multiple cards on one transaction. 

Grumpy_chap

jkcool said:

Statistically the odds are pretty poor to do this. Finding hundreds from millions is quite hard. 

Statistically.

Where is the data source that only "hundreds" of 18 million cards have high points balances?

flaneurs_lobster

jkcool said:

Ergates said:

flaneurs_lobster said:

I think it's telling that Sainsburys/Nectar are still reinstating points with little investigation or argument.

Seems they know that the "Spending Lock" isn't.

Or that it's cheaper to just reinstate the points than to perform the investigations.

Or the cost of fixing is significantly more than occasional points re-instating. 

They have a big player in Amex as a partner (their Nectar Credit Card). Rather surprising that a global finance company isn't applying a little more pressure on Nectar to get this fixed. They won't be happy to have their upmarket brand associated with points theft using bananas.