Scammers are still having a shopping spree with stolen Nectar points, with shoppers seeing their accounts drained in places they have never visited.
Meanwhile, some say they have been locked out of their accounts entirely and have asked Sainsbury’s for an explanation.
The supermarket introduced an ‘account lock’ feature to their loyalty app in February to try and crack down on the problem – but customer services reps are still fielding dozens of complaints.
Mum-of-two Fariba Rad, from Putney in London, told Metro she was ‘really upset’ to get two emails on Sunday morning thanking her for spending her balance.
‘First I started thinking about when I was at Sainsbury’s, but then I saw the area was Oakley and I said to myself, “someone’s hacked my points”,’ she said.
The thieves spent £12.50 in two transactions of 1000 and 1500 points, leaving her with just 194 points, worth 97p.
Some shoppers contacting Nectar online said their points had been spent while they weren’t even in the UK, while others said they were having problems with the app and ‘can’t even log in’.
In recent months, retail cybersecurity has come into the spotlight after Marks and Spencer was hit by a devastating hack which is still not completely resolved, with online shopping unavailable.
Supermarkets Co-op and Harrods were targeted by hackers too, while sports brand Adidas also fell victim – so the natural question for many was if Sainsbury’s could also have been compromised.
But the supermarket said they were not experiencing any IT issues.
They confirmed that Fariba had fallen victim to fraud, and that criminals use a range of tactics to try and profit from their popular loyalty scheme, which has over 23 million members.
The ease with which scammers can access Nectar points was exposed in January, when This Is Money reported that over 12 million points worth some £63,000 had been taken in the year prior.
‘I haven’t even left my house’
Another Sainsbury’s shopper, 43-year-old Amber Shuker-Bright, pictured at the top of this article, said she and her husband lost £60 of points.
‘We do what most people do – save them for Christmas,’ the mum-of-one told Metro.
She realised something was wrong when she got an email thanking her for redeeming 2000 points in Brixton on April 12, but thought: ‘I’m in Putney and I haven’t even left my house.’
The mum-of-one said her husband lost even more this weekend, when scammers spent 10,000 of his points, worth £50, in Camden.
She did not know there had been issues with points theft in the past, or that there was an option to lock her account, saying this should be made more clear.
Sainsbury’s has refunded the couple’s points after checking they were spent outside of their usual area, but sales assistant Amber said she is worried many customers wouldn’t even realise they were victims, as they might assume their partner had spent the points on a linked account.
She said the incident left her worried about how scammers got her details, and what else they may have accessed.
This Is Money reported that scammers were selling account numbers online, although it is unclear how they obtained them in the first place.
Sainsbury’s has not revealed how they think scammers are doing this, fearing that it could encourage more fraud if they do.
Fariba, a 44-year-old professional placement advisor, said she struggled to resolve the loss of her points because her mum was the primary account holder, despite using the card ‘for years’ with her email address – a problem that others also reported to customer services reps.
Eventually, she managed to resolve the issue and will be sent a new card with the lost points added to it.
But she described the process as ‘really pointless and a waste of my time’, saying the experience made her concerned that criminals have her details.
How are scammers able to steal Nectar points?
There are no ID checks to spend points, except at Argos, where ID is required if the amount is over £50.
A loophole meant that anyone with a user’s account number or barcode could potentially spend their points, unless the spend lock feature was turned on.
Last year, Cian Heasley, Threat Lead at the cyber security firm Adarma, told Metro: ‘The specific nature of this vulnerability hasn’t been disclosed, but it could be that the attackers are conducting a brute-force attack. In this type of attack, malicious individuals, either manually or through automation, attempt to log into a customer reward portal using randomly generated reward account numbers.
‘When they do not receive a “no such user” or similar error message, they know the account is active and can generate a barcode scannable account identifier to spend the reward points.
‘To defend against this attack, app developers should incorporate security measures into the app’s design. For instance, they should require a full login or identity authentication to spend points and ensure that login portals do not indicate whether accounts are valid or not. Limiting the number of login attempts before imposing a timeout can also slow down brute-force guessing attacks.
‘The attackers may also be using credential stuffing, a cyber-attack where hackers use breached account information, like usernames and passwords, to gain unauthorised access to other online accounts. To protect against credential stuffing, it is crucial that individuals do not reuse passwords across different accounts, enable multifactor authentication whenever possible, and consider using a password manager to store and manage passwords for various apps and websites securely.’
A Nectar spokesperson said: ‘The security of our customer accounts is our highest priority and the proportion of those impacted by fraud each year is very small.
‘We have a range of measures which detect and in many cases prevent fraud, including point spending confirmation emails and our Spend Lock feature.’