Tesco Clubcard users urged to check their accounts as supermarket warns of voucher scam

The Tesco Clubcard scheme has millions of members who collect points as they shop in the hope of using them for rewards. While the points can be used to take money off your groceries, they can also pay for special treats through the supermarket’s many Clubcard partners using unique discount codes. However, Tesco has discovered that fraudsters have found a way to steal some of the codes for a particular website.

Tesco is urging customers to check their accounts after uncovering the online scam. 

One of the supermarket’s partners is Hotels.com, which means Clubcard holders could use their points to earn vouchers that would give them money off their bookings. 

However, online scammers found a way to steal the discount codes, which are generated by Hotels.com, and sold them online. 

The fraud could cost the booking platform millions of pounds in lost revenue due to the heavily discounted bookings. 

Cybercriminals were able to decipher the 13-digit codes, which were generated by Hotels.com, in order to claim the discount when booking online. 

However, while it’s bad news for the hotel platform, it also affects loyal Clubcard holders – as the codes can only be used once. 

Any codes that have been guessed and now sold on the black market can no longer be used as they’re only valid for a single transaction. 

The codes offered up to £750 off a booking, meaning fraudsters have been able to bag huge discounts which should have been reserved as rewards for Tesco’s customers. 

The discovery led to the voucher offer being pulled from the Tesco website while the company worked to resolve it with Hotels.com. 

The scam was uncovered back in March by cyber security group CyberNews, which alerted Expedia Group, the website’s parent company, to the security flaw in its system. 

The booking site has now taken measures to resolve the issue and the offer has been reinstated on the Tesco Clubcard website. 

Impacted Clubcard customers should have now received replacement vouchers or had Clubcard points reimbursed – but any members who suspect they have codes that have been used have been urged to contact the Clubcard support team if they’ve not already been contacted. 

“This is a very expensive lesson for Hotels.com and it should be a warning for other businesses that accept discount codes,” commented the CyberNews research team.

“In the current economic climate people are looking for ways to save money, so businesses need to stay vigilant to prevent fraud. 

“We’d recommend using longer, less predictable discount codes with more characters which make it harder for cybercriminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature.”

It’s thought that there are more than four million possible codes that have been hacked, with potentially huge losses for the hotel company. 

 

Fraudsters only had to guess the remaining four digits of the codes due to the way that they were generated. 

The 13-character codes used the same first five characters, plus three numbers consisting of the discount amount (which was either 200, 500 or 750), and then a colon, leaving only the remaining four characters to be guessed by the scammers. 
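
The two measures CyberNews recommends, fully random longer codes and a limit on incorrect entries, can be sketched as follows. This is an added example, not code from Hotels.com, Tesco or CyberNews; the 36-symbol alphabet used for the comparison, the 31-symbol alphabet, the 16-character length and the lockout thresholds are all assumptions.

```python
import math
import secrets
import time

# Unambiguous symbols (no 0/O, 1/I/L). Assumed alphabet, not the Hotels.com scheme.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def unknown_bits(alphabet_size, unknown_chars):
    """Entropy, in bits, of the part of a code that is not fixed or predictable."""
    return unknown_chars * math.log2(alphabet_size)


def new_code(length=16):
    """Draw every character from the OS CSPRNG: no shared prefix and no
    discount amount embedded in the code itself."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class RedemptionGuard:
    """Single-use redemption with a cap on wrong entries per client."""

    def __init__(self, valid_codes, max_failures=5, window=3600.0):
        self.unused = set(valid_codes)
        self.max_failures = max_failures
        self.window = window          # seconds a failure counts against a client
        self.failures = {}            # client id -> timestamps of wrong entries

    def redeem(self, client, code, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.failures.get(client, []) if now - t < self.window]
        self.failures[client] = recent
        if len(recent) >= self.max_failures:
            return "locked"           # refuse even a correct code while locked out
        if code in self.unused:
            self.unused.remove(code)  # each code is valid for one transaction
            return "ok"
        recent.append(now)
        return "invalid"


if __name__ == "__main__":
    # Four unknown characters (36-symbol alphabet assumed) vs. 16 random ones.
    print(f"page format: {unknown_bits(36, 4):.1f} bits unknown")
    print(f"random code: {unknown_bits(len(ALPHABET), 16):.1f} bits unknown")
```

A per-client cap should be paired with a global alert on the overall rate of invalid entries, since guesses can be spread across many clients.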

The coupons were valid for booking from April 21, 2017 to December 31, 2021, and guests could use them until December 31, 2023.

However, while the scam did pose serious consequences for Clubcard holders who may have lost their discounts, Tesco has assured members that strict security measures are in place and at no point was any Clubcard customer data accessed.
