WOOLWORTHS is investigating reports of Rewards cards being “hacked” and points stolen from customers’ accounts using a major security vulnerability in the Woolworths app.
Currently, the app allows anyone to enter an arbitrary card number and see the points balance on that account. The user can then enter the number into a rewards card app like Stocard to generate an image of the barcode, which can be scanned at the Woolworths checkout to claim the discount.
Numerous customers have taken to the OzBargain forum to report points being stolen.
The breach so far appears to have targeted new cards issued as part of an introductory promotion for new members offering 5000 bonus points, which equates to $25. It is not clear whether existing accounts have been affected.
“My new Woolworths Rewards card has been hacked,” wrote jjj123.
“Applied [for] the card last month with 5000 points bonus, I received the card today, login, and found the points were used in [another] state two weeks ago. Someone shopped the points in The Ponds and Kingsgrove in NSW. Anyone same situation with me? Who can access the card number before me? The envelope received today sealed in an unopened condition.”
User Ruper Murduck wrote: “Very odd, had one delivered to an address in Parkes NSW, and when I went to use it, the rewards were gone, looked online and someone in The Ponds near Blacktown NSW had redeemed them first. What in the world.”
User Blasted reported a similar issue, saying their $20 had been used on a gift card they did not purchase, but Woolworths customer service had refunded the points and changed the card number after being contacted.
“Still haven’t received my Woolworths Rewards card in the mail so I thought I’d check my Woolworths account to see that my $20 had been redeemed today in Kingsgrove, which is three-and-a-half hours away from me,” wrote Frosty1.
Ricoguy added: “My card had $20 redeemed at Kingsgrove as well. I know you need a password to redeem Flybuys money at Coles but apparently you just need to scan the card to redeem your money at Woolworths which is quite a big loophole.”
Nickj also reported $20 being redeemed at Kingsgrove on a totally unused card, while another user reported their card being used at Northland Shopping Centre in East Preston, Victoria. F1ngolf reported two transactions at Hurstville and Parramatta.
“Looks like a breach on the IT system to me and is concerning since I use only the WISH gift cards for all my Woolworths purchases,” they wrote.
User Clem said they had ordered two new cards only to have the points stolen from both. “One was $20 exactly at Kingsgrove, and the other was an actual spend at Box Hill,” they wrote. “This guy better lawyer up because I hope Woolies hits him like a train.”
It’s not clear how the culprits identified the correct barcode numbers. “Possibly someone ordered a bunch of Woolworths Rewards cards, noticed a pattern in how they are numbered, created barcodes for the next numbers in the sequence and used them to redeem your points,” wrote user Durd0008.
“It’s entirely possible that for Woolworths Rewards they just increment each member number by 1, and because the membership number is also a barcode, the only security in it is knowing the last number is a check number. [For example], my card could be 9353000000008 and the next person would be 9353000000015.”
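The check-digit arithmetic the commenter describes is the public GS1 EAN-13 scheme, and the two numbers quoted above are consistent with it. The example below is added here and is not code from the article or from Woolworths; it assumes the card numbers are plain EAN-13 barcodes (the article does not confirm the format) and shows that the check digit is fully determined by the other twelve digits, so it contributes no unpredictability to a sequentially issued number.

```python
# Added example (not from the article or Woolworths): EAN-13 check-digit arithmetic,
# used to show why a check digit gives a sequential card number no secrecy.
# Assumption: the card numbers quoted above are plain EAN-13 barcodes; the two
# numbers the commenter gives (9353000000008 and 9353000000015) are consistent
# with that, but the article does not confirm the format.

def ean13_check_digit(payload: str) -> str:
    """Return the EAN-13 check digit for a 12-digit payload (GS1 mod-10 scheme)."""
    if len(payload) != 12 or not payload.isdigit():
        raise ValueError("payload must be exactly 12 digits")
    # Weights alternate 1,3,1,3,... from the leftmost digit.
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(payload))
    return str((10 - total % 10) % 10)


def is_valid_ean13(code: str) -> bool:
    """True if the 13-digit code's last digit matches the computed check digit."""
    if len(code) != 13 or not code.isdigit():
        return False
    return ean13_check_digit(code[:12]) == code[12]


def payload_distance(code_a: str, code_b: str) -> int:
    """Difference between the 12-digit payloads of two valid EAN-13 codes.

    A distance of 1 means the codes are consecutive members of a sequential
    numbering scheme: the check digit adds no unpredictability at all.
    """
    if not (is_valid_ean13(code_a) and is_valid_ean13(code_b)):
        raise ValueError("both codes must be valid EAN-13")
    return abs(int(code_a[:12]) - int(code_b[:12]))


if __name__ == "__main__":
    # The commenter's two example numbers (values quoted from the article).
    first, second = "9353000000008", "9353000000015"
    print(first, is_valid_ean13(first))    # True
    print(second, is_valid_ean13(second))  # True
    print("payload distance:", payload_distance(first, second))  # 1
```

A balance lookup or redemption that accepts any syntactically valid number therefore exposes every account to whoever can count; the control that closes the gap is binding lookup and redemption to an authenticated account or to a secret that is not printed on the card, as the Flybuys password mentioned above does.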
In a statement, a Woolworths spokesman said the supermarket was “monitoring customer feedback”. “Although our investigation shows there is no issue with the functionality and security of the app, we are reviewing how the app experience can be better improved to provide further assurances for customers,” he said.
“We work hard to ensure our customers’ shopping experience is efficient, seamless and importantly, safe and secure. We take our obligations in relation to customer data very seriously, and have robust controls in place to ensure customer expectations of privacy and security are met.
“We have a continuous program of security enhancements and our apps are constantly reviewed for any improvements in functionality and security. If customers require further information please contact us on 1300 767 969.”
The supermarket revamped its customer rewards scheme last August, just nine months after ditching its Qantas Frequent Flyer partnership for Woolworths Dollars, sparking a massive customer backlash. The revamped scheme introduced Woolworths Points and brought back the Qantas tie-in.