I woke up on the 9th June 2023 to find Vicki quite upset. She’d been looking at our Nectar account in the Nectar app and found that our 13,500 points (£67.50) had been spent that morning in Sainsbury’s in Hendon. Obviously it wasn’t us, we’d literally just woken up (in Essex), but there it was in the app: we’d lost all those points.
She called Nectar and they seemed pretty unsurprised; they told her that they would ‘investigate’ and then send us out a new card, and hopefully refund our stolen points. In hindsight, it was actually mad how nonplussed they were about it, like it was something that happened every day.
It turns out it’s actually VERY easy to get into ANYONE’s Nectar account, because the way their website works is so flawed. I spent the morning of the 9th June learning about the ‘security’ Nectar have in place, and well, there wasn’t much of it.
A Nectar Card Number is made up of 19 digits – the first 8 are the same for everyone (9826 3000) and the remaining 11 are unique to the card. Your Nectar barcode is just those 19 digits in a standard barcode format – there’s nothing special about it, it’s just those numbers.
When you go to ‘register’ a card on the Nectar website, it asks you for your 19-digit Nectar Card Number – well, just the ‘unique’ 11 digits at the end. When you enter this, if the number isn’t recognised (and therefore isn’t a valid number), it throws an error. If it IS a valid number, it will do one of two things: if the card hasn’t been registered online, it will ask you for a mobile number and email address to register; OR, if the card HAS previously been registered online, it will ask you for your email and password to get into your online account.
So by simply ‘trying’ random strings of 11 digits, you can find valid Nectar card numbers. If they ARE valid, you can essentially take them over and make an online account for them. Or, even ‘better’ (for the fraudster, at least), if you find that an account has already been set up, you’ve found someone who clearly cares about their points enough to register, and who could potentially have points on their account.
I sat and tried this a LOT that morning. I used random number generators to make strings of 11 digits for me, and found several valid Nectar cards that hadn’t been registered online, and a couple where the people HAD registered them. The only thing that momentarily stopped me was an ‘Are you a Robot?’ Captcha coming up every once in a while, which, once passed, let me carry on trying more and more numbers.
Once you’ve found a valid card number, there is nothing stopping a scammer going to a barcode-generating website and creating a valid barcode that would be accepted at any Sainsbury’s ‘Scan as you Shop’ terminal or self-scan checkout. I definitely didn’t do that, because, obviously, this is ACTUAL FRAUD – but I managed to create a working barcode for my own card in seconds. I detailed everything I found in this YouTube video on my YouTube Channel.
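To make the flaw concrete, here is an added example (my own illustration, not Nectar’s code): a tiny simulated version of the registration lookup. `leaky_lookup` mirrors the three distinguishable responses described above; `HardenedLookup` is the shape a fixed version would take, replying identically whether or not a number exists, requiring a per-card secret that is not encoded in the barcode (an assumption, not something Nectar currently has), and cutting a client off after a handful of attempts. The card numbers are made up.

```python
import hmac
from collections import defaultdict

# Constructed sample data, not real card numbers: the 11-digit suffix that follows
# the shared 9826 3000 prefix, whether the card is registered online, and (assumption,
# not a real Nectar feature) a per-card secret printed on the card but absent from the barcode.
CARDS = {
    "12345678901": {"registered": False, "secret": "48213"},
    "22222222222": {"registered": True, "secret": "90117"},
}


def leaky_lookup(suffix: str) -> str:
    """The response design described in the post: the reply itself says whether the
    number is unknown, valid but unregistered, or already registered."""
    card = CARDS.get(suffix)
    if card is None:
        return "error: card number not recognised"
    if card["registered"]:
        return "prompt: enter your email and password"
    return "prompt: enter a mobile number and email to register"


UNIFORM_REPLY = "If those details match a card, we will contact you with next steps."


class HardenedLookup:
    """Same job, but the reply is identical whether or not the number exists, a
    second factor not derivable from the barcode is required, and each client
    gets a small attempt budget before being cut off."""

    def __init__(self, max_attempts: int = 5):
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)   # keyed by client (e.g. source IP or session)
        self.matched = []                  # where a real system would start its out-of-band flow

    def lookup(self, client_id: str, suffix: str, secret: str) -> str:
        self.attempts[client_id] += 1
        if self.attempts[client_id] > self.max_attempts:
            return "Too many attempts, please try again later."
        card = CARDS.get(suffix)
        # Compare against a dummy secret when the card is unknown, in constant time,
        # so neither the reply text nor its timing reveals whether the number exists.
        expected = card["secret"] if card else "00000"
        if card is not None and hmac.compare_digest(expected, secret):
            self.matched.append(suffix)
        return UNIFORM_REPLY
```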
Sainsbury’s DID send us a new card with our points back on it after a few weeks, and a thousand or so extra for the inconvenience. But it meant that with our new card we were seen as ‘new’ customers, so all the carefully, algorithmically picked items that we buy regularly and got extra Nectar Points or Nectar Prices on were forgotten. It’s taken MONTHS for the new card to learn what we buy and give us relevant offers based on it.
As a result of the video I made, BBC Radio 4 got in touch and have run a story about me and others who have had points stolen. The comments section of my video also lit up with people who had their points stolen too. Many of them had HUNDREDS of pounds worth of points taken – someone actually had £1000 taken. They only had £250 worth of points in their account; however, because the Nectar points balance doesn’t refresh immediately, the fraudsters hit their account 4 times in quick succession, leaving them with a debit of £750 in their Nectar account balance.
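The £250-to-£750 case above is a classic check-then-debit race against a stale balance. This added example (mine, not Nectar’s system) models it with an in-memory ledger: `StaleCheckLedger` checks redemptions against a cached balance that is only refreshed on demand, so four £250 redemptions all pass; `AtomicLedger` does the check and the debit as one operation on the authoritative balance and refuses everything after the first. Points are valued at 200 per pound, matching the 13,500 = £67.50 figure above.

```python
import threading

POINTS_PER_POUND = 200  # consistent with the post: 13,500 points = £67.50


class StaleCheckLedger:
    """Models the failure described in the post: the redemption check reads a cached
    balance that is only refreshed periodically, so several redemptions in quick
    succession all see the same pre-redemption figure."""

    def __init__(self, points: int):
        self.balance = points   # authoritative balance
        self.cached = points    # the figure the checkout is shown

    def refresh(self) -> None:
        self.cached = self.balance

    def redeem(self, points: int) -> bool:
        if self.cached < points:   # check against the stale copy ...
            return False
        self.balance -= points     # ... but debit the real one, which can go negative
        return True


class AtomicLedger:
    """Hardened form: check and debit are a single operation on the authoritative
    balance under a lock (in a database this is a conditional UPDATE ... WHERE
    balance >= amount), so the balance can never go below zero."""

    def __init__(self, points: int):
        self.balance = points
        self._lock = threading.Lock()

    def redeem(self, points: int) -> bool:
        with self._lock:
            if self.balance < points:
                return False
            self.balance -= points
            return True


def burst(ledger, points: int, times: int) -> tuple:
    """Attempt `times` redemptions of `points` each in quick succession, without any
    cache refresh in between; return (successful redemptions, final balance)."""
    ok = sum(1 for _ in range(times) if ledger.redeem(points))
    return ok, ledger.balance


def pounds(points: int) -> float:
    return points / POINTS_PER_POUND
```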
You might think it’s irresponsible of me to share how easy it is to get into the Nectar system. It might well be. However, I wanted to show people just how little Nectar value the security of their own systems, and the data and ‘money’ of their customers. That is HUGELY irresponsible, and potentially something that could land them in a lot of trouble with the Information Commissioner’s Office (ICO). Obviously my method relies on work and a bit of luck, but people a LOT cleverer than me could, and I believe HAVE, scaled this up to an industrial level. What I’ve done could be done thousands of times over; you can automate this process for sure. Whether they use my method or another, it shouldn’t be so easy to peep into someone’s account like this.
When asked by BBC Radio 4 about my points, and others’, being stolen, they said:
“If a customer suspects they’ve been a victim of fraud we recommend they contact the Nectar Helpline team, who will thoroughly investigate.
Fraudsters are becoming increasingly sophisticated and using a range of tactics. We can’t go into detail on the types of fraud we’re seeing specifically for obvious reasons.”
My method wasn’t even sophisticated; it was just picking random numbers and giving them a go.
Have you had this happen to you? Let me know in the comments!