I woke up on the 9th June 2023 to find Vicki quite upset. She'd been looking at our Nectar account in the Nectar app and found that our 13,500 points (£67.50) had been spent that morning in Sainsburys in Hendon. Obviously it wasn't us, we'd literally just woken up (in Essex), but there it was in the app: we'd lost all those points.
She called Nectar and they seemed pretty unsurprised. They told her that they would 'investigate' and then send us out a new card, and hopefully refund our stolen points. In hindsight, it was actually mad how nonplussed they were about it, like it was something that happened every day.
It turns out it's actually VERY easy to get into ANYONE's Nectar account, because the way their website works is so flawed. I spent the morning of the 9th June learning about the 'security' Nectar have in place, and well, there wasn't much of it.
A Nectar Card Number is made up of 19 digits. The first 8 are the same for everyone (9826 3000) and the remaining 11 are the card's own number. Your Nectar barcode is just those 19 digits in a standard barcode form; there's nothing special about it, it's just those numbers.
When you go to 'register' a card on the Nectar website, it asks you for your 19-digit Nectar Card Number, or really just the 'unique' 11 digits at the end. When you enter this, if the number isn't recognised (so it isn't a valid number), it throws an error. If it IS a valid number, it will do one of two things. If the card hasn't been registered online, it will ask you for a mobile number and email address to register it. OR, if the card HAS previously been registered online, it will ask you for your email and password to get into your online account.
So by essentially 'trying' any random string of 11 digits, you can find out valid Nectar card numbers. If they ARE valid, you can essentially take them over and make an online account for them. Or, even 'better' (for the fraudster, at least), if you find that an account has already been set up, you've found someone who clearly cares about their points enough to register, and who could potentially have points on their account.
I sat and tried this a LOT that morning. I used random number generators to make strings of 11 digits for me, and found several valid Nectar accounts that hadn't been registered online, and a couple where the people HAD registered them. The only thing that momentarily stopped me was an 'Are you a Robot?' Captcha coming up every once in a while, which, once passed, let me carry on trying more and more numbers.
Once you've found a valid card number, there is nothing stopping a scammer going to a barcode generating website and creating a valid barcode that would be accepted at any Sainsburys 'Scan as you Shop' terminal or self-scan checkout. I definitely didn't do that, because, obviously, this is ACTUAL FRAUD, but I managed to create a working barcode for my own card in seconds. I detailed everything I found in this YouTube video on my YouTube channel.
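The weak point described above is that the registration page answers differently for invalid, unregistered and registered numbers, so a guessing session leaves a very distinctive trace: one client, many distinct card numbers, mostly rejected. As an added example (not code from Nectar or from this post), here is how a defender could spot that pattern in the lookup endpoint's logs; the log line format, client addresses and card digits are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a card-lookup (registration) endpoint. The line
# format is assumed for this example and the card digits are made-up placeholders.
SAMPLE_LOG = """\
2023-06-09T08:01:02Z client=203.0.113.7 card=00000000001 result=invalid
2023-06-09T08:01:05Z client=203.0.113.7 card=00000000002 result=invalid
2023-06-09T08:01:09Z client=203.0.113.7 card=00000000003 result=invalid
2023-06-09T08:01:12Z client=203.0.113.7 card=00000000004 result=unregistered
2023-06-09T08:01:15Z client=203.0.113.7 card=00000000005 result=invalid
2023-06-09T08:01:19Z client=203.0.113.7 card=00000000006 result=invalid
2023-06-09T08:01:22Z client=203.0.113.7 card=00000000007 result=registered
2023-06-09T08:01:26Z client=203.0.113.7 card=00000000008 result=invalid
2023-06-09T08:02:10Z client=198.51.100.9 card=00000000009 result=registered
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) card=(?P<card>\d+) result=(?P<result>\w+)$")

def parse(log_text):
    """Yield (timestamp, client, card, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["client"], m["card"], m["result"]

def detect_enumeration(log_text, window=timedelta(minutes=10),
                       min_distinct=8, max_invalid_ratio=0.5):
    """Flag clients that probe many distinct card numbers inside one window with a
    high invalid rate: guessing looks nothing like a customer mistyping their own card."""
    by_client = defaultdict(list)
    for ts, client, card, result in parse(log_text):
        by_client[client].append((ts, card, result))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            distinct = {card for _, card, _ in span}
            invalid = sum(1 for _, _, r in span if r == "invalid")
            if len(distinct) >= min_distinct and invalid / len(span) > max_invalid_ratio:
                hits = sorted(c for _, c, r in span if r != "invalid")
                flagged[client] = {"attempts": len(span), "invalid": invalid, "hits": hits}
    return flagged
```

The `hits` list tells the fraud team which card numbers a flagged client managed to confirm, so those cards can be watched or reissued before any points are redeemed.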
Sainsburys DID send us a new card with our points back on it after a few weeks, plus a thousand or so for the inconvenience. But it meant that with our new card we were seen as 'new' customers, so all the carefully, algorithmically picked shopping items that we buy regularly and got extra Nectar Points or Nectar Prices on were forgotten. It's taken MONTHS for the new card to learn what we buy and give us relevant offers based on it.
As a result of the video I made, BBC Radio 4 got in touch and have run a story about me, and others who have had points stolen. The comments section of my video also lit up with people who had their points stolen too. Many of them had HUNDREDS of pounds worth of points taken; someone actually had £1000 taken. They actually only had £250 worth of points in their account; however, because the Nectar points balance doesn't refresh immediately, the fraudsters hit their account 4 times in quick succession, leaving them with a debit of £750 in their Nectar account balance.
You might think it's irresponsible of me to share how easy it is to get into the Nectar system. It might well be. However, I wanted to show people just how little Nectar value the security of their own systems, and the data and 'money' of their customers. That is HUGELY irresponsible, and potentially something that could land them in a lot of trouble with the Information Commissioner's Office (ICO). Obviously my method relies on work and a bit of luck, but there are people a LOT cleverer than me who could, and I believe HAVE, scaled this up on an industrial level. What I've done could be done thousands of times over; you can automate this process for sure. Whether they use my method or another method, it shouldn't be so easy to peep into someone's account like this.
When asked by BBC Radio 4 about mine and others' points being stolen, they said:
“If a customer suspects they’ve been a victim of fraud we recommend they contact the Nectar Helpline team, who will thoroughly investigate.
Fraudsters are becoming increasingly sophisticated and using a range of tactics. We can’t go into detail on the types of fraud we’re seeing specifically for obvious reasons.”
My method wasn't even sophisticated. It was just finding random numbers and giving it a go.
Have you had this happen to you? Let me know in the comments!
I’m sure I read a similar story on Head for Points a while back but not as detailed as you go into explaining how it was done.
Seems Nectar aren’t interested in beefing things up. Won’t be long before BBC Morning Live sends Rav Wilding to chat to you about this!
I lost 100,000 points last year the same way. Alerted to it by an email from Nectar thanking me for redeeming.
Like you, I was surprised how unsurprised they were when I contacted them. Had a new card number + all the points back within an hour or two.
As well as losing your ‘history’ you will lose anything in transit like bonus points that were due to be credited, I think.
I've just discovered that I've had £950 of points stolen on a single day (16th May '24) shortly after I'd used points in a Sainsburys branch. The points were used in shops some 60 miles away from me and there is now a balance of MINUS £1045. I could see all this activity on my account on the website when I logged in yesterday. I spoke to Nectar yesterday and they said how they understood and would raise a complaint for me and I'd get communications by email. Today, I cannot log into my Nectar account and I haven't had any emails. I'm upset and horrified that the points I'd saved over a very long period for 'a rainy day' have just been stolen when that rainy day has arrived.
It is infuriating how this stealing of Nectar points continues and that Sainsburys seem so unconcerned about it. I had about £65 worth of points stolen recently and the person I spoke to when I contacted Nectar acted like it was an everyday occurrence. Yes my points were reinstated plus some bonus points that will recompense in some way the points I lost whilst awaiting my new card (and the special, tailored, offers I will miss out on for quite some while) but more should be being done to make it impossible for points to be stolen. To add to the mystery of quite how the scammers steal the points, mine were used at a Sainsburys in Hove. This is 70 miles from where I live and I had never visited the town until I attended a car show there on the same day the points were stolen. Somebody randomly generating my 11 number card number and using it in a town I was visiting on the same day seems a very strange coincidence.
It is still going on and Nectar (Sainsburys, who own Nectar360 Ltd) would appear to have done nothing to improve their security. We have just lost 36500 points and whilst Nectar responded appropriately, they said they are aware of the problem. Hopefully we will get our points reinstated. The fraudulent transactions all occurred in London and we have seen another story online that suggests that it is an inside job. Time for a complaint to the Information Commissioner, I think.
Mine have just disappeared. I had £26.45 and now 1.45. Which may not sound much. However it was vital for me as a 74 year old state pensioner living on basic state pension plus a little housing and council tax benefit. I was saving this for a Christmas dinner plus trimmings and now will have nothing. I am heartbroken and struggle to heat and eat anyway. Please help me get them back. I can’t sleep for worrying.
Hi Maria, did you get them back? If not, ring Sainsburys they will refund them. If you suspect your Nectar points have been stolen, you can contact Nectar on 0344 811 0811
I’ve just discovered I’ve lost just over £450 worth of points (having never redeemed any) and so will be ringing Nectar first thing in the morning. All the points were redeemed on one day at 4 different Sainsbury stores in London and despite having an online account I received no email or SMS warning. I live over 200 miles away and was not in London on that date – I hadn’t even heard of 2 of the locations and all my legitimate transactions are close to home. They obviously don’t do any sort of profiling to see if transactions are suspicious in any way. Amazingly inept…
It's just happened to me – £60 worth of points stolen in two transactions in Essex this morning (I live in Derbyshire). The live chat were helpful but didn't seem unsurprised, and now I don't have those points for my Christmas shop. Maybe Sainsbury's should strengthen their security since it seems so easy to steal points.
Wow! I've just found this article as I was googling stolen Nectar because, yes, my points have just been stolen! Only* £20 worth but, like others, I was saving them for a rainy day. I feel fortunate that I spent £75 a few months ago getting new white goods. I always shop according to what's on my Nectar prices/points offers so to know I'll not get those for a while is another disappointment! I'm appalled that this is such an easy fraud to commit and that this article is almost a year old and Sainsbury's appear to have done nothing about it!
Had 10,500 points stolen yesterday. Someone used them at Sainsbury's Walthamstow in store and at the petrol station. Seems it's not a rare occurrence! Receiving a new card and awaiting points back on the card in 10 days' time. This must be costing Sainsbury's in the long run… step up security!
I have just discovered my balance of 10,000 points were stolen in Ladbroke Grove on 21st December, this is about 120 miles from my home location.
Reported today and advised that a new card and reinstated balance will be sent to me.
I was initially paranoid as to how the points were stolen – I do not use a physical nectar card and my phone has not been compromised.
My thoughts are that there are dishonest people working within Nectar who have access to balances and target people with enough points to make the crime worth their while.
The method mentioned in the article is valid, but would surely take so many attempts to discover big balances to steal?
They seem to be able to locate these balances consistently.
Two factor verification on redeeming balances over a certain amount would surely be a cost effective method to reduce these crimes.
I had nearly 50,000 points stolen from my Nectar account on Christmas Eve, one half in Ladbroke Grove in London and the other near Derby. I've been reading comments others have left and am shocked to see how long ago this all started. I can't understand how Nectar have not made their accounts more secure, as there are a lot of us upset that, through no fault of our own, our Nectar accounts have been breached and emptied.
Tomorrow I will start the arduous process of sorting this mess out.
Just had an email tonight saying I'd redeemed 23,000 points in Dulwich, a place I've never been to.
From the activity it looks like someone spent 2 quid and scanned the fake card so got a receipt showing the points I had.
5 minutes later they are all gone. It's 9.55pm so I can't contact Nectar.
Before Christmas I went to check my points balance as I usually put it (normally between £40 and £50) towards my “big” Christmas shop. However, I only had about £7 of points. I was pretty sure I hadn’t used them myself during the year but was too busy with serious ill health issues in my family before and through the Christmas period to do anything about it. Today I thought about the points again and decided that the reason I had few points must be because, unknown to me, Sainsbury’s must just have downgraded the Nectar points, giving you fewer for each £1 spent. However, I decided to google Nectar points and noticed a few news articles from as early as January 2024 talking about how some people’s Nectar points were being stolen.
I went onto the Nectar App and clicked on the Activity section where I could see all my points awarded and/or deducted for all of 2024. To my surprise I found out that some of my points had been redeemed on 16th October 2024. Using my Nectar card number someone had bought something worth 1 point in Sainsbury’s, Kettering, England. (I live in Northern Ireland and have never been to Kettering.) Apparently, this enables the fraudster to get a receipt which then shows how many points I have available to spend. The Activity section in the App then shows 2 separate deductions of 1000 points, also in Kettering, and a further deduction of 4000 points at Sainsbury’s Heaton Newcastle Petrol Station. The App also shows that I was in my local Sainsbury’s on the same day for which I received 70 points and a Bonus Reward of 20 points. I clearly wasn’t in both places at once!
I phoned Nectar this morning. They said they would “open an investigation” but didn’t sound at all surprised at my problem. They said they would issue me a new card and would transfer my existing points balance to it along with restoring the missing points and this should be done within the next 10 days.
I have decided that in future I shall just spend any points I get as soon as I get them. Sainsbury’s needs to get their act together and take steps to prevent this fraud. I’m annoyed that with a new card I will seem like a new customer and I will lose the special offers tailored to me and the things I usually buy.