Sainsbury’s shoppers are being warned to lock their Nectar cards to avoid their points from being stolen.
The supermarket was forced to introduce the lock function thanks to scammers draining accounts of hard-earned Nectar points.
Shoppers saving up their points to spend at Christmas or on other special occasions have been left ‘really upset’ and disappointed to find their balance had been spent, sometimes in branches they had never visited before.
The ease with which scammers can access Nectar points was revealed in January, when This Is Money revealed more than 12million points worth some £63,000 had been taken in the year prior.
Despite introducing the account lock back in February, Nectar and Sainsburys customer services are still dealing with numerous complaints about stolen points.
Sign up for all of the latest stories
Start your day informed with Metro’s News Updates newsletter or get Breaking News alerts the moment it happens.
Experts have now issued fresh warnings reminding shoppers to activate the account lock and check their Nectar point balance frequently – especially if you’re intending to save your points for Christmas or another annual event.
Jake Moore, global cybersecurity advisor at Eset, told The Sun: ‘It’s especially important to monitor accounts more often just before Christmas as this is usually when criminals target accounts with points that have been accumulated over the year.’
Consumer expert Martyn James said the majority of customers would be ‘unaware’ their Nectar points had vanished ‘because we rarely look at the app or check the total on our receipts’.
He suggested: ‘Download the latest version of the app and activate the lock feature.
‘But Sainsbury’s need to reassure customers about why this is happening so we can shop with confidence.’
‘I hadn’t even left my house and I lost £60 worth of points’
43-year-old Amber Shuker-Bright said she and her husband lost £60 of points.
‘We do what most people do – save them for Christmas,’ the mum-of-one told Metro.
She realised something was wrong when she got an email thanking her for redeeming 2000 points in Brixton on April 12, but thought: ‘I’m in Putney and I haven’t even left my house.’
The mum-of-one said her husband lost even more this weekend, when scammers spent 10,000 of his points, worth £50, in Camden.
She did not know there had been issues with points theft in the past, or that there was an option to lock her account, saying this should be made more clear.
Sainsbury’s has refunded the couple’s points after checking they were spent outside of their usual area, but sales assistant Amber said she is worried many customers wouldn’t even realise they were victims, as they might assume their partner had spent the points on a linked account.
She said the incident left her worried about how scammers got her details, and what else they may have accessed.
How are scammers able to steal Nectar points?
There are no ID checks needed to spend Nectar points, except at Argos eif you’re spending more than £50.
A loophole meant that anyone with a user’s account number or barcode could potentially spend their points, unless the spend lock feature was turned on.
Last year, Cian Heasley, Threat Lead at Adarma cyber security firm, told Metro previously: ‘The specific nature of this vulnerability hasn’t been disclosed, but it could be that the attackers are conducting a brute-force attack.
‘In this type of attack, malicious individuals, either manually or through automation, attempt to log into a customer reward portal using randomly generated reward account numbers.
‘When they do not receive a “no such user” or similar error message, they know the account is active and can generate a barcode scannable account identifier to spend the reward points.
‘To defend against this attack, app developers should incorporate security measures into the app’s design. For instance, they should require a full login or identity authentication to spend points and ensure that login portals do not indicate whether accounts are valid or not.
‘Limiting the number of login attempts before imposing a timeout can also slow down brute-force guessing attacks.
‘The attackers may also be using credential stuffing, a cyber-attack where hackers use breached account information, like usernames and passwords, to gain unauthorised access to other online accounts.
‘To protect against credential stuffing, it is crucial that individuals do not reuse passwords across different accounts, enable multifactor authentication whenever possible, and consider using a password manager to store and manage passwords for various apps and websites securely.’
How to lock your Sainsbury’s Nectar card
In order to lock your Nectar card, you must download the Nectar app from the Apple store or Google Play.
Once you have downloaded the app and signed in with your Nectar card number, open the settings and click on the ‘lock or unlock spending’ option.
There you can choose whether to lock or unlock the ability to spend nectar points.
Shoppers can toggle between the two options at any time using the app, and can still earn points when they shop even if the spend option is locked.
But users aren’t able to spend their points to get money off their shopping or other deals until the option is unlocked again.
Unlocking should be instantaneous, but it may take a bit longer during busy times or in busy shops – meaning it might be best to unlock spending before you head out to the supermarket.
What has Nectar said?
A Nectar spokesperson said: ‘Nectar is one of the UK’s biggest loyalty schemes, with over 23million members.
‘The security of our customer accounts is our highest priority and the proportion of those impacted by fraud each year is very small.
‘We have a range of measures which detect, and in many cases prevent fraud, including our Spend Lock feature.
‘Our Nectar Helpline team are on hand to support any customer who suspects they may have been a victim of fraud.’
Get in touch with our news team by emailing us at webnews@metro.co.uk.
For more stories like this, check our news page.
