BBC Watchdog: Nectar Card Fraud
I was back in the BBC Watchdog studio last night for an item on how Nectar card fraud has been leaving some viewers with a decidedly sour taste in their mouths.
Reports of fraudsters targeting the Nectar loyalty scheme aren’t new, but a recent spate of activity has brought it back to the top of the Watchdog mailbag.
Nectar began rewarding shoppers in 2002, and now around 20 million members collect and spend points at a variety of high-street and online retailers. In February this year, Nectar was bought by supermarket chain Sainsbury’s, which now also owns catalogue chain Argos.
In the fraud, Nectar points are redeemed – often in high street stores – to buy goods. The first victims know is when they try to spend their Nectar balance and find instead that their account is empty. So prolific are the fraudsters that, in some cases, victims have even found they‘be been left with a negative balance.
There are some patterns to the fraud:
- Victims are adamant that their physical Nectar card – which is required to redeem points for goods in store – hasn’t been stolen, mislaid or even in the same town as where the points were redeemed
- Argos appears to be a hot-spot for fraudsters redeeming Nectar points
How does Nectar card fraud work?
That is the million Nectar point question. On the surface, this is very straightforward:
- In order for Nectar points to be redeemed in-store, a card bearing the customer’s name must be produced (as per Argos T&Cs)
- Yet, victims report that their cards haven’t been lost stolen at the time of the fraud – some were even in different countries
So, a natural conclusion would be that the fraud involves card cloning, whereby fake copies of victims’ cards are being made by fraudsters which are then used in-store.
Whatever Nectar knows about the fraud, however, it remains tight-lipped. Its typical response is:
We take security extremely seriously at Nectar and have an active programme of monitoring and remediation.
We ask people to treat their Nectar cards like they do their bank cards, in that if they notice suspicious activity or if it goes missing, we ask that they report it, so that we can block their accounts, protect their points and conduct a thorough probe.
We encourage customers to help minimise exposure to suspicious activity by embracing good cyber hygiene such as using complex passwords for online accounts and changing these on a regular basis.
We have rigorous processes and procedures in place to constantly monitor for fraudulent activity and we regularly invest in new technologies to protect our customers’ accounts.
Two things occur to me here:
- Nectar suggests we exercise “good cyber hygiene”. While that’s always sound advice, reading between the lines here it suggests that Nectar is concerned that its online accounts are part of the fraud. This could be how criminals are able to identify Nectar accounts with large balances.
- Nectar also asks members to treat Nectar cards like bank cards. This makes me angry, as Nectar clearly isn’t meeting its side of the bargain: once Nectar implements chip and PIN, multi-factor authentication and more robust fraud detection on its own systems, only then does it have the right to talk about bank-like security.
How to keep your Nectar points safe
Nectar card fraud is a real cause for concern for its members, but Nectar’s security is not – in my opinion – doing a good enough job of preventing it. As we don’t know for sure exactly how it’s happening, it’s difficult to give specific advice, but here’s what I do recommend:
- Regularly login to your Nectar account online to check your balance for any unrecognised transactions; immediately flag up to Nectar if anything doesn’t look right
- Check your Nectar password is different to any you use for your other online accounts; I recommend using a password manager app to generate unique passwords and keep them safe
Watchdog airs on Wednesday nights, BBC One at 8pm and is available on-demand from BBC iPlayer.
- Comments (0)
Fatal error: Cannot assign by reference to overloaded object in /websites/123reg/LinuxPackage99/da/vi/dm/davidmcclelland.co.uk/public_html/wp-content/themes/mystique/atom-core.php on line 4258