The awkward lack of security with the Nectar loyalty card
My mum recently had nearly all of her Nectar points redeemed by someone in a completely different region from where she lives: most of the points were emptied from her Nectar account at a Sainsburys store in Tooting, London. She didn’t fall victim to a scam, her Nectar account wasn’t breached, and the account had a unique password from her password manager (1Password). Yet the large majority of her points were stolen by an unknown individual. How did this happen? I wanted to find out, and it led to a few interesting discoveries about the Nectar loyalty card and its very easily exploitable design.
Nectar account security
The first obvious area with any online/digital account is its password. In this case, the Nectar account has a unique password generated by 1Password. Nectar also has a form of multi-factor authentication on account logins: a new/unknown device triggers a one-time code sent to the registered mobile, which adds a layer against credential stuffing or another site’s breach compromising the account. While 1Password showed a modified date on the Nectar entry in the vault which did not align with any action my mum had taken, I was confident this wasn’t anything sinister and put it down to some process of 1Password itself. Her password vault is equally secured with multi-factor authentication, so you’d know very quickly if someone was trying to get in. The Nectar account was secure, so what are the other vectors? Looking into it a bit more, it turns out the Nectar account is somewhat of a companion to the Nectar card and isn’t really the problem.
Analysing the Nectar card
Looking at the Nectar card system itself, it features a 19-digit card number, but the unique part is actually an 11-digit number for each customer. The first part is always the same, 98263000, followed by the 11 digits of your unique number. For newer Nectar cards, there is also a barcode on the back; I will come back to that later. My mum happens to have a very old Nectar card, one of the throwback designs which just has the number on the front.
This card has always been in my mum’s physical possession; it has never been lost or misplaced, so this also rules out someone just walking off with it and going on a spending spree.
I turned to the barcode on the back of my own card (which is much newer) to see what data was hiding in it.
The back of my card (with sensitive information masked for obvious reasons) has your name, full card number (the initial prefix and the 11-digit unique number) and then a barcode (blocked out in red).
I guessed it would be the card number, or rather the unique 11 digits printed on the card, encoded in the barcode, but would the barcode be easily readable? The answer: yes, quite easily.
Using the original resolution of the same picture visible above, I put this through zbarimg, which can scan images and decode various barcodes (e.g. QR codes), and with a single command the answer is clear. zbarimg tells me the type of barcode is CODE-128 and the value encoded is 299, followed by my 11-digit card number. I’ve obviously masked it, but you’ll just have to trust me that’s the data hiding in it.
I don’t know much about barcodes, but doing a bit of quick research, CODE-128 is a common type used in a variety of scenarios. It is described as a linear barcode, and one of its most popular implementations is in shipping, i.e. tracking items using a subset of this barcode type called UCC/EAN-128, so you’ve likely seen it before. It appears CODE-128 can only store alphanumeric or numeric-only data, which in the case of the Nectar card is numeric-only data.
If the barcode is simply a number value encoded, the readers at stores like Sainsburys aren’t doing anything special when you scan your Nectar card for either collecting or redeeming points, the redeeming side being the key focus here.
This reveals a bit of a major flaw: the security of the card is… the 11-digit card number itself. That seems like something which could be abused, and it appears that’s exactly what has been happening for at least 10 years, judging from the articles/forum threads I’ve come across about Nectar card fraud. Yikes. I guess I’d never looked into the Nectar card too closely, but people’s Nectar points being redeemed halfway across the country from where they live is something that has been ongoing for a long time.
With no additional authentication or other piece of data unique to the card owner, there is nothing to stop someone from creating a CODE-128 barcode of any Nectar card number with the proper value encoded and scanning that instead at any store using the Nectar loyalty card. There are no checks or authentication beyond whether the Nectar card number is valid. I even came across a post from someone who was fed up with the number of loyalty cards they have and decided to create their own barcode to put on something they always carry, which is fairly easy to do. I mean, they aren’t wrong; have you tried shopping at Tesco lately without a Clubcard? Those Clubcard prices… tempting. The premise behind a DIY loyalty card barcode was totally innocent, but it opens the door for abuse.
How did someone get my mum’s card number?
Now we know about the non-existent security on the Nectar card, the question remains: how was her Nectar card number used by someone else?
It’s an interesting question and I think there are a few possibilities. Guessing the number doesn’t seem likely given the total number of 11-digit combinations is 9,999,999,999, that’s nine billion nine hundred ninety-nine million nine hundred ninety-nine thousand nine hundred ninety-nine. That’s a 1 in 9,999,999,999 chance of it being possible, although the algorithm behind generating a valid card number is not known, which may cause some sequences to be discarded/invalid, so the actual number of combinations isn’t truly known, at least in the public domain.
There are some other possible ways:
- Enumerating over combinations of 11-digits with software to test random combinations which happen to match Nectar card numbers.
- The possibility of someone cloning your Nectar card.
- A bad actor within Nectar doing bad things.
- In-store fraud/cloning
- Nectar partner fraud
I want to state that I’m 99.9% sure that employees of the likes of Nectar and partners like Sainsburys and other stores which use Nectar are lovely and unlikely to be running some Nectar card racket. A long time ago it did happen, but that was someone with high-level access to internal systems. There are reports of Nectar points being stolen by employees as an inside job, but proving it is often the difficulty. It’s technically plausible, with very little digital trace available to make it easy to spot. One major marker in that scenario is likely an increased rate of reports of points being redeemed by someone who is not the original card owner, where the redemptions keep occurring in the same area. However, what’s to stop somebody processing your transaction from passing your Nectar number on to someone else? After all, it’s just a number.
Enumerating over 11-digit combinations was an angle I was interested in exploring to see if it was possible. There might be a vector for this, but it is also likely to be limited. The Nectar mobile app allows you to check for a valid Nectar card number using the following screens, without being logged in or having created an account first.
Following the path of:
- Register.
- Yes — Have a Nectar card or have done in the past.
- Enter card number manually.
You will be presented with a screen which takes an 11-digit number, but crucially it tells you whether the input is valid or not. You do not need to have an account logged in or set up to do this, so this check is unauthenticated to an extent. You could use this to try combinations of 11-digit numbers, perhaps finding a working one. Doing this manually would take far too long, but writing an app to repeat this is a more viable option.
As previously mentioned, the number of combinations to try is vast, and I suspect there’s rate limiting/unusual traffic detection that would eventually stop this from being possible and start to block you. The Nectar app certainly detects VPNs and refuses to complete requests when one is active; it can also detect jailbroken/rooted devices and uses TLS certificate pinning to make TLS inspection very difficult (but not impossible).
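As an added illustration of the kind of rate limiting suspected above (my own code, not Nectar’s; the card numbers are placeholders and the thresholds are assumed): a sliding-window guard in front of an unauthenticated card-validity check that stops answering a client after a handful of invalid lookups and raises an alert for the fraud team.

```python
import time
from collections import defaultdict, deque

# Constructed placeholder set of card numbers the backend would know about.
VALID_CARDS = {"10000000001", "10000000002"}


class CardCheckGuard:
    """Sliding-window limit on *invalid* lookups per client (device id or IP)
    in front of an unauthenticated 'is this Nectar card number valid?' check."""

    def __init__(self, max_invalid=5, window_s=600, lockout_s=3600):
        self.max_invalid = max_invalid      # assumed: invalid lookups allowed per window
        self.window_s = window_s            # assumed: window length in seconds
        self.lockout_s = lockout_s          # assumed: how long a noisy client is throttled
        self._invalid = defaultdict(deque)  # client -> timestamps of invalid lookups
        self._locked_until = {}             # client -> unix time the lockout ends
        self.alerts = []                    # what a fraud/SOC team would see

    def check(self, client, card_number, now=None):
        """Return 'valid', 'invalid' or 'throttled'."""
        now = time.time() if now is None else now
        if self._locked_until.get(client, 0) > now:
            # A throttled client learns nothing, not even for a real card number.
            return "throttled"
        if card_number in VALID_CARDS:
            return "valid"
        window = self._invalid[client]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.max_invalid:
            self._locked_until[client] = now + self.lockout_s
            self.alerts.append(f"{client}: {len(window)} invalid card lookups "
                               f"within {self.window_s}s, possible enumeration")
            return "throttled"
        return "invalid"
```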
More likely, and requiring less effort, is the cloning angle: simply having a picture of the card, the barcode or the card number itself would be enough to essentially control it. With a unique 11-digit number in hand you can generate your own barcode with someone else’s Nectar card number encoded and away you go. I read there may be a requirement to scan first at a store before you can redeem, but I don’t know how accurate that is. Ultimately, with a valid Nectar card number you control the points on it. With the rise of self-service machines, there isn’t even any human interaction required for many redeem actions either.
What could be done to make things more secure?
The points redemption process in particular seems very easy to abuse. Given the design of the Nectar card there might be limited options, but at minimum, for any larger redeem transaction, a multi-factor approach of sending a prompt to the Nectar app on the registered owner’s device to confirm the transaction seems like one way to prevent this issue. Seeing an unknown transaction from an unexpected location would quickly raise the alarm. Likewise, any redeem action from a location that deviates from the usual pattern could equally be challenged, given all this data is already tracked and recorded by Nectar, and this could be another way to stop this type of abuse of the system. There is a challenge with this, however: the Nectar card can be used without ever being linked to an online account, i.e. an email address, but these days for Nectar partners and the Nectar app itself it is a disadvantage not to do this, even if they absolutely rinse you for all your spending/shopping habits. It is pretty commonplace for many services to essentially mandate having an account linked to either a mobile number or email. Nectar technically doesn’t enforce this to use your Nectar card, but they could, in order to provide additional security and fix some of the issues.
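An added example (my own code, not Nectar’s) of the checks proposed here together with the marker mentioned in the insider-fraud discussion above: a redemption above a size threshold or from an unusual location is challenged with an app prompt, and an area where disputed redemptions keep clustering counts as a further reason. The store area field, the thresholds and the card numbers are assumed placeholders, and the card is assumed to be linked to an app that can receive the prompt.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Redemption:
    card: str        # 11-digit card number; sample values below are placeholders
    store_area: str  # coarse store location (town or postcode district), assumed field
    points: int


# Constructed history: this card has only ever been used around one home area.
HISTORY = [
    Redemption("10000000001", "HOME_TOWN", 150),
    Redemption("10000000001", "HOME_TOWN", 320),
    Redemption("10000000001", "NEARBY_TOWN", 80),
]
# Constructed: redemptions that other cardholders have already disputed as fraud.
DISPUTED = [
    Redemption("10000000002", "CITY_STORE", 900),
    Redemption("10000000003", "CITY_STORE", 1200),
    Redemption("10000000004", "CITY_STORE", 700),
]

LARGE_REDEEM_POINTS = 1000   # assumed threshold for a "larger" redemption
HOT_AREA_MIN_REPORTS = 3     # assumed: disputes per area before it is flagged


def usual_areas(history, card):
    """Areas where this card has previously been used."""
    return {r.store_area for r in history if r.card == card}


def hot_areas(disputed):
    """Areas where disputed redemptions keep clustering (the 'same area' marker)."""
    counts = Counter(r.store_area for r in disputed)
    return {area for area, n in counts.items() if n >= HOT_AREA_MIN_REPORTS}


def decide(attempt, history=HISTORY, disputed=DISPUTED, app_confirms=None):
    """Return (decision, reasons). 'challenge' means push a confirm prompt to the
    registered owner's app; app_confirms is the simulated answer (None = no reply)."""
    reasons = []
    if attempt.points >= LARGE_REDEEM_POINTS:
        reasons.append("large redemption")
    if attempt.store_area not in usual_areas(history, attempt.card):
        reasons.append(f"unusual location {attempt.store_area}")
    if attempt.store_area in hot_areas(disputed):
        reasons.append(f"area {attempt.store_area} has clustered fraud reports")
    if not reasons or app_confirms is True:
        return "allow", reasons
    return ("deny" if app_confirms is False else "challenge"), reasons
```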
Going further, another more radical option would be to implement a chip inside Nectar cards that can offer more security and storage capabilities. Implementing a layer of encryption or key signing, so that the card data is no longer in plain text, would stop anyone from easily producing valid barcodes. This would of course require a major change to pretty much all parts of the Nectar loyalty card scheme (new cards, readers/scanners and processes), something unlikely to be implemented. As Nectar is unlikely to ever be classified as sensitive enough, or of significant monetary value like a bank account/bank card is, there are no enforceable financial standards or regulations to comply with. Just disgruntled Nectar card owners when their points suddenly vanish in a place they’ve likely never been or possibly ever visited.
Nectar fraud (a phrase I thought I’d never write about) is something that Nectar itself appears to be aware of, and they likely know of the issues and limitations. Reading the experiences of those unfortunate enough to be in a similar situation, they thankfully don’t appear to have had many issues getting Nectar points reimbursed, with even additional bonus points added for the inconvenience, so there’s that. At least Nectar is happy to make good on the situation, but you do wonder if the system itself is making it all too easy for this to be possible in the first place.
In the case of my mum, she reported the fraud and Nectar were more than happy to register a new card number after confirming some details on the account that the now-flagged Nectar card was registered to; a new card number was provided by SMS and the physical card is in the post. Nectar have opened an investigation into the fraudulent transaction that was flagged and look to be refunding the redeemed points, and will provide 2000 additional points too. I assume for their investigation they will review patterns of points activity and, if they see a significant deviation, they are likely to be reasonably confident it is a genuine case of fraud and simply refund with some bonus points. It is then a win-win scenario: it makes the innocent party happy, and Nectar get to come across as the nice loyalty card company. Of course, it does help that Nectar points are not directly actual monetary value, otherwise the matter and the security aspect would be rather more serious.
Perhaps the truth is that it costs less for Nectar to reimburse points with an additional bonus when this happens than to change the system or implement additional measures. After all, the Nectar points to monetary ratio is 1 Nectar point = 0.5p, so 100 points = 50p, 200 points = £1 and so on, compared to GBP where £1 = £1! While Nectar does seem to compensate most situations without major issue, there are people getting away with redeeming points for goods, converting them into monetary value that is unlikely ever to be recovered, which ultimately Nectar is just writing off unless they implement better measures to curb the issue.