Tesco has closed down more than 2,000 Clubcard accounts, after their customer names and passwords were hacked and posted online.
The company says it has deactivated a number of accounts, and has contacted all affected customers. With some complaining that their accounts have been cleaned out, Tesco says it will issue replacement vouchers to the "very small number" affected.
Tesco came in for heavy criticism back in 2012 when security experts revealed flaws in the way it handled customer data. It has since made improvements - most recently just last October, when it started requiring customers to enter their Clubcard number as an additional form of identification.
And in this case the company appears to be blameless. The hackers are believed to have stolen the user name/password combinations from other sites entirely. Exploiting the fact that many of us re-use the same passwords on multiple sites, they will have tested these combinations on the Clubcard login.
"Remember, folks: having the same password for different websites is a recipe for disaster. If one site gets hacked, and your login credentials are stolen, then that information can be exploited elsewhere on the web," warns security expert Graham Cluley.
"The most sensible course of action is to use different, hard-to-crack passwords for different sites. If you find it difficult - like me - to remember lots of different passwords - you really should be using password management software."
Anyone who has been hacked should immediately change their password on any other sites they use, using a different one in every case. Software such as KeePass keeps all your passwords securely encrypted in one place, meaning you only need to remember one password to access the full list.
Such bulk hacking of passwords is becoming increasingly common - and incidents are getting larger in scale. Last month, for example, social networking site Snapchat was hacked and 4.6 million passwords stolen. At much the same time, an undisclosed number of passwords for Yahoo's email service were also accessed by hackers.
Indeed, it's entirely possible that the password combinations used to carry out the Tesco hack were harvested during one of these incidents.
The biggest scams of 2013
First Direct found that the most common type of fraud was the 'fake email', which makes up 53% of all scams. This is also known as phishing, and involves the fraudsters contacting you, requesting personal information like passwords and PINs.
They use all kinds of methods to persuade you to reveal your details: from pretending to be your bank, to pretending to be the taxman. Earlier this year HMRC warned people to watch out for scam emails promising tax credit refunds in return for account details - timed to coincide with a major advertising campaign to remind people to renew their tax credits.
This is an old and established scam, but is the second most prevalent in the UK this year. It involves someone getting in contact with a sob story, and asking for a sum of money in return for paying you a larger sum. If you pay up you may get requests for more cash but you will never receive a payout.
This year the horrible twist on the scam was that the gangs pretended to be a victim of the war in Syria, in desperate need of money and able to pay you from money hidden overseas, once you give them enough money to escape the country.
This is a new take on phishing, which Financial Fraud Action warned about in August. They said victims receive a cold call asking for personal or financial information. Some 39% of all people targeted by these calls said they found it difficult to tell if the person was genuinely from their bank or whether it was a scam. First Direct says this is the third most prevalent type of scam.
Duplicating your bank cards made up 14% of fraud this year. Old-fashioned card scams are actually on the rise this year. The experts say that the introduction of chip and PIN means 'crude scams' are back in vogue, where criminals distract people in shops and bars, or shoulder surf at cash machines and then steal customers' cards without them noticing.
These also make up 14% of all scams. You receive an email telling you that you have won a lottery. All you have to do is get in touch with the 'claims agent', to whom you'll need to pay a 'processing fee' or a 'transfer charge'. These 'agents' are all criminals, who will just take your money and run.
We warned in November of a boom in phoney research calls. Boiler room operatives will call pretending to be university researchers looking into investor confidence. In fact, they are just trying to find out how best to exploit you: asking how much cash you have, your attitude to risk, and determining whether an appeal to greed would work.
Back in May we warned that you could receive a telephone call out of the blue from someone claiming to be from Microsoft. The scammers were using a variety of techniques to extract money from their victims. These included infecting computers with malware and charging to remove it, charging people a fortune for help they didn't want or need, or even just asking for their credit card details.
This is not a new type of scam. For years now different types of Trojan viruses have been embedded in various web pages and links. If you click on the page or link you're taken to malicious websites, which install a virus. The virus then quietly sits on your computer, stealing passwords and account details until it has enough details to empty your bank accounts.
This scam took two very popular forms this year. The first was a link sent in an email pretending to be from Facebook, and inviting you to click the link. When you did, it would install the virus and then send the link to your Facebook friends.
The other form was a page with a fake YouTube video in the background, which claimed to show Rita Ora's famous wardrobe malfunction. However, the site prompts you to enter your Facebook details, so you can see the video and 'personalise your experience'. The criminals then have access to your Facebook account.
As the jobs market continues to be tight, the job offer scam is still a real risk. Financial Fraud Action issued a warning about fake online job offers, which could turn innocent job hunters into unwitting money launderers.
The jobs offered are called things like "payment processing agents" or "administration assistants". They involve the payment of the proceeds of crimes into your bank account. You then pay the cash into an overseas account, effectively hiding the money and laundering it for criminals. In return you receive a share of the money. This is a criminal act.
These reached a peak this year after One Direction collected their Brit award and announced a World Tour - and demand for the tickets exploded. The scammers set up fake sites offering tickets to sold-out gigs. Desperate fans trawling the net would stumble across them and take a risk. They handed over hundreds of pounds, the criminals took the money, shut the website, and ran.