Security News > 2020 > July > Think of a number: A tale of iffy discount codes, supermarket loyalty cards and Hotels.com

Miscreants have been nabbing British supermarket chain Tesco Clubcard discount codes to snap up Hotels.com rewards meant for holders of the retailer's loyalty cards.

The 13-character discount code used the same first five characters, then three numbers for the discount amount, a colon, and then four final characters.

"We'd recommend using longer, less predictable discount codes with more characters which make it harder for cyber-criminals to predict, as well as implementing a limit on attempts for an incorrect entry to prevent brute force attacks of this nature."

Hotels.com is a so-called "3x" partner of Tesco's loyalty programme, meaning those seeking to lob their points its way were in line for three times the value of each pound "Earned" on the loyalty scheme.

We contacted Hotels.com, which said: "This issue was identified and resolved promptly several months ago. Working closely with our partners at Tesco we ensured that only legitimate Clubcard customers were able to obtain and redeem the codes they had earned. No customers of Hotels.com or Tesco missed out on the offer, lost money or Clubcard points as a result."

News URL

https://go.theregister.com/feed/www.theregister.com/2020/07/06/clubcard_miscreants/