Maximise your Avios, air miles and hotel points

Scammed: How and Tesco lost money via fake Clubcard Deals codes

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

There was a very interesting article published on the CyberNews website this week which is well worth a read.

It explains how and Tesco Clubcard lost substantial sums of money when scammers realised that the codes provided by Tesco Clubcard to get a hotel discount could be generated automatically.

The full article is well written and I recommend you read that rather than I repeat the story.  The article is not entirely correct, however, as I explain below.

This is how the offer was meant to work:

Tesco Clubcard vouchers can be swapped for a credit voucher worth 3x the face value of your Clubcard points

When you redeem, you receive a 12-character code which you input into the website to get your room discount

What could go wrong?

The answer is that the code format generated by was not very complex.  Whilst 12 characters long, the first five characters never changed.  The next three characters were the discount amount in £.  This means that only four characters needed to be guessed.

If you wrote a little bit of code to automatically generate different permutations of four character codes, it was straightforward to find one that worked.

Tesco and fraud

But I think there was more to it …..

The CyberNews article is not correct in how the discount worked. 

The article says that only a few different code values could be ordered with Clubcard points.  In reality, you were able to order vouchers for any amount you wanted as long as it was a multiple of £15.

In theory, this would make it virtually impossible to guess a code since the middle three characters could be anything from ‘015’ (£15) to ‘990’ (£990).

There are two other issues: vouchers were capped at £495 (EDIT: apparently this increased to £750 at some point) yet the scammers were selling codes worth more than this

In the article, a £200 code, bought from a scammer, is successfully used in the trial.  However, it is impossible to have a £200 voucher code from Tesco.  You could only redeem in chunks of £15, so a £200 code could not exist.

This makes me think that the code triggered whenever an ‘active’ set of four characters was found and then applied whatever discount was shown in the middle three digits with no other checks.  ‘Active’ means that had generated a voucher code for Tesco which would, at some point in the future, be sent to a customer.

For example …. someone ordered a £15 voucher and was supplied with the code ABCDE-015-DJ8J.  The scammers created a £200 voucher by using a piece of code to try to book a £200 hotel using the code ABCDE-200-…….’ and then randomly scrolling through different variants of letters and numbers.  There are only (36x36x36x36) 1.7 million permutations which can be tried surprisingly quickly.

Once a voucher code got the ‘accepted’ message, the transaction could be cancelled so the voucher remained active for future use.

If true, this would imply that scammers didn’t even need the computer power to try out 1.7 million codes.  Anyone who genuinely ordered a voucher would have been able to change the discount simply by changing the three numbers in the middle of the code.

Perhaps this was going on too?  Were people ordering a £15 voucher and selling the codes online as offering £500+ off, simply by changing the three middle numbers?  It would be easy to cover your tracks as people sell Clubcard points on eBay.  A scammer could buy points, get the seller to redeem them for multiple £15 codes, change the middle three numbers to increase its value and then resell the code.  Suspicion, if investigated, would fall on the person who sold the original £15 code.

The full story is here.

If you’re interested in learning more about redeeming your Clubcard vouchers for (now far more secure) codes, you can learn more here.

Hotel offers update – June 2023:

Want to earn more hotel points?  Click here to see our complete list of promotions from the major hotel chains or use the ‘Hotel Offers’ link in the menu bar at the top of the page.

Want to buy hotel points?

  • Hilton Honors is offering a 100% bonus when you buy points by 18th July. Click here.
  • IHG One Rewards is offering an 80% bonus when you buy points by 7th June. Click here.
  • Marriott Rewards is offering a 30%-50% bonus when you buy points by 2nd July. Click here.

Comments (54)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • johnnt5a says:

    I suspect the was an open web service that you could use to validate codes against, not necessarily redeem but to check it was valid before committing at the checkout.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.