Recently there has been a series of Shoppers Drug Mart Optimum Points thefts that were a result of several factors, including people giving out their Optimum account numbers without knowing that is almost enough for their accounts to be hacked into. Although the reasons behind the thefts can be attributed to poor judgment on the customer’s side, I believe there’s a major loophole in the Optimum points system that attracted so many scammers. So I decided to investigate the root of the problem:
Why are Shoppers Optimum points so easy to steal?
First, I analyzed the online login system, which can be found here.
As a Computer Engineer with more than 8 years of experience in developing (programming) websites, I figured I’d be able to understand the backend and the logical problem behind the system. However, I quickly learned that it doesn’t require backend analysis, or in fact much computer knowledge at all, to see the huge loopholes and problems in the system.
At login, after inputting your Shoppers Optimum Card number, you have 3 options to log in:
- Date of Birth OR
- Postal Code OR
- Password
The very simple combination of Shoppers Optimum Card number and postal code are two things that are relatively easy to get.
Another potential weakness in the system: the Shoppers Optimum Card number is not really a secret. Although Shoppers Drug Mart is finally starring-out the Optimum number on receipts, it didn’t do that in the recent past. And unlike credit cards, I never personally felt or treated my Shoppers Optimum Point Card number as a secret. I think many people share the same feeling, and have operated the same way.
Furthermore, customers don’t feel secure entering their date of birth on the website. Unfortunately, it’s just a very poorly designed website system.
And a weak system leaves the door open for scamming and social engineering, the art of manipulating people into performing actions or divulging confidential information.
One Shoppers customer recently provided a nice illustration of what’s at stake and how easy it is to become the victim of Optimum Point theft on the Shoppers Facebook Fanpage:
I have many different cards in my wallet and I really do appreciate the Optimum Points program. However even though I have not given out my card number to anyone, I am very aware that the simple act of leaving my Optimum card on the counter or losing my wallet means that the points could be gone in the blink of an eye. No identification whatsoever is required to use the card and just a postal code is sufficient to access my account. For those whose cards have 350,000 points on them it is like carrying close to $1,000 cash in your wallet. Not something most of us would do.…
I only have ne SDM card and I have read suggestions that we should have 2 one we keep loaded and tell no one the number, the other we keep minimal points on. How do we go about getting a second card, sian’t it one per person? How do you get around this?
Perhaps, now is a good time for everybody to change their password. If you did use your Date of Birth, you my want to use a date which you always remember like your parents, siblings or friends. I rarely use my date of birth for anything unless actual physical proof of ID is required for claiming actual prizes from reputable companies, but use a combination between mine, my dog & my sibling for most accounts from P & G to J & J, etc. As for postal code for the security password, again, never use that as we’ve just seen what happened with the Optimum pts, but perhaps a childhood one where you’ve lived at for years or even your parents’ postal code. Also, I think if your Optimum card hasn’t been compromised, it’s time that we all get another Optimum Pts card to leave at home & with our existing cards to transfer the majority of the pts over to the new one & treat it like a Savings account & just transfer the pts over when you know you will be redeeming, especially if you have OPtimum Plus status & don’t want to jeopardize that if you’ve worked so hard to attain it. I hope some of these suggestions can help my fellow SCers and I’m so sorry to the people you who have had their points stolen. I’ve read in some posts that the security camera may have caught some images of people using these stolen points & do hope that these people will be prosecuted to the fullest.
I am very interested to see whether there will be any response to my post (quoted above) on the SDM website. I have already applied for a second card in my husband’s name and will promptly transfer every point I earn to his card which will be kept locked up at home and only brought out for redemption. This should not be necessary.
I CANNOT BELIEVE the requirements for logging into the Optimum webpage.
Wow, thanks for writing this all up. I’ve recently started strategically saving and earning points like many of you do on this site and appreciate this information. I’ll be doing some of the things the first commentor mentioned to protect my points.
We need eveyone signature and wishes sent to Shoppers so they might protect our points better. I feel so bad for the ones that lost points and I no longer feel like mine are money in the bank it’s more like I’ve left my purse on the bus.
It is horrible that many people have had their Optium points stolen. I know I would have freaked out if it happened to me.
My fear is that Shopper’s will realise that the cheapest & easiest way to remedy this situation is to simply stop allowing the transfer of points between accounts. This would totally suck! I like being able to pool my points and my spouse’s points onto one card.
Just my 2 cents.
How about you just stop sharing your number.
Why not all write to SDm and tell them they should improve their system? If they receive a ton of emails, maybe this matter will go up in their to do list…
Thanks, I will take this to SDM today when I go speak with the Manager! SDM is not handling this well.
If your wallet was stolen they can enter your postal code and get all your points. Changing your password does not help as you only need to provide 1 of the 3 choices.
Maybe just do not carry your card with you unless you plan to visit SDM that day. We were told not to carry your SIN or your home alarm card, birth certificates or credit cards around unless you need to use them that day. I do it and would not be so much at a loss if my wallet was missing.
Um.….so did you send off this letter to Shoppers HEAD OFFICE?
I would email it AND fax it to them:)
When you transfer your pts to someone you recieve an email that tells you there 1st/last name and email. Can’t shoppers just contact whomever stole it with that info? If this gets to out of hand, Shoppers will just cancel the optimum program all together. It is a bonus for there customers, and if they have to fork out too much time/money, it won’t be worth it to there company! I would suggest all the people that share on here with strangers have 2 cards, one for sharing, and your real one. This has 2 benefits, if someone tries to steal pts, there won’t be any there and 2 if shoppers catches you, they’ll take away the card with not very many pts.
What a great reminder for us not to be so passive when we hand cards to the cashiers or friends, or whomever.….it really is up to the cardholder to be diligent in safe handling of all our cards!
Thanks for posting! HOpefully SDM hears the concern & beefs up their website security.
Wow, blame the consumer for having their points stolen. “poor judgement on the consumer side”.
That’s as bad as saying “she was wearing skimpy clothes”.
Neither of these should be reasons for crime.
What about the people who stole the points in the first place? Are they not responsible for anything?
The first time I logged into the site, that what I thought about it too. Wow, thats the easiest sign in ever! I agree they do make the site too easy.
However I dont believe SDM has the responsibility to investigate your claim. I believe it is up to the consumer to protect their stuff, or it is a police issue. Thieves are crafty people, some are very smart and will target you. But that is a police matter.
I can see how some could view it like $1000 cash, but its more like a gift card. If you leave your gift card on the counter, or your wallets stolen, its GONE! The thief doesnt need to go to the website, he can just wait in line to claim points.
They are not going to I.D every customer with an Optimum card, for one, my fiance, and my brother and sister-in law use mine. There are plenty of rewards programs out there, and this is a bonus given to us as an incentive to shop there.
So all in all I agree They need to update their site to a password. However I believe if someone stole your points, It is a police matter.
I don’t pre-plan every trip I make to SDM so taking the card with only when I plan to use it is not viable. I often pop in to buy a gallon of milk or a loaf of bread or I go in during my lunch break at work. The security on their website should not be minimal as to make this necessary. I certainly do not have to do this with my other reward cards
so since it is their policy not to trade points. Will SC remove this as an option for trading coupons?
Maybe people should just stop sharing their points/optimum card #s? That seems to be the reason that the points were stolen. Seems more like consumer problem and not Shoppers’ problem? If people were following the rules and not trading points, then their points wouldn’t have been stolen. Seems like an easy solution to me!
@Boo — Have you sent a copy of this post to SDM? Call me a cynic, but I doubt that they’d care since it’s pretty much a franchise with the pharmacists owning the store. So why would they care about this detail, when they’re just about making money?
As for the theft, I’d probably be the best victim! I don’t really keep track of how many points that I have.
I agree that point shouldn’t be traded and I can see SDM saying that to that end they will not be replacing points for people who gave out their card number. But the bigger issue– one that rises above the points theft– is the lack of protection of personal information. Find a card, guess a postal code and voila! a full name, address, email birthday and phone number for a person– more than enough information to begin accessing many, many other accounts.
I feel terrible for everyone that has had their points stolen but it shouldn’t have taken something like this to expose a major flaw in their protection of consumer privacy.
It’s against SDM rules to trade points with people other than friends and family. I think the poster here is trying to avoid that part of the problem, because people on smartcanucks trade points all the time, this site is facilitating a very easy system for this.
I feel bad for all the people who lost their points, yes the system should be improved for sure. However, people should be more careful with whom they share their points, then this wouldn’t have happened in the first place?
The poster is trying to place blame on the system, without talking about the clear issue here… trading of points. Don’t trade your points, don’t lose them! simple as that. This post just annoys me.
They are getting rid of the program by 2016 I believe.
If you trade points with strangers and then get your points stolen (even if it they were stolen by someone outside of points trading) they will not give you the points back in most cases as you broke the TOS
If you do not trade points at all and have your points stolen they are more likely to help you as you have not broken their TOS or shared information with anyone.
If you only share between close friends and family (as they suggest) you shouldn’t HAVE to worry about points being stolen as they are friends and family.
Also It would be a shame if shoppers got rid of this as a LOT of people only shop there for points. Otherwise their prices are extremely high and very ridiculous. Why not just buy at places you can get PC points and don’t have to wait for sales for reasonably priced items
The issue here isn’t people trading SDM points. The problem is that SDM has a horrible log-in system and it needs to be changed, just like Boo said. Plain & simple, they need to implement an e-mail and password log-in system.
and you laura annoy me
There are some that had points stolen that HAVE never shared their number… sc or anywhere. Explain that.
I read the thread and am sympathetic to everyone involved. Some people lost more than 95,000 points!
People were calling out other members, then blaming a moderator, then blaming Shoppers. It’s understandable why they would be angry, but I would like to offer my opinion: the people who stole the points were the jerks, and they are the ones who should be blamed. There has been so much hate for everyone — except the thieves themselves!
Please stop blaming each other — you are all victims here — whether you lost points or not.
I don’t see why everyone thinks Shoppers should replace the points that were stolen. Why should they give away $500 in total merchandise (assuming thief used 95,000 for $250)? And now the card owner wants points back to redeem. And how many customers were affected? Does not make financial sense to the company. I agree the security should be updated, and I would bet that they will update it now. And it is really crummy for those who saved their points all year to try and use them for Christmas. But at the end of the day — Shoppers didn’t steal the points from you, someone else did. I would also guess that SDM isn’t telling everyone exactly what they are doing behind the scenes to investigate, that just makes it easier for the next scammer to figure out the loopholes.
Remember those tell a friend promo? Many of you join the chain of link to take advantage of getting more points. I wonder how secure is it to give your optimum numbers to the leaders of the chain.I have never done it.
It would so not be right to stop transfer of points between family members.If people would not give out their info it would not happen and i do agree that there should be a better way to log in where no one else can fig it out.
Agree Sheelly, it is not shoppers fault.
@ Shelly — ‘I don’t see why everyone thinks Shoppers should replace the points that were stolen. Why should they give away $500 in total merchandise (assuming thief used 95,000 for $250)? And now the card owner wants points back to redeem.’
Do you work for Shopper’s? It doesn’t sound like you’re very business savvy — not being confrontational. Of course the card wants & in every way should have their points back to redeem — they earned them. Not the thief, not SDM but the member. The member who suffered a personal financial loss not to mention a federal breach of it’s member’s personal information/privacy entrusted to them due to lax SDM website security.
I know you wouldn’t be talking this way if your bank operated in the same manner and you were out $1000 from your Christmas savings account and worried about future criminal activity as a result of your I.D. theft.
@Shelly — ‘But at the end of the day — Shoppers didn’t steal the points from you, someone else did.’
I repeat, Shopper’s did not steal them — they permitted ‘someone’ else easy access to steal them, member’s addresses, birth dates — even their mother’s maiden name. That’s more than enough information to provide ample opportunity for additional criminal activity under the guise of these members. The responsibility for the safekeeping of all member’s account information rests solely in SDM’s hands.
@Michelle — ‘If people would not give out their info it would not happen’
I trust this comment was made in ignorance of all of the information available. There were victims who have never shared their member information, including this ‘trading.’ Having said that, even victims who are being accused of trading have every expectation and every right to have their personal information safe guarded by any organization or corporation who requires this information to be divulged to them as conditions of membership.
My fore mentioned statements are written with the moral and legal reprehensibility of SDM administration in mind. In this aspect they have failed miserably.
I have worked for Shoppers Drug Mart for 36 years. About 7 years ago I gave up a Cosmetic Managers position to go part time. I love it!! Believe me when I say.. SDM is not trying to “rip” you off with the Optimum Card. This card is loosing them A LOT of money. That is why you will see it disappear in 2014. So while it is here, use it to its full advantage (of which there are many) and enjoy the benefits!!
Let me start by stating that the only time I have transferred points is when I found a card that I thought I lost and transferred the points to my new one. About a week before the mega redemption I checked my points balance. I was able to login in with my card number and password. Just by chance I noticed once logged in that my email was changed.….not even close to any of my email addresses that I have. So I changed it back not thinking too much of it. For some reason two days later I logged in again, I guess I was getting excited and wanted to check again what my points were. Again, email was changed to that other address. So I changed it again. Well when I woke up the morning of the mega redemption before I left I logged onto SC and saw the post about stolen points, freaked out, logged in to check my points. Well, I am very lucky to say they were still there. But this makes me wonder.…if I hadn’t noticed, was this the beginning of someone trying to steal them from me? By changing the email address, if they transferred/stole them, I would never have received an email confirming the transfer? Food for thought for me and maybe others. All in all, SDM Login in system is seriously flawed and needs to be fixed. I remember what the email address was but don’t want to post it in case it was just a system error and I don’t want someones email to start being inundated with threatening emails.…..
Hey Chad, that’s really mature about your comment saying you find me annoying. Did I say that I found the blog author annoying? no I said the post. I am entitled to my opinion just as you are, no need to be rude.
2011 has certainly been a year of cyber security failure. Looks like everyone has gone cheap on the web security front. From leaving basic database injections unsecured to opening networks up with non-hashed password tables.
Sony, PBS, Lockheed Martin, and even the Canadian government.. you have to wonder what these organizations were thinking.
Some SC members have their birthday or birthday and age posted in the SC calendar feature and on the mini statistics on their personal page. You only need an SC login to see this. The info could be used along with the optimum card number to access an optimum account.
There was no “cyber security failure” here, they gave away their acct #s
I wish people would stop complaining about free perks. I remember when I first got my optimum card (the wine colored one) and got my first 10$ off reward, It was a wow moment. Maybe everything was more simple when they didn’t have the optimum website (I’m not sure when they implemented it) I can tell ya I’m the first to complain about anything, but we don’t have to pay for it– they are given to us. And I never get anything from the other stores I shop at.
My points worth $10 were missing thru Shoppers Drug Mart error and I suspect Shoppers DRug Mart. I called them and got nowhere. They could care less. Forget about saving those flimsy receipts that, FADE with time. The only proof they require showing previous balance. So guess what –SDM — for your the measly $10 you refuse to rectify, guess what I do when the flyers come in? You are the first one, I purposely pick up and dump in the Blue Box. I will never shop there ever again.
i wish some of you idiots that think it’s alright to do a pyramid scheme to screw shoppers out of money would give me your card #s, no wonder their prices are higher than everyone else
Their products, including Rx’s were overpriced from their start up and remain so today.. Many have had to adjust prices drastically, usually when a Wal-Mart or other such type store opened in the vicinity, however you’re correct they are still higher
Thus the rational behind developing and promoting the Optimum Program was designed & promoted to assist with maintaining or increasing their client base — as are most all member/reward programs. It’s a marketing strategy practices by many.
Market analysis’s are relied on heavily prior to launching these types on consumer reward programs to determine and keep abreast of the very small percentage of member’s utilizing the program.