How we had our Nectar Points stolen, and this is how yours will be too (kiphakes.com)
83 points by edent 10 months ago | hide | past | favorite | 131 comments



My mother's Nectar card was stolen by the cashier in Sainsbury's about 12 years ago.

The cashier was taking cards with a high points balance (she had the equivalent of over £100 on the card), and swapping them with a new, unregistered card.

We reported it to the store and they could see this happening on CCTV, so the cashier was fired. They gave my mother a Sainsbury's gift card for the monetary value stolen, plus a goodwill gesture.

Personally, my lesson learned from all of this is to spend loyalty points/rewards ASAP. While there are some "double up" offers every year that reward saving up, these are less common than they used to be. I think Sainsbury's ran a trial last year where only some people could use the "double up" promotion.


The other part of this about “saving” points for anything that I’ve learned is that they will generally never increase in value. Most companies are not going to give millions of dollars away by doing that, so it’s usually worth it to spend the points as soon as you can, to recognize their current value (and not less.)


I've always wanted somebody to calculate the inflation rate of the frequent flyer programs I've been a member of.


Today they would most likely say they'll "look into it" and that would be it. Then you would get a boilerplate message (indicating they didn't read your complaint) and that they are sorry and ask for an address to send some gift card. If you point out they didn't read your complaint, you'll get no further response.

Customer service is more than useless across the board.


Except the article has:

> Sainsburys DID send us a new card with our points back on it after a few weeks, and a thousand or so for the inconvenience.

And at a local shop (not a "customer service assistant" on the phone having to follow a script) people are usually quite helpful, especially when (potential) theft from an employee is involved, which tends to be taken quite seriously.

This is just generic undirected negativity and cynicism.


Your comment is disingenuous as you cherrypicked a sentence from the article.

Further it goes like this: "But it meant that with our new card we were seen as ‘new’ customers, so all the carefully algorithmically picked shopping items that we buy regularly and got extra Nectar Points on, or Nectar Prices were forgotten. It’s taken MONTHS for us to get the new card to learn what we buy, and give us relevant offers based on it."

So clearly the customer service had no understanding of the issue and it suggests it took them weeks to issue a new card - from what I gather - after the author created a video, but that doesn't seem clear.

But that matches my comment - his problem has not been resolved and it took weeks.


Hence why you post it to social media so PR, who is empowered, has to deal with it, rather than CS, which is not.


> someone actually had £1000 taken. They actually only had £250 worth of points in their account – however, because the Nectar points balance doesn’t refresh immediately, the fraudsters hit their account 4 times in quick succession. Leaving them with a debit of £750 in their Nectar account balance.

It's astonishing that of all the software engineers involved in programming and reviewing this system, not one of them thought to lock the DB records to prevent this (or worse, someone ordered them not to for some reason). It's so simple to do and should be top consideration when dealing with financial transactions.


I'm sure all of them thought about it. But they were then told the terminals used for scan & shop or the self-scan kiosks need a bit of slop in them to make them appear more reliable, meaning to work "offline" for a short span of time. It is a trade-off between serving real customers (meaning the majority) well but with the downside of benefiting fraudsters.

All systems have trade-offs like these. It reminds me of the phrase: "Anyone can build a bridge, but it takes an engineer to build a bridge that barely stands." That applies here. Any student can build a system with locking database records, but then when thousands of people's cards don't work for minute-long lockout periods, you aren't the one doing the CS calls or getting yelled at.


The system originally worked on an overnight batch processing basis.

Each store would have a local copy of the card balances - but only for cards that had been used in that store in the past 12 months.

The first day you scanned your card in a store, you could only collect points (not redeem them).

By the next morning, your card would be included in the local database and you could redeem points - with the vulnerability that each store had its own database, and therefore you could redeem the points in multiple stores.

I thought this had been improved in recent years, but maybe not.
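To make the failure modes discussed in this thread concrete (the quoted incident where four £250 redemptions landed on a £250 balance because the balance "doesn't refresh immediately", and the older per-store batch design described just above), here is an added Python/SQLite example. It is not code from the article, from Nectar, or from any commenter. The card id, the SQLite schema and the point amounts are constructed; the 0.5p-per-point rate is taken from a later comment in the thread (2931 points = £14.65). It contrasts a check-then-write redemption with an atomic conditional update, and models the nightly reconciliation of per-store balance copies.

```python
"""Double-spend of loyalty points: vulnerable check-then-write vs atomic update.

Constructed example, not Nectar's or Sainsbury's code. Account data below is
invented; the points-to-pounds rate comes from a comment in the same thread.
"""
import sqlite3

POINTS_PER_POUND = 200                   # 2931 points = £14.65 (from the thread) => 0.5p per point
CARD = "card-00000000001"                # constructed card id, not a real account number
START_POINTS = 250 * POINTS_PER_POUND    # the £250 balance from the quoted incident


def new_db(points: int = START_POINTS) -> sqlite3.Connection:
    """One account in an in-memory SQLite database (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (card TEXT PRIMARY KEY, points INTEGER NOT NULL)")
    conn.execute("INSERT INTO account VALUES (?, ?)", (CARD, points))
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, card: str = CARD) -> int:
    return conn.execute("SELECT points FROM account WHERE card = ?", (card,)).fetchone()[0]


def redeem_check_then_write(conn: sqlite3.Connection, snapshot: int, amount: int,
                            card: str = CARD) -> bool:
    """Vulnerable pattern: eligibility is decided on a balance the terminal read
    earlier (`snapshot`), and the decrement is then applied unconditionally.
    Every terminal whose snapshot predates the other redemptions passes the check."""
    if snapshot < amount:
        return False
    conn.execute("UPDATE account SET points = points - ? WHERE card = ?", (amount, card))
    conn.commit()
    return True


def redeem_atomic(conn: sqlite3.Connection, amount: int, card: str = CARD) -> bool:
    """Hardened pattern: check and decrement in one conditional UPDATE. The WHERE
    clause is evaluated against the current row under the statement's lock, so
    of several near-simultaneous redemptions only the ones the balance covers succeed."""
    cur = conn.execute(
        "UPDATE account SET points = points - ? WHERE card = ? AND points >= ?",
        (amount, card, amount),
    )
    conn.commit()
    return cur.rowcount == 1


def burst(conn: sqlite3.Connection, amount: int, attempts: int, atomic: bool) -> tuple:
    """Model `attempts` redemptions fired in quick succession. In the naive case
    all terminals read the balance before any of them has written (the refresh
    lag the thread describes). Returns (accepted_redemptions, final_balance)."""
    snapshot = balance(conn)
    accepted = 0
    for _ in range(attempts):
        if atomic:
            accepted += redeem_atomic(conn, amount)
        else:
            accepted += redeem_check_then_write(conn, snapshot, amount)
    return accepted, balance(conn)


def per_store_copies(amount: int, stores: int) -> int:
    """The older design from the thread: each store holds its own copy of the
    balance and reconciles overnight. Each store approves a redemption against
    its own copy only; the nightly batch then applies every debit to the master."""
    local_copies = [START_POINTS] * stores
    debits = []
    for i in range(stores):
        if local_copies[i] >= amount:
            local_copies[i] -= amount
            debits.append(amount)
    return START_POINTS - sum(debits)     # master balance after the overnight batch


if __name__ == "__main__":
    pounds = lambda p: f"£{p / POINTS_PER_POUND:.2f}"
    full = 250 * POINTS_PER_POUND
    ok, left = burst(new_db(), full, 4, atomic=False)
    print(f"check-then-write: {ok} of 4 accepted, balance {pounds(left)}")   # 4 accepted, -£750
    ok, left = burst(new_db(), full, 4, atomic=True)
    print(f"atomic update:    {ok} of 4 accepted, balance {pounds(left)}")   # 1 accepted, £0.00
    print(f"per-store copies, 3 stores: master balance {pounds(per_store_copies(full, 3))}")
```

The naive run reproduces the quoted outcome exactly: four redemptions accepted against a £250 balance, leaving -£750. The conditional UPDATE needs no application-level lock and no lockout window for other customers; it simply refuses the second and later debits. The per-store model shows why the batch design cannot be fixed by a better statement alone: each store's check is correct against its own copy, so the overdraft only appears when the copies are merged, which is a detection point (reconcile and alert on negative balances) rather than a prevention point.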


Everything that normal people don't like about the user experience of large computer systems can be attributed to the batch nature of how these systems were designed and often still operate. A lot of systems that feel real-time are really just batched more often.


Is there any actual identity connected to these? A way to find the person and get the money back?


You can register a Nectar card (giving name/postal address/email address/phone number/date of birth), but I'm not sure how much verification of these things they do.

I am not sure, but I think you might need to register to redeem points.


There would be CCTV and maybe more if they used a payment card for the purchase. Whether Sainsburys would lift a finger to investigate a small loss is another matter.


What does negative Nectar points even mean? That you have to keep shopping at Sainsburys until you've accumulated enough points to "pay back" the "debt"?


Or there is a batch update in there somewhere - which given that Nectar is over 20 years old and probably based on older systems I suspect would be a distinct possibility.


I have a related story. One local supermarket nagged me into getting a customer card every time I visited. Finally they annoyed me enough and I registered their card with a random SMS service. After a week or two the cashier told me that I had around 1.5-2x my average checks' worth on my card. I was confused, but why would I argue. Free monies are nice.

Only later it came to my mind that I'm not alone in not giving them my real phone and that they tracked us by phone numbers, not by cards. We all played a lottery: to whom a cashier would suggest to spend points earlier. I didn't care about that sort of money too much and decided to play fair. It was after half a year or so when another "win" happened. I moved and stopped visiting eventually, but I believe they are still playing this funny game. Software... software never changes.


I always enter (local area code)+8675309 when prompted, because at stores like Safeway you're gonna pay more unless you enter something. Bonus, you can then use that same number at gas stations that do grocery rewards, and you'll usually get the maximum discount. Beats the hell out of using your own phone number.


I’m not American, but I do have a zip code since some forms used to require it. It’s 90210.


Any meaning to 8675309?


https://www.youtube.com/watch?v=6WTdTwcmxyo

"867-5309/Jenny" is a classic rock song by Tommy Tutone.


Aside from the song as others have pointed out, it's also easy to enter because you press keys in a diagonal pattern, wrapping around the keypad... hard to explain, just look at a phone and you'll get it.


> just look at a phone and you'll get it.

>> node devs looking at reflections of themselves, puzzled.


It's a very famous song from the 80s.

https://en.wikipedia.org/wiki/867-5309/Jenny


“867-5309/Jenny” is a song by Tommy Tutone that was released in 1981


> Nectar is a loyalty card scheme in the United Kingdom run by Nectar 360 Ltd, a company wholly owned by Sainsbury's. The scheme is the largest in the United Kingdom, and comprises a number of partner companies including Sainsbury's, Esso, eBay and British Airways.

(From Wikipedia)

In case anyone else wonders.


Isn't it wild how little cultural attention is paid to supermarket tracking?


I don't think people really understand what happened. Consumer protection laws allow people to choose whether they consent to being tracked, but then this mutated into a system that effectively means you pay an extra fee to opt-out of tracking.


One of the big US supermarket chains allegedly offered their entire loyalty database to the feds in the wake of 9/11.


In what way would that be even remotely useful?


Apparently the FBI looked at dietary preferences as one way to identify terror cells. Codename Total Falafel Awareness. They deny doing it.

https://www.wired.com/2007/11/fbi-mined-groce/


It wouldn't be legitimately useful, but it can be abused by intelligence agencies. You can imagine a machine learning algorithm trained on the shopping history of terrorists and associates, which then scans the entire database to identify new potential terrorists.

For example, the US has a No Fly List with millions of algorithmically identified potential security risks. If you're on the list you can't get on a plane, but you are never notified or given a reason, and can't challenge the listing. Here's a paper that describes the issue I'm talking about: https://pure.uva.nl/ws/files/4284150/61150_Goede_M._de_Trans....

> This paper argues that the deployment of transactions data of many kinds has become the banal face of the war on terror’s preemptive strike. Because the failure to predict and prevent 9/11 is partly thought to be a failure to ‘connect the dots’ of available intelligence, post 9/11 policies seek to register, mine and connect ever more ‘dots’, or association rules, in the form of credit card transactions, travel data, supermarket purchases and so on. We argue that it is in these ordinary transactions that another spatiality of exception is emerging, one in which the traces of habits, behaviours and past practices become the basis of security decisions to freeze assets, to apprehend, to stop and search or to deport. As such, these developments constitute a relatively unacknowledged violence in the war on terror, which is in need of critical questioning.

Here's an article referenced by the paper: https://web.archive.org/web/20090101121831/http://www.indepe...

> Supermarket checkout staff are being trained by the security services in how to detect potential terrorists. MI5 has been secretly advising food retailers, including Asda and Tesco, on how to identify extremist shoppers. Measures include [...] being alert to mass purchases of mobile phones, which can be used as bomb detonators. The awareness training for staff also covers bulk sales of toiletries which could be used as the basic ingredient in explosives.

With a full supermarket loyalty database, you can just scan for anyone with suspicious toiletry purchases and an ethnic-sounding last name and bring them in for questioning.


If you know the suspect purchased a bag of funyuns, pack of marlboro lights, and a diet dr. pepper 1 liter, having the shopping history of every 7-11 customer for the last X years could give you a high probability of identifying exactly which customer it was, or eliminating exactly which customers it wasn't, from a list you compile from a large set of information sources.

Using metadata and tracked information of known individuals can illuminate the lives of people who aren't tracked through process of elimination and correlation, which is why privacy rights are so crucial to legislate correctly. Right now, the US justice system is not at all equipped to properly handle the scale and scope of private industry's panopticon providing more or less total global surveillance.

We need to see some legislation with teeth, big and sharp enough to completely kill any business, no matter how large, if privacy isn't respected. But hey, let's all enjoy being tracked, logged, monitored, and surveilled every second of every day in the meantime.


I put in fake names, addresses, email, phone numbers, and demographic info on mine.

My personal favorite was Tommy Tutone and the number I used was 8675309 with a zip code of 90210.

Lasted for a year and then they deleted it.

I'm a little less flippant now.


Hey, I've got the same phone number and zip code... were you born on the unix epoch too?


I recall hearing a stat at Yahoo orientation in 2004 that a very large % of Yahoo accounts had the zip code as 90210. I can't remember what it was, but I want to say something like 5-10%. Dramatically larger than any zip code could legitimately have.


What do you think ought to be controversial about it?


Being surveilled as to what food / sanitary, etc products an individual buys is just icky. Supermarkets already know how much they sell, now they want to sell our behavioural info too.


Insurance companies would love to have their hands on it or banks.


They operate at very low margins, 1-3%; don't blame them.


Why not? They're making the decision to do these things, so it's their responsibility. That they work on slim margins doesn't enter into it.


Corner stores are gone, supermarkets took over and you have even less variety, and you want to squeeze MORE fresh fruits and vegetables out of your neighborhood? Be my guest and eat only packaged foods so they do make those high margins, don't restock any fresh food and I hope you vote with your wallet to make these supermarkets go out of business. Then you can buy nothing but high margin foods at your gas station.


Not really sure what you're on about here.

> I hope you vote with your wallet to make these supermarkets go out of business.

I do -- not to make anyone go out of business, but because I prefer to shop at supermarkets that don't spy on me. At least in my part of the US, they do still exist and while they do, that's where I'll shop.

The point (for me) isn't to encourage or discourage any particular business practice. It's purely a self-defensive move on my part.


If you don't want to use the rewards at any supermarket you don't have to, so what's the problem?

If you're not a zealot that preference probably melts as soon as you need it fast, or an exclusive price or item. Just from my observations the best performing supermarkets are in low crime areas with an ethnic minority as a majority. Supermarkets that try these tracking techniques aren't doing well, and I don't blame them for trying to survive and bring fresh food.


> If you don't want to use the rewards at any supermarket you don't have to, so what's the problem?

The problem is that stores that do use rewards programs hike up their prices so that the rewards programs are necessary just to get normal prices. This means it's not sufficient to just not use the program -- I need to use a store that doesn't have such a program.

It's also not just about rewards programs. It's about all of the various surveillance mechanisms these companies use. Going to a supermarket these days is like going into enemy territory.

But all of this isn't relevant to my comment. My comment was just that any business is responsible for the decisions it makes.


Private companies keeping records of every single thing you buy. They have a very good idea of your diet, lifestyle, health issues, pregnancy, alcohol consumption, etc.

But in return we get 10p off a pack of doughnuts.


This will come to a head when dynamic pricing becomes the norm. You'll pay more for formula and baby vitamins when you need it the most.


> You'll pay more for formula and baby vitamins when you need it the most.

... so when you have a baby? When else would you buy this?

I get the point you're trying to make, but this particular example seems somewhat strange.


Embarrassingly funny statement.


How would that work exactly?


They force vulnerable people to give up their privacy in order to enjoy normal prices.


Fortunately, at least in my part of the US, there are still a decent number of supermarkets that don't use these cards at all -- so there's still a few I can shop at and get normal prices without having to subject myself to this form of spying. I just have to avoid the major chains.


You're being downvoted, but that's exactly what's happening. Sainsbury's has locked all the price reductions (aka normal prices) behind Nectar.


Going slightly off topic, but I find it surprising that GDPR doesn't offer more protections here. The supermarkets are not using consent, but legitimate interest, as the legal basis to process data.

This is surprising because I would think you should be able to opt out of processing/marketing, while still having the loyalty/points aspect of the card. Particularly given non-member prices can be double to triple the price.


Nectar is especially bad here. I signed up because Sainsbury’s have ‘special’ prices for nectar card users on many items (presumably they increase the price and then reduce it back down for cardholders). But there was no way to opt out of marketing and tracking.

By contrast when I signed up for Tesco clubcard, even pre gdpr, I was easily able to opt out of tracking. I don’t get targeted vouchers, or any discount coupons, but I still get points and clubcard prices.


> By contrast when I signed up for Tesco clubcard, even pre gdpr, I was easily able to opt out of tracking

How do you know they stopped tracking and didn't just stop giving you vouchers and whatnot?


Good point. Although I should point out the vouchers would be for their benefit not mine - the whole point of supermarket tracking is to entice you into discovering some high margin item you will end up loving. So their motivation to track is reduced.


I work for a company that used to offer points back to their members. They closed it down after 15+ years - they honoured all they should, but it highlighted the problem to me. The points are not cash - they are only cash once it has hit your bank account. If the company closes, you have nothing.

Never, ever, ever think of cashback or points-based sites as your money/savings. Take it out as soon as you hit the minimum threshold.


Of course, you must realize that if you substitute "entry in the bank database" for "points", your (pun intended) point is still valid. Obviously, you also need to change "they are only cash once it has hit your bank account" into "they are only cash once it has hit your wallet/purse".

(Technically, exactly the same can be said about paper money, too, with "they are only cash once you have it in gold/silver coins".)

(All that said, I agree with you - only I find it funny that you don't trust some store but trust a banking system or a government. Yes, I know that trust(private company) < trust(bank) < trust(banking system) < trust(government), but neither is 100% (or even very, very close).)


In most countries, retail bank balances are insured by the government up to a pretty high threshold[0], so `trust(bank)`, `trust(banking system)` and `trust(government)` should all be on a par, which should be vastly different from `trust(loyalty points)`/`trust(private company)` in ways that are very much obscured by your simple chain of "<"s.

[0] to the point where, if your savings exceed it, you should have the ability to make some contingency plans yourself (like using multiple banks to spread risk and increase your total insured threshold), or be able to hire someone to advise you on such things.


Good point. Fun fact: many years ago, when I studied banking, I had a class on these "deposit insurance systems". After one of the lectures I came up to the lecturer and pointed out a weak point in the system, where a very small group of people (say, a dozen) with enough money could pretty easily destabilize the whole country-wide system. His reaction was priceless. "You're right! I never thought about it! I have to bring it up during the next meeting of the council of [the banking regulatory body in my country]!" (He was a member of that body.) After a while of chatting I told him that I also study mathematics. This led to the strangest compliment I've ever heard: "You know, many of those famous fraudsters were mathematicians!" ;-)


> Of course, you must realize that if you substitute "entry in the bank database" for "points", your (pun intended) point is still valid.

This is quite different. Banks have strict regulations regarding how they have to handle your money.

Now, of course, the banking system could collapse, but so could the state, in which case the cash in your wallet would lose validity, too. Gold would be valid, but only as long as you have people to trade with. For most states, though, this is a far smaller risk compared to some retailer shelving their cashback system.

EDIT: Responding to your edit:

> Yes, I know that trust(private company) < trust(bank) < trust(banking system) < trust(government), but neither is 100% (or even very, very close).

You are right, but reasonable trust in some unregulated cashback system of a private company is orders of magnitude smaller than the reasonable consumer trust in a bank (assuming we're talking about a stable country).


> You are right, but reasonable trust in some unregulated cashback system of a private company is orders of magnitude smaller than the reasonable consumer trust in a bank (assuming we're talking about a stable country).

100% agree. Just shaking my fist at clouds when I hear people calling money in the bank "cash".


Giftcards are not cash either!

Unless there is an obvious incentive to purchase a giftcard -- critically for a store/vendor which you already have near-term plans to spend money at -- then avoid them. Eg. I recently purchased one which had an effective 20% savings due to some holiday promotion and will be done spending the balance some time next week. Even then I barely decided to do so.

I don't know how we got conned into trading our money for giftcard balances at par.


When I was a child in Britain I'd usually get at least one 'Book Token' gift at each birthday, whether from a friend or relative.

It ensured I bought a book with the £5 they sent, and it was redeemable at pretty much any bookshop, large or small — so it was relatively safe.

I see the system still exists: https://www.nationalbooktokens.com/


I'm disappointed that they're gift cards and not physical tokens.


People are perfectly happy to give other people specific gifts, which are even more constraining than gift cards. This doesn't seem that surprising.


> In hindsight, it was actually mad how non-plussed they were about it, like it was something that happened every day..

That's not what "non-plussed" means. I would suggest the word "blasé" as a better alternative.

Apologies for the pedantry.


It does mean that now, because most people don't know the "correct" definition: https://www.merriam-webster.com/dictionary/nonplussed

Similarly, the definition of blasé has changed since Lord Byron first used it in 1819, since most people don't speak French and don't know exactly what it meant.


Here's Webster talking about it https://www.merriam-webster.com/grammar/nonplussed

My guess at why would be that US high schools pretty much universally teach 1984 with 'plusgood' and 'doubleplusgood' which is the only use of the plus- prefix in the novel. And since it's a nonstandard prefix people associate the word with plus. Newspeak slang would absolutely use plussed to mean "feeling plusgood" and when you encounter the word in the wild you just assume that's what it means.

Non- is a perfectly logical extension of newspeak because neither anteplusgood nor unplusgood quite captures absence.


I think it's just because it's a relatively rare word (https://books.google.com/ngrams/graph?content=nonplussed%2Cb...), and it's often extremely difficult to figure out what it means from context ("He looked nonplussed"), so people just try to guess based on the word itself. Plus means like more of something, so not more, not a lot, something like that. "He looked not a lot", I guess not very interested. Plus might mean more of a reaction, so nonplussed is no reaction. Simple as that. I don't think most people paid as much attention to their high school reading as you're imagining. Also note that two of Merriam's examples are from before 1984 came out.


I wish people would stop getting words wrong.


I'm pretty sure "getting something wrong" is an idiom that started with people using the verb "to get" wrong.


How so?


It just doesn't match any dictionary definition of "get" I can find (but it is defined as an idiom https://www.merriam-webster.com/dictionary/get%20right), and idioms generally come from colloquial non-standard usage.

I mean it's kind of a dumb argument, we might as well say that all of English is "wrong" because it didn't exist when the first dictionaries were published.


> I mean it's kind of a dumb argument, we might as well say that all of English is "wrong" because it didn't exist when the first dictionaries were published.

But surely there has to be some agreed meaning of words? Otherwise in mathematics you might as well just claim that "addition" is the same as "division" because a bunch of people just defined it that way.

This redefining of words based on errors and ignorance just seems like one more example of the pernicious influence of post-modernism.


> But surely there has to be some agreed meaning of words?

Yes you're right, and the dictionary documents that agreed meaning, but some of those meanings will gradually change over time. It's not new, and it certainly isn't post-modern. You can easily find examples, here's a short list: https://ideas.ted.com/20-words-that-once-meant-something-ver.... I think the first three here ("nice", "silly", "awful") are particularly noteworthy.

> redefining of words based on errors and ignorance

How else could they be redefined? Occasionally someone invents a word on purpose, but that's relatively rare, and none of the languages people actually speak were intentionally designed. For all of history, people just spoke to each other and sometimes they got a word wrong or said it a little weird. That's where all languages and almost all words came from.

There's nothing wrong with feeling annoyed by a particular word or usage, we all feel that sometimes, I just think it's useful to recognize that basically every word was in that transition phase at some point in the past. https://www.etymonline.com/ is fun to explore this stuff, it is often surprising.

More examples from this very comment:

- We make a distinction between "inventing" and "discovering", but "invention" used to mean "discovery"

- "phase" only referred to phases of the moon until the mid 19th century

- "weird" used to be a lot cooler, and mean something like powerful, magical, fate-determining

- "document" used to mean "to teach with authority"

etc.


This is one of those things where common usage in the United States has given it a secondary meaning that does mean exactly what he meant, and of course this will have also spilled into UK usage.

So if you're a linguistic descriptivist then no problem.


As a linguistic prescriptivist, I could care less.


Author is a Brit, and so should be using British English.

> So if you're a linguistic descriptivist

Absolutely not.


> Author is a Brit, and so should be using British English

See point about, "this will have also spilled into UK usage".

> So if you're a linguistic descriptivist

> Absolutely not.

This is a point where English lacks the distinction between a "singular you" and "collective you", I meant the 2nd interpretation, you (singular) took it at face value.

To be fair, I do understand somewhat where you're coming from. I hate the "common" usage of "could care less" in US English. It literally doesn't mean what it's trying to convey. However, I'm slowly learning to care less about it!


Are the points worthless for them to have such a flippant view of security?


In one sense, certainly not, for example I have 2931 points, in theory that's £14.65 value.

As this story explains, if you knew the 11 digit account code for those 2931 points you can just rock up to a Sainsburys store with the appropriate code on like a piece of paper, scan it with the reader, and it'll conclude you're me (that's my code after all, that's what I do when I shop with them although my code is printed on a little plastic card they gave me) and therefore you can "spend" my points, typically in lump sums of £5, so you could buy £12 of booze, take 2x £5 = £10 off the price and spend £2 on booze that costs £12.

You can't turn it directly into cash, but obviously goods like booze, electronics, jewellery which are all potentially available are very easy to turn back into cash at a discount.


You can turn them into eBay vouchers too


No, you can cash them in to get money off products. You can also get cheaper prices. But some people spend months saving up.

You can bet your bottom dollar that if you found a way to add points, they would lose their minds.


Each point is next to worthless, but if you shop at Sainsburys regularly you can build up quite a balance which can be used for very real money off.

There was a court case some years ago about an IT insider at Nectar assigning themselves points fraudulently and then spending them. He received a pretty hefty prison sentence: https://www.bbc.co.uk/news/uk-england-london-12189919


Not just sainsburys, ebay and amazon give nectar points as a reward, and at least ebay offers vouchers in return for points.


> amazon give nectar points as a reward

They do not, and are not listed as a partner on nectar


For comparison, a bakery chain that I often buy from here in Austria has a card that you can get anonymously but also an app; they also allow you to put money on the card, so it ought to be more secure in the first place. If you want to link the card to the app they give you a code at any one of their 27 shops. I haven't tried it yet but hope the code is randomly generated for my card. I'll find out and report tomorrow.


Crazy that they designed it without even thinking about security. I guess the question now is what the company can do to fix it that will cause minimal disruption and churn. Maybe lock all the cards until you present ID at the store to claim the account, then have the customer enter a 4 digit pin to associate with the account going forward.


Ok, and the lesson was you still trust this service?

That is insane. Why would you stick with an irresponsible company? Unless it is a cultural thing and they are the Walmart of that local area?

I do not get it. https://www.youtube.com/watch?v=KjmjqlOPd6A


It's not about trust. It's about the fact that in the UK now, you have to have a nectar card to shop at Sainsbury's. Not doing so is a financial mistake in itself.

Many products are deeply discounted just by owning a card. You also cannot use certain features, such as scan-as-you-shop, without them.


Isn't it Tesco rather than sainsbury's that you really need (?) a card for, for now at least?


Unfortunately Tesco's loyalty scheme requires an app, which is far more invasive than knowing I regularly buy cat food at Sainsburys. So I have a Nectar card but not the Tesco app.


I have a Tesco Clubcard (physical card) but not the Tesco app...


Last time I asked for a clubcard they said the only option was to use the app. According to the website you can still order a card after registration though. Meh. They're really pushing the app these days.

I found one on the floor. I use that one now.


Still getting by with the little plastic Tesco barcode card on my key ring. But it's just a matter of time before I'll need all the apps on my phone.


Like Tesco, Sainsbury's has prices that are exclusive to Nectar card holders.

They also have some personalised prices, where you get targeted special prices if you have a Nectar card.

Not using a Nectar card in Sainsbury's will mean paying more.


Not quite Walmart level, but there are ~1400 of them in the UK, and it's probably the only easily accessible supermarket for a lot of people.


Great article, though I do think it would be good to include a quick explanation of what “Nectar” is, since it’s kind of hard to understand what the stakes are here without a little background.

(I’m not looking for someone to explain here, I already looked it up)


I was working for a company which sold loyalty cards and introduced gift cards.

That gift card feature was three rest apis: load up, unload and status.

The backend code was like 5 lines of code.

I always thought 'we can't just do it like that. That feels stupid '.


My main takeaway from this article was learning that people actually want to be algorithmically profiled on their shopping. Personally I wouldn't even have a loyalty card in the first place.


10-15% of goods in my trolley are "£5 or £2.50 for loyalty card holders". You actually have to be a member to pay correct market rates for their goods.


If you've ever paid by credit or debit card, they can associate the name on the card with your Tesco Clubcard account.

Your face is regularly visible on CCTV when you swipe the card. If you drive to the shop, they could easily find the number plate of the car.

This also applies to anyone who sometimes accompanies you, e.g. children.

(I don't know if this is legal or whether they do it, but the data is available.)


> If you've ever paid by credit or debit card, they can associate the name on the card with your Tesco Clubcard account.

If you're shopping in-store in the UK, the supermarket can't profile you based on your bank card without express consent, as it falls under personally identifiable information.


Okay, and?


I replied to the wrong comment, I meant to reply to the "what's the downside?" comment.


Something regulators should ban and then heavily fine any supermarket engaging in this.


The CMA (Competition and Markets Authority) are doing a review: https://www.gov.uk/government/news/cma-sets-out-autumn-updat...


I just shop at places that don't do this.


Waitrose it is then


What's the downside? I'm quite serious when I ask that.

If someone is going to offer discounts anyway, then I want discounts on things that I'm likely to buy.


You have no control over what they're doing with that data. Your insurance provider might be very interested in how often you buy those delicious discount donuts, the police might be very interested in the fact that you bought several items that together could form a bomb making kit, or murder cleanup kit. You could end up on a no-fly list just doing your weekly shop.


It would be illegal for insurance companies to use it (and questionable how good the data for this is, because it's not collected with this goal in mind). You can't really buy "items that together could form a bomb" or a "murder cleanup kit" at Tesco, and police aren't regularly scanning all of this anyway, which would be pointless as the data is so noisy as to be useless. None of this has a connection to reality.


Except, in the UK, I do. GDPR is pretty hot on that.

I am quite happy to take the (low and theoretical) risk of harm in exchange for the (high and real) financial compensation.

You're welcome to either pay more or shop elsewhere. We each have a choice.


> We each have a choice.

You really don't though. You can either pay more, or go to another supermarket with a similar scheme. Doesn't really seem cricket. Am I really loyal for buying bread or cheese because I needed them and this supermarket is in my neighborhood?


I don't know where you are in the world, but in the UK it is really common to have multiple supermarkets in spitting distance of each other. Most of them deliver if you're not in the neighbourhood. And not all of them offer loyalty schemes.


GDPR is great and all, but it only takes one rogue employee. I speak as someone who had their data sold by a rogue Aviva employee to scammers all over the world. Which made my life hell for several years.


I value the discounts more than a grocery store knowing that I buy fruit, milk, coffee, beef, turkey, and fish. On a $200 grocery run, it's common for discounts to be $20-30.

Am I willing to sell the correlation between this week's trip and last week's trip for $20? Absolutely.


I resisted loyalty cards for a long time, but recently all the large UK supermarkets have started offering loyalty-only pricing - so not using a loyalty card adds maybe 5-10% to your bill. They all profile on online shopping and debit/credit cards anyway, so I figure they don't know much extra about me.


The way I see it, there's a tradeoff to being algorithmically profiled. Facebook, YouTube, Twitter etc profile you, and in return you get a time-sink, and some moderate recreation (and possibly some societal disadvantages in the aggregate).

Sainsbury's give you 1 Nectar point per £ spent in store or on petrol. A Nectar point's average value is a half penny, but annually they put on an offer to "double up" your points. That's a full percent off your annual petrol and shopping bills (more if you include the algorithmically generated offers).

The typical UK household spends £1,500/yr on petrol, and £6,500/yr on groceries, so the trade-off is that they give you £80/yr to profile you based on your preference of beans.


Another way to look at it is the card holders are paying the normal price and those who opt-out are being charged an £80 punishment fee for refusing to be tracked.


The UK is in a cost-of-living crisis, and use of food banks is at an all-time high. Not everyone has the luxury of opting out of surveillance when they can reduce their food bills by using this card.


I doubt that people do want to be profiled; however, I would argue that the information stating they will be is hidden somewhere in tiny text on page 267 of the T&C.

Cash is truly the only de-facto standard that gives you privacy on expenditure.


It says in the article that they do want it.


Most supermarkets in the UK now have cameras at the till, so if you pay cash, they still know it is you.


If you are referring to NCR self-checkout cameras, this is generally NCR SmartAssist and NCR ScanItAll, which is for shrink and employee theft rather than mass identification. I only know of ASDA near me that has this implementation.


The Overton window is moving. If they are not doing mass identification now, they will in a couple of years.


People want to spend less on food, and they're either unaware of the tracking or don't care about it as much as they do about paying less.


Unless you're paying with cash, you're already doing just that


I can't even get into my account, I registered with fake details, but they send a code to your phone number to log in online.
