Loblaws Rolling Out Two Step Verification To (Hopefully) Put An End To Their Pwnage Problem With PC Optimum Rewards

I’ve written numerous times about the #EpicFail that is the PC Optimum rewards program which has been pwned repeatedly by hackers and as a result costs their customers their rewards points. And in turn it negatively affects the reputation of Loblaws who owns this rewards program. But it finally seems that Loblaws is doing something about it. A recent app update tipped me off to their plans:


Well I tested this out by enabling it on my phone. It then sent a code to my email which I then promptly typed into my phone and I was allowed to log in. I then tried to log in via my computer and after initially popping up a message saying “our apologies an unknown error has occurred”, I tried again and it sent a code to my email which I then promptly typed into my computer and I was allowed to log in. Of interest, it had the option to make my computer a “trusted device”. I didn’t choose that option as I want the security that this feature offers. Oddly enough, my phone did not offer this same option. I can only assume that a phone is a “trusted device” by default, which from a computer security standpoint has risks: if you leave yourself logged into the PC Optimum app, anyone with physical access to the phone can drain your points. The flip side to that is that this is likely a convenience thing to speed up access to the app on your phone.

Given the fact that up until now Loblaws hasn’t been able to adequately protect their customers from being pwned by hackers, this is a big improvement. So I applaud them for doing something, even if it took way too long to actually do something. You can find out how to enable this new security feature here and I strongly suggest that you do so ASAP.



PC Optimum Is Making Members Change Their Passwords To Avoid Further Pwnage

The IT security nightmare for Loblaws that is called the PC Optimum program that has been pwned by hackers repeatedly and has resulted in reward points being stolen from members has taken a bit of a twist. Today, members of the PC Optimum program have been getting emails like this one:


“Keepin’ your security on point”? Who wrote that? A millennial?

So they are forcing members to change their passwords which is something that they have said is the cause of their headaches. But I did note that in the changelog for a recent PC Optimum app update on iOS it did say this:


If you look at the entry for version 3.2.0, it makes mention of improving their password requirements. Which implies that when they said that they had a password issue several months ago, that was true. But when they said that they fixed it, that wasn’t true at the time and might have become true in the last couple of weeks. That’s pretty lame on their part because it likely means that whatever issue or issues that they’ve had are still ongoing.

In any case, if you are a member of the PC Optimum program, you should change your password to something strong. Such as something that has 8 or more characters, one or more uppercase letters, one or more numbers, and a special character ($%#@!* for example). But call me skeptical: seeing as Loblaws has really managed to screw this up in epic fashion for months, I don’t expect that this will put an end to members of this program having their points swiped by hackers. Thus don’t be shocked if I am still writing about this in the weeks and months ahead.

It Seems That Loblaws Issues With The PC Optimum Program Aren’t Going Away

I’ve written numerous times about the #EpicFail that is the PC Optimum rewards program which has been pwned repeatedly and led to levels of frustration that I rarely see in a customer base. Here are recent examples of this, as in from the last two days:

Followed by:

That’s a customer service #fail if I have ever seen one. How about this example:

Another customer service #fail. That really illustrates that Loblaws isn’t on the ball when it comes to taking care of their customers. This one is really bad:

This guy Tweeted a lot over the last 24 hours. But here’s why he’s mad:

Let me put it this way: if I had the equivalent of $200 stolen, which is what the value of 200,000 points is, I’d be a wee bit ticked too.

What is clear here is that Loblaws who is the company that runs this rewards program can’t get their act together. They clearly can’t deal with the number of people who have been affected by whomever is stealing points from their customers. And it is highly likely that this problem is far worse than Loblaws cares to admit. None of this is good for Loblaws. And I suspect that we’re now reaching the point that these issues are beyond the ability for Loblaws to rescue its reputation from. Because right now it looks like Loblaws is really circling the drain.

Stop Me If You’ve Heard This Before…. Members Of Loblaws PC Optimum Rewards Program Pwned AGAIN

This is really getting stupid. And it illustrates the incompetence of Loblaws.

For the third time, members of Loblaws’ PC Optimum rewards program are reporting that they are having points swiped. Here’s an example via the CBC:

After getting hit by points theft multiple times, some PC Optimum members are questioning a fix Loblaws says it has made to improve the security of its rewards program. 

“I do not believe they have fixed anything,” said Shawn Nicholson in Halifax. On Wednesday, a thief infiltrated his PC Optimum online account for the third time in less than a month, this time stealing 150,000 points — worth $150.

“I’m beyond the point of frustration,” he said.

Loblaws says that they have fixed the password issue that they found the last time their rewards system got pwned by hackers. But that clearly doesn’t seem to be the case as this keeps happening, or they have deeper security issues that they aren’t telling anyone about. Keep in mind that this system has been pwned multiple times both in its PC Optimum incarnation and its PC Points incarnation. Which means that the system is clearly not secure, which is something I said a few weeks ago.

Now the cops are on the case to track down the people behind this, but let’s get real here. Loblaws clearly cannot fix this and make their rewards system secure. If I were them, I’d bring in a top shelf security company like Mandiant to figure out how this is happening and how to fix it. And I’d be public about it. Because I have zero confidence in Loblaws being able to keep the points of their members secure. And I am sure that this is true for other members of the PC Optimum rewards program.

Time to find a new grocery retailer with a rewards program that is actually secure. Because clearly Loblaws isn’t smart enough to figure out how to do that.


#Fail: PC Optimum Members Pwned AGAIN…. Loblaws Blames Password Bug

If this wasn’t so serious, it would almost be comical. I say that because it seems that PC Optimum members have had their points stolen again according to CBC News. Keep in mind that the predecessor to this program also has had issues in the past.

Now here’s the kicker. Actually, two of them. Loblaws now says that there is a “glitch” in their password system that allows a hacker to stay in the member’s account even after the password was reset. What that means is if you’ve been pwned before, you’re likely going to get pwned again. In fact, that’s already happening to people who have had points swiped in the past.
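To show the general class of bug that description points to, here is an added example (mine, not Loblaws’ code, and the page does not describe how their system works internally). It assumes a hypothetical `Accounts` store that issues signed session tokens, and contrasts a session check that survives a password reset with one that ties each token to a per-account generation counter so a reset revokes every older session.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # demo signing key, generated per run


class Accounts:
    """Hypothetical account store; the generation counter changes on every password change."""

    def __init__(self):
        self._db = {}  # user -> (salt, password_hash, generation)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _mac(body):
        return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        generation = self._db[user][2] + 1 if user in self._db else 1
        self._db[user] = (salt, self._hash(password, salt), generation)

    def login(self, user, password):
        """Return a signed session token, or None on bad credentials."""
        if user not in self._db:
            return None
        salt, stored, generation = self._db[user]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        body = f"{user}|{generation}"
        return f"{body}|{self._mac(body)}"

    def _parse(self, token):
        try:
            user, generation, mac = token.rsplit("|", 2)
        except ValueError:
            return None  # malformed token
        if not hmac.compare_digest(mac, self._mac(f"{user}|{generation}")):
            return None
        return user, int(generation)

    def session_valid_flawed(self, token):
        """Signature check only: a token issued before a reset still works."""
        return self._parse(token) is not None

    def session_valid(self, token):
        """Signature plus generation match: a password reset revokes old tokens."""
        parsed = self._parse(token)
        if parsed is None or parsed[0] not in self._db:
            return False
        return self._db[parsed[0]][2] == parsed[1]
```

With the flawed check, whoever logged in before the reset keeps a working session afterwards, which is why a reset alone does not evict them.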

Now Loblaws claims that the “glitch” has been fixed, and they said that only a “very small number” had been negatively affected. But I don’t buy that. At this point, I feel that given how often that Loblaws has been pwned by hackers, I seriously doubt that anything short of a third party review of their systems to confirm that any and all issues are fixed is going to reassure members that their points are safe. Because as I said here in this post:

So far, Loblaws has done a craptastic job of showing that they can do any of that with any level of competence. That needs to change and change quickly. Otherwise you will see people like my wife and I adjust where and how we shop accordingly. Which will include shopping with retailers that aren’t associated with Loblaws.

This latest incident has only reinforced my opinion that Loblaws has really dropped the ball here and customers will want to shop elsewhere because of their sheer incompetence.


PC Optimum Clearly Has A Serious Security Issue…. And There May Be Not Much That You Can Do About It

Yesterday I reported that people were having millions of PC Optimum points stolen from their accounts, which as I noted has happened before and is the latest issue with the rewards program run by Loblaws which has been plagued by problems since the company merged multiple rewards programs into one. What has become abundantly clear is that Loblaws not only botched the rollout of this program earlier this year, but because members of the program have been hacked twice and their points stolen, it’s also clear that Loblaws lacks sufficient levels of security when it comes to whatever back-end systems make their rewards program work. The latter is of great concern because if Loblaws cannot protect you from being pwned by hackers, you have to take matters into your own hands to protect the points that you earn.

Here’s the problem. There may be not much that you can do to protect yourself. I say that because Loblaws has been far from transparent about this issue. It isn’t clear if they know how these hacks are happening. Or if they can stop it from happening in the future seeing as it has happened at least twice that we know of. Which means it is possible that there are more instances of this that they’re not talking about. And any comments that the company has made leave you with the impression that they really don’t want to admit that they have a serious problem. That’s not good and Loblaws really needs to do better on that front for reasons that I will get to in a bit.

In the meantime, the only thing that you could do that might protect you is to use a unique password for your PC Optimum account (and as an aside, this advice also applies to ANY online account) that is a combination of letters, numbers, and ideally has at least one upper case character and one special character (eg: # $ % &). Also, it should not be tied to you in any way. By that I mean it shouldn’t be a license plate number, or the name of your dog or kids. In the absence of any root cause analysis from Loblaws, that’s really the best that you can do.

Loblaws needs to do a better job in terms of being up front about these issues and how they are going to get them remedied because people make a conscious decision to shop at Loblaws, or Shoppers Drug Mart, or any other store that allows them to collect PC Optimum points so that they can get rewarded with free stuff weeks or months later. And to these people, my wife and I included, these points are like money. And we’re trusting Loblaws to manage those points and your personal information similar to your bank protecting your bank account and personal information from fraud, or just managing them period. So far, Loblaws has done a craptastic job of showing that they can do any of that with any level of competence. That needs to change and change quickly. Otherwise you will see people like my wife and I adjust where and how we shop accordingly. Which will include shopping with retailers that aren’t associated with Loblaws.

PC Optimum Issues Continue With The Mass Theft Of Points

It seems that the problem plagued PC Optimum program that is being rolled out by Loblaws has a new and serious issue to deal with. According to the CBC, points are being stolen and then the thieves go on a shopping spree:

CBC News interviewed eight people across Canada who say they’ve each had more than 100,000 points stolen from their accounts after Loblaws merged its two rewards programs — PC Plus and Shoppers Optimum — to form PC Optimum on Feb. 1.

The reported thefts are just one more problem plaguing Loblaws, which is already dealing with technical glitches with PC Optimum, and fallout from a bread price-fixing scandal, including related fallout over asking some people to send ID to collect a $25 gift card as compensation for the overpriced bread.

In the theft cases CBC News investigated, many of the stolen points were redeemed for products at Loblaws-owned stores in Quebec.

All the complainants reported what happened to PC Optimum, but they told CBC they were having difficulty getting their cases resolved. After CBC News contacted Loblaws this week, almost everyone quickly got their points back.

Despite the fact that Loblaws has “strong security measures in place”, there’s clearly an issue. And it isn’t the first time as Loblaws has been pwned before. I’m going to go out on a limb and suggest that Loblaws needs to give whatever “strong security measures” that they have a very quick rethink as clearly they aren’t strong enough and haven’t been for a while now.