Asda Rewards security change - how are your supermarket loyalty card points protected?

Find out how supermarkets including Tesco, Sainsbury's and Waitrose protect your loyalty card benefits

Asda has introduced a one-time passcode on its Asda Rewards app in a bid to improve security for loyalty scheme members.

With savings of between 50p and £5 for every £100 you spend, it’s no wonder many of us are signed up to supermarket loyalty schemes - especially with food and drink prices soaring.

Here, Which? explains how the Asda Rewards scheme works, what the security update means for you and how other supermarkets are protecting loyalty rewards.

How does the Asda Rewards loyalty scheme work?

Asda introduced its first customer loyalty scheme, Asda Rewards, in the summer of 2022. 

The scheme operates through a smartphone app and allows customers to collect 'Asda Pounds' by buying certain products or completing missions to build up a 'cashpot'.

You can then convert your cashpot into vouchers to use at Asda stores or online.  


What are the new Asda Rewards security measures?

Asda emailed its Asda Rewards cardholders earlier in January advising them of how to keep their cashpot of reward points ‘even more safe.’

The email outlined that the supermarket had introduced a one-time passcode feature for the Asda Rewards app in addition to customers’ regular email and password login requirements. Asda said the extra security measure is a ‘fast and secure way to confirm your identity.’

If you’re an Asda Rewards cardholder, next time you open the app, you’ll be prompted to enter your mobile phone number. Then a unique six-digit code will be sent to you via text, which you then need to enter into the Asda Rewards app. Asda said this should take less than a minute to do.

It only needs to be done once for your mobile device to be verified. This means every other time you open the app, you won’t be asked again, unless you’ve chosen to log out of the Asda Rewards app, or if you’re trying to access the app from another device.

Why has Asda introduced a one-time passcode?

Asda told Which? it made the change to ‘increase overall security’ and so that ‘users can be confident their earned rewards are secure.’

The supermarket would not share any further detail on why it implemented the one-time passcode. But the update follows dozens of tweets from Asda Rewards app users in December 2022 and January 2023 stating that they had encountered issues with the app. These problems included missing rewards (Asda Pounds), while others were unable to log in at all.

How do other supermarket loyalty schemes keep rewards safe?

Which? asked other major supermarkets that have loyalty programmes how they ensure points and benefits are secure and what they recommend members do if their rewards are stolen.

The Co-op Membership

If you’re a Co-op member, you need an email address and password to log into its app or website. Once you’re logged in, you will remain signed in on that device for thirty days.  

The Co-op told Which? its systems authenticate members’ identities in the background to ensure it's really them attempting to log in.

A spokesperson for the Co-op added: ‘we continuously monitor for any suspicious activity, and our security systems automatically take steps to protect members’ accounts where necessary, including the immediate blocking and resetting of a member’s account to ensure any illegitimate access is prevented.’

If a member suspects any irregular activity on their Membership account, the Co-op says they should immediately log out of their account and reset their password, as well as contact the Co-op on 0800 023 4708. From that point, it will investigate to help ensure the member doesn’t lose any benefits that they have accrued.

Iceland Bonus

Customers who use the Iceland Bonus loyalty programme have to log in using their email address and password.

Iceland advised that if a Bonus cardholder has lost their card or had it stolen, to call its customer service team on 0800 328 0800 as soon as possible so it can disable the card.

M&S Sparks

M&S Sparks membership gives shoppers personalised offers, the chance to win what they're buying and money donated to a charity of their choice each time they shop.

Customers who use the M&S app or website to access their Sparks loyalty programme account have to log in using their email address and password. 

Morrisons More

Last year, Which? heard from a Morrisons customer who found someone else had spent 34,000 of their Morrisons More points.

Morrisons customers who use its More reward card are required to log in with their username and password on each new device they use, and the supermarket can invalidate these login sessions remotely if required. Any sensitive and personal data within the app is protected via a two-step authentication process.

If you think your points may have been taken or your My Morrisons app may have been used by someone else without your permission, Morrisons told us you need to log into your My Morrisons Account or go to the My Account section in the My Morrisons app on your phone and select 'replace/cancel card', followed by 'report card as lost or stolen'.

Sainsbury's Nectar

We also heard from one Sainsbury's shopper last year who lost their card and found someone else had spent nearly £30-worth of their Nectar points.

Nectar is a loyalty scheme owned by Sainsbury’s with partners including Sainsbury’s and eBay.

Sainsbury’s told Which? it encourages Nectar cardholders to be vigilant with their own personal information, like making sure they avoid using the same password for multiple accounts and websites.

If a Nectar card user has noticed any points missing or any other suspicious activity, Nectar recommends the customer calls it on 0344 811 0811.

But the terms and conditions on the Nectar website seemingly pass the responsibility to cardholders.

According to the Nectar website, the ‘primary collector is responsible for the security of all Nectar Cards issued on his/her Nectar account and all vouchers issued on that account. If a Nectar card is lost or the holder thinks an unauthorised person has become aware of any security code, password or account number, they should contact the Nectar customer service centre immediately.

'We cannot be responsible for any unauthorised use of points or any lost or stolen vouchers.'

Tesco Clubcard

Tesco told us it takes cybersecurity ‘extremely seriously’ and that it has robust security measures in place, but would not disclose the individual security measures that it has for Clubcard users.

Its Clubcard app will be discontinued later this year, with Clubcard points, rewards and vouchers going on the main Tesco app. 

Tesco told Which? that Clubcard customers with concerns about their Clubcard account should contact the Clubcard team.

Waitrose MyWaitrose

The MyWaitrose loyalty programme doesn’t operate with loyalty points, and instead offers personalised vouchers, which customers select themselves digitally from their personal online account. 

Most MyWaitrose cardholders use the digital version of the scheme card, which could reduce the chance of the card being stolen or used by a different person.

Waitrose told Which? that if you suspect someone else is using your account without your consent, you should urgently change your password (which you can do under ‘My Account’ on Waitrose.com) or call Waitrose on 0800 188 884.

How to protect your supermarket reward points

If you're part of any supermarket customer reward schemes, it's worth checking your points balance and statements regularly to spot any transactions you don't recognise.

Given that loyalty card reward accounts are unlikely to have the same level of security as bank accounts, it's important to have a secure password and it's good practice to change your password regularly. 

If you have physical loyalty cards, you should store them safely when out and about to prevent them from being stolen.

Should you fall victim to loyalty card fraud, report it to the scheme provider and change your password. You can also report the crime to Action Fraud, which will investigate the issue.