FF Account just hacked and almost 300,000 points taken

[Sera]

I'm guessing when these thefts happen, the email address for the targeted account is also changed. Qantas sends an email confirmation each time a gift card is ordered showing the address the reward was sent to. Has Qantas released this type of information to the owners of the affected accounts?

well in our two cases they did not. just asked us to change pin and mother's maiden name. which begs the question of how one is suppose to answer that security question because mothers cannot change their maiden names.

 

[get me outta here]

The mother's maiden name is a really easy bit of info to hack. It is recommneded that you make up something totally improbable that is also like a password.

well in our two cases they did not. just asked us to change pin and mother's maiden name. which begs the question of how one is suppose to answer that security question because mothers cannot change their maiden names.

 

[Freq Flier 2013]

The mother's maiden name is a really easy bit of info to hack. It is recommneded that you make up something totally improbable that is also like a password.

I make up my answers to such questions.
Ie fav color - I don't use a color at all ect..

 

[rainbowgirl]

We use mother's maiden name as a security question and use difficult to guess made up information.

 

[burmans]

The mother's maiden name is a really easy bit of info to hack. It is recommneded that you make up something totally improbable that is also like a password.

Agree with this, mothers maiden name is common so possibly easily discovered.

 

[Sera]

took a week but points have finally been returned. so very happy with problem resolution

 

[JohnK]

Are these incidents inside jobs?

As mentioned by others Qantas need to get better with their security. I have used a new machine to log into GMail overseas and received an email to my backup email there was access to my account. Then I setup a new laptop at home the other day and received another email to my backup email there was access to my account.

If a Qantas account has had 4-5 unsuccessful attempts to login then they should at least send an email to inform.

 

[brettoau]

Just discovered 150,000 points stolen from my QFF account. I use a strong unique password for most websites but QFF login is only 7 digit account number, last name and 4 digit pin. The email address had been updated to one i don't recognise and multiple transactions for Woolworths and David Jones vouchers. On hold to Qantas now to try and sort this out...

 

[JessicaTam]

Just discovered 150,000 points stolen from my QFF account. I use a strong unique password for most websites but QFF login is only 7 digit account number, last name and 4 digit pin. The email address had been updated to one i don't recognise and multiple transactions for Woolworths and David Jones vouchers. On hold to Qantas now to try and sort this out...

Good luck. Let us know how you get on.

 

[sinophile888]

Sorry to hear of your recent FF points loss. A similar think happened to Mr. s., but we got all the points back from Qantas.

Around 50000 points were taken from his account and spent on 6 iTunes vouchers. Qantas returned all the points and I immediately transferred them across to my account.

If I remember correctly, my husband’s contact phone number was changed but not his email address. Qantas was very proactive in tracking us down as they had tried the phone, luckily with no success. We thought that the Qantas email could be dodgy, so rang Qantas and confirmed that the points had been stolen. The points were returned very quickly.

 

[Buzzard]

How much are 150,000 QFF points worth?

I just tried to make an internet payment from one of my bank accounts and couldn't do it without entering an authentication code.
Seriously Qantas, there needs to be another level of authentication. Not perfect I know but better than what we currently have surely?

 

[Daver6]

Good point Buzzard. Pretty ridiculous they don't use two factor authentication, especially when forcing people to use the weakest of weak passwords.

 

[williamsf1]

Just discovered 150,000 points stolen from my QFF account. I use a strong unique password for most websites but QFF login is only 7 digit account number, last name and 4 digit pin. The email address had been updated to one i don't recognise and multiple transactions for Woolworths and David Jones vouchers. On hold to Qantas now to try and sort this out...

Did you get a email to the “old” email address to advise of a change of email ? if not that is a big security issue ..

 

[anat0l]

Good point Buzzard. Pretty ridiculous they don't use two factor authentication, especially when forcing people to use the weakest of weak passwords.

What are Qantas now, a bank?

That said, 4 digit PINs aren't ideal. What if they do one of those dealies like iPhones, i.e. 3 attempts, then it takes longer, and even longer, and eventually if you keep trying you'll just lock the account. At worst, that should mean a hacker will at best just cause an inconvenience to you by having you to call Qantas.

One thing is, as far as I know, Qantas Mall purchases can only be delivered to Australia or New Zealand. Whilst this country isn't small by any means, it should at least narrow down considerably where one should attempt to direct any investigation efforts. That said, if vouchers are delivered electronically, that puts to bed that idea.

On top of all of this, almost no - nay, absolutely no - law enforcement agency would appear to gave two points next to a damn if you were to report such activity to them for investigation.

 

[BacchusMarsh]

What are Qantas now, a bank?

That said

You can always unsay it.

 

[trippin_the_rift]

How much are 150,000 QFF points worth?

I just tried to make an internet payment from one of my bank accounts and couldn't do it without entering an authentication code.
Seriously Qantas, there needs to be another level of authentication. Not perfect I know but better than what we currently have surely?

Didn't you read the T&C? They have no value.

 

[OATEK]

What are Qantas now, a bank?

On top of all of this, almost no - nay, absolutely no - law enforcement agency would appear to gave two points next to a damn if you were to report such activity to them for investigation.

Not always the case. I had a series of amounts totally about $200 charged to my bank account from the US. Went to local Police to get a reporting number for the Bank (actually no it was a Credit Union). The officer took all the details, passed them on here and to the US and got back to me with what had been done to try and identify the persons involved.

 

[Strategic Aviation]

What are Qantas now, a bank?

That wouldn't be inaccurate given the monetary value (and currency-like nature) of points to Qantas, the banks that issue QFF-earning cards, and QFF members.

 

[Buzzard]

Didn't you read the T&C? They have no value.

The T&C might say they have no value but to many they certainly have a "worth" and a cost.
The cost could simply be the % surcharge paid when using your credit card or what you paid for your credit card to get the sign up bonus.

 

[RAM]

Re: FF Account just hacked and points taken

1) The issue of a 4-digit PIN does make it easier to force a hack but reading through from the start of a thread it sounds more like data leaks have occurred.

These can be ANYWHERE on the data chain.

For example Citibank lost 6 million cc accounts COMPLETE details (I think it was 6 million from memory). I was one of them.

The hack/leak was not from within Citibank itself but from a cc clearer in the US. For some reason they had that number of full account details (security questions, day of month statement due for payment etc) covering 8 different countries - one of which was Australia.

The cc account of mine that was 'visited' was one that we had never used, was an unsolicited card upgrade and was supposedly 'totally cancelled so no transactions can be initiated in future.'

With QFF - who knows how much has been outsourced and where to. For example: Accounts Payable for certain well known airlines may be run out of Indian third party processors... Not to say they do not have good security but all it takes is one bad employee (recall a certain phone company last year?).

2) Yes, you need to get your computer (and every device you use or open emails, look at online accounts with) checked. Use MULTIPLE programs to do so. What security program do you run on your smart phone? When was the last time you ran a full system scan with another program on your smart phone? These links give you a good idea...

• https://www.verizonwireless.com/arc...rity-app-tips-to-keep-your-smartphone-secure/
• https://usa.kaspersky.com/internet-security-center/internet-safety/smartphones#.WJuU4H_sHhA
• https://www.fcc.gov/smartphone-security

Also available, a general smartphone security checklist (PDF).

3) NEVER instantly go and change every password - Why give every new password to the thief? Until you can be certain the device is REALLY secure - assume it is not. Phone calls are much safer, especially from a landline NOT a smartphone.

4) For security questions - LIE. Mother's maiden name - Frankenstein City of birth - Stalingrad First car - Rolls Royce. You get the idea. However make sure you only ever use the same answer for each question. With people's use of social media and thieves' use of Google etc - it does not take long to find info, or to buy it.


And if you are ever in a taxi - NEVER sit in the front seat and use the eftpos terminal, NEVER


Now did anyone, say out of interest, just click on one of the links provided in (2)?

Perhaps my AFF account has been hacked (without me knowing) and a very clever person/group has set a trap to get a few million more points....

Sometimes being paranoid is really being prudent.

Never cough U ME!