Sometimes being paranoid is really being prudent.
Didn't you read the T&C? They have no value.
What are Qantas now, a bank?
To their credit Qantas support were very good. They were not at all surprised it had happened and sent me a stat dec form to fill out and return, which they would attempt to process and credit points back in three business days.
Of course not. However, security should be taken seriously for everything. Two factor authentication (2FA) should really be used for everything these days. It really isn't cumbersome at all.
A bit off-topic to bring Australia Post into this. I suspect some of the key components are quite old systems and require a major rebuild that QFF wants to delay as long as possible.
Cost cutting knows no reasonable bounds unfortunately.
Then again, neither do senior executive remuneration packages....
Yes but cost of IT changes to implement vs the handful of points that get stolen and have to be refunded by QF. I guess QF has done their maths.
A bit off-topic to bring Australia Post into this. I suspect some of the key components are quite old systems and require a major rebuild that QFF wants to delay as long as possible.
It was meant as a joke, hence the smiley. QANTAS, like Auspost, has a board - and perhaps one day they will earn their fees, but I am not holding my breath.
Makes Aust Post look like amateur hour in comparison - no?
Logged in to my QFF account yesterday to see that just under 150k points had been used to purchase some JB HIFI vouchers on Saturday afternoon via the Qantas Store. ......
Logged in to my QFF account yesterday to see that just under 150k points had been used to purchase some JB HIFI vouchers on Saturday afternoon via the Qantas Store. Thankfully, the order was still "in process" and I was able to start an online chat with the store and have the order cancelled and the points refunded. No details had been changed in my account. PIN, email address, phone number etc were all the same. Now super paranoid! What is weird is that 2 factor authentication has been active on my account for a couple of months now. Admittedly, not every login - but you'd think that before a purchase, it would be mandatory.
Probably no different to a Credit Card hack, where they take a statement and a copy of any doco.
Today I logged into my QF account to discover almost 90,000 points stolen to purchase flights. Three separate transactions - and the ff centre was able to tell me the names in which they were purchased (most likely not their real names). The ff centre was supportive and advised that once I send in a Stat Dec they will reimburse the points. They do say I must report it to the police. Has anyone had any experience in reporting this fraudulent hacking to the Police?
True, but alternatively, just sending out vouchers the old fashioned way in the mail would solve much of the problem.
Re: FF Account just hacked and points taken
The 4-digit PIN is really insecure - not just the PIN itself but also the wide number of points where it is used. Different websites, apps etc. Many of them take different data paths to the QF authentication servers, so many potential points of weakness where data can be intercepted.
Add to that two pieces of information (Surname and FF number) that are in pretty much every email from QFF to their customer base and you can see how these things happen.
I wrote a script for a lawyer mate back in the day who had 2M+ QFF points and was paranoid about them being stolen. He'd been stung by the AN collapse, and knew his work email had been compromised a couple of times. He just wanted something that would SMS him any time there was any negative change of 1000 points or more. He made sure that SMS number was unblocked from his phone and assigned it a loud and annoying alert tone. Quite a length to go to. And every time the QFF site or backend would change he'd message me in a panic to update the script. Thankfully he burned his points and has moved on from QFF so not my problem anymore ;-)
Simply offering the ability to set our own (complex) passwords, and adding mandatory two-factor authentication would clear up probably 80%+ of the fraud attempts.