FF Account just hacked and almost 300,000 points taken

Status
Not open for further replies.
Why would a system require a PIN for an upgrade to be valid and, as I noted earlier (clause 16.1.12), if you change your PIN, your upgrade requests have to be re-logged?

I'm sure my banks do not require my PINs to deduct fees & charges whenever they are due.

Asking for PIN is unwise (nobody else does that); so is the linking of upgrade requests to the PINs.

Maybe this time QF would wise up and modernise its IT security for a change.

Maybe it is not hurting them on the bottom line yet (too few frauds ??), but it certainly does not appear to be "world best".

......To be perfectly honest, when you look at many FF programmes around the world, relative account security is quite poor. I'm not saying this is ideal, and a tighter system of security would be good. I'd also like QF to have some system during any customer service interaction that would not require one to give their PIN (e.g. lodging an upgrade over the phone).


Most, if not all, my bank accounts will email me on the OLD address whenever I change to a new address. So, that is technically feasible already.

Further, they would insist on a SMS code before you could modify your contact details including changing the mobile phone for that SMS. In other words, you would have to be notified.


That would not be effective if the thief changed the email address, burned the points, then changed it back.
They could also possibly hack into the target email account, remove the notification email, and no one is the wiser.

That would leave an e-trail of sorts (if Qantas logs all such changes and emails sent), which may be useful except possibly in the second case which would be much more difficult for Qantas to check.

Such a measure would have hardly helped the OP in this case, as she had checked her account that same afternoon. Not much different to getting an email (possibly delayed delivery) and then notifying closer to the time, except possibly the proximity of her notification to the event may have prompted Qantas to take much more imperative action.

That said, the idea is not without merit; at the very least it may just start a trail.
 
That would not be effective if the thief changed the email address, burned the points, then changed it back.

They could also possibly hack into the target email account, remove the notification email, and no one is the wiser.

If any changes are done on a QFF account the email goes to original email address? So a thief would need to be able to hack into 2 different accounts?

Do people save their passwords on their computer? I do it for AFF, Flyertalk and email address so I guess a hacker has access to that information. Hmmm....
 
Most, if not all, my bank accounts will email me on the OLD address whenever I change to a new address. So, that is technically feasible already.

Further, they would insist on a SMS code before you could modify your contact details including changing the mobile phone for that SMS. In other words, you would have to be notified.

I'm not sure with QF, but they may only send changes of email address to the new one, not the old one. To be honest, I've never tried. I'm sure there has been at least another account I've had (not sure if it's another FF, bank or other) in which I changed the email but it went to the new address only.

It would make sense to send to both, unless of course sending an email to the old (possibly malicious) address would of course inform the thief of an action (in which case, another way to do it is a secure call to Qantas to change the email without sending a notification to the old address).
 
What a terrible thing to happen. Hope you get it all sorted quickly.


Hmmm.... Do QFF points have a value?

Apparently in this case they had a value of 8 * $250 Myer Gift Cards, so $2000.
 
Sorry to hear of this Noreen. I would not be happy at all should this happen to me (though rest assured they cannot take 300K points from me, I have a minuscule amount at the moment).

If (and it sounds like you can) you can provide reasonable 'proof' or a stat dec like you have done, then I'd be mighty surprised if you don't get your points back fairly promptly.

I also think, unless the hacker has been very 'clever' in covering his/her tracks, that there is every likelihood they will be caught...or I would like to think so anyway.

Is there the remotest chance this is all actually an 'innocent' mistake, not deliberately fraudulent? I highly doubt it, but I wouldn't consider it beyond the bounds of possibility.

Anyways, here's hoping your points are returned soon and with no more fuss than you've already endured.
 
Hi Noreen, I logged into my Velocity account yesterday, and guess what, somebody had used my points to buy iTunes vouchers. 3 x $50 and 1 x $20. Not as much as yours, but they were still my points even at only 30000 points. Rang Velocity and they said the same, it was not their responsibility, they said maybe someone from the family. The only thing is I do all our bookings and know all the passwords, even my family don't know the passwords. Rang Apple and they couldn't help. Not happy, so I rang Velocity back and insisted someone hacked my account, and that I would go to the police because as far as I'm concerned it was fraud. They gave me the email address of whoever got the evouchers, also they gave me the serial numbers. I definitely did not know that email address. It ended with @postdotcom - does anyone on this site know of this one?
Told them they need to do something because I want my points back, she put me on hold to speak to her supervisor, came back to me and said that they will start an investigation, and have to suspend my account while they check it out.
I too, will keep you posted.
 
Grrrrr........

I check my QFF every day, with at least 1 of 2 Android programs.

My Usage is the main one I use.....
 
Never leave a boarding pass where someone can pick it up. I shred mine once the points have posted.
Then with your PIN avoid all the simple ones like birthdays and stuff like 1234 and 9999.
It is a sad world where your hard work to produce points gets hacked.
 
Never leave a boarding pass where someone can pick it up.

Attention MartinMemo! Final call to take down your wallpaper of boarding passes at your desk if you haven't already done so...
 
Unlikely to do anything, but try contacting the Airline advocate
The Airline Customer Advocate (ACA) provides a free and independent service to eligible customers of major Australian airlines by facilitating the resolution of current unresolved complaints about airline services.
 
Attention MartinMemo! Final call to take down your wallpaper of boarding passes at your desk if you haven't already done so...

The naivety of some people can be amazing at times. A member on Facebook is quite happy to show his full BP on there, yet laughs it off when people suggest it's a security risk.
 
Must be the season for dodgy transactions. In the past 4 hours, I've had 2 of my credit cards see dodgy transactions. One card has been replaced, and I'm now on hold to the other institution to have that one fixed.

The strange thing is, none of them are stored anywhere, both cards are in my possession, and I never let them leave my sight when using them (i.e., I won't just hand it over to a waiter, I'll always go to the machine). One of them is pretty much exclusively used only for paywave/paypass type use, and at ATMs for cash withdrawals (where I carefully check to make sure there's no strange attachments over the card slot, and *always* cover up my PIN when entering).

Oh, and the cards live in separate wallets. Very strange.

*edit*
And after speaking to institution #2, it was a charge for the exact same amount, from the exact same merchant, around 60 seconds after the first card. The only thing I can think of is amazon.com, where I have both cards stored. Pain in the back.
 
People were commenting about the recent decision to stop an IT overhaul of the systems in use by asking what needed to be fixed, I would suggest four digit passwords and the ability to try guessing them twice a day with no notification to the user would be an area to be looked at.
 
People were commenting about the recent decision to stop an IT overhaul of the systems in use by asking what needed to be fixed, I would suggest four digit passwords and the ability to try guessing them twice a day with no notification to the user would be an area to be looked at.

I get frustrated at the number of times my login to Westpac fails on the password, because the buttons you click don't seem to register. Then when I log in it tells me there was a failed password attempt. This is exactly the sort of feature Markis is referring to. If you know you failed once, then all good. If it says there were two or three - time to investigate.

No doubt this is just the sort of feature that might have been in the "failed" project. Would still be possible if there was a front-end process to the old system.
 
I have just been informed by Qantas that the investigation will be ongoing but that my points will be reinstated so I am much relieved as you can imagine, thanks also to Red Roo who also kept in contact with me during this stressful time. I have suggested a 3 step security process at the very least and have been informed that they will look at this and interestingly enough the Qantas rep advised that with large transactions of this type made on the store they would normally check with the owner of the points but that I was so quick on checking my account (which I do daily) that I had pre-empted that call from them. As I have never bought anything from the store before I do not know if this is normal procedure. I am not tech savvy as you would have noticed from my previous posts and requests for assistance but I would urge everyone to upgrade their security on a regular basis, PINs/email addresses etc. Be aware of scammers etc. Thanks to everyone for their support, I hope no one has to go through this themselves and maybe a bit of a lesson for me to burn some points which I certainly have plans for in the near future.
 

I have just been informed by Qantas that the investigation will be ongoing but that my points will be reinstated so I am much relieved as you can imagine, thanks also to Red Roo who also kept in contact with me during this stressful time. I have suggested a 3 step security process at the very least and have been informed that they will look at this and interestingly enough the Qantas rep advised that with large transactions of this type made on the store they would normally check with the owner of the points but that I was so quick on checking my account (which I do daily) that I had pre-empted that call from them. As I have never bought anything from the store before I do not know if this is normal procedure. I am not tech savvy as you would have noticed from my previous posts and requests for assistance but I would urge everyone to upgrade their security on a regular basis, PINs/email addresses etc. Be aware of scammers etc. Thanks to everyone for their support, I hope no one has to go through this themselves and maybe a bit of a lesson for me to burn some points which I certainly have plans for in the near future.

excellent outcome. and relief no doubt :)
 
on the perhaps 'less well done' side... if the company has a process in place to contact account holders for big transactions, that implies there is a process for a manual approval before the order is shipped. It also implies the order could be stopped (and if stopped, then the points refunded).

if that is the case then it would have been helpful to have that explained on the day it happened. Knowing you will get your points back (but may have to give them time to process the refund) is different from wondering what will happen.
 
.... Must be the season for dodgy transactions. .... The only thing I can think of is amazon.com, where I have both cards stored. Pain in the back.

I am averse to saving my CC anywhere incl. Qantas, booking.com, Amazon etc....

I'd prefer to enter them again... and again, for security reasons.

Any server could potentially be hacked into and your CC would then become compromised.

Maybe no loss will ensue but the hassles of cancelling / re-applying for a new card is not worth the time saving from the stored details.
 
Hi Noreen. I'm glad to hear you will have points reinstated. One of my family members has just suffered from points theft in mid-January and is going through the same process as you.
 
I am averse to saving my CC anywhere incl. Qantas, booking.com, Amazon etc....

I'd prefer to enter them again... and again, for security reasons.

Any server could potentially be hacked into and your CC would then become compromised.

Maybe no loss will ensue but the hassles of cancelling / re-applying for a new card is not worth the time saving from the stored details.

I am usually the same but as I buy a lot off Amazon, usually when I'm needing something urgently and may not have access to my cards, I did save them there. I've now removed all my cards from amazon us and uk. As you say it'll save future issues.
 