Fraud on Velocity Frequent Flyer accounts

[jsoprano]

I suspect they're not the true culprit and there is quite the operation going on, and possibly some laundry being done...

I suspect this is some shady "Buy discount airfares here via email/whatsapp/Telegram" operation in these markets like Nigeria and Bangladesh (some of the originating itineraries we've seen, where people are more desperate and less aware of such shady operators). They sell a ticket at a significant discount, hack an account, book it on their "customer's" name, issue it to them, they can check on the airline website that they have a genuine booking, and then 2+ days later when QR cancels it the shady travel agent has disappeared and is no longer contactable and the "customer" is SOL and a few $1000 out of pocket. That's kind of how I explained it to myself what's going down here... Otherwise (a) you wouldn't book anything for yourself if you're the perpetrator, and (b) you'd redeem the points for gift cards or the like.

But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...

 

[NM]

But in my mind to do this (the travel agent operation), you need a list/database of account details that you bought on the dark web somewhere, and then you go to work one by one. But what do I know...

Or an "insider" of some sort, with access to Velocity systems, such as a contact centre agent or IT service provider or similar. Someone who has access to change account information such as associated email address so that the transaction does not get emailed to the account owner.

It does seem what what hacked account owners are saying here, that their passwords were not changed, just the email address changed and redemptions transacted from their accounts.

But that is just my personal speculation.

 

[Brissy1]

I thought that Australian companies are required by law to report when customers details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.

 

[Legoman]

I thought that Australian companies are required by law to report when customers details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.

Unfortunately the ACCC are a completely worthless and useless organisation with no enforcement power whatsoever and all the businesses in Australia know it. Just try actually reporting a business to the ACCC as I have done, and see what response you get. It is laughable. The business you have a dispute with will openly dare you, or actually goad you into reporting them, and then if they really feel like it, will laugh at you to your face, because they know damn well, they will never be prosecuted or more likely even contacted at all.

ACCC and ESG are just nice acronyms in Australia. There is no actual meaning and no enforcement or policing behind them whatsoever. Australian consumer law is a joke. At best, a nice theory, but in practice, you've got no chance of ever seeing any compensation for even the most deliberate and clear cut case that results in anything less than death. For an actual death as the result, you might get somewhere if you're willing to pay a lot of money to lawyers, but for anything less, you're wasting your time and money.

 

[JohnK]

I thought that Australian companies are required by law to report when customers details have been stolen via their system.
Even if VA don't know, care or willing to reveal "how", given the extent perhaps this could be be a noncompliance issue to the ACCC thus prompting VA to act. Their system clearly has a vulnerability.

Very easy for an inside job to pass details to an outside source. Membership number, email address, password etc.

I don't quite understand the lack of action. Account had been hacked and flights booked and flown. You have the passport details of the person taking the flight. Did they purchase a flight from some dodgy website that uses stolen points to book flights? Did they book it themselves.

Solution is simple. Set-up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.

A few weeks back I found someone had booked a $480 Jetatar flight using my 28 Degrees card. None of my details were hacked so how did they get past authentication? Has to be some sort of inside job. I called Jetstar before calling Latitude and flight had not yet been taken and I hope Jetstar cancelled that booking.

 

[Must...Fly!]

Solution is simple. Set-up a do not fly register and all airlines adhere to it. Do not let these people fly again unless they provide all the details.

The problem is that there is not a small group of people travelling the world having a grand old time on defrauded Velocity account points.

What there almost certainly is, is a group of people acting as agents in countries with lax regulation. Possibly offering these seats at retail as a cut price to unsuspecting buyers, or maybe involved in people/drug trafficking or other nefarious dealings.

 

[33kft]

I thought that Australian companies are required by law to report when customers details have been stolen via their system.

"Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved."

I would guess that this wouldn't meet the criteria. Unless we AFFers got to define serious harm....

 

[jbman]

I have concerns that this is happening via some super user access that has either been granted or left open during testing etc. As passwords are not being used the only explanation can be there is another method to access accounts above customer level to make changes or bookings.

If such access is being used I would have hoped this would have been found ASAP and shut down. Cleary they either don’t know what the source of the access is or are still working on a solution.

Have all the flights so far been booked via QR?

 

[jbman]

"Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved."

I would guess that this wouldn't meet the criteria. Unless we AFFers got to define serious harm....

Yeah I do feel as though we are still in the early stages for the gov to really explain what a breach is and what action they will take against the company.

If a staff member accesses an account without request by the customer is this a breach? Would the customer be notified.

Concerning is the fact Velocity has not contacted anyone from what I can read. The members have contacted them to advise of the breach on their accounts.

 

[Happy Dude]

I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on they're being reward availability. Hardly a given. There must be a way an award ticket can be monetised.

 

[encryptededdy]

I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on they're being reward availability. Hardly a given. There must be a way an award ticket can be monetised.

I was reading a thread on FlyerTalk last year (sorry can't find it now) talking about how some scammers are able to pull off scams where they sell tickets to customers (usually they meet them on Social Media promising premium class tickets at a discount off the regular cash fare) that end up being rewards, either with points they've purchased off people as a points broker or stolen points.

First, they would book the flights as soon as the award space opens up with a bot (for popular routes) or when a customer requests them using their own points, usually with a currency with free cancellations & refunds (such as Aeroplan Flex Rewards). Then, they will acquire points from other places (e.g. stolen accounts), cancel their flex booking and use a bot to automatically book that flight when it returns to inventory using the stolen account, or their points broker account*.

I understand this is the main reason Aeroplan suspended Family Transfers last year for quite a long time, so they could beef up their security.

*either directly with someone who's sold their account to a points broker, or one of the many accounts a points broker would have to receive "family transfers" from their customers.

 

[odysseus]

Wow, commiserations! This sounds very similar what happened to me, same routing etc. and it occurring outside service centre hours also seems deliberate to me.

Question: how do you know for when the redemption was? I could only see the flight number and routing but no date or PNR.

If you know enough to make last minute bookings and get multiple accounts to pay for them, I'm sure they know the contact centre hours to know the best/safest time to get bookings when the office is closed and nothing can be done. Again, Velocity could do something about that - but don't seem bothered to.

As for the booking, it was accessible from My account under My trips, with the PNR, passenger name and all other flight/booking details. Passenger also had a unique name so I checked out his background. Has some IT knowledge and some history of questionable activities, but nothing related to flights so I lean towards him being a paying customer of some professionals.

 

[jsoprano]

If you know enough to make last minute bookings and get multiple accounts to pay for them, I'm sure they know the contact centre hours to know the best/safest time to get bookings when the office is closed and nothing can be done. Again, Velocity could do something about that - but don't seem bothered to.

As for the booking, it was accessible from My account under My trips, with the PNR, passenger name and all other flight/booking details. Passenger also had a unique name so I checked out his background. Has some IT knowledge and some history of questionable activities, but nothing related to flights so I lean towards him being a paying customer of some professionals.

That's interesting, in my case it didn't show up under My Trips, was the first thing I checked after seeing the redemption. But neither do rewards I book for my partner show up in there, so this didn't strike me as odd.

To your first point: yes, they could absolutely do something about it, such as a 24/7 phone line for security breaches - either post the phone number somewhere or have it as an option in the phone menu. Also, I do not think I ever got an email from Virgin or Velocity suggesting to change my password or even a more general "be vigilant" kind of message (unless I missed it?). Seems these issues are going on for the best part of a year now, so well overdue. But they would admit there's a problem to a few million customers, while for now it's only a few hundred impacted and a few thousand aware of it I guess. Not good enough.

 

[moa999]

The similarity between some of these cases.
- high number of points
- change of details
- last minute flight redemption
- flood of emails to obscure
Would suggest some type of inside job targeting specific accounts.. but that's only because we are seeing the outcome.. who knows if they are also gaining access to accounts with only 3,000 points and then moving into bigger fish.

But VA look pretty damm stupid allowing points redemptions in different names from high risk countries with no additional verification, particularly after recent changes to account details.

 

[jsoprano]

The similarity between some of these cases.
- high number of points
- change of details
- last minute flight redemption
- flood of emails to obscure
Would suggest some type of inside job targeting specific accounts.. but that's only because we are seeing the outcome.. who knows if they are also gaining access to accounts with only 3,000 points and then moving into bigger fish.

But VA look pretty damm stupid allowing points redemptions in different names from high risk countries with no additional verification, particularly after recent changes to account details.

Very much this! One other simple security enhancement would be 24hr cool off period for any redemptions after account details where changed. As you say, there are so many red flags - account details changed, immediate high-value redemption, suspicious routings not in line with user profile/history etc., why has nothing been done about this?

 

[jsoprano]

I am not convinced that flights are flown when these last minute QR redemptions are made. Citizens of Nigeria and Bangladesh cannot just jump on a plane to Doha on a whim. Those that could probably are more organised wrt international trips and would be unlikely to risk picking up 'hot' tickets on the day of travel. Plus, the "model" relies on they're being reward availability. Hardly a given. There must be a way an award ticket can be monetised.

Yes, but African and South Asian countries are also the main source for guest workers in Qatar. So there will always be a few thousand of them that have an urgent need to (a) get back to work asap, or (b) try to get home for a family emergency, flee their exploitative conditions etc. Lot's of vulnerable and desperate souls that travel on these routes. I can easily see them fall for a half-price last minute ticket scam if your family's livelihood depends on it.

 

[sharkiesrule]

A good news update to my fraud case from 7th August.

On 16th September I received the following notification:

"Our internal control systems have been alerted to suspicious activity on your account. It appears that your login details have been compromised and redemptions were made from your Account. As a result of this investigation, we have suspended your account as a security precaution. We do realise that this is a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

Your login details may have been compromised in a number of ways, more information can be found through the Australian Cyber Security Centre https://www.cyber.gov.au/ .

We recommend reporting the cybercrime via the Australian Cyber Security Centre Report | Cyber.gov.au.

All Points used in the unauthorised Points Transfer have now been fully reinstated back to your account.

In order to secure your details going forward, Velocity would recommend creating an entirely new account with a new password and security question. For added safety we also recommend that you update the email address used in conjunction with this new account. You may create a new account online via the Velocity website, and then advise us of the new account number so that we may transfer your status and earnings to your new account. Alternatively, please call us on 131 875 and our Membership Contact Centre will be able to assist you with the full setup of your new account."

I completed the creation of the new account, de-linking of partners on the compromised account, transfer of all account history to the new account, and re-linking of partners to the new account. Took about 40 minutes all up both online and on the phone.

I have noticed an introduction of a 4 digit pin for redemptions to the new account creation, which I don't recall from before (although it may well have been in existence).

 

[jsoprano]

A good news update to my fraud case from 7th August.

On 16th September I received the following notification:

"Our internal control systems have been alerted to suspicious activity on your account. It appears that your login details have been compromised and redemptions were made from your Account. As a result of this investigation, we have suspended your account as a security precaution. We do realise that this is a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

Your login details may have been compromised in a number of ways, more information can be found through the Australian Cyber Security Centre https://www.cyber.gov.au/ .

We recommend reporting the cybercrime via the Australian Cyber Security Centre Report | Cyber.gov.au.

All Points used in the unauthorised Points Transfer have now been fully reinstated back to your account.

In order to secure your details going forward, Velocity would recommend creating an entirely new account with a new password and security question. For added safety we also recommend that you update the email address used in conjunction with this new account. You may create a new account online via the Velocity website, and then advise us of the new account number so that we may transfer your status and earnings to your new account. Alternatively, please call us on 131 875 and our Membership Contact Centre will be able to assist you with the full setup of your new account."

I completed the creation of the new account, de-linking of partners on the compromised account, transfer of all account history to the new account, and re-linking of partners to the new account. Took about 40 minutes all up both online and on the phone.

I have noticed an introduction of a 4 digit pin for redemptions to the new account creation, which I don't recall from before (although it may well have been in existence).

Thank you for this update!

Question (to you and others who've been through the process): how concerned do I have to be with regard to points and SC earn during the suspension period? Did this all still accrue as per normal while the old account was suspended (and then eventually transferred across)?

 

[Legoman]

I completed the creation of the new account, de-linking of partners on the compromised account, transfer of all account history to the new account, and re-linking of partners to the new account. Took about 40 minutes all up both online and on the phone.

You've done well. I'm a week into trying to get de-linked from 7-Eleven now. I need to call Velocity now actually to see where they're at with getting that done. Yesterday I got a plethora of "Your Velocity details have been updated" e-mails. I called and was told it was Velocity staff themselves hacking my account this time trying to get it extricated out of 7-Eleven. Today though, the 7-Eleven app still says it's linked to Velocity, so whatever they were doing, didn't work.
One thing's for sure, I will not be linking the new account to 7-Eleven. 7-Eleven is like a scathing case of herpes, you can never get rid of them!

Question (to you and others who've been through the process): how concerned do I have to be with regard to points and SC earn during the suspension period? Did this all still accrue as per normal while the old account was suspended (and then eventually transferred across)?

They told me they still accrue and will automagically transfer across once the account is unblocked, but that's just a nice sounding story. I have no evidence at all that this will actually happen. I very strongly suspect that it will not work like that, because we now know that part of the rectification is that your old Velocity account number gets binned and will never be used again. In that case, then where will your credit card know to send the points you've accrued, if it doesn't know the new membership number and the old one is dead and buried?
Will Velocity place a redirect on their systems to automagically forward points sent to the old number to the new number?
Will points sent to an invalid membership number just disappear and be voided?
Will points sent to an invalid membership number be rejected and bouce back to from whence they came?

I don't know the answers to any of these questions

 

[sharkiesrule]

Thank you for this update!

Question (to you and others who've been through the process): how concerned do I have to be with regard to points and SC earn during the suspension period? Did this all still accrue as per normal while the old account was suspended (and then eventually transferred across)?

Any SC or points earned during the suspended timeframe were credited to the old account.

Along with the balance transfer to the new VFF account number, all historical transactions are listed. I can see

Whilst I imagine if anything is missing it would be a painful challenge to recover, I assume it will be possible. Once my migration was complete, the old account was deactivated once again.

Travel Credits, if exist, remain tied to the old account details. Apparently, you can use them at checkout when booking. Future travel credits will flow to the new VFF account. I'll verify when I get a chance to book.

It is on you though to update to your new VFF account any non-linked earns. AMEX, Virgin Money, Virgin Wines etc I had to change myself through respective portals.