Fraud on Velocity Frequent Flyer accounts

You've done well. I'm a week into trying to get de-linked from 7-Eleven now. I need to call Velocity now actually to see where they're at with getting that done. Yesterday I got a plethora of "Your Velocity details have been updated" e-mails. I called and was told it was Velocity staff themselves hacking my account this time trying to get it extricated out of 7-Eleven. Today though, the 7-Eleven app still says it's linked to Velocity, so whatever they were doing, didn't work.
One thing's for sure, I will not be linking the new account to 7-Eleven. 7-Eleven is like a scathing case of herpes, you can never get rid of them!
My process to de-link was:

  • VFF rep validated identity and all info on the old account (pre-compromised).
  • VFF rep unlocked old account and generated a password reset to original email address.
  • I reset password.
  • I deactivated Fly Buys link through VFF portal.
  • I delinked 7/11 through 7/11 app.
    • Required logging in to 7/11 app.
    • Navigating to "More"
    • Selecting Velocity link
    • Delink Velocity account
    • Login again to 7/11
    • Then transferred to Velocity login and entered credentials for old account.
    • Removed.
  • Once completed agent locked old VFF account.
  • I added linkage to both on new VFF account.
 
Further to updates, here's what my transaction history looks like now on my new VFF account number:

| Activity date | Process date | Description | Velocity Points | Status Credits | My Commentary |
|---|---|---|---|---|---|
| 4-Oct-2024 | 4-Oct-2024 | Congrats! First time activate offer bonus points | +10 | | |
| 4-Oct-2024 | 4-Oct-2024 | Congrats! First time favourite brand bonus points | +10 | | First transaction on new VFF account number |
| 3-Oct-2024 | 3-Oct-2024 | VELOCITY POINTS - VIRGIN MONEY | +1,507 | | Last transaction on compromised VFF account |
| 5-Aug-2024 | 30-Sep-2024 | Virgin Australia High Flyer 3 Status Credit Bns | | +3 | |
| 1-Aug-2024 | 30-Sep-2024 | Virgin Australia High Flyer 3 Status Credit Bns | | +3 | |
| 19-Sep-2024 | 20-Sep-2024 | American Express Velocity Card Points Earn | +9,471 | | |
| 7-Aug-2024 | 12-Sep-2024 | Refund - NH159, New York (JFK)-Haneda, All Nippon Airways | +264,400 | | FRAUD REVERSAL |
| 31-Aug-2024 | 10-Sep-2024 | flybuys 4 Status Credit Earn | | +4 | |
| 3-Sep-2024 | 3-Sep-2024 | VELOCITY POINTS - VIRGIN MONEY | +2,133 | | |
| 8-Aug-2024 | 22-Aug-2024 | Virgin Wine SO001014009 | +539 | | |
| 19-Aug-2024 | 20-Aug-2024 | American Express Velocity Card Points Earn | +10,005 | | |
| 31-Jul-2024 | 17-Aug-2024 | flybuys 6 Status Credit Earn | | +6 | |
| 3-Aug-2024 | 8-Aug-2024 | VELOCITY POINTS - VIRGIN MONEY | +6,068 | | |
| 3-Aug-2024 | 8-Aug-2024 | Virgin Money High Flyer VA Bonus Points | +7,728 | | First transaction post account lock/ investigation |
| 7-Aug-2024 | 7-Aug-2024 | NH159, New York (JFK)-Haneda, All Nippon Airways | -264,400 | | FRAUD |
| 5-Aug-2024 | 5-Aug-2024 | VA1140, Ballina (Byron)-Sydney, Virgin Australia | +745 | +15 | Last transaction before fraud |
 
Any SC or points earned during the suspended timeframe were credited to the old account.

Along with the balance transfer to the new VFF account number, all historical transactions are listed. I can see

Whilst I imagine if anything is missing it would be a painful challenge to recover, I assume it will be possible. Once my migration was complete, the old account was deactivated once again.

Travel Credits, if they exist, remain tied to the old account details. Apparently, you can use them at checkout when booking. Future travel credits will flow to the new VFF account. I'll verify when I get a chance to book.

It is on you though to update to your new VFF account any non-linked earns. AMEX, Virgin Money, Virgin Wines etc I had to change myself through respective portals.
That's great to know, thank you for all the info! And a good reminder re the other earning partners, hadn't thought about this yet (it's only Amex and Virgin Money for me I think, not doing FlyBuys, 7Eleven, Wines etc.). But I will make sure to double-check when the time comes around.

Given one ends up with a new account, for Platinums does one get a second chance for car-rental and Hilton / IHG status matches? That would at least be a tiny bonus out of the entire saga.
 
What there almost certainly is, is a group of people acting as agents in countries with lax regulation. Possibly offering these seats at retail as a cut price to unsuspecting buyers, or maybe involved in people/drug trafficking or other nefarious dealings.
All the more reason to come down on them hard.

If you're selling tickets with stolen airline points (or even stolen credit cards) you've forfeited your right to live and breathe the same air as the rest of us.

How do you catch them? Follow money trail. Not hard if you know where to look.
 
"Qantas Frequent Flyer customers caught in major cyber theft as police called"

The above is a headline from The Australian.

"The Weekend Australian can reveal two third-party airport contractors in India have been suspended by their employer for inappropriate conduct, which involved accessing and making unauthorised changes to Qantas customer bookings. The contractors worked for Air India SATS, a joint venture between India’s main airline and SATS, which is Singapore’s biggest ground handling company."

Maybe linked, who knows??? Obviously a negative Qantas headline sells more papers than a negative Virgin headline.
 
From the article, multiple airlines were impacted:

Qantas said the fraud occurred because it operates flights to India where it uses a ground handling operator. It alleges staff at the local ground handling operator were able to access bookings – unrelated to India flights – and steal passengers’ information.
Qantas has since referred the attack to local Indian police and admitted customer data has been compromised by the unfolding cyber hack.
Qantas alleges the individuals were fraudulently stealing valuable frequent flyer details in their bookings. The frequent flyer theft has hit several airlines, including around 800 Qantas bookings over several weeks.
“We apologise to our customers who have been caught up in this fraudulent activity, which has impacted a number of airlines,” Qantas said in response to questions from The Weekend Australian.

I'm not sure if VA would have been impacted as they don't fly to India. I'd also question how having access to Amadeus data would allow the stealing of points unless they were subbing out alternate QFF account numbers, as has been speculated for other airlines recently. 2FA should still protect QFF data such as points transfers and bookings, but yet another outcome of the mess that is GDS platforms is the relative ease with which someone with access in a small airport in Timbuktu can potentially alter bookings for tens or hundreds of airlines simply because they're contracted to check in for those airlines in one location, and GDS data seems to have little to no guardrails around access and manipulation.
 
That would be the way. I've seen stories from others where they had a booking with their FF entered, but when they got their boarding pass had another FF showing. They then tried to correct afterwards, but found it was refused due to points being credited, and were able to find out that a fake new account had been set up in their name, but not with their contact details, to which the points were credited.
 
  • I delinked 7/11 through 7/11 app.
    • Required logging in to 7/11 app.
    • Navigating to "More"
    • Selecting Velocity link
    • Delink Velocity account
    • Login again to 7/11
    • Then transferred to Velocity login and entered credentials for old account.
This is where that process failed for me. It's probably something to do with phone/app version incompatibilities, but when I entered my Velocity membership password, it kicked me not to a screen that says "You have now de-linked your Velocity account" but rather to the screen where you actually LINK Velocity to 7-Eleven again. Indeed, on the de-linking screen, you always get led down a path to the Linking process and there's no way out of it without completing it, by which time you've re-linked Velocity to 7-Eleven again. Exactly the opposite of the thing you're trying to do.

Anyway, I finally got out of it yesterday by manual intervention from Velocity talking to 7-Eleven to get me brute-force removed. Even after the sledgehammer approach, my app still said it was linked to Velocity. I had to go through the delinking process the 1,327th time to finally convince the 7-Eleven app it was in fact de-linked.

The whole process has taken 7 weeks from discovery of hack to restoration. Just de-linking 7-Eleven from Velocity took a whole week of that seven. In that seven weeks, I have been demoted from Silver to Red status again, which I would argue against if I had any intention of ever using Virgin/Velocity again, which, after this debacle isn't the case, so it really doesn't matter.
 
As I've said in the past it's very easy for someone with production access to pass on bits of information to friends or 3rd party.

Our company want to remove access to production data from everyone but if that happens that will make my support job very difficult. Much easier to investigate issues looking at real data rather than data masking and obfuscation.
 
I have noticed an introduction of a 4 digit pin for redemptions to the new account creation, which I don't recall from before (although it may well have been in existence).
That PIN has always been there, it's not new. The problem is that it's nothing more than mere security theatre. It's there to make YOU the account holder feel like Velocity are actually doing something about security, when they're not. Same as the scanners at security at the airports. Pure theatre put on to not spook the horses so they keep buying tickets and flying discretionally willy nilly all the time. Gotta keep the money flowing around and around after all.

The PIN as you've no doubt already discovered, does absolutely nothing. I've just logged into my brand new Velocity account to see if my points lasted the night without being nicked. I did this from a private browser tab that Velocity has never seen before. All I needed was my username/password and I was in. No PIN, no SMS, no Google Authenticator code, no "we haven't seen this browser before, answer a thousand questions first", no Are You Human? captcha nonsense. None of that, just username/password and go for your life, help yourself. Brilliant.

I am fully expecting my account to be hacked again before the week is out.
 
"Qantas Frequent Flyer customers caught in major cyber theft as police called"
I'm impressed at the detective ability of the members in here to have figured out for themselves that the hacking was coming from the sub-continent/SEA and that it was more than probably at least partly an inside job as well. I would put the amateur sleuths in here well ahead of the clown show running the ACSC, Velocity, AFP or the ASD every day of the week.
 
Any SC or points earned during the suspended timeframe were credited to the old account.

Along with the balance transfer to the new VFF account number, all historical transactions are listed. I can see

Whilst I imagine if anything is missing it would be a painful challenge to recover, I assume it will be possible. Once my migration was complete, the old account was deactivated once again.

Travel Credits, if they exist, remain tied to the old account details. Apparently, you can use them at checkout when booking. Future travel credits will flow to the new VFF account. I'll verify when I get a chance to book.

It is on you though to update to your new VFF account any non-linked earns. AMEX, Virgin Money, Virgin Wines etc I had to change myself through respective portals.
In addition to this, answering my own question here:

I have noticed I can still see account activity in the Virgin Australia (not Velocity!) app, and my recent flights and Amex earn since account suspension are still posting normally. So this is good.
 

Plus, the "model" relies on there being reward availability. Hardly a given. There must be a way an award ticket can be monetised.
Out of curiosity I checked award availability for those two routes that were most recently part of the scam:
  • LOS-DOH (2x QR flights daily): Y availability on every single flight for today (same day booking), tomorrow, day after and so on for the whole week; J availability about 50/50
  • DAC-DOH (2-3x QR flights daily): Y availability on one flight today, one tomorrow, then sporadically for the next few days; J availability on almost every flight from tomorrow (booking 24-48 hrs out) for the entire week
None of this is a coincidence. There's great availability on these routes and the people operating the scam know this.
 
Has anyone else changed their VFF password to be more complex since the start of this thread? And then checked their balance every time this thread is updated? Yeah...
Nah. Transferred it all to KrisFlyer for good awards :p

I'm impressed at the detective ability of the members in here to have figured out for themselves that the hacking was coming from the sub-continent/SEA and that it was more than probably at least partly an inside job as well. I would put the amateur sleuths in here well ahead of the clown show running the ACSC, Velocity, AFP or the ASD every day of the week.
I think the difference is trying … pretty sure when the po po and AFP say they can’t find these thieves they actually mean they won’t look.
 
Has anyone else changed their VFF password to be more complex since the start of this thread? And then checked their balance every time this thread is updated? Yeah...
I have indeed
 
Exactly. The password makes no difference whatsoever. It is just sidestepped entirely. Make the password 360 characters long entirely out of symbols from WingDings and Microsoft Character Map application on your computer if you want. It will make no difference.
 
