Fraud on Velocity Frequent Flyer accounts

Airlines could solve these issues quickly, but there are too many internal politics involved.
Fixes are easy, but not cheap.

Fixes are easy - and cheap. Well, to get the 'low hanging fruit' anyway.

Either or better, both:
- block redemptions within the next say 2-3 days, or at a minimum on Qatar in that time and that looks to take away most of the viability. A more friendly way would be to permit these bookings only through the customer service centre, with verification. A bit more expensive, but I doubt there's a massive legitimate volume of bookings for those conditions that CS cost would be great.
- prevent changes to email address online. Require contact through CS, with verification provided. Again, cheap and easy to do, with little CS cost.

Slightly more expensive, but standard nowadays and not excessively costly is IP/session verification as is done with financial payments, which this is equivalent to in the case of redemptions. i.e. if a redemption is made, is the session trusted, or is it a new IP? Permit the first, reject the latter - again, require them to go through CS or add verification to the session.

Of course that won't eradicate it BUT with the extra lead time and extra visibility it will mean that most of the current dodginess can be picked up and cancelled in that time, making the honey pot less attractive. There are also things that do cost more and do a greater job of blocking, but it's just way too easy as it stands, so the aim is to make it harder, and then focus on the next best value things to improve.
 
To your first dot point, I would add "redemptions not originating or finishing in AU". I don't think the scammers would try to sell off a stolen redemption flight involving AU??
 
I don't see why they wouldn't sell it, if they have a customer wanting to fly from or to AU and award availability is there? They'd sell you anything that makes those points into $$, it's just less likely I guess given how/where we assume they operate.

I think the easiest quick fix/band-aid for Velocity would be to restrict/disable the ability to change email addresses on the profile online (realistically, how often do you have to do this?) but make people call for further validation, or at least institute some kind of 24/48hr black-out period for redemptions following the change of email. But it's all crickets...
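An added illustration, not part of any post in this thread and not Velocity's code: the controls suggested in the posts above (a black-out after an email change, call-centre routing for close-in redemptions that do not touch AU, and re-verification of an unfamiliar session) written as one redemption check. All field names, thresholds, dates and IP addresses are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds and field names are assumptions chosen to mirror the posts above.
CLOSE_IN = timedelta(days=3)            # "within the next say 2-3 days"
EMAIL_BLACKOUT = timedelta(hours=48)    # "24/48hr black-out period"

@dataclass(frozen=True)
class Account:
    home_country: str
    trusted_ips: frozenset
    email_changed_at: Optional[datetime] = None

@dataclass(frozen=True)
class Redemption:
    requested_at: datetime
    departs_at: datetime
    origin_country: str
    destination_country: str
    session_ip: str

def review_redemption(acct: Account, r: Redemption):
    """Return (decision, reasons): ALLOW, STEP_UP (re-verify session) or CALL_CENTRE."""
    reasons = []
    if acct.email_changed_at and r.requested_at - acct.email_changed_at < EMAIL_BLACKOUT:
        reasons.append("email_changed_recently")
    if r.departs_at - r.requested_at < CLOSE_IN:
        reasons.append("close_in_departure")
    if acct.home_country not in (r.origin_country, r.destination_country):
        reasons.append("itinerary_outside_home_country")
    if r.session_ip not in acct.trusted_ips:
        reasons.append("untrusted_session")
    # Hard stop: fresh email change, or a close-in booking that never touches home.
    hard = "email_changed_recently" in reasons or {
        "close_in_departure", "itinerary_outside_home_country"} <= set(reasons)
    if hard:
        return "CALL_CENTRE", reasons
    if "untrusted_session" in reasons or "close_in_departure" in reasons:
        return "STEP_UP", reasons
    return "ALLOW", reasons

# Constructed sample shaped like the takeover reported in the thread: email changed,
# then a Lagos-Doha award booked minutes later from an address never seen before.
NOW = datetime(2024, 1, 8, 20, 35)  # constructed timestamp
VICTIM = Account("AU", frozenset({"203.0.113.10"}), email_changed_at=NOW - timedelta(minutes=5))
TAKEOVER = Redemption(NOW, NOW + timedelta(days=1), "NG", "QA", "198.51.100.7")
OWNER = Account("AU", frozenset({"203.0.113.10"}))
ROUTINE = Redemption(NOW, NOW + timedelta(days=30), "AU", "AU", "203.0.113.10")
```

The returned reasons list is what a fraud team would log alongside the decision, so that held bookings can be reviewed and cancelled during the extra lead time.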
 
Please just stop. You're making far too much sense. Logic and rational suggestions aren't appreciated at Velocity. They've made an entire business off the back of excuses and endless apologies, and it just wouldn't do to have to completely change the work culture now this late in the game. Their motto is Excuses are better than Prevention. There's another idiom that coughs on about "prevention" and "cures", but Velocity haven't heard that one yet.
 
Update
Contacted Velocity via website contact form and received this within 12 hours:

Thank you for contacting us about the unauthorized Points redemption on your account.
We understand that you are not the one who made the booking reservation using Velocity Points. Kindly be advised that your Velocity account will be placed under suspension as a security precaution. We have a specialist team looking into this and they will be in touch with you within 30 business days. During this time, we are unable to provide any details of the investigation.
As an extra precaution, please know that you will not be able to access your account online during the investigation, this is to make sure that no one can access your account. We understand this may be inconvenient, however – the safety and security of our members is our top priority.


Now we wait!
Received this morning Update #2

Hi Subharpoon

This email is to notify you that Velocity Rewards Pty Ltd (Velocity or us or our or we) has detected unusual activity in relation to your Velocity Account. If you contacted us, thank you for alerting Velocity to the unusual activity detected on your account.

Your Account has been suspended while the matter is investigated in accordance with section 2.6 of the Membership Terms.

During this time, we are unable to provide further information, however we will inform you of the outcome of our investigation within 30 business days. We do realise that this is a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

The Membership Terms can be accessed in full at Terms and Conditions

Yours sincerely
Velocity Frequent Flyer
 
A shame one of these 'major changes' was not the introduction of 2FA. Hopefully now all the 'enhancements' are out in the open, they can focus on this, but I imagine there's still much more to be done on the technical side with the 'enhancements'.
 
Virgin has the data on how many points are being stolen, who is doing it, how they are doing it, and how much money is being lost. I'm sure their people are working on whatever response is appropriate depending on the magnitude of the problem. Velocity is still the most profitable part of their business so this issue can't be doing much damage.

By all accounts they are reimbursing all customers affected so the issue is really just the inconvenience of not being able to use your points during the 7 week investigation period.
 
Most of us are quite sure that "their people" are doing absolutely nothing about it! In particular, improving login security seems to have passed them by while they slept.
 
Hear hear! And if they are not doing anything structurally about it but are simply refunding anyone affected eventually and just take it as a cost of doing business, why take 7 weeks? The superficial investigation and cancellation of any redemptions (if not already flown by the time it's reported) wouldn't take longer than a week or two.

On another note, with the latest announcement of lifetime Gold status being introduced, how will this go for those of us who had to open a new account? By the time they roll this out mid next year my old account will long be gone. But also, there's no way for me to take stock of my lifetime SCs now as it's not tracked anywhere...
 
Velocity clearly know who is doing this, and how they are doing it, and it clearly seems to be internal.

Why are not Police called in - this is staff ongoing FRAUD surely?

If Current Affairs programs get onto this and Virgin agree they have done nothing, they'll look like idiots. Or worse.

But they inconvenience innocent members for SEVEN weeks each time these spivs raid and plunder member accounts??

With all the massive changes announced today, no-one can go and check past flying SC balances etc online etc or current SC status etc to plan some runs before the new changes.

Tell members their account access to SPENDING or transferring points is temporarily restricted, and nothing else changes. How hard is that?
 
So I had my Velocity account hacked as well on Monday. Got an email around 8:30pm that my details had been updated and to call them if it wasn't me. Checked my account on the app and sure enough, someone changed the email address and then booked a redemption LOS-DOH on QR for 99200 points. Called them first thing the next morning and now going through the process with account suspended etc. At least I wasn't planning on booking any further redemptions as I booked my J rewards on NH for next June a few weeks ago. Oh well.
UPDATE:
Just received an email from Velocity this morning, they have reinstated my points (which I can also see in the VA app). My account still remains suspended and I cannot log in online or on the Velocity app. Email suggests I open a new account and then call them to transfer everything across (no surprises there). I'll deal with that next week then.

So it took about 2.5 weeks for them to restore from when I reported it - it seems things are improving.
 
But they inconvenience innocent members for SEVEN weeks each time these spivs raid and plunder member accounts??
Is this your first experience of the new world order where corporations have all the power, are laws unto themselves, answerable to no-one and dictate to governments which laws they feel like abiding by and which ones they won't?

You might be able to save yourself a lot of blood pressure spikes if you can get on board with the fact that you as a consumer are powerless and worthless and the corporations you deal with really don't care about your inconvenience or your angst when they shaft you.

So it took about 2.5 weeks for them to restore from when I reported it - it seems things are improving.
They've had a lot of practice. They know the ropes by now.
 
Update #3

Hi Subharpoon
Our internal control systems have been alerted to suspicious activity on your account. If you contacted us, thank you for alerting Velocity to the unusual activity detected on your account. It appears that your login details have been compromised and redemptions were made from your Account. As a result of this investigation, we suspended your account as a security precaution. We do realise that this was a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

Your login details may have been compromised in a number of ways, more information can be found through the Australian Cyber Security Centre https://www.cyber.gov.au/ .

We recommend reporting the cybercrime via the Australian Cyber Security Centre Report | Cyber.gov.au.

All Points used in the unauthorised Points Transfer have now been fully reinstated back to your account.

For your security, your current account remains suspended. In order to secure your details moving forward, Velocity would recommend creating an entirely new account with a new password and security question. For added safety we also recommend that you change the email address to a different email in conjunction with this new account.

You may create a new account online via the Velocity website. You will then need to phone our Membership Contact Centre with your new Velocity account number so that we may transfer your status and earnings to your new account. Alternatively, please call us on 131 875 and our Membership Contact Centre will be able to assist you with the full setup of your new account.


Problem is that I cannot create a new account as the system claims I already have one! Grrr!
 
Apologies if this has already been mentioned.
I logged on today and transferring points online has been disabled, one has to ring the call center. A good move to cut down on fraud.
 
Interesting, I logged in today and my account is no longer "suspended".

I never actioned any response back to Velocity, but it appears my account is live again after all this time.
 
just take it as a cost of doing business, why take 7 weeks?
Yes. The cost of doing business... Where the customer pays for that cost. They want me to prepare some legal documents about a family transfer to get my points back while I'm on holiday overseas. My holiday time is too valuable for that nonsense. No thanks. Bye bye Velocity.
 
