Fraud on Velocity Frequent Flyer accounts

[StayGoldPonyboy]

Bit off topic but just saw this linked from another news article.... catching folk connecting to in-flight wifi

Perth man allegedly set up fake wi-fi networks to steal people's personal data at airports

A Perth man is released on strict bail conditions after appearing in court accused of starting up "evil twin" wi-fi networks, to get the personal details of users at multiple locations, including airports across Australia.

www.abc.net.au

 

[Lost Redditor]

Bit off topic but just saw this linked from another news article.... catching folk connecting to in-flight wifi

Perth man allegedly set up fake wi-fi networks to steal people's personal data at airports

A Perth man is released on strict bail conditions after appearing in court accused of starting up "evil twin" wi-fi networks, to get the personal details of users at multiple locations, including airports across Australia.

www.abc.net.au

I'd say this can be considered on-topic.
How this works is they take your browser's request to fetch `virginaustralia.com.au` (this is DNS spoofing) and instead serve you an identical looking VA website clone and collect your credentials if you enter it there.

Best to rely on the apps rather than websites when connecting to open, unknown network. Still not 100% safe but you're less likely to fall victim to this kind of credential harvesting.

 

[Legoman]

Fortunately these days, even the most poverty pack cheapest PAYG pre-paid phone plans include more data than anyone not addicted to Facebook can ever use, so the incentive to go through all the sign-up/agree to terms & conditions cough to connect to free wi-fi is slowly going away. Last time I was in an airport I found the constant pop-ups telling me there was free wi-fi available so annoying and disruptive to typing the message I wanted to send on my phone that I just killed its ability to search for them.

The people who will fall victim are Grandpa & Grandma wanting to play jigsaw puzzles and solitaire on their non-simcard equipped tablets in the business class lounge.

 

[33kft]

How this works is they take your browser's request to fetch `virginaustralia.com.au` (this is DNS spoofing) and instead serve you an identical looking VA website clone and collect your credentials if you enter it there.

Not quite, if you have a look at the article it explains what the attacker was doing.

The problem with what you're describing is that without an SSL certificate for virginaustralia.com.au, you'd get a certificate warning within the user's browser. VA publish HSTS headers for virginaustralia.com.au so you would not be able to pull this off, as HSTS requires a HTTPS connection with valid certificate or browsers would not display the content at all:



What the attacker was doing was to redirect to a captive portal authentication page which harvested user credentials:

The AFP said when people tried to connect their devices to the free networks, they were taken to a fake website which required them to log in using their email or social media accounts.

This would work because you're in control of the redirect through a DHCP parameter, although it would be clear to at least some users that it makes no sense for them to be redirected to the website that they were directed to when connecting to that particular hotspot. The genius part (also dumb) is doing it in-flight, you could redirect users to a mock up VA site for example, whereas if you spoof an airport's wifi it would not make sense to redirect all travellers to one particular airline's loyalty login page. The dumb part is that I'm pretty sure it will end up being used against him, eg tampering with flight related systems or similar.

There would still be a number of protections in place within modern browsers to avoid getting stung like this, for example for those who save their credentials within their browser, it would not have autofilled usernames and passwords without additional confirmation from users because the domain would not match for the site that the credentials were saved for. It's basically designed to harvest credentials from those who would memorise their credentials and happily type them in to a site without checking the URL vs those who use password manager features within browsers.

 

[StayGoldPonyboy]

Props to the airline staff member who escalated it.

 

[ben95]

although it would be clear to at least some users that it makes no sense for them to be redirected to the website that they were directed to

I’d say it’s still too hard for the average job to identify. It’s all well and good that the crew and instruction manual in the seat pocket tells you to go to a particular website, but if you got taken somewhere by a captive portal it’s hard to tell whether it’s the right one used by that particular airline.

For example, VA redirects you to boardconnect.aero (entertainment) / inflightinternet.com (intelsat WiFi), none of them have anything to do with virginaustralia.com.

There’s many more out there for various provider/ airlines own portal. If you are an average joe traveller who booked a flight via a TA, do you even recognize the airlines domain name let alone checking that particular portal got a valid SSL certificate.

 

[33kft]

There’s many more out there for various provider/ airlines own portal.

I agree with you, but only in the context of inflight wifi. That and perhaps a lounge are the only 2 times that you could feasibly connect to wifi, get taken to a captive portal and type in your velocity credentials (and even then, there should be pause for thought given the browser won't auto fill them for you due to a different domain)

But if you connect to Melbourne airport wifi and get taken to a velocity log in page, is that going to make any sense? Again, it is very context specific... People are going to ask the obvious question, does it make sense for me to connect to a public hotspot and get asked for my bank login details?

It has to be within the realm of believability and that's to get the unsophisticated people. This guy got caught because his ruse was not believable enough despite spoofing VA's in flight wifi, with a captive audience and a reasonable explanation for why you would be asking for credentials

To show how context matters - imagine if you tried the same trick on QF. I don't think it would take long before questions would be raised about why any credentials were being asked for at all

 

[StayGoldPonyboy]

The article didn't mention VA it just said "domestic airline" .... That's why when I posted the link to the article I said it was a bit off topic (as may not relate to this VFF thread specifically)

It says this guy did his 'evil twin WiFi' scam in various airports, flights and in locations connected to his workplace. He would have been spoofing a variety of login pages probably.

 

[jsoprano]

I’d say it’s still too hard for the average job to identify. It’s all well and good that the crew and instruction manual in the seat pocket tells you to go to a particular website, but if you got taken somewhere by a captive portal it’s hard to tell whether it’s the right one used by that particular airline.

For example, VA redirects you to boardconnect.aero (entertainment) / inflightinternet.com (intelsat WiFi), none of them have anything to do with virginaustralia.com.

There’s many more out there for various provider/ airlines own portal. If you are an average joe traveller who booked a flight via a TA, do you even recognize the airlines domain name let alone checking that particular portal got a valid SSL certificate.

I consider myself reasonably tech-savvy, but I can see myself falling for it in some circumstance - in a rush trying to send a document from my laptop, doing three other things at the same time etc. Usually I'd just hotspot via my mobile, but inflight that's not an option. I may or may not get suspicious with missing auto-fill, but all these boardconnect etc. pages may not have it anyway. And also, VA does give out free wifi by status, so it somehow can make sense they ask you for your Velocity details to validate (they do via your seat number though). Don't think this was it but it's a possibility nonetheless.

 

[Brissy1]

Push notification comes in today advising a few points came into my Velocity account from 7eleven.
No such notification when 100,000s points go out (legitimately thankful).
Interesting priorities.

 

[JohnK]

I'm not sure why you would think that, given that neither email nor phone is being used as a security factor here. The only email notification that goes out is when the personal info in the account is changed, and attackers have been blasting victims inboxes with junk to try to hide that notification simply because they don't have access to inboxes to remove it.

There is no evidence of any sophistication here in terms of taking over people's accounts/phone numbers outside of VFF. There simply seems to be a way that VFF #s and passwords are known to or found by the attackers, or that authentication bypassed somehow.

I think there are many examples out there and possibly inside jobs.

How can someone take port my number without my permission. It can be difficult for me to do it when I change from Optus to Circle and back to Optus or from Belong to Amaysim to Woolworths. How do these hackers do it and how are they simply allowed to do it?

How does someone purchase a $480 Jetstar flight with my 28 Degrees credit card without verification when I struggle to make an online purchase for a small amount? That has to be inside job right because I have control of the phone and email address associated with the 28 degrees card.

How does someone put a $600 subscription through to some coughty subscription service in the USA with my Virgin Money credit card? I received an SMS for authentication the previous day but I didn't see it. The phone and email address on the Virgin Money were unchanged.

So I think hackers have life way too easy and are allowed free reign to do as they please. It should be very simple to catch any of the people that have committed fraud on my accounts. Even easier if there are multiple attempts out there leading to the same person or group of people.

They don't want to catch them. I don't know why but I'd guess part of the grand plan to disrupt our lives as much as possible. We should never underestimate the amount of time takes for us to restore our integrity. I have better things to do than spend hours, days, weeks trying to prove my innocence.

 

[FishFood]

How can someone take port my number without my permission.

Quite easily, criminal groups specialise in "SIM swapping attacks". At its most simple the criminal will simply call the telco and explain their phone was lost / stolen / dropped in a river and they need their number ported to a new SIM. More sophisticated gangs will have socially engineer backend access or even steal devices from telcos that they use to reprovision SIMs.

This is why SMS MFA should be avoided where possible, but any MFA is better than none

 

[JohnK]

This is why SMS MFA should be avoided where possible, but any MFA is better than none

This is why need to make anything online difficult. So you suffer but you'll be protected.

I'm still struggling to understand how anyone is able to port a telephone number when it's not them. Sorry sir, you've lost lost your phone? Please go into any store with photo id and proof it's your number. That will stop illegal number porting. In the meantime if you've lost your phone or number use a temporary one. It's not an inconvenience. It's protection.

I was chatting with someone from Westpac the other day as this was the 3rd month in a row online banking is asking me to confirm my phone number and email.

What we've sacrificed and what we've allowed to occur around us is really silly. We think it's convenience. Huh.

- Bank does not need to know where I'm getting my money. Salary, won on horses, won on pokies, my brother and mum helping me out. It's no one's business including ATO. If pushed just say no or lie. ATO has income details. They don't need to cross match with anyone. That's intrusive and going way beyond what's acceptable.

And yes since I've stopped applying for loans or credit cards no one knows anything. They don't need to know. I use a mixture of card and cash. I'd do well if I stopped transacting online. Get off the grid so to speak. What's coming around the corner is not going to be pleasant.

 

[FishFood]

Sorry sir, you've lost lost your phone? Please go into any store with photo id and proof it's your number.

This is a commonly suggested fix, but doesn't work in practice due to the large number of MVNOs (Mobile virtual network operators) which are telcos without any physical stores like Amaysim. Additionally it would disadvantage those in rural areas without telco stores

 

[Legoman]

So I think hackers have life way too easy and are allowed free reign to do as they please.

They don't want to catch them. I don't know why but I'd guess part of the grand plan to disrupt our lives as much as possible. We should never underestimate the amount of time takes for us to restore our integrity. I have better things to do than spend hours, days, weeks trying to prove my innocence.

It sounds a bit conspiracy-theory, but as they say the only difference between conspiracy theory and real life is around 2-3 years at the current rate of change. The simple fact is, it's much easier and less costly to lock up the legitimate owner and their money, than it is to find and prosecute the actual fraudster/thief. So that's what they do and then justify it by saying it's for your own good and they're protecting you.

- Bank does not need to know where I'm getting my money. Salary, won on horses, won on pokies, my brother and mum helping me out. It's no one's business including ATO. If pushed just say no or lie. ATO has income details. They don't need to cross match with anyone. That's intrusive and going way beyond what's acceptable.

And yes since I've stopped applying for loans or credit cards no one knows anything. They don't need to know. I use a mixture of card and cash. I'd do well if I stopped transacting online. Get off the grid so to speak. What's coming around the corner is not going to be pleasant.

Don't look at the UK as it will scare you even more. Trying to transact with cash is getting harder and harder over there. Banks are starting to refuse cash if they don't know exactly where it's come from. It's a scary new world we're being pushed into.

 

[JohnK]

Don't look at the UK as it will scare you even more. Trying to transact with cash is getting harder and harder over there. Banks are starting to refuse cash if they don't know exactly where it's come from. It's a scary new world we're being pushed into.

So fight it. Don't give in. It's not convenience. It's laziness. Don't shop from your living room. Get out there, interact just like we used to in the good old days.

I think it will sink in when the changes come. Told when to shop. Told where to shop. Told what to buy. Lockdowns are going to be so easy. Sorry sir, your card is not accepted here as you're out of range.

Life is going to be so exciting learning how to obey. Goodbye freedom.

 

[AustraliaPoochie]

Bank does not need to know where I'm getting my money. Salary, won on horses, won on pokies, my brother and mum helping me out. It's no one's business including ATO. If pushed just say no or lie. ATO has income details. They don't need to cross match with anyone. That's intrusive and going way beyond what's acceptable.
The Aus fed govt needs to know, not the banks.
Its due to then
You know that AML/ATT thing that banks "have to do" due to Aus fed govt regulations, talking about time wasting indeed.
45 mins, I spent with one of my banks, name, date of birth, address, employer, employment source, then passport #, medicare #, dl # if you drive, then, they have to check these details off, then contact phone number, they then have to put you on hold, ... then they have to call you back on your mobile phone # you gave.
This bank then has the gall to tell me, I didnt want to cause a fuss, that they would check me with/against data on credit rating agencies, even tho I am not applying for any loans.
Phone and linkT and other scammers have it easy.
Not to mention the "health authority" sms scam.
VFF and QFF and other companies, talk tough, but like Medibank data breach, etc, its so easy for scammers/people who know how to manipulate it, the data is so easy for them to gain.
It should be harder for points to move out of VFF accounts.
VFF should have a code word/words system in place for points transfers out, or points burn.

 

[odysseus]

This is a commonly suggested fix, but doesn't work in practice due to the large number of MVNOs (Mobile virtual network operators) which are telcos without any physical stores like Amaysim. Additionally it would disadvantage those in rural areas without telco stores

That's just an excuse.

They could equally be required to have a representative shopfront e.g. Aust Post often fulfils the role for other activities, and there wouldn't be anything wrong with that. There's no requirement they _can't_ have a physical presence. Same applies in regional areas.

 

[Legoman]

So fight it. Don't give in. It's not convenience. It's laziness. Don't shop from your living room. Get out there, interact just like we used to in the good old days.

It's a nice idea indeed, but where do I go when the physical shops simply don't exist to go to? It's all playing into itself. One restriction works into another restriction and they all dovetail with each other, so that one supports the next which supports the next which supports the next and before you know it, your local grocery store has all the products for sale inside locked anti-theft cabinets you can only open with an app on your phone which has been preregistered with your credit card and facial ID data and the products are subject to instantly variable dynamic pricing ala Uber, so as soon as you request a cabinet open, the price shoots up since you've expressed interest in buying.

 

[Subharpoon]

Update #3

Hi Subharpoon
Our internal control systems have been alerted to suspicious activity on your account. If you contacted us, thank you for alerting Velocity to the unusual activity detected on your account. It appears that your login details have been compromised and redemptions were made from your Account. As a result of this investigation, we suspended your account as a security precaution. We do realise that this was a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

Your login details may have been compromised in a number of ways, more information can be found through the Australian Cyber Security Centre https://www.cyber.gov.au/ .

We recommend reporting the cybercrime via the Australian Cyber Security Centre Report | Cyber.gov.au.

All Points used in the unauthorised Points Transfer have now been fully reinstated back to your account.

For your security, your current account remains suspended. In order to secure your details moving forward, Velocity would recommend creating an entirely new account with a new password and security question. For added safety we also recommend that you change the email address to a different email in conjunction with this new account.

You may create a new account online via the Velocity website. You will then need to phone our Membership Contact Centre with your new Velocity account number so that we may transfer your status and earnings to your new account. Alternatively, please call us on 131 875 and our Membership Contact Centre will be able to assist you with the full setup of your new account.

Problem is that I cannot create a new account as the system claims I already have one! Grrr!

Finally, all sorted. New account created and points/status credits transferred to new account.