Fraud on Velocity Frequent Flyer accounts

Clayton said:
I get those random 2FA texts as well, turns out mine are from access by Award Wallet to update details of flights and points held.
Click to expand...
Makes sense. My awardwallet account has a few months before renewal (which won't be happening).

I might can it early.
 
AMEX Velocity Platinum Card Benefits
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

serfty said:
Makes sense. My awardwallet account has a few months before renewal (which won't be happening).

I might can it early.
Click to expand...
Which makes me think: could AwardWallet (or similar services) be the vulnerability where the credentials were obtained/stolen in the first place? I do have an AwardWallet account still but have not been actively using it. Should probably just wipe it clean.
 
I have now cancelled Award Wallet - they were going to put the price up from the very cheap $5USD they have been charging me to about $50USD. Yeah nah!

Plus I am not sure how they will overcome 2FA as it is currently implemented.

I really like the Trip function in Award Wallet though as it essentially builds out a trip list of all bookings - Flights, Hotels, Rental Cars, Activities etc. just by monitoring my email - so I'll miss that!
 
moa999 said:
For that functionality I recommend TripIt.
Just fwd bookings etc to [email protected]

They used to have a monitoring feature with some email providers like Gmail but this got discontinued due to security risks.
Click to expand...
Was just about to recommend the same, I have a TripIt Pro account through work nowadays but been using the free version for probably 10+ years and it's great to keep everything - flights, hotels, car rental, events etc. - in one place with a customised itinerary.
 
First time using my account today in months. requested code to be sent by SMS, twice. And failed.

Got it to email.

Useless system if they can’t deliver to an aussie number.
 
moa999 said:
For that functionality I recommend TripIt.
Just fwd bookings etc to [email protected]

They used to have a monitoring feature with some email providers like Gmail but this got discontinued due to security risks.
Click to expand...
When did they remove the email monitoring? I've got all my trips booked earlier this year which could have only come from the monitoring.

will have to remember to forward future bookings.
 
As many have mentioned... close, yet so far... why not offer 2FA with a standard Authenticator App? Far safer than SMS or Email. And can be used offline so you don't need to have your phone number active... say when you're travelling and using another SIM.

Even QANTAS allows he use of Authenticator apps. But they also only let you set a 4-digit number as your "account password".... so let's not give QF too much credit.
 
Chief Wiggum said:
Even QANTAS allows he use of Authenticator apps. But they also only let you set a 4-digit number as your "account password".... so let's not give QF too much credit.
Click to expand...
This is the second time I've seen this take in as many days on here and I think it's a really bad one, tbh. Qantas requires 3 details - a FF #, surname and a PIN and to be honest it's going to be one of the most effective security controls out there, since it's so unique.

Look what happens when sites allow customers to use their email address and a user defined password - human nature dictates that many re-use the same credentials over and over, so as soon as one leaks, you have access to their entire set of accounts. The idea that everyone does the exact same thing - e-mail as the key and minimally bound password complexity controls has resulted in the same outcome time after time.

As it turns out, these 3 QFF details are not trivial details to obtain - which is made all the more clear in the lack of a similar thread on these forums for Qantas, and the fact that we aren't bombarded with MFA codes on the regular due to weak authentication in the first instance.
 
Last edited:
MEL_Traveller said:
First time using my account today in months. requested code to be sent by SMS, twice. And failed.

Got it to email.

Useless system if they can’t deliver to an aussie number.
Click to expand...
Each time I make a booking while logged into my account, I notice my number is populated as +61 614XX xx_ xx_ with a 61 prefix in addition to the country code which I then manually override. I think others may have the same issue.

I had to speak to the call centre today on an unrelated matter and was asked to confirm my number. They mentioned about updating it to a standard format and it now seems to have removed the 61 prefix, so this may be why you didn't receive the SMS. Try contacting the call centre?
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.

Recent Posts

Currently Active Users

Total: 316 (members: 49, guests: 267)
Back
Top