Fraud on Velocity Frequent Flyer accounts

aikman · Aug 8, 2024

I'm not sure what the point of the 125,000 point limit per transfer is. My account was cleaned out within 2 minutes using 4 back to back transfers.

Scr77 · Aug 8, 2024

Can you somehow reset a velocity password without logging in? Madz had a unique password, so how can this happen?

It would be great if each report here confirmed if a unique password is used.

StayGoldPonyboy · Aug 8, 2024

Scr77 said:
Can you somehow reset a velocity password without logging in? Madz had a unique password, so how can this happen?

If the hackers have accessed your email account they can use the 'forgot my password' link on the VFF login page (to get sent a 'reset password link' email and reset it that way assuming they know your old one?).

Maybe some people have followed a link in a phishing email/SMS/ad, and entered their VFF credentials there without realising it's fake.

Happy Dude · Aug 8, 2024

moa999 said:
Of a few million accounts it's pretty tiny. VA certainly doesn't help themselves with lax security but I suspect the victims aren't totally innocent.

What?

Happy Dude · Aug 8, 2024

StayGoldPonyboy said:
If the hackers have accessed your email account they can use the 'forgot my password' link.

Maybe some people have followed a link in a phishing email/SMS/ad, and entered their VFF credentials there without realising it's fake.

go back a few posts for my full story but I did click on a pdf in a work email. From that point my work email has been used to create a zillion accounts on a zillion websites. It's a problem where websites use an email as a username, but Velocity doesn't. The problem with Velocity, in my case, is that my email address was changed without me being notified. I don't know how my email address and velocity number were "matched". I managed to change it back before any damage but have since received two more hacking attempts where I did get the forget your password link. My work email, which is also my Velocity email, is listed on several public websites and I send to tonnes of clients etc each year, so it's not or doesn't have to be a phishing thing.

MattA · Aug 8, 2024

Madz said:
I’ve had 700,000 points transferred out fraudulently on 31 July and 2 August. I noticed on Tuesday night and called Virgin immediately. It’s the same story as others, the hackers have changed my email, phone etc and booked flights to London, Shanghai, San Francisco, New York and more in names that I have never heard of. They have frozen my account and said they will launch an investigation that will take 30 days. The weird thing is that I updated my password for the first time in a few years in early July, to a unique password.

This is tens of thousands of dollars worth of points. They better be able to cancel those redemptions!

Intrigued by this.

Maybe I'm missing something here, but of all the types of fraud you could choose to do, you'd think booking international flights with stolen FF points would surely be one of the dumbest... Unless you are compounding the crime by also travelling on a fake passport, surely the identities of the people catching those flights are going to be trivial for the authorities to determine?

MJ_/\_ · Aug 8, 2024

Happy Dude said:
but I did click on a pdf in a work email

Just in case you haven't done so already, you've scanned for viruses/malware by now I take it? Clicking on a pdf link can do a lot more than expose your email address, if they've used it to install malware they potentially have access to everything on your machine.

MJ_/\_ · Aug 8, 2024

MattA said:
Maybe I'm missing something here, but of all the types of fraud you could choose to do, you'd think booking international flights with stolen FF points would surely be one of the dumbest

They probably have a scam setup selling half-price flights or something, take the cheap payment off unsuspecting victims, book using stolen Velocity points... Looks like Velocity don't have any restrictions on who you can book reward tickets for... and disappear.

My guess would be they are getting payments in cryptocurrency and targeting people who want to spend their crypto rather than bring the income through proper channels... there may be other explanations, but that one is my non-evidence based guess.

Can You Book Award Flights With Your Points for Other People?

Most frequent flyer programs let you use your points to book reward flights for family members. Some airlines also let you redeem points for friends or anyone else.

www.australianfrequentflyer.com.au

StayGoldPonyboy · Aug 8, 2024

Oh that's horrible @Happy Dude
I wonder if they got your velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?

Velocity should also send us an SMS when account details are changed (QFF do this)

Happy Dude · Aug 8, 2024

StayGoldPonyboy said:
Oh that's horrible @Happy Dude
I wonder if they got your velocity number from an email in your account (if they got access to your work email account). Then if they were in there they could action then delete password reset links overnight before anyone realised?

Velocity should also send us an SMS when account details are changed (QFF do this)

IT told me they couldn't have done that and that they're soon bringing in a system that allows access to company servers etc from only a company device. I did get into "trouble" for using work email for personal things, which I do because it's easier to deal with just one. Everything I've pretty much ever signed up to has been with my work email. Occasionally I'll sign up with a hotmail, gmail etc when exploiting 'sign up as a new customer' type offers.

Happy Dude · Aug 8, 2024

MJ_/\_ said:
Just in case you haven't done so already, you've scanned for viruses/malware by now I take it? Clicking on a pdf link can do a lot more than expose your email address, if they've used it to install malware they potentially have access to everything on your machine.

We were hacked a few years ago so possibly not the best IT dept around. I haven't scanned but IT may have done that when I told them about it. I don't have any admin rights etc.

StayGoldPonyboy · Aug 8, 2024

Happy Dude said:
IT told me they couldn't have done that and that they're soon bringing in a system that allows access to company servers etc from only a company device.

Ah sorry, I assumed you were on a work device when you mentioned work email. If you were on a personal device then, as advice from others above, that needs to be scanned.

Happy Dude · Aug 9, 2024

StayGoldPonyboy said:
Ah sorry, I assumed you were on a work device when you mentioned work email. If you were on a personal device then, as advice from others above, that needs to be scanned.

No you assumed correctly. I was on a work device. I assumed that IT did scans or whatever was needed security-wise. IT assured me the hackers couldn't have accessed anything on my computer. Like you, I thought they could and had read my emails to get info such as Velocity #, but I'm told that wasn't possible.

ben95 · Aug 9, 2024

Use a password manager and randomly generated password - never reuse passwords between websites and never share your master password. It should already be built in to any relatively modern device/browser.

For most people that will stop 90% of attacks on your account that relies on password being reused across websites. MFA and Passkeys etc are even better of course.

Of course Velocity’s account security is laughable. There’s no mandatory MFA for points or high risk transaction nor does it even notify you on suspicious login activities or have a way for you to audit those.

bcworld · Aug 9, 2024

In the past 2 weeks I've received "we detected unusual (successful?) login activity" emails for my Avianca LifeMiles account...but more concerningly my personal email account. IP addresses in the US in both cases...where I wasn't. Both use, strong, unique passwords.

AustraliaPoochie · Aug 10, 2024

Most likely too late now, or use a VPN.

MarkD · Aug 10, 2024

So when accounts are suspended, are they suspending all status benefits, ie Priority boarding, chekin, lounge, seating etc? Assume so as account not valid. If so, that sucks and is there any chance of retrospectively claiming points / SC and additional time on status level once its sorted?

StayGoldPonyboy · Aug 10, 2024

I think only their frequent flyer accounts are suspended, not the airline account. Eg Velocity account not Virgin account. So status still intact

CaptJCool · Aug 10, 2024

All good advice offered in here

Single point of failure

Unfortunately one needs to diversify their finances AND diversify their passcodes IMHO Banking passwords must be unique plus anything that can provide ID info.

Running Two or more email (and a work one) accounts affords some peace of mind

The crooks will always likely be one step ahead and combatting their approach especially if they get access to data dumps like Medibank or Optus or All don’t aid you in keeping all your various accounts safe

AustraliaPoochie · Aug 11, 2024

Would be nice if we could "lock our points".
Like what we can do with our bank cards.
VFF could set up, when we call them, set up a verbal password/passcode, to burn points.
But I guess it will cost VFF $, and NR wouldnt be too keen on that.
2fa/mfa are all scammable, its only when and if they set up a verbal code word, that only VFF and the member know, that is the only safe way.
Unless of course, the scammers crack into VFFs records.

Fraud on Velocity Frequent Flyer accounts

Established Member

Established Member

Member

Established Member

Established Member

Active Member

Junior Member

Junior Member

Member

Established Member

Established Member

Member

Established Member

Member

Established Member

Senior Member

Established Member

Member

Established Member

Senior Member

Become an AFF member!

AFF forum abbreviations