Fraud on Velocity Frequent Flyer accounts

[Must...Fly!]

2FA is clearly necessary, but something weird is going on. It can't be that so many members are compromised by chance. Sophisticated phishing?

 

[Stone]

As a point of reference, does anyone who has been affected by this share passwords across multiple websites. With all the data breaches that have occurred in the last couple of years, this is as likely an explanation as a phishing attack (and potentially why we have seen a recent uptick in these events.)

This is definitely an area that Qantas has over Virgin at the moment; if I login in from a different device or IP address, I get a text and email to let me know (in addition to 2FA). Surely there will reach a point where the financial losses from reinstating points will exceed the cost of 2FA. I know phone numbers can be ported out, but this requires a more sophisticated ID theft than what is occurring.

 

[33kft]

Telephone Number & Email was changed but strangely was not notified by any email from Velocity at all

On the one hand I find this inexplicable - it would be the simplest and most low cost early warning system given the lack of 2FA, but with the delays in acting on cases I guess it just doesn't really matter

 

[VPS]

This has made me go and check my Velocity account and check they all have unique passwords

 

[CaptJCool]

On the one hand I find this inexplicable - it would be the simplest and most low cost early warning system given the lack of 2FA, but with the delays in acting on cases I guess it just doesn't really matter

Yea it’s the combined ID “takeover” changes in THE “one” transaction (crooks tend to be lazy and impatient so unlilely to ‘want to wait’) and the subsequent flight bookings from outside Australia origins that ought trigger the red flags


Seems not to be the case

However as for source of origin of data, well let’s see, there’s been the Optus breach and the Medibank breach and the … plus of course all these phishing emails and SMS but this is hypothesising without knowing and besides if I were to hypthotesise further, it could be a disgruntled former employee or contractor but I digress. Bad actors aren’t just in Hollywood

 

[kallinch]

From friend at VA - Velocity are in process of implementing MFA this year (they’re aware it’s well overdue). Points fraud/phishing generally is common for all loyalty programs.

 

[sharkiesrule]

Unlike banking scams, where customers are voluntarily handing over passwords and or 2FA credentials to enable fraudulent transactions, Velocity customers are blissfully unaware of what’s taking place.

No matter the complexity and uniqueness of your password, if it’s cracked and your details changed and points fraudulently used, you’ll only ever find out by accident.

There’s no social engineering, no impersonation calls, no SMS spoofing. Just a silent account comprise and takeover. Not even an email or sms to the customer in order to verify the primary contact detail changes.

I’d imagine these fraudulent redemption events will continue until the poor account security is addressed.

 

[aikman]

I get the risk of using the same password but how do they find out your Velocity number and link that to your password.

Edit: never mind, they must have hacked a Velocity partner website which keeps a record of your Velocity number and a common password.

 

[Stone]

Edit: never mind, they must have hacked a Velocity partner website which keeps a record of your Velocity number and a common password.

Medibank Private???

 

[Scr77]

Medibank Private???

Possibly. There was a sign up to Medibank to get velocity points promo.

 

[MARTINE]

Although — deep during C——d when I decided I wanted to cash in a bunch of points for some $1000 voucher they personally rang to check it was me before approving. I suppose that was the when the other mob were in charge (and we know what happened then…)

 

[33kft]

when I decided I wanted to cash in a bunch of points for some $1000 voucher they personally rang to check it was me before approving

It does make sense in the context of what was a priority at the time. Redeploy staff to validate reward redemptions to conserve / prolong cash reserves.

 

[angad596]

Medibank Private???

I am a member of Medibank Private and was part of the hack

 

[Happy Dude]

Just on MFA/2FA, even supermarkets and their loyalty schemes have it. But....

I was just able to log into my Wife's Coles online account using her email and simply changed the phone number to mine when asked if the number was correct. I still needed the password to access the account but it's clear that the 2FA can be bypassed in some circumstances. Hopefully VA won't allow an option to have a OTP sent anywhere.

 

[VPS]

I much prefer authentication on an app rather than text

 

[bcworld]

it could be a disgruntled former employee or contractor but I digress. Bad actors aren’t just in Hollywood

Or, its current employees...an inside job.

There seemed to be a situation a while back where people travelling on QR were having their (velocity as it happens) frequent flyer details changed between checking in and boarding the flight. So someone would change the FF number to be a different one using a second Velocity account with the same name. Upon retroclaiming they'd be told the points were already processed.

 

[Legoman]

Just had my Velocity account locked for no reason given. Just tried to log in to go shopping on eBay and am told your account has been locked. Enter details and then it tells me I have to reset my password (no doubt they've changed the minimium requirements for passwords without telling anyone) and now I have to retrieve the code sent to e-mail to be able to reset my password. All standard stuff, except the code never arrives to e-mail and expires in 20min.

Brilliant bit of marketing this. 'How to piss off your loyalty members and send them off to Qantas' 101

I really cannot be coughd fighting with Velocity just to order some stuff from their store on eBay. I'll just go to Qantas instead where my membership works without having to strip down naked and lather myself up in goose fat before leaping through flaming hoola hoops on a bicycle while whistling 'Happy Days are Here Again'. Velocity really do like making life hard for no good reason.

 

[MooTime]

Just had my Velocity account locked for no reason given. Just tried to log in to go shopping on eBay and am told your account has been locked. Enter details and then it tells me I have to reset my password (no doubt they've changed the minimium requirements for passwords without telling anyone) and now I have to retrieve the code sent to e-mail to be able to reset my password. All standard stuff, except the code never arrives to e-mail and expires in 20min.

Brilliant bit of marketing this. 'How to piss off your loyalty members and send them off to Qantas' 101

I really cannot be coughd fighting with Velocity just to order some stuff from their store on eBay. I'll just go to Qantas instead where my membership works without having to strip down naked and lather myself up in goose fat before leaping through flaming hoola hoops on a bicycle while whistling 'Happy Days are Here Again'. Velocity really do like making life hard for no good reason.

And good luck at Qantas.

 

[ozstamps]

So your account got hacked - again possibly from using a public network, and you too are allegedly off to Qantas.

Maybe Qantas are paying the hackers, given this 'apparent' exodus?

I'd love to be a fly on the wall at Virgin. REAL loss of elites will be about zero is my guess.

 

[Legoman]

So your account got hacked - again possibly from using a public network, and you too are allegedly off to Qantas.

Absolutely no evidence of this whatsoever, so good on ya for your purely baseless speculation with zero evidence.

Qantas has worked perfectly seemlessly with zero friction apart from the annoying 2FA phone code bizzo nonsense - but they're far from Robinson Crusoe these days on that cough.