Fraud on Velocity Frequent Flyer accounts

As a point of reference, does anyone who has been affected by this share passwords across multiple websites. With all the data breaches that have occurred in the last couple of years, this is as likely an explanation as a phishing attack (and potentially why we have seen a recent uptick in these events.)

This is definitely an area that Qantas has over Virgin at the moment; if I login in from a different device or IP address, I get a text and email to let me know (in addition to 2FA). Surely there will reach a point where the financial losses from reinstating points will exceed the cost of 2FA. I know phone numbers can be ported out, but this requires a more sophisticated ID theft than what is occurring.
 
Telephone Number & Email was changed but strangely was not notified by any email from Velocity at all
On the one hand I find this inexplicable - it would be the simplest and most low cost early warning system given the lack of 2FA, but with the delays in acting on cases I guess it just doesn't really matter
 
On the one hand I find this inexplicable - it would be the simplest and most low cost early warning system given the lack of 2FA, but with the delays in acting on cases I guess it just doesn't really matter
Yea it’s the combined ID “takeover” changes in THE “one” transaction (crooks tend to be lazy and impatient so unlilely to ‘want to wait’) and the subsequent flight bookings from outside Australia origins that ought trigger the red flags 🚩


Seems not to be the case

However as for source of origin of data, well let’s see, there’s been the Optus breach and the Medibank breach and the … plus of course all these phishing emails and SMS but this is hypothesising without knowing and besides if I were to hypthotesise further, it could be a disgruntled former employee or contractor but I digress. Bad actors aren’t just in Hollywood
 
Unlike banking scams, where customers are voluntarily handing over passwords and or 2FA credentials to enable fraudulent transactions, Velocity customers are blissfully unaware of what’s taking place.

No matter the complexity and uniqueness of your password, if it’s cracked and your details changed and points fraudulently used, you’ll only ever find out by accident.

There’s no social engineering, no impersonation calls, no SMS spoofing. Just a silent account comprise and takeover. Not even an email or sms to the customer in order to verify the primary contact detail changes.

I’d imagine these fraudulent redemption events will continue until the poor account security is addressed.
 
I get the risk of using the same password but how do they find out your Velocity number and link that to your password.

Edit: never mind, they must have hacked a Velocity partner website which keeps a record of your Velocity number and a common password.
 
Although — deep during C——d when I decided I wanted to cash in a bunch of points for some $1000 voucher they personally rang to check it was me before approving. I suppose that was the when the other mob were in charge (and we know what happened then…)
 
when I decided I wanted to cash in a bunch of points for some $1000 voucher they personally rang to check it was me before approving
It does make sense in the context of what was a priority at the time. Redeploy staff to validate reward redemptions to conserve / prolong cash reserves.
 
Just on MFA/2FA, even supermarkets and their loyalty schemes have it. But....

I was just able to log into my Wife's Coles online account using her email and simply changed the phone number to mine when asked if the number was correct. I still needed the password to access the account but it's clear that the 2FA can be bypassed in some circumstances. Hopefully VA won't allow an option to have a OTP sent anywhere.
 
it could be a disgruntled former employee or contractor but I digress. Bad actors aren’t just in Hollywood
Or, its current employees...an inside job.

There seemed to be a situation a while back where people travelling on QR were having their (velocity as it happens) frequent flyer details changed between checking in and boarding the flight. So someone would change the FF number to be a different one using a second Velocity account with the same name. Upon retroclaiming they'd be told the points were already processed.
 
Just had my Velocity account locked for no reason given. Just tried to log in to go shopping on eBay and am told your account has been locked. Enter details and then it tells me I have to reset my password (no doubt they've changed the minimium requirements for passwords without telling anyone) and now I have to retrieve the code sent to e-mail to be able to reset my password. All standard stuff, except the code never arrives to e-mail and expires in 20min.

Brilliant bit of marketing this. 'How to piss off your loyalty members and send them off to Qantas' 101

I really cannot be coughd fighting with Velocity just to order some stuff from their store on eBay. I'll just go to Qantas instead where my membership works without having to strip down naked and lather myself up in goose fat before leaping through flaming hoola hoops on a bicycle while whistling 'Happy Days are Here Again'. Velocity really do like making life hard for no good reason.
 
Australia's highest-earning Velocity Frequent Flyer credit card: Offer expires: 21 Jan 2025
- Earn 60,000 bonus Velocity Points
- Get unlimited Virgin Australia Lounge access
- Enjoy a complimentary return Virgin Australia domestic flight each year

AFF Supporters can remove this and all advertisements

Just had my Velocity account locked for no reason given. Just tried to log in to go shopping on eBay and am told your account has been locked. Enter details and then it tells me I have to reset my password (no doubt they've changed the minimium requirements for passwords without telling anyone) and now I have to retrieve the code sent to e-mail to be able to reset my password. All standard stuff, except the code never arrives to e-mail and expires in 20min.

Brilliant bit of marketing this. 'How to piss off your loyalty members and send them off to Qantas' 101

I really cannot be coughd fighting with Velocity just to order some stuff from their store on eBay. I'll just go to Qantas instead where my membership works without having to strip down naked and lather myself up in goose fat before leaping through flaming hoola hoops on a bicycle while whistling 'Happy Days are Here Again'. Velocity really do like making life hard for no good reason.
And good luck at Qantas.
 
So your account got hacked - again possibly from using a public network, and you too are allegedly off to Qantas.

Maybe Qantas are paying the hackers, given this 'apparent' exodus?

I'd love to be a fly on the wall at Virgin. REAL loss of elites will be about zero is my guess.
 
So your account got hacked - again possibly from using a public network, and you too are allegedly off to Qantas.
Absolutely no evidence of this whatsoever, so good on ya for your purely baseless speculation with zero evidence.

Qantas has worked perfectly seemlessly with zero friction apart from the annoying 2FA phone code bizzo nonsense - but they're far from Robinson Crusoe these days on that cough.
 

Become an AFF member!

Join Australian Frequent Flyer (AFF) for free and unlock insider tips, exclusive deals, and global meetups with 65,000+ frequent flyers.

AFF members can also access our Frequent Flyer Training courses, and upgrade to Fast-track your way to expert traveller status and unlock even more exclusive discounts!

AFF forum abbreviations

Wondering about Y, J or any of the other abbreviations used on our forum?

Check out our guide to common AFF acronyms & abbreviations.
Back
Top