Fraud on Velocity Frequent Flyer accounts

[ozstamps]

I am sure Velocity just randomly lock accounts for no reason whatever.

But you are correct - I have ZERO evidence they do lock them for NO reason.

I've read endless threads here and elsewhere over several decades, of airlines being 'meanies' and doing such things. Most of the time the story unravels of the 'meanies' discovering it being connected with sale or transfer of award tickets, folks travelling under other member's accounts using the status and lounge and seating and baggage benefits, fiddling or abuse of family pooling and so on, and other breaches of the clear Rules of the programs.

But I have zero evidence of that either, just what was posted.

Great to hear Qantas has allegedly welcomed you with open arms, even before you discovered what the Velocity issue is/was. Hmmmm..

 

[Legoman]

I am sure Velocity just randomly lock accounts for no reason whatever.

Well given that I haven't even bothered to log into my Velocity account since the SailGP event in February 2023, I'm willing to bet the cause has nothing to do with all the rubbish you're speculating about in order to forgive the airline (who is no doubt your employer).

I'm no fan of Qantas, but I will say this for them, they haven't seen fit to just randomly lock my QFF account and not bother to tell me about it.

 

[ozstamps]

all the rubbish you're speculating about in order to forgive the airline (who is no doubt your employer).

Thanks ... I need to get a good laugh each day, and you certainly provided today's.

My posts here show I am no fan of MANY things Velocity does, and am very pleased to say so regularly. 'Employer' my eye.

I've made 40,000 posts on airline bulletin boards over 25 years, and the 'rubbish' sadly is not 'speculation', it is simply a long trail of proven facts.

10,000s of folks flout the rules each year. Many are caught. Those are concrete facts.

I've never had any account frozen, and I am sure if I did, it would be resolved amicably once looked into.

 

[bcworld]

Absolutely no evidence of this whatsoever, so good on ya for your purely baseless speculation with zero evidence.

It sounds a bit like that is what has happened...because, hacking (and locking) of Velocity accounts is at epidemic proportions at the moment...and something that is very commonly reported is that the hackers change the email and phone number on the account...which Velocity doesn't seem to send any notification about.

 

[Happy Dude]

@Legoman my guess is that someone tried to hack your account resulting in the lock.

I know when I sign into the app and get the password wrong it is supposed to give me two more chances, but no matter what I put in the second time - even when I know I've got the password right - the account gets locked anyway. Annoying asf.

 

[clifford]

They could, but there's a number of things that would make that ineffective:

• All modern browsers default to https, meaning to get to a http site you have to specifically type in the http:// prefix, or to redirect a user to a http:// URL, and it will show that it is not a secure site in the browser bar
• Companies who publish only HTTPS services can use HSTS (HTTP Strict Transport Security) to inform browsers that they only publish HTTPS sites so even the above would not be effective (note that Velocity do not appear to publish HSTS headers, but Qantas seem to).
• If someone's using an app, which is going to be a significant proportion of accesses to these sites, they're not going to even have a choice - the app will just enforce HTTPS

They could perhaps pair up a few techniques like creating a SSID with the same name as the airport wifi or one that tricks people into thinking it is one, adding a hotspot authentication page which then redirects users to a http site which pretends to be VFF's login page to capture their login info, but:

• People who go to the https site or try to use their app while connected to the hotspot would see either a certificate error or would fail to connect, so it's hardly a long-term hack, it requires a specific flow of sending people to the http spoofed site and those people ignoring any security warnings and entering their credentials
• This could easily be thwarted by VFF publishing HSTS headers, which would inform user browsers not to even try connecting to anything hosted under velocityfrequentflyer.com via http
• They'd be better off just redirecting to a HTTPS site with a similar domain name and a mock up of the real velocity site, and capture login details that way. Just your standard phishing attack, which is probably how this happened anyway. Don't bother with physically being at the airport with a wifi hotspot, just send an official looking email to people with a link to veloc1tyfrequentflyer.com and capture their logins from the comfort of your home

Let's just say that all of the above did actually happen, let me just make a point here about what that would actually mean, it would actually mean that:

• Someone has set up an AP or set of APs that are physically at the airport, that they control, that intercept DNS requests for velocity, send them to a local webserver that can only provide http and not https and therefore will only work in very specific circumstances for people who happen to access very specific APs when an attacker's equipment is physically nearby
• The AP would have to specifically redirect them to the fake velocity site. What I am suggesting here is that every single person who connects would have to specifically and only be redirected to a velocity login page. I can't see any other way that the owner of the wifi AP is going to convince people to go to this fake http URL
• The user would have to log in with their credentials
• The fake site then has to either log in to velocity on their behalf and show the actual real content, or error out afterwards, which combined with all the other weird stuff they have just seen (like why did this wifi network send me to log into velocity automatically?) is going to set off some alarm bells

It's not the slickest operation

That sounds like it may be learned stuff, but how does it explain:

When I was staying at the Premier Inn T4 LHR I needed to access my Santander bank account. No doubt this uses HTTPS. I usually use a VPN when travelling, but I had just used the Coles (AU) website where I had to disconnect from the VPN, as Coles didn't allow its use (Guru Meditation). I forgot to re enable the VPN, so when I accessed Santander it was just native public wi-fi.

Of course, someone was monitoring this hotel's wi-fi and got hold of my Santander login details. What thwarted them was the 2FA, so when I got the text message requesting the code I knew what was going on.

So, really nothing will protect you when using a public wi-fi network, apart from perhaps a VPN.

 

[33kft]

So, really nothing will protect you when using a public wi-fi network, apart from perhaps a VPN.

Sorry, but this is just nonsense.

Your anecdote might convince you of the magic properties of a VPN but it is nothing but an encrypted tunnel, just as HTTPS is, but unlike HTTPS which is decrypted by the bank you are trying to access, VPNs are encrypted half way to the bank (or in more cases than not, 1 and a half times further than the bank in an encrypted tunnel and then doubled back unencrypted) by some random that you are paying 2 dollars a month to to re-encrypt your encrypted traffic.

VPNs are really not for security. Nothing should convince you to trust that company more than anyone else with your data. Taking an indirect path to someone else is not safer than taking a direct path over the internet. VPNs are only useful for pseudo-anonymity and bypassing geo restrictions.

If someone really believes they have managed to defeat the security of HTTPS then there are 2 potential cases here:

1. They have found out how to factor large primes on demand and all asymmetric encryption is now useless, or
2. They have compromised one of the trusted certificate authority and a non trivial proportion of all certificates issued globally need to be invalidated immediately.

 

[moa999]

Interestingly I decided after posting in this thread a few times to change my Velocity password.

My password was one I'd setup 10y+yrs ago that was fairly unique (repeated for some of my higher level logins only) but only six characters and no alphanumerics (not what I'd use today). I had never been asked to Virgin to replace it.

On the good side it did force me into an 8-16 plus special character, and it did immediately email me about the change.

 

[padders]

Or, its current employees...an inside job.

There seemed to be a situation a while back where people travelling on QR were having their (velocity as it happens) frequent flyer details changed between checking in and boarding the flight. So someone would change the FF number to be a different one using a second Velocity account with the same name. Upon retroclaiming they'd be told the points were already processed.

That happened to me at Mecca!

 

[bcworld]

That happened to me at Mecca!

And did you get this resolved?

 

[padders]

And did you get this resolved?

Kind of. A whole lot of points went out, then a whole lot more arrived in my account. I just changed the address and email back to mine and redeemed them for several rewards items.

Then I changed my password.

 

[bcworld]

Kind of. A whole lot of points went out, then a whole lot more arrived in my account. I just changed the address and email back to mine and redeemed them for several rewards items.

Then I changed my password.

That wasn't the situation I was describing with QR.

People would check in, with their velocity number on the boarding pass. Between then and boarding the flight someone would change that to a different Velocity number and collect the points. No points transfers or unauthorised account logins.

 

[Crustypedro]

I just tried to log in to my account and got the following message:

"INACTIVE, SUSPENDED OR CLOSED ACCOUNT
The Velocity Membership number you have entered is associated with an inactive, suspended or close account. Please check that you have entered the correct membership details or contact the Membership Contact Centre for assistance."

Called up the contact centre - and they informed me that my mobile number, email and address had been changed on the account - and that a large number of points had been transferred out? My account is under investigation - and someone will contact me within 30 business days.

Has anyone had this issue before? I didn't realise stealing points was a thing?

Cheers,
dB

I have the same. 2 days ago i tried to log on to book a flight and couldnt. Said account was blocked, so velocity knew something was going on but they failed to contact me. Called velocity and they had a different email for me. It was changed back, i logged on and i had lost over 700000 points a few weeks ago so now had almost none. Lost to a myer redemption. Called myer who will tell me nothing. Lodged a police report with australian signals directorate.
I reckon it’s an inside job because only a few weeks before i had transferred all those points from my bank and got the 15% bonus. A few days after those points were in my account the hack occurred because they knew i had a lot of points to grab. Im on 30 day freeze too, but will contact velocity again today.

 

[Legoman]

As best I can tell, because the Velocity staff are no help whatsoever, my e-mail hasn't been changed, my points haven't been stolen, and my account hasn't been hacked. They've just locked my account presumably because my password doesn't comply with their newly tightened up minimum requirements that they didn't bother to tell me about and didn't prompt me to upgrade my password. Theit solution appears to be just lock every account that doesn't have a compliant password and wait for the account holder to complain.

What really pisses though, is when you do complain, they just redirect me to a website to change my password, which I've done 3 times now and never, not once do I get the code to verify that I want to change my password to my e-mail. But the e-mail is still the very same one I get all their advertising and spam messages to. So they damn well know my e-mail when they want to spam me with offers to book a flight somewhere, but then I can't book that flight because they've bloody well locked my account! I'm in catch-22 hell.

 

[33kft]

so velocity knew something was going on but they failed to contact me. Called velocity and they had a different email for me. It was changed back, i logged on and i had lost over 700000 points a few weeks ago so now had almost none.

Ouch, sorry to hear that.

It's possible that Velocity did contact you, but the contact details had been changed by the person who took your points. I know that's not very helpful, but it seems to be a bit of a vulnerability in the process, once those contact details are changed, the account owner tends to not hear a thing from that point onwards, based on recent reports.

 

[Legoman]

Same story here. Finally got through to Velocity and they have finally admitted (though not officially or formally) they've let my account be hacked by the Chinese. The name on my account has been changed to something like Ming Ann and my e-mail address had become [email protected]. My points balance has gone from 124,383 down to 30,800, but they won't let me into my account now to even see what the redemption activity was. They've changed my details back to what they were before, but the account remains locked and they won't let me or anyone else into my account for another 6 weeks while they investigate their own security failings and try to come up with a plausible excuse for why it isn't their fault and why they aren't responsible for refunding my stolen points.

It is quite obvious that until very recently, Velocity didn't send out notification/confirmation e-mails to both the old and new e-mail address as a security measure when a change e-mail request has been put through. I never received any advice at all my e-mail had been changed on the account. The last communication I got from Velocity appears to be on 24 June, so the hack has happened sometime after then.

 

[msarswat]

And the other common attack vector.
Had you recently received an email/ SMS from Virgin / Velocity asking you to login to your account or confirm something?

Also see this recent thread, and note that some of Virgins investigations extend well over 30 days.

Velocity account suspended

I received an email last night with "Your account profile has been updated" and now after signing in, I get "INACTIVE, SUSPENDED OR CLOSED ACCOUNT The Velocity Membership number you have entered is associated with an inactive, suspended or close account. Please check that you have entered the...

www.australianfrequentflyer.com.au

No, I avoid all such phishing / vishing attacks. never clicked on a link on sms

 

[Legoman]

It's possible that Velocity did contact you, but the contact details had been changed by the person who took your points. I know that's not very helpful, but it seems to be a bit of a vulnerability in the process

Velocity don't employ 2FA in their log-in process, unlike Qantas who do. Logging in to Qantas is a pain that requires a code from your mobile as well as the user/password. Velocity doesn't do this, just the user/password is enough for Velocity and that's the prime vulnerability.

But it's actually worse than that, because not only do they not 2FA but they also don't send out notification e-mails to both the old and new e-mail addresses when a change to contact information is made, which would alert an account holder to something fishy going on that hadn't been initiated by them. This would at least alert the holder to take a look and maybe start asking questions. Instead, as was my case, the account holder is completely blind to what's happening and doesn't notice anything amiss at all for 2 months! More than enough time to clear out all points.

 

[Mr H]

Instead, as was my case, the account holder is completely blind to what's happening and doesn't notice anything amiss at all for 2 months! More than enough time to clear out all points.

Wouldn't the points get cleared almost immediately? Not an exact analogy but I had a bank card stolen in London and they racked up thousands of pounds within an hour.

 

[Legoman]

Wouldn't the points get cleared almost immediately?

You'd think so, but according to the Velocity guy I spoke to this morning, he said I've still got 30,800 points left from somewhere around 124K points when I estimate it was hacked. So either the 100K transfer the hacker did was enough to trigger an instant auto-block on my account thus preventing anymore theft, or the hacker was just happy with taking a nice ~100K points and couldn't be bothered with another trivial 30K, or there was some frictional limit on transfers that prevented the theft of more than 100K in one hit, or the hacker was trying to look legitimate by not taking the entire balance all at once so they could come back and grab the remainder at a later date.

Who knows? I don't because the Velocity guy I spoke to wouldn't answer any of my questions, wouldn't tell me anything of a technical nature about what had gone on and was seemingly very reluctant to give me anything at all that I could go on other than wild speculation.

All I did get was a strong impression they had heard all this before, I was not the only one, and that they already have a dedicated investigation team set up for account victims like me.

They won't even tell me just how "suspended" my account is right now and what that means. ie. are points earnt and auto-transferred using my Amex Velocity Escape card going to still appear in my Velocity account eventually? Or are they just going to vanish if they are transferred to a non-active/suspended account? No idea, they can't even tell me that, so I'm parking the Amex Velocity in favour of the Amex Qantss Discovery instead until I get some info of the way forward.

The only thing I will say is this experience has confirmed for me that I've been very smart to have kept my other 1.9mil points banked as credit card points and not transferred them over to Velocity regardless of any silly little 15% bonus offer claptrap 'deals'. 15% bonus of nothing is still nothing as the saying goes. The security of my credit card points scheme I dare say is significantly greater than that of Velocity. Losing 100K points is a mild irritation compared to potentially losing 1.9mil points. I'd be brickin' it if someone had taken 1.9mil points!