Fraud on Velocity Frequent Flyer accounts

[Happy Dude]

Velocity don't employ 2FA in their log-in process, unlike Qantas who do. Logging in to Qantas is a pain that requires a code from your mobile as well as the user/password. Velocity doesn't do this, just the user/password is enough for Velocity and that's the prime vulnerability.

But it's actually worse than that, because not only do they not 2FA but they also don't send out notification e-mails to both the old and new e-mail addresses when a change to contact information is made, which would alert an account holder to something fishy going on that hadn't been initiated by them. This would at least alert the holder to take a look and maybe start asking questions. Instead, as was my case, the account holder is completely blind to what's happening and doesn't notice anything amiss at all for 2 months! More than enough time to clear out all points.

Sometimes Velocity send out notifications. I received a "your Velocity account profile has been updated" when I changed something (I can't recall what I changed exactly as I'd changed a lot of account details at the time), and I received a "Velocity account update" when I changed my security question.

I changed a lot of my details following a hack using just my email. But I didn't receive any notification that my contacts details had changed. And they definitely send out "update your password" notifications, of which I received several when the hacker tried to get in for a second time, not knowing that I had changed the email back to mine.

 

[Legoman]

It looks very much like my account was hacked on or around 10 July by my reckoning. I have figured this out by myself (no help at all from Velocity staff), because on 10 July my e-mail was hit with a massive Tsunami-sized flood spam attack that I'd never experienced before. I'm talking more than 600 e-mails in half an hour. It continued for a couple of days before starting to taper off, though still today more than a month later I'm still getting 20-30 spam/day which is still about 10x more than 'normal'.

Googling spam flood attacks says it's a tactic hackers use to hide the warning e-mails from the institutions they've just hacked, so the account holder misses them and doesn't react. Since I know the hack happened after 24 June (my last correspondence of any kind from Velocity), it's too much of a coincidence that the spam flood attack happened on 10 July. The two things have to be linked.

For my part, I didn't just blindly delete all spam messages without looking through them all quickly, so I maintain there was nothing there from Velocity warning me about the change of e-mail or transfer of points or anything else dodgy that went on, so all blame is still on Velocity AFAIC. I mean even my account name was changed FFS! How is that not a big fat red flag?!?! How many account holders do they get a year who change their entire name from an Anglo Saxon Protestant name to a Chinese one? I'm only guessing, but I would estimate… none!

 

[RAM]

It looks very much like my account was hacked on or around 10 July by my reckoning. I have figured this out by myself (no help at all from Velocity staff), because on 10 July my e-mail was hit with a massive Tsunami-sized flood spam attack that I'd never experienced before. I'm talking more than 600 e-mails in half an hour. It continued for a couple of days before starting to taper off, though still today more than a month later I'm still getting 20-30 spam/day which is still about 10x more than 'normal'.

Googling spam flood attacks says it's a tactic hackers use to hide the warning e-mails from the institutions they've just hacked, so the account holder misses them and doesn't react. Since I know the hack happened after 24 June (my last correspondence of any kind from Velocity), it's too much of a coincidence that the spam flood attack happened on 10 July. The two things have to be linked.

For my part, I didn't just blindly delete all spam messages without looking through them all quickly, so I maintain there was nothing there from Velocity warning me about the change of e-mail or transfer of points or anything else dodgy that went on, so all blame is still on Velocity AFAIC. I mean even my account name was changed FFS! How is that not a big fat red flag?!?! How many account holders do they get a year who change their entire name from an Anglo Saxon Protestant name to a Chinese one? I'm only guessing, but I would estimate… none!

I don't know, but suspect there is, if other mail setups have an equivalent to GMail's 'labels' but it is worth looking into.

Pretty much every regular email sender (that I value) has a 'filter' set up to label it accordingly. So anything from Coles/Flybuys etc gets labelled 'Flybuys', same with VFF etc. Typically I do it not by selecting 'sender' but by 'includes' and in that field I set it to the common component in the sender field (such as Amex having around 5 long form variations that all have an identical string within them).

This way I can instantly see what's hit the inbox overnight etc. Makes is so much easier to avoid even the most spohisticated spam and equally NOT miss something important.

Makes it so much easier to find any offers/discounts etc offered by any loyalty program etc.

 

[Happy Dude]

Wow thats exactly what happened to me @Legoman. I opened a pdf and a couple of days later was spammed big time. I was lucky as I didn't have points taken, just had the email and phone contact details changed. I stumbled on that when I accessed my account. I've since had an attack on my MyGov account but 2FA alerted me to that. I've changed my passwords on lots of accounts and the username away from my email on accounts where I can.

I've also emailed Velocity twice, once for each hack/attempted hack, to complain about the lack of 2FA. I received a generic email in response to the first email. I'm not at all confident that my Velocity account is secure. How contact details and mass points can be changed or transferred without so much as a whisper is beyond me. It's not good enough.

 

[RAM]

Wow thats exactly what happened to me @Legoman. I opened a pdf and a couple of days later was spammed big time. I was lucky as I didn't have points taken, just had the email and phone contact details changed. I stumbled on that when I accessed my account. I've since had an attack on my MyGov account but 2FA alerted me to that. I've changed my passwords on lots of accounts and the username away from my email on accounts where I can.

I've also emailed Velocity twice, once for each hack/attempted hack, to complain about the lack of 2FA. I received a generic email in response to the first email. I'm not at all confident that my Velocity account is secure. How contact details and mass points can be changed or transferred without so much as a whisper is beyond me. It's not good enough.

Seems that too many people are unaware just how DANGEROUS any PDF can be.

"Opening a malicious PDF can launch malware that will start up whatever process the hacker has in mind. That is, by clicking on and opening a PDF or other file, a user also unknowingly starts up a predator program."

I suspect your machine has some kind(s) of malware installed as a result of opening that PDF. The worst case I've heard of installed 6 different malware programs with varying degrees of sophistication ranging from keyloggers that were set to export the file any time a Microsoft update happened through to one particularly nasty malware that caused virus updates to skip, and was loaded in the antivirus file directory using a correct filename for that antivirus program.

Time to do some research on various online & offline malware detectors just to be on the safe side. You may be able to get away with doing a 'clean' reinstall of windows and downloading the various add-on programs that you have but either way - there's a bit of work to do.

Good luck.

 

[Legoman]

I don't know, but suspect there is, if other mail setups have an equivalent to GMail's 'labels' but it is worth looking into.

I don't use Labels. I have Labels completely disabled and hidden in fact, because I don't like the distraction. In fact I don't use any add-on features of my mail provider at all. It's just a postbox to me the way I use it. Everything comes in one place and then my mail client grabs it all from there POP3 style and does whatever custom sorting and filing offline on my computer where I control it myself.

I'm old-school and haven't subscribed to the 'everything in the cloud' modern computing mantra. Software as a service is not something I'm comfortable with. I prefer to have the software on my hardware, put there by myself and controlled my me. That way when it goes wrong, it's either my own fault which I accept, or I can instantly stop any attack and know for certain it is very definitely killed by simply unplugging a blue cable.

There is very little that can continue to be hacked from me for too long because very quickly you are required to access the internet to make any changes. When you have everything mission critical locally stored and secured offline, there is a very short limit to how much can be stolen. In this case, yes, I've had 100K points gone, but that's fairly trivial in the big scheme of things. There are another 1.9mil points elsewhere that are safe and have gone nowhere. I don't have too many eggs in one basket and my baskets are not always accessible everywhere in a nebulus cloud.

 

[RAM]

I don't use Labels. I have Labels completely disabled and hidden in fact, because I don't like the distraction. In fact I don't use any add-on features of my mail provider at all. It's just a postbox to me the way I use it. Everything comes in one place and then my mail client grabs it all from there POP3 style and does whatever custom sorting and filing offline on my computer where I control it myself.

I'm old-school and haven't subscribed to the 'everything in the cloud' modern computing mantra. Software as a service is not something I'm comfortable with. I prefer to have the software on my hardware, put there by myself and controlled my me. That way when it goes wrong, it's either my own fault which I accept, or I can instantly stop any attack and know for certain it is very definitely killed by simply unplugging a blue cable.

There is very little that can continue to be hacked from me for too long because very quickly you are required to access the internet to make any changes. When you have everything mission critical locally stored and secured offline, there is a very short limit to how much can be stolen. In this case, yes, I've had 100K points gone, but that's fairly trivial in the big scheme of things. There are another 1.9mil points elsewhere that are safe and have gone nowhere. I don't have too many eggs in one basket and my baskets are not always accessible everywhere in a nebulus cloud.

Fair enough.

Using 'labels' to do a presort for you does not change your end result by offloading the emails as you do - merely it makes it easier for you to keep track of whats come in since you last cleared it out.

 

[Legoman]

Wow thats exactly what happened to me @Legoman. I opened a pdf and a couple of days later was spammed big time.

I never allow links in PDFs to connect to anything. As a general rule I don't like automation of anything. I'm a human and I decide and control when I want things to happen. I don't even have a car with automatic wipers or headlights or braking or lane assist/steering or blind spot warning, or even an automatic gearbox. When the car starts paying for its own fuel, then and only then will it be allowed to decide when it turns the headlights or wipers on. Until that time, I'm a perfectly functioning human being who can tell when it's dark and when it's raining, and it doesn't tax too much of my mental capacity to flick a switch when necessary. It's the same thing with software. If I don't know exactly what's going on behind the scenes that I can't see (because I'm not a software coder), when I click on a link, then I go full-caveman mode and CTRL+C, CTRL+V it if it really interests me that much. It follows of course that I don't do Siri or voice recognition of any kind in any device either. I have a top line LG TV with voice command in the bluetooth remote that I don't use and whose function is disabled as well. I don't do Alexa or Siri or any of those digital assistant aka spying devices is called either.

I'm not a complete paranoid luddite though. I do have my LG TV connected to the internet so I can use the smartTV channels, mainly because I'm not clever enough to set up a full Linux box as a custom gateway in between with a configurable firewall to protect me from all the LG Corporation IP spying hosts, but if I was that clever, I probably would.

I have no idea how my VFF account got hacked, but I'm 100% convinced it wasn't through anything I have done. It is purely the lack of 2FA by Velocity and their lack of sending change notification e-mails, as you rightly suggest.

 

[RAM]

I never allow links in PDFs to connect to anything. As a general rule I don't like automation of anything. I'm a human and I decide and control when I want things to happen. I don't even have a car with automatic wipers or headlights or braking or lane assist/steering or blind spot warning, or even an automatic gearbox. When the car starts paying for its own fuel, then and only then will it be allowed to decide when it turns the headlights or wipers on. Until that time, I'm a perfectly functioning human being who can tell when it's dark and when it's raining, and it doesn't tax too much of my mental capacity to flick a switch when necessary. It's the same thing with software. If I don't know exactly what's going on behind the scenes that I can't see (because I'm not a software coder), when I click on a link, then I go full-caveman mode and CTRL+C, CTRL+V it if it really interests me that much. It follows of course that I don't do Siri or voice recognition of any kind in any device either. I have a top line LG TV with voice command in the bluetooth remote that I don't use and whose function is disabled as well. I don't do Alexa or Siri or any of those digital assistant aka spying devices is called either.

I'm not a complete paranoid luddite though. I do have my LG TV connected to the internet so I can use the smartTV channels, mainly because I'm not clever enough to set up a full Linux box as a custom gateway in between with a configurable firewall to protect me from all the LG Corporation IP spying hosts, but if I was that clever, I probably would.

I have no idea how my VFF account got hacked, but I'm 100% convinced it wasn't through anything I have done. It is purely the lack of 2FA by Velocity and their lack of sending change notification e-mails, as you rightly suggest.

You may have misunderstood about what I highlighted about PDFs.

The malware PDF only requires you to open it for it to install malware programs on your phone or computer.

Long gone are the days where the only risk was to click on a link inside a PDF.

That’s why so many spam emails come with a PDF invoice etc attached.

This has become one of the top three malware methods because too many people still think opening a PDF can do no harm.

W R O N G

Opening a PDF is now EXACTLY the same as clicking on a link.

Be warned and be careful.

There’s a related issue with you not having installed a Cyrillic (IIRC) language pack. Otherwise when you hold the cursor over an email address or link - you will see an English character shown in place of the Cyrillic one.

Worth doing some research on it. Very, very easy to fix for Windows, Apple, Samsung and Google (relying on 3rd party comment on G).

A must fix for everyone.

 

[Legoman]

You may have misunderstood about what I highlighted about PDFs.

The malware PDF only requires you to open it for it to install malware programs on your phone or computer.

I presume then what we're talking about is some sort of auto-executing macro embedded within the PDF that runs on open?

That won't happen to me either, because I do not have my settings such as to allow PDFs to open in a browser tab. All PDFs open in Acrobat Pro for me, and the security settings in Acrobat Pro are to block (or at least ask) before allowing any macros to run. As explained, I really do not like things happening on my computer automatically without my control. If the default settings are to allow such things, then I go through and switch them all off. I don't use Chrome browser either for the exact same reason. I cannot stand programs that auto-update themselves and do not provide any option to block updates - hence, no Chrome for me. Firefox can be forced to not update (although it requires custom browser config registry settings to do so). You may then ask well what about all the Windows 10/11 telemetry/spyware embedded by Microsoft that you can't turn off and can't block updates? I don't use Windows 10/11 either for that exact reason.

Macros in PDF are so rare and obscure in my world, that if a PDF suddenly said it wanted to run a macro on open, my alarm bells would be ringing so loud, there's no way in the world my curiosity would get the better of me. The PDF would be closed immediately and probably be just deleted. I wouldn't even be bothered enough to run it through MalwareBytes.

 

[tmdl]

Well, I've got 160k points missing from my account and there is no transaction or redemption history for it.

Initially my account was suspended for a perceived fraudulent transfer to my brother in law, after 4 weeks all was cleared up that it was a legit transaction and they merged my old account to a new one.

I try to make a VV to KF transfer but it was blocked (points not taken) the next day my account is missing about 370k points (no transactions, no expired point and no redemption listed).

I called VV, they said that 210k points expired due to inactivity, although they quickly rectified this as wasn't the case and they returned back in my account the next day

But the remaining 160k points, It has been back and forth for 5 weeks and I had to ask VV for a statement and calculated that indeed it was out by 160k.

I called for 3 weeks and response was 'you will receive your points in 3-5 business days) and still waiting as the last call was..... we cant give you a timeframe but we are working on it

Anyone had this issue? My guess it was a syncing issue?

 

[Legoman]

Either the account hacking problem is the lowest of the low priorities for Velocity, or else they are just deliberately slow-walking the so-called 'investigations' into each case, because they are exhibiting no urgency at all AFAICS. They won't tell me anything I can use at all about my lost 100K points. Won't provide a progress report, won't provide a pathway plan for the investigation, they aren't asking me any questions about my account usage, they don't want to know about the related spam flood attack I suffered on 10 July - which absolutely has to be related - they don't wanna know about my Amex Velocity Escape card usage. Nothing at all. You would think the first part of any genuine investigation would be to gather the facts. Velocity are doing none of this.

I don't think this bodes well. It's starting to smell like Velocity's plan here is to stonewall and delay any solid investigation for as long as necessary for the genuine account holder to get bored and tired of chasing, and then give up. Pretty much the go-to strategy for every Australian airline for any dispute or complaint about anything in fact. It doesn't look good because there's no genuine advocate agency to police the airlines and their associated points schemes in this country, and no, I do not regard the Airline Customer Adovcate (Catherine Fajerman) as that<redacted>.

Given that the airlines in this country are essentially laws unto themselves, answerable to nobody, and protected by the government, I rather think the chances of getting back stolen points, is probably minimal at best.

 

[Thomas088]

I had an almost identical experience - 2 business class tickets booked on ANA to JFK in mid-July, reported to Velocity a couple of days later and the account suspended for 30 business days. Email & password were also changed.

I was logged out of the Velocity app automatically, but can see in the Virgin Australia app that they points redemption has been reversed and points reinstated. No further communications yet apart from the 'Suspension of your Velocity Account' email I received shortly after letting the team know of the unautorised redemption.

Hopefully I'll be able to access the account again shortly!

Almost exactly 30 business days and I have now received an update - glad to have the points reinstated but am waiting for the 30k bonus points from the recent credit card promotion to credit first before making the new account:

Our internal control systems have been alerted to suspicious activity on your account. It appears that your login details have been compromised and redemptions were made from your Account. As a result of this investigation, we have suspended your account as a security precaution. We do realise that this is a less than an ideal situation and would like to assure you that this process exists only to protect the best interests of both our members and Velocity Frequent Flyer.

Your login details may have been compromised in a number of ways, more information can be found through the Australian Cyber Security Centre https://www.cyber.gov.au/ .

We recommend reporting the cybercrime via the Australian Cyber Security Centre Report | Cyber.gov.au.

All Points used in the unauthorised Points Transfer have now been fully reinstated back to your account.

In order to secure your details going forward, Velocity would recommend creating an entirely new account with a new password and security question. For added safety we also recommend that you update the email address used in conjunction with this new account. You may create a new account online via the Velocity website, and then advise us of the new account number so that we may transfer your status and earnings to your new account. Alternatively, please call us on 131 875 and our Membership Contact Centre will be able to assist you with the full setup of your new account.

 

[Legoman]

Unsurprisingly it sounds a lot like Velocity have no intention of getting serious and implementing real security measures to shore up against another identical theft attack. Like Happy Dude has done, I've e-mailed Velocity and called upon them to do like Qantas and at least implement 2FA via SMS on account login, but it doesn't sound like that's even on the brainstorming ideas whiteboard from the last employee team building bonding session. The meeting probably went overtime acknowledging the traditional owners of the land upon which the meeting was taking place and then doing the obligatory welcome to country, such that they then ran out of time to talk about actual account security. Honestly nothing would surprise me these days.

It seems that just changing all your personal particulars in a new account is as far as Velocity are willing to go to 'secure' your account. So in essence, the hackers just have to go back and redo what they did before again and grab more points. Yay!

 

[bcworld]

I called VV, they said that 210k points expired due to inactivity, although they quickly rectified this as wasn't the case and they returned back in my account the next day

I know they'll say things like that...but how little do they even understand their own program?

Partial points expiry is not a thing...if they expire, the entire balance expires...not some of the balance.

 

[RAM]

Unsurprisingly it sounds a lot like Velocity have no intention of getting serious and implementing real security measures to shore up against another identical theft attack. Like Happy Dude has done, I've e-mailed Velocity and called upon them to do like Qantas and at least implement 2FA via SMS on account login, but it doesn't sound like that's even on the brainstorming ideas whiteboard from the last employee team building bonding session. The meeting probably went overtime acknowledging the traditional owners of the land upon which the meeting was taking place and then doing the obligatory welcome to country, such that they then ran out of time to talk about actual account security. Honestly nothing would surprise me these days.

It seems that just changing all your personal particulars in a new account is as far as Velocity are willing to go to 'secure' your account. So in essence, the hackers just have to go back and redo what they did before again and grab more points. Yay!

Try the Company Secretary or instead.

 

[Must...Fly!]

Unsurprisingly it sounds a lot like Velocity have no intention of getting serious and implementing real security measures to shore up against another identical theft attack.

From friend at VA - Velocity are in process of implementing MFA this year (they’re aware it’s well overdue). Points fraud/phishing generally is common for all loyalty programs.

It's being done.

 

[Demon_fan]

Just received the AFF email and saw an article about this linked to this thread.

So I'm jumping on board to say this happened to me on July 2. Cleaned my points out for some redemption flights between Nigeria and Doha.

I've received my points, but VFF failed to get back to me within 30 days like they said they would.

Massive PITA, I've since now created a new account and now they are taking forever to tranistion my old account across.

Can't believe how many people it's happened to in a similar time frame.

 

[ddhhrr]

I was checking my VFF account on 29/7 for status credit update and noticed I had 90k less points. After checking the activity I had apparently booked a flight on ANA from from San Fran to Haneda the day before. I spoke to CS and my email and security question had been changed along with the the flight redemption. I was assured the points would be credited back after investigation and my account has been suspended for 30 days since then. I flew SYD to MEL last week without an issue after adding my VFF number to the booking so still had all my gold benefits. Inconvenient but not the end of the world. I would like to see some adde level of security. I know QANTAS makes you call them after redeeming gift cards to confirm your purchase.

 

[StayGoldPonyboy]

Would be interested to see if there is any commonality between those affected, in relation to more recent breaches, by the affected posters checking the email address they used on their Velocity account against the Have I Been Pwned website.