Fraud on Velocity Frequent Flyer accounts

[Legoman]

Would be interested to see if there is any commonality between those affected, in relation to more recent breaches, by the affected posters checking the email address they used on their Velocity account against the Have I Been Pwned website.

I have done this and no, my VFF e-mail is not known to pwned

 

[VPS]

I was checking my VFF account on 29/7 for status credit update and noticed I had 90k less points. After checking the activity I had apparently booked a flight on ANA from from San Fran to Haneda the day before. I spoke to CS and my email and security question had been changed along with the the flight redemption. I was assured the points would be credited back after investigation and my account has been suspended for 30 days since then. I flew SYD to MEL last week without an issue after adding my VFF number to the booking so still had all my gold benefits. Inconvenient but not the end of the world. I would like to see some adde level of security. I know QANTAS makes you call them after redeeming gift cards to confirm your purchase.

Welcome to AFF and good luck with getting your points back

 

[RAM]

I have done this and no, my VFF e-mail is not known to pwned

Just a thought...

Are you unlucky enough to be/have been a customer of Optus, AHM, FlightRadar24 FlightAware (have an account with anytime since 2021 NOT just use the free option) etc etc - or any of the other companies that have been hacked and lost various information on customers.

The FlightRadar24 FlightAware hack does make me wonder though given the flying connection...,

Doing a search just now does not appear to mention a relatively recent hack I read about on a specialist IT security service, interesting! I don't think I dreamt it nor have I been smoking any teabags...
_______________________________________
Edited: Correcting naming wrong Flight web site, sorry

 

[Legoman]

Just a thought...

Are you unlucky enough to be/have been a customer of Optus, AHM, FlightRadar24

Yes. I was a victim of the Latitude Finance 28° Mastercard hack where those lax clowns just gave away thousands of customer details and are probably never going to see any consequences from doing so. And yes, to answer your next question, my e-mail address with Latitude was the same as my Velocity one.

To answer your third question pre-emptively, yes, I will be cancelling my 28° card come October following the imposition of the new $8/mo fee just for having it.

 

[RAM]

Yes. I was a victim of the Latitude Finance 28° Mastercard hack where those lax clowns just gave away thousands of customer details and are probably never going to see any consequences from doing so. And yes, to answer your next question, my e-mail address with Latitude was the same as my Velocity one.

It would be interesting to note how many of the other posters also have (seemingly ubiquitous for AFFers) the 28 Degree CC.

As do I. The one, possible saving grace, for us is my VFF always has a zero balance. Most will be able to guess why this is, enough said.

Curiously enough 28 Degrees was not one of the listings of sites where my details were pwned from.

It gets worse, the Have I been Pwned web site DOES NOT (in its list of companies/web sites hacked) list 28 Degrees, nor Latitude, nor Optus, nor AHM, nor MBF - despite receiving confirmation that I had been among the accounts stolen.

The only Australian ones that I turned up (doing a 'find on this page' search using 'Australian' after the name searches failed) on the web site/company list page are Ticketek, Amart, Tangerine, Dymocks, Business Acumen (oxymoron anyone?) & CTARS (a service provider of some sort for the NDIS).

 

[Demon_fan]

One thing I noticed that happened to me which also happened to others, is I got spammed massively in the lead up to it.

However, I did not have a 28 degrees CC but do have my email address linked to Optus.

 

[skylight]

I just tried to log in to Velocity to check and my computer security kept saying SPAM hmmmm.

 

[StayGoldPonyboy]

It gets worse, the Have I been Pwned web site DOES NOT (in its list of companies/web sites hacked) list 28 Degrees, nor Latitude, nor Optus, nor AHM, nor MBF - despite receiving confirmation that I had been among the accounts stolen.

Troy Hunt (the owner of the site) posted about why he didn't load the partial Optus dataset that was leaked by the hacker. See attached screenshot.

I don't know if the other names you mentioned were the same type of situation (only partial dataset available to load). Or perhaps the breached data was never posted anywhere on the dark web etc so couldn't be obtained to be loaded into the Pwned website.

I was wondering about reuse of email/password combos that hackers may have obtained.

 

[Legoman]

The only Australian ones that I turned up (doing a 'find on this page' search using 'Australian' after the name searches failed) on the web site/company list page are Ticketek, Amart, Tangerine, Dymocks, Business Acumen (oxymoron anyone?) & CTARS (a service provider of some sort for the NDIS).

The sad reality is that it's quickly becoming a list that's so long now, that unless you're a hermit living off-grid in a cave like a pict, abstaining from electricity and personal hygiene who looks upon the Amish as the devil's children with their modern ways, then you can pretty much assume your details are in the public domain to whomever wants them. We're rapidly reaching the tipping point where the list of companies that haven't been hacked or leaked all their customer details, is shorter than the list of those who have.

One thing I noticed that happened to me which also happened to others, is I got spammed massively in the lead up to it.

Yep, this does genuinely seem to be a common trait. The hackers seem to have been prepared and equipped in advance to be able to trigger a mass spam flood to the e-mail of the account they were about to hack into as a smoke screen in case the target (Velocity) sent out notification e-mails. The hackers obviously didn't know that Velocity don't do this anyway, so the flood wasn't even necessary, and was probably a bit of a Barbra Streisand effect in actually acting as the signpost that you were being hacked somewhere - you just didn't know where to look.

I was logged into the mail server during the spam flood and it was scary to see how many e-mails were coming in. It was quite literally impossible to empty the bucket faster than it was being filled. I estimate I was seeing new e-mails arriving every 1-1.5 seconds.

 

[Mattg]

Just a thought...

Are you unlucky enough to be/have been a customer of Optus, AHM, FlightRadar24 (have an account with NOT just use the free option) etc etc - or any of the other companies that have been hacked and lost various information on customers.

The FlightRadar24 hack does make me wonder though given the flying connection...,

Do you mean Flight Aware, rather than Flightradar24?

 

[RAM]

Do you mean Flight Aware, rather than Flightradar24?

Yes, memory failing me again - time to edit that post!

Thank you!

 

[mel-world]

Don't know if Velocity has altered its procedures but, after reading this thread, I thought I should change my password. I got 3 emails from them. One saying I had logged in from a new device, one asking if I had changed any details and the third advising a password change. No request to set up 2FA so no more secure. I do used multiple email accounts to separate the vital from the just important and these from companies that might spam me or sell my details. Worked for me so far.

 

[jakeseven7]

Don't know if Velocity has altered its procedures but, after reading this thread, I thought I should change my password. I got 3 emails from them. One saying I had logged in from a new device, one asking if I had changed any details and the third advising a password change. No request to set up 2FA so no more secure. I do used multiple email accounts to separate the vital from the just important and these from companies that might spam me or sell my details. Worked for me so far.

I wonder why they haven’t put in 2FA

 

[RAM]

I wonder why they haven’t put in 2FA

Cost to buy new tech, perhaps it was one of the 'post float' plans that may now be an urgent requirement.

Beancounters/Private equity vs long term customer satisfaction & revenues

 

[burmans]

Cost to buy new tech, perhaps it was one of the 'post float' plans that may now be an urgent requirement.

Beancounters/Private equity vs long term customer satisfaction & revenues

Agree, it’s not a click your fingers and it happens implementation. There would be probably not insignificant costs and Velocity hardly unique in not fully addressing potential security risks until they actually become a significant problem. Not saying I agree with the strategy though.

 

[RAM]

Agree, it’s not a click your fingers and it happens implementation. There would be probably not insignificant costs and Velocity hardly unique in not fully addressing potential security risks until they actually become a significant problem. Not saying I agree with the strategy though.

Comes under the PE pigeon hole of ‘Near term pain before selling out’.

Longer term wellbeing is of zero concern - purely maximise the flip profits.

 

[reach_trav]

Just got done - 235,000 points; 30 business days to investigate. Funny that AMEX can get it fixed immediately: AMEX Membership Reward Points Fraud

Perhaps it's worth sharing this story with A Current Affair or the papers? Surely some cadet journo would be interested in 'breaking' another data leak/hacker story for another major Australian brand. Might tie in nicely with the charter of rights and Rex stories currently doing the rounds...

 

[Legoman]

Just got done - 235,000 points; 30 business days to investigate. Funny that AMEX can get it fixed immediately: AMEX Membership Reward Points Fraud

I was only making the AMEX comparison myself in my mind the other day. Every single time I've ever had a query or question about my AMEX charges or bonus points or rewards offers or basically anything at all to do with AMEX, I have found without exception that I can contact them reasonably quickly and easily, without staying on hold for an eternity. I am then speaking or text chatting with someone with an English sounding name who doesn't speak too fast, that I can actually understand. They are knowledgeable about what I wish to talk to them about, and best of all, they actually have the answer and either explain my misunderstanding, or solve the problem I've given them there and then on that one call. I am rarely left waiting more than a few days for it to be solved.

I guess that's why the AMEX interchange fees are the highest. You're paying for the customer service. You get what you pay for goes the adage and at least where AMEX is concerned, that rings true.

 

[eecchhoo]

My account also got hacked and accessed 29 June without any notification as velocity lack of 2fa. 3 batches transfered to other vff account. Since it happened on the weekend, I only able to report it on the following Monday. Now past 30 business day still no update and called in they can’t tell much beside asking me to wait.
I have also report this cyber incident to cyber.gov.au and mentioned the incompetency of velocity not to implement 2fa on their system.
We need to report every hacking incident to cyber so all get recorded and make it more transparent how widely spread is this issue.

 

[aikman]

It's been 7 weeks since my account has been blocked. Doesn't sound like they are ready to refund my points yet. I will wait a bit longer.