Fraud on Velocity Frequent Flyer accounts

I think only their frequent flyer accounts are suspended, not the airline account. E.g. Velocity account, not Virgin account. So status is still intact.
Yep, they explained to me that I can continue to accrue status and points.

I didn’t specifically ask about utilising or access status perks as I’m not in the air again until later in the year, but I’d assume that everything would operate as normal, barring redemption.
 
Same story here. Was away in the USA, in Tennessee. Used a public Wi-Fi network in one place. When back in Australia got 4500 spam sign-in emails. I knew something was going on. This hack is called a mail list bomb. So bad...

A few days later couldn't log in to Velocity. Called them the same minute.
10,000 miles got stolen. Email changed and also mobile number changed.

Now undergoing 30 days investigation instead of just restoring the access to the account. So stupid rules.
 
The moral of the story is, I think, never use public Wi-Fi, at least not without a VPN, and then probably not.

I learned my lesson when staying at the Premier Inn at Heathrow T4 last year, when using their free Wi-Fi. I usually have my VPN turned on, but because the website I was accessing did not work with a VPN I had to turn it off.

I then needed to access my bank account (with the VPN turned off, as I forgot to turn it on again) and lo and behold, a few minutes after accessing my bank account I received a text message from the bank with an access code. So, I thought, someone is trying to get into my account (as it certainly wasn't me) and the only explanation was that my communications through the hotel's Wi-Fi had been hacked.

Needless to say, I immediately turned on my VPN, logged out of the Wi-Fi and changed to phone data, as well as changing my banking password.

That could have been a very expensive hack, but luckily the bank’s 2-phase verification security foiled it. Hence, I strongly suggest that no one uses public Wi-Fi networks (unless they understand and accept the risks).
 
^ that would look more like normal bank 2FA security for access from an unknown device/IP. I suspect it was more likely triggered by your access but for some reason didn't force you to enter the password.

Almost all hot-spot associated issues ended with the implementation of Https which almost all websites use these days.
 
So, folks who freely admit they used non-secure public Wi-Fi networks to log into Velocity, and then have their passwords stolen, blame Velocity, and are allegedly all stampeding across to Qantas as a result.

Guess what - the first time you do that with your Qantas account, the same thing will likely occur.

Maybe you can then run off to REX .. oops, wait a moment ..........

Talk about no-one these days taking any responsibility for their own actions.
 
Guess what - the first time you do that with your Qantas account, the same thing will likely occur.
Except that mandatory 2 factor authentication would stop the attack in its tracks. You cannot do this with a QFF account regardless of how you obtained the credentials without a one-time PIN sent via SMS to transfer points or make a points booking.
 
So, folks who freely admit they used non-secure public Wi-Fi networks to log into Velocity, and then have their passwords stolen, blame Velocity, and are allegedly all stampeding across to Qantas as a result.

Guess what - the first time you do that with your Qantas account, the same thing will likely occur.

Maybe you can then run off to REX .. oops, wait a moment ..........

Talk about no-one these days taking any responsibility for their own actions.
It's absolutely appropriate to blame VA. Particularly in relation to the lack of 2FA, which, as has been pointed out to you, will prevent unauthorised account access. Given how widespread and effective 2FA is, VA's delays on introducing it are shameful and irresponsible and, given that hacks appear to be on the rise, make them complicit IMO.
 
I sign in to plenty of global hotel chains that I have millions of points with, Singapore Airlines, and my Amex and Westpac account, and they do not require it. NEVER been hacked.

But I never sit at airports etc and log in either, so some scammer can capture and copy all my details. All comes down to basic common sense. Which as my Grandpa always said was less common than many imagine.
 
But I never sit at airports etc and log in either, so some scammer can capture and copy all my details.
I am not sure where this claim comes from - as explained upthread, ubiquitous HTTPS encryption has made this largely a non-issue. I am willing to wager that logging in to airline, hotel and banking websites/apps is one of the key use cases of public Wi-Fi at airports and is probably not limited to a few irresponsible people.

Also, why just limit it to airports? Remember, you will encounter public wifi:
  • At the airport
  • In the lounges
  • In the aircraft
  • At your hotel
  • Out and about
That's a lot of time to stay disconnected or not log in to anything.
 
I am not sure where this claim comes from - as explained upthread, ubiquitous HTTPS encryption has made this largely a non-issue. I am willing to wager that logging in to airline, hotel and banking websites/apps is one of the key use cases of public Wi-Fi at airports and is probably not limited to a few irresponsible people.
IIRC the FBI some time ago put out a warning not to use free airport wifi for anything finance/money related.
Equally I think the same warning mentioned to never use a USB charge point in public, only use power outlets with your own charger.
 
My supposition is that most of these attacks are simply social engineering/ phishing attacks to convince people to login to a fake website or provide details.

But of course no-one wants to own up to that so the good old hot-spot story sounds good.
(And of course the heavy YouTuber promoted VPN sponsored companies are happy to perpetuate that story)

But I wonder whether there is another line of attack - one that's susceptible because VA doesn't have 2FA.
Say you leave your boarding pass on an aircraft, or post photos on social media.
Then someone has a link between a Velocity number and a name, and with data breaches can (particularly in the case of less common names) link that to a probable email and possible password if you are using the same login for multiple sites.
 
If I accidentally connected to a public WiFi that was impersonating the legit WiFi (if I didn't check the name of the real legit one), could hackers put up fake non HTTPS versions of popular login pages and get details that way? Another form of phishing I guess.
 
If I accidentally connected to a public WiFi that was impersonating the legit WiFi (if I didn't check the name of the real legit one), could hackers put up fake non HTTPS versions of popular login pages and get details that way? Another form of phishing I guess.
They could, but there are a number of things that would make that ineffective:
  • All modern browsers default to https, meaning to get to a http site you have to specifically type in the http:// prefix, or to redirect a user to a http:// URL, and it will show that it is not a secure site in the browser bar
  • Companies who publish only HTTPS services can use HSTS (HTTP Strict Transport Security) to inform browsers that they only publish HTTPS sites so even the above would not be effective (note that Velocity do not appear to publish HSTS headers, but Qantas seem to).
  • If someone's using an app, which is going to be a significant proportion of accesses to these sites, they're not going to even have a choice - the app will just enforce HTTPS
They could perhaps pair up a few techniques like creating an SSID with the same name as the airport Wi-Fi or one that tricks people into thinking it is one, adding a hotspot authentication page which then redirects users to an http site which pretends to be VFF's login page to capture their login info, but:
  • People who go to the https site or try to use their app while connected to the hotspot would see either a certificate error or would fail to connect, so it's hardly a long-term hack, it requires a specific flow of sending people to the http spoofed site and those people ignoring any security warnings and entering their credentials
  • This could easily be thwarted by VFF publishing HSTS headers, which would inform user browsers not to even try connecting to anything hosted under velocityfrequentflyer.com via http
  • They'd be better off just redirecting to an HTTPS site with a similar domain name and a mock-up of the real Velocity site, and capture login details that way. Just your standard phishing attack, which is probably how this happened anyway. Don't bother with physically being at the airport with a Wi-Fi hotspot, just send an official-looking email to people with a link to veloc1tyfrequentflyer.com and capture their logins from the comfort of your home
Let's just say that all of the above did actually happen, let me just make a point here about what that would actually mean, it would actually mean that:
  • Someone has set up an AP or set of APs that are physically at the airport, that they control, that intercept DNS requests for velocity, send them to a local webserver that can only provide http and not https and therefore will only work in very specific circumstances for people who happen to access very specific APs when an attacker's equipment is physically nearby
  • The AP would have to specifically redirect them to the fake velocity site. What I am suggesting here is that every single person who connects would have to specifically and only be redirected to a velocity login page. I can't see any other way that the owner of the wifi AP is going to convince people to go to this fake http URL
  • The user would have to log in with their credentials
  • The fake site then has to either log in to velocity on their behalf and show the actual real content, or error out afterwards, which combined with all the other weird stuff they have just seen (like why did this wifi network send me to log into velocity automatically?) is going to set off some alarm bells
It's not the slickest operation
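To make the HSTS point above concrete, here is a small model of the decision a browser makes when a captive portal hands it an http:// link for a host it has previously visited over HTTPS. This is an added example, not code from the thread or from any airline; the hostnames and header values are constructed, and the cache is a simplified stand-in for a real browser's HSTS store (no port handling, no preload list).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample headers for hypothetical hosts (not real observations).
SAMPLE_HEADERS = {
    "hsts-site.test": "max-age=31536000; includeSubDomains",
    "no-hsts-site.test": None,                     # site never sends the header
    "broken-hsts-site.test": "includeSubDomains",  # max-age missing: browsers ignore it
}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797). Return None if unusable."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if not m:
                return None
            policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

class HstsCache:
    """Minimal model of a browser's HSTS store: host -> includeSubDomains flag."""
    def __init__(self):
        self.entries = {}

    def observe(self, host, header_value):
        """Record the policy seen on a successful HTTPS response from host."""
        policy = parse_hsts(header_value)
        if policy is None:
            return                       # no or invalid header: nothing is remembered
        if policy["max_age"] == 0:
            self.entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.entries[host] = policy["include_subdomains"]

    def covers(self, host):
        """True if host itself, or a parent with includeSubDomains, is known."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.entries and (i == 0 or self.entries[parent]):
                return True
        return False

def navigate(cache, url):
    """Return the URL the browser would actually request for a given link."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.covers(parts.hostname):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url                           # no HSTS knowledge: the plain-http request goes out

def simulate_portal_redirects(cache):
    """Where a portal's http:// redirect to each sample host would actually land."""
    for host, value in SAMPLE_HEADERS.items():
        cache.observe(host, value)       # the user previously visited each site over HTTPS
    return {h: navigate(cache, f"http://www.{h}/login") for h in SAMPLE_HEADERS}
```

Only the host that published a valid header gets its http:// link upgraded; the site without HSTS, and the one with a malformed header, still see the plain-http request the post describes.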
 
They could, but there are a number of things that would make that ineffective:
  • All modern browsers default to https, meaning to get to a http site you have to specifically type in the http:// prefix, or to redirect a user to a http:// URL, and it will show that it is not a secure site in the browser bar
  • Companies who publish only HTTPS services can use HSTS (HTTP Strict Transport Security) to inform browsers that they only publish HTTPS sites so even the above would not be effective (note that Velocity do not appear to publish HSTS headers, but Qantas seem to).
  • If someone's using an app, which is going to be a significant proportion of accesses to these sites, they're not going to even have a choice - the app will just enforce HTTPS
They could perhaps pair up a few techniques like creating an SSID with the same name as the airport Wi-Fi or one that tricks people into thinking it is one, adding a hotspot authentication page which then redirects users to an http site which pretends to be VFF's login page to capture their login info, but:
  • People who go to the https site or try to use their app while connected to the hotspot would see either a certificate error or would fail to connect, so it's hardly a long-term hack, it requires a specific flow of sending people to the http spoofed site and those people ignoring any security warnings and entering their credentials
  • This could easily be thwarted by VFF publishing HSTS headers, which would inform user browsers not to even try connecting to anything hosted under velocityfrequentflyer.com via http
  • They'd be better off just redirecting to an HTTPS site with a similar domain name and a mock-up of the real Velocity site, and capture login details that way. Just your standard phishing attack, which is probably how this happened anyway. Don't bother with physically being at the airport with a Wi-Fi hotspot, just send an official-looking email to people with a link to veloc1tyfrequentflyer.com and capture their logins from the comfort of your home
Let's just say that all of the above did actually happen, let me just make a point here about what that would actually mean, it would actually mean that:
  • Someone has set up an AP or set of APs that are physically at the airport, that they control, that intercept DNS requests for velocity, send them to a local webserver that can only provide http and not https and therefore will only work in very specific circumstances for people who happen to access very specific APs when an attacker's equipment is physically nearby
  • The AP would have to specifically redirect them to the fake velocity site. What I am suggesting here is that every single person who connects would have to specifically and only be redirected to a velocity login page. I can't see any other way that the owner of the wifi AP is going to convince people to go to this fake http URL
  • The user would have to log in with their credentials
  • The fake site then has to either log in to velocity on their behalf and show the actual real content, or error out afterwards, which combined with all the other weird stuff they have just seen (like why did this wifi network send me to log into velocity automatically?) is going to set off some alarm bells
It's not the slickest operation
Or they could be a major MSM operator like Newscorp and run news sites that are only HTTP like The Telegraph for example whereas the News.com.au site is HTTPS - go figure?

Certainly you can have the settings to alert you if you cannot go to an HTTPS site, but surprisingly few laptops/PCs (that I've come across with friends & associates pre-Covid) came with it as the default setting.

BTW - in the early 2000s, in a meeting with the CFO of Norton - guess what was seen over the top of his laptop but a yellow post-it note. When asked why, given that is Norton's business, his response was:

"We catch bad actors' work but not the instant it is released into the wild. Realistically the odds of even one of us getting hit is along the lines of death & taxes."

It has only gotten worse since then.
 
That could have been a very expensive hack, but luckily the bank’s 2-phase verification security foiled it. Hence, I strongly suggest that no one uses public Wi-Fi networks (unless they understand and accept the risks).

Are you saying that anytime we use public wi-fi we are going to get hacked?

I have used hotel wi-fi many times over the years without VPN and don't recall anything bad happening.

I've stopped using airport wi-fi but do use lounge wi-fi, mainly in SIN.

I do check banking websites, make bookings etc but don't really login into Velocity or Qantas websites. There have been times where I've had issues trying to change my own password so struggling to see how some random hacker is going to succeed.
 

but not the instant it is released into the wild
Fair enough.
But the state or experienced bad actors with enough nous to find new exploits or exploit zero-day hacks aren't going to be targeting Joe Bloggs' Velocity points.

If you are the CFO of a large company, or a nuclear scientist it might be a little different.
 
Fair enough.
But the state or experienced bad actors with enough nous to find new exploits or exploit zero-day hacks aren't going to be targeting Joe Bloggs' Velocity points.

If you are the CFO of a large company, or a nuclear scientist it might be a little different.
No, but at an airport you have all levels of civil/public servants both for work and on holidays with their close family.
For State actors the gold medal is for politicians, high level bureaucrats and security services.
Silver is for political advisers, lobbyists, consultants (who may have access to multiple companies or Govt departments) and journalists.
Bronze is everyone else.
You throw out the net and hope for gold but if you get half a dozen bronze instead then you can still profit.
 
Are you saying that anytime we use public wi-fi we are going to get hacked?

I have used hotel wi-fi many times over the years without VPN and don't recall anything bad happening.

I've stopped using airport wi-fi but do use lounge wi-fi, mainly in SIN.

I do check banking websites, make bookings etc but don't really login into Velocity or Qantas websites. There have been times where I've had issues trying to change my own password so struggling to see how some random hacker is going to succeed.
No not every time but just like having home & contents insurance - you never know when it might happen...

Just when you thought it was bad enough - this is the latest scam sweeping the UK (& seemingly Europe). Makes me glad I never use QR codes either. Who'd have thought of pasting a fake QR code, leading to a scam page, over a legitimate QR code? Scammers of course!

Counterfeit QR Codes in Public Places (2024)

A surge in reports of fraudulent QR codes in public places has emerged this week. Media outlets in the UK have highlighted a particularly alarming prevalence of these codes on parking payment machines. It's crucial to be aware that this issue is not confined to a specific location or business; fraudulent QR codes can appear anywhere in the world, often disguised as legitimate payment options. Exercise caution and carefully scrutinize any QR code before scanning by reading this article
 
